Is it possible to have many SSL certificates in a single Heroku application?
We have multiple domain names of different types and TLDs pointing to our application and need to secure each domain name, preferably without redirecting to a different secure URL.
A lot of people want to know whether you can install multiple SSL certificates on a single domain. The answer is yes.
Add Multiple SSL/TLS Certificates to Apps
Previously, an app on Heroku could only have one TLS termination certificate. This constraint has been relaxed starting with certificates generated with Heroku ACM.
Heroku now supports Let's Encrypt, a free way of generating SSL certificates. They call it Automated Certificate Management (or ACM for short). Although the certificate is free, you still need to upgrade your application to at least a Hobby plan to use it.
Heroku SSL is a combination of features that enables SSL for all Heroku apps. Heroku SSL uses Server Name Indication (SNI), an extension of the widely supported TLS protocol.
There is a way to have multiple SSL endpoints routing traffic to the same app.
An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back in to the normal Heroku routing layer.
You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:
Add your domain name to your app:
$ heroku domains:add ssl.example.com
Create a new app:
$ heroku create endpoint-for-example-com
Add the SSL endpoint add-on ($20/mo):
$ heroku addons:create ssl:endpoint --app endpoint-for-example-com
Add your certificate to your new app:
$ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
Resolving trust chain... done
Adding SSL Endpoint to endpoint-for-example-com... done
endpoint-for-example-com now served by kagawa-1482.herokussl.example.com
Use the SSL endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.
The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.
Notes:
Recently Heroku has added automatic Let's Encrypt TLS certificates for paid dynos, hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.
Additionally, you can manage the LE certification yourself across multiple domains and subdomains with certbot:
certbot certonly --standalone -d example.com -d www.example.com -d test.net
You can refer to this Heroku doc for uploading custom certificates.
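A certificate you manage yourself only secures the domains listed in its subjectAltName, so it is worth checking that list against the app's domains before uploading. The following is an added example, not part of the original answer or of Heroku's documentation; the function names are hypothetical and the certificate path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: list app domains that a certificate's SAN entries do not cover.
# Function names are hypothetical; sample names are the ones used on this page.

# cert_sans FILE: print the DNS names from a PEM certificate's subjectAltName,
# space-separated. Requires OpenSSL 1.1.1 or later for the -ext option.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# san_matches HOST SAN: succeed if one SAN entry covers HOST.
# A wildcard stands for exactly one leftmost label: *.example.com covers
# www.example.com but neither example.com nor a.b.example.com.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#\*}             # e.g. ".example.com"
            label=${host%"$suffix"}      # what the "*" would have to match
            [ "$label" != "$host" ] && [ -n "$label" ] || return 1
            case "$label" in *.*) return 1 ;; esac
            return 0 ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# uncovered_domains "SAN SAN ..." DOMAIN...: print every DOMAIN that no SAN
# covers, one per line. Runs in a subshell so "set -f" (which keeps "*" in a
# SAN from being expanded as a filename glob) does not leak to the caller.
uncovered_domains() (
    set -f
    sans=$1; shift
    for domain in "$@"; do
        found=no
        for san in $sans; do
            if san_matches "$domain" "$san"; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$domain"
    done
)

# Usage, assuming certbot wrote fullchain.pem (leaf certificate first):
#   uncovered_domains "$(cert_sans fullchain.pem)" example.com www.example.com test.net
```

Empty output means every listed domain is covered; any name printed would be served with a certificate that browsers reject for that host.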