ssl certificates with godaddy and heroku

none of the guides out there are very good for this.  a very high-level description of these steps is included at the very end of this article.

to set up ssl certificates with a godaddy domain and heroku hosting:

from godaddy's control panel:

  1. purchase an ssl certificate from godaddy ($30/year)
  2. set the certificate up, using "secure.yourdomain.com" as the domain name (if you don't know what you're doing, be sure to use secure.yourdomain.com, and not "www.yourdomain.com")
  3. you might see a screen where they ask you for a certificate or key.  leave this screen in the background for now, we'll come back to it.

from your ruby on rails project root folder (i.e. one level above /app), do the following from terminal:

  1. mkdir ssl-cert
  2. cd ssl-cert
  3. openssl genrsa -des3 -out host.key 2048
  4. (enter a passphrase that you can remember when asked, you'll need it later)
  5. openssl req -new -key host.key -out host.csr
  6. (answer all the questions, but be very careful to use "secure.yourdomain.com" under the "organizational unit name" and "common name" fields)

here's an example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Name
Organizational Unit Name (eg, section) []:secure.mydomain.com
Common Name (eg, YOUR name) []:secure.mydomain.com

Email Address []:contact@mydomain.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

from your rails project:

  1. copy the contents of host.csr and paste them into godaddy's form, where they ask for your certificate signing request.  note: if you screw something up and do these steps over, you can just "rekey" your ssl certificate (although if you create a certificate using something like "www.yourdomain.com" you have to start all over with a new certificate--call godaddy, get a refund, and build a new certificate from scratch using the proper domain name)
  2. download the certificate from godaddy (either via e-mail or the control panel) and unzip the file to your desktop.  it's very important that you combine the two files in this zip file now, so run the following in terminal from your desktop:
  3. cat secure.mydomain.com.crt gd_bundle.crt > mydomain_combined.crt
  4. move your mydomain_combined.crt file to the ssl-cert folder in your rails project
  5. cat secure.mydomain.com.crt host.key > host.pem

now we need to remove the pass phrase for heroku to properly boot the ssl certificate.  from your rails project:

  1. openssl rsa -in host.pem -out nopassphrase.pem
  2. openssl x509 -in host.pem >>nopassphrase.pem
  3. openssl rsa -in host.key -out nopassphrase.key
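
an added example, not part of the original post or of heroku's tooling: a shell preflight for the two files passed to heroku ssl:add. it assumes the layout given in the Heroku Support reply in the comments (certificate plus gd_bundle.crt in one file, passphrase-free key in the other). the function names are this example's own, and the sample files are constructed placeholders, not real keys or certificates.

```shell
#!/usr/bin/env bash
# added example: armor-level preflight for `heroku ssl:add <cert> <key>`.
# it reads only PEM header lines; it does not prove the key matches the cert.

# print how many certificate blocks a file holds
count_certs() { grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# succeed if the key is passphrase-protected: traditional PEM carries a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 uses an ENCRYPTED PRIVATE KEY label
key_is_encrypted() {
  grep -Eq -- '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# record one finding; "problems" is the caller's local counter
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# preflight CERT KEY: print each finding, return the number of problems
preflight() {
  local cert=$1 key=$2 problems=0 n
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    fail "cannot read $cert or $key"; return "$problems"
  fi
  n=$(count_certs "$cert")
  [ "$n" -ge 2 ] || fail "$cert holds $n certificate(s); leaf + gd_bundle.crt expected"
  if grep -q -- 'PRIVATE KEY-----' "$cert"; then
    fail "$cert also contains a private key"
  fi
  if ! grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$key"; then
    fail "$key has no private key block"
  elif key_is_encrypted "$key"; then
    fail "$key is still passphrase-protected"
  fi
  return "$problems"
}

# constructed sample files (placeholder bodies, not real keys or certificates)
demo=$(mktemp -d)
pem() { printf '%s\n%s%s\n%s\n' "-----BEGIN $1-----" "$2" 'Q09OU1RSVUNURUQ=' "-----END $1-----"; }
pem CERTIFICATE '' > "$demo/secure.mydomain.com.crt"
{ pem CERTIFICATE ''; pem CERTIFICATE ''; } > "$demo/gd_bundle.crt"
cat "$demo/secure.mydomain.com.crt" "$demo/gd_bundle.crt" > "$demo/mydomain_combined.crt"
pem 'RSA PRIVATE KEY' 'Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

' > "$demo/host.key"
pem 'RSA PRIVATE KEY' '' > "$demo/nopassphrase.key"

preflight "$demo/secure.mydomain.com.crt" "$demo/host.key" || echo "problems: $?"
preflight "$demo/mydomain_combined.crt" "$demo/nopassphrase.key" && echo "ready for heroku ssl:add"
```

nopassphrase.key is an unencrypted private key inside the project tree, so keep the ssl-cert folder out of version control.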

and finally, add the keys to heroku and be sure you have all the proper add-ons.  from your rails project:

  1. heroku ssl:add ssl-cert/nopassphrase.pem ssl-cert/nopassphrase.key
  2. heroku addons:add custom_domains:basic
  3. heroku domains:add secure.mydomain.com
  4. heroku addons:add ssl:hostname

this adds a $20/month fee for ssl.  heroku will e-mail you a domain that looks like something.amazonaws.com.  you need to go back to godaddy and insert a CNAME record for secure.mydomain.com that points to this domain.

test it out from your rails project using "host secure.mydomain.com" and be sure the output is your something.amazonaws.com domain (and not proxy.heroku.com).

after all of this, you should be able to visit https://secure.mydomain.com without any errors or warnings.

here's how all of this works:

  1. you use godaddy as an ssl certificate provider
  2. you create your private key and a certificate signing request (with proper certificate information about yourself) in your rails project, send the signing request to godaddy, and godaddy provides you with downloadable certificate files
  3. you send your certificate and passphrase-free key to heroku and use the ssl hostname add-on
  4. when a user visits your site using https://secure.mydomain.com, they're hitting your godaddy CNAME record, which points to an amazonaws address which effectively routes the request to heroku's grid, and a secure connection gets established from there following the standard SSL handshake process.

16 responses
Why can't you use www.yourdomain.com for the ssl cert? (I fall in that category of 'I don't know what I'm doing', but I'm trying to learn!)

Thanks for the great post!

you can do that, but it will cause all pages on your site to be secure, which is usually unnecessary because you only need to secure pages that involve sensitive data (such as a credit card, ssn, dl #, etc). using a secure.yourdomain.com is a good standard way to do it because you can separate when you want to have secure pages or not.
I thought it would only make pages secure if you use 'https'? For example, 'http://www.yourdomain.com' would not be secure, but 'https://www.yourdomain.com' would be.
that's correct, it's your preference just make sure you use the same domain all the way through. secure is a more explicit way of letting the user know they're on a secure connection as well.
Should you use the 'mydomain_combined.crt' in step #5, instead of 'secure.mydomain.com.crt'?

It would read:

'cat mydomain_combined.crt host.key > host.pem'

instead of

'cat secure.mydomain.com.crt host.key > host.pem'

Thanks again!

i don't recall whether the naming matters, although you can generate multiple certs under different names without a problem. if you don't include www, that might also be causing errors, because without the "www" implies you're using an IP based SSL cert.

the best thing to do if you're unsure is to just use a convention like secure.yourdomain.com, as mentioned in the second step.

Were you ever able to access your site over https without seeing a warning? I tried everything you said here and still get the 'Safari can't verify the identity of the website "secure.smartshortcuts.com"' when I navigate to https://secure.smartshortcuts.com

Any thoughts?

Finally, I got it to work. No warnings on Safari, Firefox, IE, or Chrome on Mac OS, Ubuntu, or Windows. W00t! I've attempted to document what I did here:

http://matthodan.blogspot.com/2010/06/how-to-setup-heroku-godaddy-standa.html

Most of this is a repeat of your tutorial, with some notable exceptions in section IV. I hope this saves someone else some time!

For anyone who wants to see the Heroku SSL write-up I posted in my last post, I moved my blog to Posterous and now it is at this link:

http://blog.matthodan.com/how-to-setup-heroku-hostname-ssl-with-godaddy

Sorry for the confusion...

This is brilliant information, I'm quite new to all this ssl business and this is a great help. My wife is looking to set up a website to sell her handmade creations and as she's not too keen on the technical side, she's left it all to me. Luckily I don't mind too much and with blogs like this it should be a breeze.
Hello,

Your steps for combining / preparing your certificates for Heroku are incorrect. The steps should be as follows:

1. Combine your certificate with the GoDaddy bundle (gd_bundle.crt, which you can get here: https://certs.godaddy.com/anonymous/repository.seam) to create your complete certificate:

cat presskitapp.com.crt gd_bundle.crt > final.crt

2. Create a passphrase-free private key:

openssl rsa -in mykey.key -out final.key

3. You can now add your finished certificates to Heroku:

heroku ssl:add final.crt final.key

4. Then add your desired SSL addon:

heroku addons:add ssl:hostname

Thanks!
Heroku Support
