Project

heroku_ssl

0.02
No commit activity in last 3 years
No release in over 3 years
Quickly and easily add SSL to a Rails App with Let's Encrypt
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Runtime

~> 0.4.0
>= 4.0.0
>= 3.0
 Project Readme

NOTE: Heroku now offers their own Let's Encrypt integration. We recommend using it instead

This gem will no longer be kept updated.

Heroku SSL

With the advent of free SSL from Let's Encrypt, SSL should be as easy as clicking a button. This gem allows you to generate and add an SSL certificate simply by running a rake task.

Usage on Heroku

Add this gem to your gemfile, then deploy it to heroku. Add a free redis instance (https://elements.heroku.com/addons/heroku-redis) if you do not have one. Then, you can simply run rake heroku_ssl:update_certs

This should prompt you for everything you need to update your shiny new SSL certificate! The only thing left to do will be to configure your DNS correctly. You'll also want to make sure that the domain had been added to heroku with heroku domains:add [your domain]

Usage outside of Heroku

Although designed for Heroku, it can generate certificates on other providers. To do so, on your server, run rake heroku_ssl:generate_certs. This will print a JSON encoded set of PEM keys to the console. You can download these (you will likely want to use privkey and fullchain as your public and private keys respectively) and add them to your own servers and configure the DNS yourself.

Installation

Add this line to your application's Gemfile:

gem 'heroku_ssl'

And then execute:

$ bundle install

It also requires one of the following:

  • The global variable $redis is set
  • The environment variable REDIS_URL is set
  • The environment variable HEROKU_REDIS_URL is set

Note that this means you need to have a live version of redis; on Heroku the free tier will work: https://elements.heroku.com/addons/heroku-redis.

Contributing

Submit a pull request!

FAQ

Why do I need redis?

To issue an SSL Certificate, Let's Encrypt needs to verify that you actually own the domain you say you do. It performs this verification by issuing a secret key to put at a given url on the server (eg make it render foo when a GET request is made to /.well-known/acme-challenge/fop). However, since most hosts, including Heroku, allow multiple servers running the same app, we can't just write a file, which would only affect one instance (in fact, if it were done through a rake task on heroku, it would be completely sandboxed from the running dyno); instead, we need to make sure all running servers know what the key is. We handle this synchronization through redis

You can get rid of redis (in fact, you could even get rid of this entire gem) once your SSL certificate has been issued. Of course, you'll have to reinstall the gem when the certificate expires.

How do I configure my DNS?

You need to set a CNAME record in your DNS zone file that points to [yourdomain].herokudns.com. The DNS zone file specifies what urls get mapped to what servers on the domain name you own. If your site is already pointed to your Heroku app, there will already be a CNAME record; you just need to change where it points to. If not, you'll need to add a new line:

[subdomain] [TTL] IN CNAME [yourdomain].herokudns.com.

For example, I have

www 10800 IN CNAME www.kaimarshland.com.herokudns.com.

Which points the www subdomain (ie the www in www.kaimarshland.com) to www.kaimarshland.com.herokudns.com. The TTL, or Time To Live, is set to 10800 seconds, which determines how long DNS information will be cached for.

How can I add a certificate generated with this manually?

After running rake heroku_ssl:generate_certs on your server, which will print out a JSON object with your generated certificates in it, you'll need to take the fullchain and the privkey and add them to your HTTP server.

On nginx, this looks like creating a new server block something like:

server {
    ...

    listen 443 ssl;

    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    ...
}

On apache, this looks something like like:

<VirtualHost 192.168.0.1:443>
...

SSLEngine on
SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/privkey.pem
SSLCertificateChainFile /path/to/chain.pem

...
</VirtualHost>

What's the deal with certificate expiration?

Certificates expire after 90 days -- you can read about why on Let's Encrypt. You'll get an email as the expiration date approaches, at which point you'll have to rerun rake heroku_ssl:generate_certs. We're looking into ways to renew the certificates automatically; however, at the moment the Heroku API doesn't let us.

License

The gem is available as open source under the terms of the MIT License.