jared tame

carpe noctem

ssl certificates with godaddy and heroku

Ssl_heroku_gd

none of the guides out there are very good for this.  a very high-level description of these steps is included at the very end of this article.

to setup ssl certificates with a godaddy domain and heroku hosting:

from godaddy's control panel:

  1. purchase an ssl certificate from godaddy ($30/year)
  2. set the certificate up, using "secure.yourdomain.com" as the domain name (if you don't know what you're doing, be sure to use secure.yourdomain.com, and not "www.yourdomain.com")
  3. you might see a screen where they ask you for a certificate or key.  leave this screen in the background for now, we'll come back to it.

from your ruby on rails project root folder (ie one level above /app), do the following from terminal:

  1. mkdir ssl-cert
  2. cd ssl-cert
  3. openssl genrsa -des3 -out host.key 2048
  4. (enter a passphrase that you can remember when asked, you'll need it later)
  5. openssl req -new -key host.key -out host.csr
  6. (answer all the questions, but be very careful to use "secure.yourdomain.com" under the "organizational unit name" and "common name" fields)

here's an example:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Mountain View
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Company Name
Organizational Unit Name (eg, section) []:secure.mydomain.com
Common Name (eg, YOUR name) []:secure.mydomain.com
Email Address []:contact@mydomain.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

from your rails project:

  1. copy the contents of host.csr and paste them into godaddy's form, where they ask for your certificate signing request.  note: if you screw something up and do these steps over, you can just "rekey" your ssl certificate (although if you create a certificate using something like "www.yourdomain.com" you have to start all over with a new certificate--call godaddy, get a refund, and build a new certificate from scratch using the proper domain name)
  2. download the certificate from godaddy (either via e-mail or the control panel) and unzip the file to your desktop.  it's very important that you combine the two files in this zip file now, so run the following in terminal from your desktop:
  3. cat secure.mydomain.com.crt gd_bundle.crt > mydomain_combined.crt
  4. move your mydomain_combined.crt file to your ssl-cert file in your rails project
  5. cat secure.mydomain.com.crt host.key > host.pem

now we need to remove the pass phrase for heroku to properly boot the ssl certificate.  from your rails project:

  1. openssl rsa -in host.pem -out nopassphrase.pem
  2. openssl x509 -in host.pem >>nopassphrase.pem
  3. openssl rsa -in host.key -out nopassphrase.key

and finally, add the keys to heroku and be sure you have all the proper add-ons.  from your rails project:

  1. heroku ssl:add ssl-cert/nopassphrase.pem ssl-cert/nopassphrase.key
  2. heroku addons:add custom_domains:basic
  3. heroku domains:add secure.mydomain.com
  4. heroku addons:add ssl:hostname

this adds a $20/month fee for ssl.  heroku will e-mail you a domain that looks like something.amazonaws.com.  you need to go back to godaddy and insert a CNAME record with this domain pointing to secure.mydomain.com.

test it out from your rails project using "host secure.mydomain.com" and be sure the output is your something.amazonaws.com domain (and not proxy.heroku.com).

after all of this, you should be able to visit https://secure.mydomain.com without any errors or warnings.

here's how all of this works:

 

  1. you use godaddy as an ssl certificate provider
  2. you create your keys with proper certificate information about yourself in your rails project, send them to godaddy, and godaddy provides you with downloadable certificate files
  3. you send your keys to heroku and use the ssl hostname add-on
  4. when a user visits your site using https://secure.mydomain.com, they're hitting your godaddy CNAME record, which points to an amazonaws address which effectively routes the request to heroku's grid, and a secure connection gets established from there following the standard SSL handshake process.

was this helpful? this can usually be a tedious process, if you felt this was helpful, please consider donating a beer or two.