2017-01-14
Using certbot to establish SSL in a Rails App on heroku
These instructions are for Mac OS X with Homebrew.
primary source:
Tomáš Vestenický on Medium - "How to set up SSL with Let’s Encrypt on Heroku for free"
Please, read this guide as a whole first, as this can't be done step by step!
Please! donate to letsencrypt for their incredible service, if you use it.
Important/Update
heroku offers automated certificate management (acm) for free with paid dynos
install certbot
```sh
brew install certbot
```
set up your app in heroku
- running on a hobby dyno at least
- Custom domains set up and running
modify your controller (in this example pages_controller.rb - make sure your settings correspond with the following route settings)
```ruby
def letsencrypt
  # second-part-of-string-random-characters
  # will be a key that certbot / letsencrypt create for you
  # you need to replace "second-part-of-string-random-characters" later
  # render plain: answers as text/plain, so the reflected :id is never
  # interpreted as HTML (render text: was removed in Rails 5.1)
  render plain: "#{params[:id]}.second-part-of-string-random-characters"
end
```
add a route for your rails app in routes.rb
```ruby
# Let’s encrypt
get '/.well-known/acme-challenge/:id' => 'pages#letsencrypt'
```
run certbot:
```sh
sudo certbot certonly --manual
```
the program will guide you through the setup, it needs your primary and valid contact email and urls (with and without "www").
Certbot will ultimately present you a key. It will probably look like this.
```
120EgkFYSSYCvSQw3TNiUolJg_mOEl5RbKsO3oNbM7U.dfzRfvDOCKOH-QqfuudgpTf-mty5h13wZTRlIIp5Kax
```
Look for the "." in the middle. Copy the part of the key after the dot and replace second-part-of-string-random-characters in your controller method for letsencrypt (see above).
DO NOT CONTINUE WITH CERTBOT!
your app is now set up properly, please push your app to heroku
after your updated app is online, continue with certbot and finish the process, the certificate and all keys will be generated for you under:
```
/etc/letsencrypt/live/<your.domain>/
```
Now all that's left to do is to push the keys to heroku for your app. Fire up a new terminal, replace <your.domain> and <your-app> in the following line according to your setup:
```sh
$ sudo heroku _certs:add /etc/letsencrypt/live/<your.domain>/fullchain.pem /etc/letsencrypt/live/<your.domain>/privkey.pem --app <your-app>
```
Finished
I do not need automation for this process, refreshing the certificate every 3 months is fine for me. One more time: Please do not forget to donate to letsencrypt for their incredible service.
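The controller step above echoes whatever `:id` is requested, so here is an added example (not code from the original post or from certbot) that splits the string certbot displays into token and thumbprint and builds the challenge body only for well-formed tokens. The module and method names are hypothetical, and the sample value is the one shown in this post; a controller would answer 404 when `response_body` returns nil.

```ruby
# Added example: plain Ruby, no Rails needed. Names are hypothetical.
module AcmeChallenge
  # ACME tokens use only the base64url alphabet (RFC 8555).
  TOKEN = /\A[A-Za-z0-9_-]+\z/
  # The part after the dot is the base64url SHA-256 thumbprint of the
  # account's public key: 32 bytes, i.e. 43 characters without padding.
  THUMBPRINT = /\A[A-Za-z0-9_-]{43}\z/

  # Split the "<token>.<thumbprint>" string certbot shows into its parts.
  def self.split(key_authorization)
    token, thumbprint, extra = key_authorization.to_s.strip.split('.', 3)
    unless extra.nil? && token.to_s.match?(TOKEN) &&
           thumbprint.to_s.match?(THUMBPRINT)
      raise ArgumentError, 'expected "<token>.<thumbprint>"'
    end
    [token, thumbprint]
  end

  # Body for GET /.well-known/acme-challenge/:id, or nil when the id is
  # not a well-formed token, so arbitrary input is never reflected.
  def self.response_body(id, thumbprint)
    return nil unless id.is_a?(String) && id.match?(TOKEN)
    "#{id}.#{thumbprint}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Sample key authorization as printed in this post.
  shown = '120EgkFYSSYCvSQw3TNiUolJg_mOEl5RbKsO3oNbM7U.' \
          'dfzRfvDOCKOH-QqfuudgpTf-mty5h13wZTRlIIp5Kax'
  token, thumbprint = AcmeChallenge.split(shown)
  puts "paste into controller: #{thumbprint}"
  puts "valid request   -> #{AcmeChallenge.response_body(token, thumbprint)}"
  puts "invalid request -> #{AcmeChallenge.response_body('<script>', thumbprint).inspect}"
end
```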
Tomáš Vestenický on Medium - "How to set up SSL with Let’s Encrypt on Heroku for free"
linode: Install Let’s Encrypt to Create SSL Certificates
Bonus
In case you want your staging app not to enforce SSL:
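- set up an environment variable on heroku for your production app e.g. FORCE_SSL = true and edit your app's production.rb to:
```ruby
# ENV values are always strings, so compare against 'true', not the boolean true
config.force_ssl = true if ENV['FORCE_SSL'] == 'true'
```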