Heroku and Let’s Encrypt


#1

Has anyone else run into this? I don’t believe there should be a passphrase on any Let’s Encrypt certificate. When I remove the passphrase, the certificates are still the same. I was also able to secure another application on Heroku a few weeks ago…


#2

Let’s Encrypt definitely does not use passphrases on any certificates it issues. Certificates are public documents after all.

Let’s Encrypt does not have access to your private key either. This means that this is either an issue with the method you use to generate the files you upload to Heroku, or an issue on Heroku’s end. If you could share more details about the software and/or commands you use to generate those files, we could probably figure out which of the two it is.


#3

I’ve used certbot and https://gethttpsforfree.com/; I’ve used the second one successfully before. Here are the entry fields on Heroku. To clarify, where should the signed / intermediate certs go?


#4

You’d probably need to use fullchain.pem (when using certbot) or the gethttpsforfree-equivalent (i.e., the certificate and intermediate concatenated in one file).


#5

Exactly, and just the certificate for the private key, correct?


#6

Public key? Aren’t you mistaking it for the private key?

No, the private key is a key you previously generated when using gethttpsforfree or is called privkey.pem when using certbot.


#7

Can you post the command you used to generate your private key? Note that the passphrase would be on a key rather than on a certificate.


#8

@jsha

sudo certbot certonly --manual 

However, currently certbot isn’t working properly for me; see this other thread I started: Certbot not generating keys in live folder


#9

Hi bsweaty

Any SSL install will have 3 key artifacts:

A) Private Key used to generate the CSR and the key associated with the certificate
B) The domain certificate
C) Intermediate Certificates (which provide a chain of trust for browsers to trust certificates)

Looking at the Heroku documentation https://devcenter.heroku.com/articles/ssl you can import all 3 as individual items.

Private key - you should have generated this using something like OpenSSL or PuTTY. Depending on what method you used, it may have created a password for the key. Search Google for how to remove the password from the key.

Certificate - this is what you do with domain validation etc.

Intermediate bundle - depending on what client you use you may get these with your certificate or you may get the certificate only. You can download the intermediate bundle manually here: https://letsencrypt.org/certificates/
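
A pre-upload check for the files discussed in this thread, added as an example and not part of any post: it reads only the PEM armor to tell whether the private key carries a passphrase and whether the certificate file also holds an intermediate (as fullchain.pem does). The function names and the sample PEM blocks are constructed for illustration.

```python
import re

# One PEM block; the label (e.g. "CERTIFICATE") must agree in BEGIN and END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) for every PEM block found in text."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(key_pem):
    """True if the key is passphrase-protected, judged from the PEM armor."""
    for label, body in pem_blocks(key_pem):
        if label == "ENCRYPTED PRIVATE KEY":           # PKCS#8 encrypted key
            return True
        if label.endswith("PRIVATE KEY") and "Proc-Type: 4,ENCRYPTED" in body:
            return True                                # traditional OpenSSL format
    return False

def check_upload(cert_pem, key_pem):
    """List the problems found in a certificate file / key file pair."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_pem)]
    key_labels = [label for label, _ in pem_blocks(key_pem)]
    if any(l.endswith("PRIVATE KEY") for l in cert_labels):
        problems.append("certificate file contains a private key")
    n_certs = cert_labels.count("CERTIFICATE")
    if n_certs == 0:
        problems.append("certificate file contains no certificate")
    elif n_certs == 1:  # assumption from post #4: upload leaf + intermediate together
        problems.append("certificate file has no intermediate; use the full chain")
    if not any(l.endswith("PRIVATE KEY") for l in key_labels):
        problems.append("key file contains no private key")
    elif key_is_encrypted(key_pem):
        problems.append("private key is passphrase-protected")
    return problems

def _pem(label, headers=""):
    # Constructed placeholder block: the body is not real key or certificate data.
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

LEAF = _pem("CERTIFICATE")
FULLCHAIN = LEAF + _pem("CERTIFICATE")
PLAIN_KEY = _pem("PRIVATE KEY")
LEGACY_ENCRYPTED_KEY = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
PKCS8_ENCRYPTED_KEY = _pem("ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    print(check_upload(FULLCHAIN, PLAIN_KEY))
    print(check_upload(LEAF, LEGACY_ENCRYPTED_KEY))
```

An armor check like this does not confirm that the key actually belongs to the certificate; it only catches a passphrase-protected key or a missing chain before upload.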

