Let's Encrypt and Heroku [Solved]


[Moderator’s note: Heroku recently announced automatic integration with Let’s Encrypt]


I’m really new on using SSL certificates, and I don’t have much experience on it. If possible, can anyone help me or explain me if it’s possible to use Let’s Encrypt with Heroku, and how?

Thank you so much.

Best regards,

Help finding outdated documentation


I’m having the same issue. I tried:

$ sudo heroku certs:update /etc/letsencrypt/csr/0000_csr-letsencrypt.pem /etc/letsencrypt/keys/0000_key-letsencrypt.pem
Resolving trust chain... failed
 !    No certificate given.


For now you’ll have to use the http-01 challenge in manual mode and deploy the necessary files to your Heroku instance.


Could you be explicit about which commands I need to run?

How do I [quote=“jhass, post:3, topic:4272”]
use the http-01 challenge in manual mode

Pretend I don’t know what http-01 means, because I dont :slight_smile:

Thank you!


Well, thanks for being cavalier. I’m close to just using a different tool (cloudflare) & being done with this.

But I’ll spend a bit more time learning some things that I probably won’t use again.

I don’t know what the ACME spec is.

I assume you mean.

I googled http-01 & it seems like it’s specific to letsencrypt.

http-01 is not in


I’m confused…Could you help me another clue?


I’ll take vague over nothing (aka assuming I’ll magically know your implicit thoughts) :wink:


You seem to have found the relevant spec via my pointers fast enough.


I found it, true.

However, http-01 is not in there. I’m just trying to solve a problem. I don’t feel like I need to learn how everything in the internet works to minute detail to solve my problem; Particularly when there are domain experts (i.e. you).

Saying rtfm is all fine & good, however sometimes you need to wtfm in a sufficient way first. Good thing we have a technology called search engines, which will help the next person who is attempting the same thing I am. That person can reference this topic!

I did what I thought was appropriate research before asking.

Thank you for clearing up the unknowns.


Meh, looks like there are still a lot of outdated versions in the search results, the most up-to-date one is at https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http


Yes, expressing things is hard because context is implicit…

I’ll do my best to read this doc, build, & express the context to what you said, if you aren’t willing to.


if you’re using Ruby on Rails you could try letsencrypt-plugin:

and then please follow Heroku guide:


I’m using node.js & I found the carefully guarded answer; so I’m a cool kid now B-)

./letsencrypt-auto certonly --manual -d <your-domain>

This opened an interactive command line dialog.

Note that I had to deploy a file in <webroot>/.well-known/acme-challenge/<filename-given-by-command> with the contents specified by the interactive letsencrypt-auto command.

I then ran:

sudo heroku certs:update /etc/letsencrypt/live/<your-domain>/cert.pem /etc/letsencrypt/live/<your-domain>/privkey.pem

Note that <your-domain> is specified in the letsencrypt-auto command.

In case you are interested in streamlining your UX, the url currently must be http. I had a http -> https redirect that I needed to temporarily disable to make this process work.

Since I did work in documenting how to make letsencrypt work with heroku, please add me to your list of contributers :slight_smile:


There are some non-obvious security concerns with supporting HTTPS for http-01 challenges, see this post for more details.


@enric Please mark this thread as [Solved] if this solves your issue…


You need to switch to the “webroot” method so that the renewal can process automatically.


Sorry @riking, what do you mean by “switch to the webroot method”?

Do I need to modify this command ./letsencrypt-auto certonly --manual -d <your-domain> to achieve it or is this something else?

Thank you


I just made a wrapper for getting certificates on Cloud-Foundry - which might just work with Heroku. It uses the Heroku python buildpack.


@n370, manual is a direct alternative to webroot, so yes, you do need to modify that.

Using the webroot domain verification method

@riking @btakita - [nuked previous / useless edits]
Okay - so it looks like running manual does in fact give me this interactive prompt. I should be able to do the deploy and force my webserver to return a string, for that path, to pass the challenge.

The webroot method as outlined here ( Using the webroot domain verification method ) doesn’t have an interactive component though. Doesn’t seem to be a way to pause the thing until I can do the deploy.

Edit 3: Okay, so I think I can get it working fine with -manual! Wheee! Now, still have that remaining question about working with -webroot which ya’ll mentioned allows for autorenewal and is easier to manage…


The webroot method does substantially the same thing as the manual method, but it does it automatically: it creates the file for you so you don’t have to create it yourself. You have to tell it (with -w) where on your system it can create files that the existing webserver will serve.