Let's Encrypt and Heroku [Solved]

I found it, true.

However, http-01 is not in there. I’m just trying to solve a problem. I don’t feel like I need to learn how everything in the internet works in minute detail to solve my problem, particularly when there are domain experts (i.e. you).

Saying rtfm is all fine & good, however sometimes you need to wtfm in a sufficient way first. Good thing we have a technology called search engines, which will help the next person who is attempting the same thing I am. That person can reference this topic!

I did what I thought was appropriate research before asking.

Thank you for clearing up the unknowns.

Meh, looks like there are still a lot of outdated versions in the search results; the most up-to-date one is at https://github.com/ietf-wg-acme/acme/blob/master/draft-ietf-acme-acme.md#http

Yes, expressing things is hard because context is implicit…

I’ll do my best to read this doc, build, & express the context to what you said, if you aren’t willing to.

If you’re using Ruby on Rails you could try letsencrypt-plugin:

and then please follow the Heroku guide:

I’m using node.js & I found the carefully guarded answer; so I’m a cool kid now B-)

./letsencrypt-auto certonly --manual -d <your-domain>

This opened an interactive command line dialog.

Note that I had to deploy a file in <webroot>/.well-known/acme-challenge/<filename-given-by-command> with the contents specified by the interactive letsencrypt-auto command.

I then ran:

sudo heroku certs:update /etc/letsencrypt/live/<your-domain>/cert.pem /etc/letsencrypt/live/<your-domain>/privkey.pem

Note that <your-domain> is specified in the letsencrypt-auto command.

In case you are interested in streamlining your UX, the URL currently must be http. I had an http -> https redirect that I needed to temporarily disable to make this process work.

Since I did work in documenting how to make letsencrypt work with heroku, please add me to your list of contributors :slight_smile:
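An added example, not part of the original post: one way for a Node.js app on Heroku to answer the http-01 challenge without a local webroot and without switching off the http -> https redirect for the whole site. The config var names ACME_TOKEN, ACME_KEY_AUTH and CANONICAL_HOST are hypothetical, the sample values are constructed, and it assumes the Heroku router's X-Forwarded-Proto header tells the app whether the client used https.

```javascript
// Added example. ACME_TOKEN / ACME_KEY_AUTH / CANONICAL_HOST are hypothetical
// config vars; the values below are constructed for illustration.
const SAMPLE_ENV = {
  ACME_TOKEN: 'constructedTOKEN_123',
  ACME_KEY_AUTH: 'constructedTOKEN_123.constructedThumbprint',
  CANONICAL_HOST: 'app.example.com',
};

const CHALLENGE_PREFIX = '/.well-known/acme-challenge/';
const TOKEN_RE = /^[A-Za-z0-9_-]+$/; // base64url alphabet only, so no "../" or "/"

// Pure decision function: returns a response description, or null to pass through.
function decide(method, url, headers, env) {
  const path = url.split('?')[0];
  if (path.startsWith(CHALLENGE_PREFIX)) {
    // Challenge path is answered over plain http and never redirected.
    const token = path.slice(CHALLENGE_PREFIX.length);
    const ok = (method === 'GET' || method === 'HEAD') &&
      TOKEN_RE.test(token) &&
      Boolean(env.ACME_TOKEN) && Boolean(env.ACME_KEY_AUTH) &&
      token === env.ACME_TOKEN;
    return ok
      ? { status: 200, headers: { 'Content-Type': 'text/plain' }, body: env.ACME_KEY_AUTH }
      : { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'not found' };
  }
  if (headers['x-forwarded-proto'] !== 'https') {
    // Redirect to a configured host, not the client-supplied Host header.
    return { status: 301, headers: { Location: 'https://' + env.CANONICAL_HOST + url }, body: '' };
  }
  return null; // already https: let the application handle the request
}

// Adapter for http.createServer; `app` is the existing request handler.
function createHandler(env, app) {
  return (req, res) => {
    const r = decide(req.method, req.url, req.headers, env);
    if (!r) return app(req, res);
    res.writeHead(r.status, r.headers);
    res.end(req.method === 'HEAD' ? '' : r.body);
  };
}
// Wire-up: http.createServer(createHandler(process.env, app)).listen(process.env.PORT)
```

Set the two ACME config vars to the values printed by the interactive client before confirming the challenge, and unset them once the certificate is issued.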


There are some non-obvious security concerns with supporting HTTPS for http-01 challenges, see this post for more details.

@enric Please mark this thread as [Solved] if this solves your issue…

You need to switch to the “webroot” method so that the renewal can process automatically.

Sorry @riking, what do you mean by “switch to the webroot method”?

Do I need to modify this command ./letsencrypt-auto certonly --manual -d <your-domain> to achieve it or is this something else?

Thank you

I just made a wrapper for getting certificates on Cloud-Foundry - which might just work with Heroku. It uses the Heroku python buildpack.

@n370, manual is a direct alternative to webroot, so yes, you do need to modify that.

@riking @btakita - [nuked previous / useless edits]
Okay - so it looks like running manual does in fact give me this interactive prompt. I should be able to do the deploy and force my webserver to return a string, for that path, to pass the challenge.

The webroot method as outlined here ( Using the webroot domain verification method ) doesn’t have an interactive component though. Doesn’t seem to be a way to pause the thing until I can do the deploy.

Edit 3: Okay, so I think I can get it working fine with -manual! Wheee! Now, still have that remaining question about working with -webroot which y’all mentioned allows for autorenewal and is easier to manage…


The webroot method does substantially the same thing as the manual method, but it does it automatically: it creates the file for you so you don’t have to create it yourself. You have to tell it (with -w) where on your system it can create files that the existing webserver will serve.

Sorry if I’m misunderstanding, but the Heroku filesystem is remote; it’s not local. Is there an additional setting or thing going on here I should be aware of?

@btakita thanks for persevering with @jhass and posting the answer (for those of us that don’t live and breathe encryption). Much appreciated.

Here I thought Let’s Encrypt was about friendly and easier encryption and yet the second thing I read on the site is @jhass’s toxic messages. Disappointing.

An informative (and respectful) guide is available here:


Great walkthrough to set up a Node/Express app on Heroku with Let’s Encrypt: https://stackoverflow.com/questions/40199580/how-can-i-use-a-letsencrypt-ssl-cert-in-my-heroku-node-express-app

I created a certbot plugin that uses the Heroku CLI to automate authentication and installation of LE certificates: https://github.com/gboudreau/certbot-heroku
I only have an example that uses the php-nginx Heroku buildpack, but reading that example and finding the equivalent for other buildpacks should be easy enough.
Pull Requests are welcome to help others! :slight_smile:

I recommend trying Sabayon - https://github.com/dmathieu/sabayon. You set it up as a separate app on Heroku and it runs on a scheduler and automatically gets your cert, installs it on the necessary Heroku app and re-issues the certificate when needed.

Was very easy to set up and worked like a charm.