Let’s Encrypt and Heroku

Obtain and deploy a free TLS/SSL certificate for your Heroku apps

Since Heroku announced that SSL was included in all paid dynos, I have been thinking about getting an SSL certificate for the pet projects I already have on Heroku, ThePriceMonkey Spain and ThePriceMonkey UK.

I’ve been looking for a cheap multidomain SSL certificate, because I’m going to launch some more countries, each on its own subdomain. Suddenly I ended up on the Let’s Encrypt home page: the free, automated, and open Certificate Authority. So here we go!


1. Install the Let’s Encrypt client on your system

I’m going to do this by cloning the Let’s Encrypt repository, but you can get Certbot if you prefer that.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

This command should print information indicating that you can start using the Let’s Encrypt client.


2. Obtain the certificate for your domain

Ask Let’s Encrypt for the certificate

./letsencrypt-auto certonly --manual --email email@example.com -d www.example.com

Verify your domain (Add the challenge to the app)

A message like this will appear after accepting the conditions:

Make sure your web server displays the following content at
http://www.example.com/.well-known/acme-challenge/6arQTCxjNzFJby8V9K48sDcTVzDQVP before continuing:
6arQTCxjNzFJby8V9K48sDcTVzDQVP.VFay3hjk8qzE3bwcVP4EqxiZht9gmT
Press ENTER to continue

ATTENTION: You must add the challenge response to your app before continuing; only then will the certificate be created.

The cert creation process
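One way to serve the challenge from the app, as an added example that is not part of the original post: a standard-library WSGI app that reads the challenge strings from a config var and answers only exact, known tokens. The config var name ACME_CHALLENGES and the function names are assumptions made for this sketch; with several -d domains, list the responses separated by commas.

```python
import os
import re
from wsgiref.simple_server import make_server

PREFIX = "/.well-known/acme-challenge/"
# Tokens and key thumbprints are base64url strings; anything else is rejected.
B64URL = re.compile(r"[A-Za-z0-9_-]+")


def load_challenges(raw):
    """Parse comma-separated 'token.thumbprint' values into {token: response}."""
    challenges = {}
    for entry in (e.strip() for e in raw.split(",")):
        token, sep, thumbprint = entry.partition(".")
        if sep and B64URL.fullmatch(token) and B64URL.fullmatch(thumbprint):
            challenges[token] = entry
    return challenges


def acme_challenge_app(environ, start_response, challenges=None):
    """WSGI app: answer only exact, known challenge tokens; 404 for the rest."""
    if challenges is None:
        # ACME_CHALLENGES is an assumed config var name, not a Heroku built-in.
        challenges = load_challenges(os.environ.get("ACME_CHALLENGES", ""))
    path = environ.get("PATH_INFO", "")
    token = path[len(PREFIX):] if path.startswith(PREFIX) else ""
    response = challenges.get(token) if B64URL.fullmatch(token) else None
    if response is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [response.encode("ascii")]


if __name__ == "__main__":
    # Heroku passes the listening port in $PORT; 8000 is a local fallback.
    port = int(os.environ.get("PORT", "8000"))
    make_server("", port, acme_challenge_app).serve_forever()
```

Set the value with heroku config:set before pressing ENTER, and unset it once the certificate has been issued so the app stops answering for old tokens.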

Then you will get something like this on your terminal:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.example.com/fullchain.pem. Your
   cert will expire on 2017-02-16. To obtain a new or tweaked version
   of this certificate in the future, simply run letsencrypt-auto
   again. To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Note that you can generate the certificate for all your subdomains just by adding them to the letsencrypt-auto command:

./letsencrypt-auto certonly --manual --email email@example.com -d www.example.com -d us.example.com -d uk.example.com

3. Add certs to Heroku app

Send certs to Heroku using the Heroku CLI

Now that you have the certs, it’s time to send them to the Heroku app. Note that I used sudo to grant permissions to /etc/letsencrypt/live.

sudo heroku certs:add \
  /etc/letsencrypt/live/www.example.com/fullchain.pem \
  /etc/letsencrypt/live/www.example.com/privkey.pem

Update DNS

If everything went OK, you will see a message like this.
Just go to your domain name provider and update the CNAME record.

Your certificate has been added successfully.
Update your application’s DNS settings as follows
Domain           Record Type  DNS Target
───────────────  ───────────  ─────────────────────────────
www.example.com  CNAME        www.example.com.herokudns.com

Attention

Remember that Let’s Encrypt certificates have a ninety-day lifetime, so you must renew the certificate before it expires. You will get a reminder from Let’s Encrypt if you provided your email when creating the certificate.