Multiple SSL Certificates in One Heroku Application
Is it possible to have many SSL certificates in the single Heroku Application ?
We have multiple domain names of different types and TLD\'s pointing to our applicati
-
I'm dealing with this myself. Heroku suggests getting a SAN/UCC certificate, which lets you list multiple several domains. Just did it with GoDaddy and it's working fine so far.
https://devcenter.heroku.com/articles/ssl-endpoint#serving-multiple-domains
讨论(0) -
There is a way to have multiple SSL endpoints routing traffic to the same app.
An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back in to the normal Heroku routing layer.
You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:
Add your domain name to your app:
$ heroku domains:add ssl.example.comCreate a new app:
$ heroku create endpoint-for-example-comAdd the SSL endpoint add-on ($20/mo):
$ heroku addons:create ssl:endpoint --app endpoint-for-example-comAdd your certificate to your new app:
$ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint Resolving trust chain... done Adding SSL Endpoint to endpoint-for-example-com... done endpoint-for-example-com now served by kagawa-1482.herokussl.example.comUse the ssl endpoint assigned to your new app (e.g.
kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.
The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.
Notes:
This solution is not documented by Heroku, so it's possible that they would remove or change this behaviour in the future.Heroku have confirmed that this is safe for production use.- Be sure to create your endpoints in the same region as your primary app.
- It might take a while for your DNS changes to take effect.
讨论(0) -
While not the exact same as OP's question, I was able to achieve this on Heroku with a single SAN (Subject Alternative Name) certificate for about $25/year.
I generated a CSR with multiple subject alternative names (
subjectAltName) in OSX by:Copying
/System/Library/OpenSSL/openssl.cnfto the current directory, and amending the relevant sections ([req]and[v3_req]):[req] req_extensions = v3_req [v3_req] subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.comThen I used this new .cnf when generating the CSR:
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config openssl.cnfI purchased the cert from SSLs.com. Their Comodo "PositiveSSL Multi-Domain" is $25.99/yr as of this writing and support from 3-100 domains (domains over 3 cost something like $12).
I concatenated the CA bundle and .crt that I was sent into a single .crt (in that order) and added it to Heroku. All 3 domains were added to the app and pointed to the same CNAME, and all resolve over https:// as expected.
Much cheaper than $240/yr for an additional endpoint, if this is a viable route for anyone interested.
Relevant links:
- https://stackoverflow.com/a/8520510/630614
- http://apetec.com/support/GenerateSAN-CSR.htm
讨论(0) -
Recently heroku has added automatic LetsEncrypt TLS certificates for paid dynos, hobby and up. This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.
Additionally you can manage the LE certification yourself across multiple domains and subdomains, with certbot
certbot certonly --standalone -d example.com -d www.example.com -d test.netYou can refer to this heroku doc for uploading custom certificates.
讨论(0) -
We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure.
讨论(0)
加载中...
- 热议问题