Let’s make everything secure.
With the advent of free SSL and Heroku finally offering free SSL endpoints, it’s about time we made it ridiculously easy to get an SSL cert for any Heroku application and keep it up to date.
This is alpha software. It may work, or it may not. We use it in production at Substrakt, but your mileage may vary until 1.0.
Created by Substrakt.
What it does
- Generates a private key.
- Validates domain ownership using DNS verification for a set of domains including the root. (Only works with CloudFlare currently!)
- Generates a CSR.
- Generates a LetsEncrypt certificate.
- Enables the http-sni feature on a specified Heroku application.
- Adds or updates the certificate with the newly generated one.
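The first and third steps above (private key, then CSR for the root domain plus its subdomains) are where a bad request to the CA is cheapest to catch. The following Ruby is an added example, not code from this project: it builds a key and a CSR whose subjectAltName covers the root and a comma-delimited subdomain list (mirroring the domain_name and subdomains parameters), then reads the requested names back out of the CSR so they can be checked before anything is submitted. The function names, the sample domains and the use of Ruby's standard OpenSSL bindings are our own assumptions.

```ruby
require 'openssl'

# Added example (not the project's code): generate a private key and a CSR
# for `domain_name` plus each entry of the comma-delimited `subdomains`,
# mirroring the API parameters of the same names. Returns [key, csr].
def build_csr(domain_name, subdomains, key_bits: 2048)
  # Root domain first, then each subdomain qualified with the root.
  labels = subdomains.to_s.split(',').map(&:strip).reject(&:empty?)
  names = [domain_name] + labels.map { |s| "#{s}.#{domain_name}" }

  key = OpenSSL::PKey::RSA.new(key_bits)

  csr = OpenSSL::X509::Request.new
  csr.version = 0 # PKCS#10 v1
  csr.subject = OpenSSL::X509::Name.new([['CN', domain_name, OpenSSL::ASN1::UTF8STRING]])
  csr.public_key = key.public_key

  # Every name goes into subjectAltName; modern CAs and browsers match on SAN, not CN.
  ef = OpenSSL::X509::ExtensionFactory.new
  san = ef.create_extension('subjectAltName', names.map { |n| "DNS:#{n}" }.join(','), false)
  ext_req = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([san])])
  csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))

  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, csr]
end

# Read back the DNS names a CSR actually requests (from its extReq attribute),
# so the set can be reviewed before the CSR is sent to the CA.
def csr_dns_names(csr)
  ext_req = csr.attributes.find { |a| a.oid == 'extReq' }
  return [] unless ext_req
  exts = ext_req.value.value.first.value.map { |seq| OpenSSL::X509::Extension.new(seq.to_der) }
  san = exts.find { |e| e.oid == 'subjectAltName' }
  return [] unless san
  san.value.split(',').map { |v| v.strip.sub(/\ADNS:/, '') }
end

# Pre-submission check: the CSR's self-signature verifies with the embedded
# public key and the root domain is among the requested names.
def csr_ok?(csr, domain_name)
  csr.verify(csr.public_key) && csr_dns_names(csr).include?(domain_name)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input; any domain you control works the same way.
  key, csr = build_csr('example.com', 'www,api')
  puts csr_dns_names(csr).inspect
  puts csr_ok?(csr, 'example.com')
  puts csr.to_pem
end
```

The key never leaves the process here; in the tool's flow it would be kept alongside the issued certificate for upload to Heroku, and the CSR (which carries only the public key) is what goes to LetsEncrypt.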
How it works
- User or robot makes an API request to this application.
- Magic happens.
- Site is secure.
As we’re currently in alpha, there are some severe limitations.
- Heroku apps must be in the common runtime. http-sni is not supported in private spaces, yet. This shouldn't be a problem for 99% of applications.
- DNS must be managed by CloudFlare.
- Renewals do not happen automatically. (Not sure if this is in the scope of this application, or whether the application itself should handle renewals?)
- We're using an unreleased Heroku API endpoint, and http-sni is beta. If either changes or is removed, this application will simply cease to work.
- It doesn’t currently add the CNAME records to CloudFlare once the SSL certificate has been generated. (Possibly out of scope?)
- It's a bit slow (around 1 min per validated subdomain) due to the nature of DNS resolution. Not sure how to resolve this yet.
- It does not force the secured application to only accept requests via SSL. This is because we use a variety of frameworks, so we must remain framework-agnostic.
Usage
- Run the application. Either do it yourself or deploy to Heroku for free.
- Hit the following endpoint:
  - domain_name is the domain name without subdomains. (e.g.
  - subdomains is a comma-delimited list of subdomains to cover. Usually this is just www, but could also be anything else such as
  - 0 depending on whether this is a test or not. When debug is on, non-valid certificates are generated.
  - heroku_app_name is the name of the application on Heroku.
  - auth_token is the value of
Pull requests and issues are very much welcome at this early stage.