Setup A GoDaddy SSL Certificate on Heroku

By Josh Wright on January 2013 in tips

 

Background

I'm using AppHarbor to host an ASP.NET site I built a few years ago. This year I started charging for it, so I needed SSL on my domain. Of all the hosts I've used for .NET (shared, private, Amazon, Azure, self-hosting) AppHarbor is my favorite but there's one MASSIVE problem... they don't do SSL.

OK, I should clarify. They do offer SNI SSL, piggyback SSL, and IP based SSL - but none of these are decent options for a checkout page. They make your website look shady or inept and wind up confusing the user for no reason.

It's worth mentioning that I'm using Stripe for credit card processing. Having worked with PayPal, I can tell you that Stripe is absurdly easy to set up. Technically I think you don't even need SSL on your site since you never handle the credit card data, but Stripe rightfully recommends SSL in case you mess up. It also gives your user confidence in the security of their information.

Heroku, SSL Certificates, and GoDaddy

Someone gave me a good tip - use Heroku to host secure.mysite.com and do all your credit card stuff there. This ended up being super easy, but there were a few gotchas that came from having a GoDaddy host.

The Real Docs

Here are the docs I used to figure everything out:

Step 1/8) Create Your Heroku App

I'm assuming you've done this. If not, create a Heroku app and make sure it's working right.

Step 2/8) Prepare Your App For SSL

If you haven't already, tell your Heroku app that it should respond to your custom domain:

heroku domains:add secure.mysite.com

Also, add SSL support to your app ($20/month):

heroku addons:add ssl

Step 3/8) Create Your Certificate Signing Request

In short, do everything Heroku says here

I created a directory in my rails app called 'certs' and did everything there.

Step 4/8) Buy Your Certificate on GoDaddy

If you go straight to GoDaddy and buy a certificate, it's $70. If you search Google for "GoDaddy SSL Certificate" then you get a massive discount. Yesterday I got one for $12.

I guess it's worth mentioning that you need to purchase your domain name.

Now, when you're setting up your certificate in GoDaddy, it will ask you to paste in your CSR (Certificate Signing Request). You created this file in the last step and it's called server.csr. Open it and copy/paste the text, which should look similar to this:

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Now GoDaddy has to approve your certificate. Mine took about 2 minutes, but I've had some types of certificates take days.

Step 5/8) Download Your Certificate

Once GoDaddy approves your certificate, download it.

They'll let you choose your type of server - choose "Apache".

The zip will contain two files: gd_bundle.crt and secure.mysite.com.crt

Step 6/8) Combine the certificates

Here's the part that the Heroku docs don't explain. If you follow their instructions, you upload only your site certificate. Heroku will accept the certificate, but when you browse to the site your browser will show a warning that the certificate is not trusted.

The fix is to combine the two .crt files so that the server also sends GoDaddy's intermediate certificates along with your own. Use the following command. It is very important that gd_bundle.crt is listed last in your combine command, because your site certificate has to come first in the chain:

cat secure.mysite.com.crt gd_bundle.crt > combined.crt

Step 7/8) Upload The Certificate To Heroku

Now you'll basically finish following the Heroku instructions using your new 'combined.crt' certificate. The server.key file comes from step 3 and combined.crt comes from step 6.

heroku certs:add combined.crt server.key
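
A pre-upload check for the two files passed to heroku certs:add above, written as an added example (not from the original post or Heroku's docs). It confirms that the first certificate in combined.crt matches server.key and that each certificate is followed by its issuer; check_bundle is a hypothetical helper name, and the openssl CLI and an unencrypted key are assumed.

```shell
#!/bin/sh
# Added example. check_bundle is a hypothetical helper name, not a Heroku command.
# Assumes the openssl CLI is installed and the private key has no passphrase.
# Usage: check_bundle combined.crt server.key   (returns 0 when all checks pass)
check_bundle() {
    bundle=$1; key=$2; rc=0
    tmp=$(mktemp -d) || return 2

    # Split the bundle into cert1.pem, cert2.pem, ... in file order and count them.
    count=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }
        END { print n + 0 }' "$bundle")
    if [ "${count:-0}" -lt 2 ]; then
        echo "found ${count:-0} certificate(s): the intermediate bundle is missing" >&2
        rm -rf "$tmp"; return 1
    fi

    # The first certificate must contain the public half of the private key.
    cert_pub=$(openssl x509 -in "$tmp/cert1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "first certificate does not match $key" >&2; rc=1
    fi

    # Each certificate must name the next one in the file as its issuer.
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject_hash)
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then
            echo "certificate $i was not issued by certificate $next" >&2; rc=1
        fi
        i=$next
    done

    rm -rf "$tmp"
    return $rc
}
```

A bundle built in the wrong order (gd_bundle.crt first) fails both checks, and a lone site certificate fails the count check, which is the case that produces the browser trust warning described in step 6.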

Step 8/8) Updating Your CName

Here's the other step that I had to discover. When you add a custom domain to Heroku (step 2) they tell you to create a CNAME record for your domain from "secure.mysite.com" to something like "myappname.heroku.com". But for SSL, you'll want something different like "tokyo-2121.herokussl.com".

To figure out where your SSL CNAME should point, try this Heroku command:

heroku certs

Your *.herokussl.com url should be listed.

It takes a few minutes for everything to start working.

God speed.