rughh/on_ruby

[WIP] let's encrypt heroku integration

phoet opened this issue · 13 comments

phoet commented

in order to support full SSL via heroku, there need to be some changes to the dns setup.

i'm currently checking it out for the onruby.eu domains so that we can use them as a blueprint for all other domains.

phoet commented

point the CNAME to DOMAIN.herokudns.com so for www.onruby.eu it is www.onruby.eu.herokudns.com

phoet commented

please take care of your custom domain DNS settings as seen above

→ heroku certs:auto
=== Automatic Certificate Management is enabled on onruby

Certificate details:
Common Name(s): berlin.onruby.eu
                bonn.onruby.eu
                bremen.onruby.eu
                cologne.onruby.eu
                dresden.onruby.eu
                hamburg.onruby.eu
                innsbruck.onruby.eu
                karlsruhe.onruby.eu
                leipzig.onruby.eu
                madridrb.onruby.at
                madridrb.onruby.eu
                munich.onruby.eu
                railsgirlshh.onruby.eu
                saar.onruby.eu
                www.onruby.at
                www.onruby.eu
Expires At:     2018-03-28 12:09 UTC
Issuer:         /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At:      2017-12-28 12:09 UTC
Subject:        /CN=berlin.onruby.eu
SSL certificate is verified by a root authority.

Domain                  Status
──────────────────────  ────────────
rugsaar.de              Failing
dresden.onruby.de       Failing
innsbruck.onruby.eu     DNS Verified
railsgirlshh.onruby.de  Failing
colognerb.de            Failing
onruby.de               Failing
bonn.onruby.de          Failing
innsbruck-rb.at         Failing
madridrb.onruby.eu      DNS Verified
madridrb.onruby.at      Failing
cologne.onruby.de       Failing
berlin.onruby.de        Failing
leipzig.onruby.de       Failing
www.onruby.eu           DNS Verified
karlsruhe.onruby.de     Failing
rug-b.de                Failing
saar.onruby.eu          DNS Verified
onruby.at               Failing
railsgirlshh.onruby.eu  DNS Verified
bremen.onruby.de        Failing
innsbruck-ruby.at       Failing
berlin.onruby.eu        DNS Verified
hamburg.onruby.eu       DNS Verified
www.koelschrb.de        Failing
madridrb.com            Failing
www.madridrb.com        Failing
onruby.eu               Failing
hamburg.onruby.de       Failing
www.rugsaar.de          Failing
munich.onruby.de        Failing
cologne.onruby.eu       DNS Verified
madridrb.onruby.de      Failing
bremen.onruby.eu        DNS Verified
leipzig.onruby.eu       DNS Verified
bonn.onruby.eu          DNS Verified
www.innsbruck-ruby.at   Failing
koelschrb.de            Failing
www.onruby.de           Failing
innsbruck.onruby.de     Failing
karlsruhe.onruby.eu     DNS Verified
www.colognerb.de        Failing
www.innsbruck-rb.at     Failing
munich.onruby.eu        DNS Verified
www.rug-b.de            Failing
dresden.onruby.eu       DNS Verified
innsbruck.onruby.at     DNS Verified
www.onruby.at           Failing
saar.onruby.de          Failing

@bumi are you in control of colognerb.de?
@phoet I think koelschrb.de does not exist anymore and can be deleted.

bumi commented

@jhilden railslove handles colognerb.de guess you have access to the DNS entries or @kangguru can help.

yep i do, changed the settings, site seems to be down now 😱 although i haven't checked before the change.

phoet commented

from my phone, it looks like the *.cologne.rb has no or bad DNS information. I think the root works, but subdomain configuration is broken.

the site works fine through cologne.onruby.de

mh, any idea?

https://devcenter.heroku.com/articles/ssl#change-your-dns-for-all-domains-on-your-app

dig www.colognerb.de cname +short
colognerb.de.herokudns.com.

sounds ok to me

phoet commented

sorry, i think it must be with the subdomain www.colognerb.de.herokudns.com

changing dns is always such a PITA because of the caching and ttls :(

yea, should have spotted that myself. now it works™

DNS resolution still often does not work when people just type in colognerb.de (without the www).

$ curl -v colognerb.de
* Rebuilt URL to: colognerb.de/
* Could not resolve host: colognerb.de
* Closing connection 0
curl: (6) Could not resolve host: colognerb.de

Some browsers will automatically redirect to the www version, but it seems that it does not work for everybody.

This is what we have configured: [screenshot of the DNS records]

phoet commented

@jhilden AFAIK you either have to setup CNAME flattening which is not supported by all DNS providers, or setup a redirect from the root to www.

phoet commented

heroku certs do not really cut it here...

i decided to handle everything through cloudflare instead.

if you want your domain to run with SSL support, please configure

dana.ns.cloudflare.com
will.ns.cloudflare.com

as your external DNS servers.

in case you already have a cloudflare setup, just CNAME your domain to onruby.herokuapp.com like

[screenshot of the Cloudflare CNAME record, 2019-02-01]

with Always Use HTTPS on and SSL in Full mode.
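The two DNS setups described in this thread (every hostname CNAMEd to `<hostname>.herokudns.com` for Heroku ACM, later every hostname CNAMEd to `onruby.herokuapp.com` behind Cloudflare) both fail in the same small ways: a `www` record pointing at the bare-domain target, a CNAME placed at the zone apex without CNAME flattening, a leftover static `A` record, or no record at all (the `curl: (6) Could not resolve host` case). The following is an added example, not code from the on_ruby project, that audits `dig +noall +answer` style output offline for exactly those mistakes. It assumes that answer format, treats any two-label name as the zone apex (a simplification that ignores ccSLDs such as `.co.uk`, none of which appear here), and the sample records are constructed for this example:

```python
# Added example (not code from the on_ruby project): an offline audit of the
# CNAME records discussed in this thread. It parses answer lines in the
# format printed by `dig +noall +answer` and checks each hostname against the
# target it should point at. All sample records below are constructed.
from typing import Callable, Dict, Iterable, Tuple

# Heroku Automated Certificate Management: every hostname, www included,
# points at <hostname>.herokudns.com (the thread's www.colognerb.de mistake
# pointed at colognerb.de.herokudns.com instead).
HEROKU_DNS_SUFFIX = ".herokudns.com"
# Cloudflare setup from later in the thread: everything CNAMEs to the app host.
CLOUDFLARE_ORIGIN = "onruby.herokuapp.com"

Result = Tuple[str, str]  # ("ok" | "fail", reason)


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot that dig prints."""
    return name.strip().rstrip(".").lower()


def is_apex(name: str) -> bool:
    """Simplification used by this example: a two-label name such as
    colognerb.de is the zone apex. Registries with ccSLDs (.co.uk) would
    need a public-suffix list; none appear in this thread."""
    return name.count(".") == 1


def heroku_target(name: str) -> str:
    """Expected CNAME target under Heroku ACM."""
    return name + HEROKU_DNS_SUFFIX


def cloudflare_target(name: str) -> str:
    """Expected CNAME target once the zone is proxied through Cloudflare."""
    return CLOUDFLARE_ORIGIN


def check_record(name: str, rtype: str, rdata: str,
                 target_for: Callable[[str], str] = heroku_target,
                 flattening: bool = False) -> Result:
    """Judge one record. `flattening` says the DNS provider can serve a
    CNAME-like record at the apex (Cloudflare CNAME flattening, ALIAS/ANAME)."""
    if rtype != "CNAME":
        return ("fail", f"{rtype} record found; Heroku needs a CNAME/ALIAS "
                        f"to {target_for(name)}")
    if is_apex(name) and not flattening:
        return ("fail", "CNAME at the zone apex is not valid DNS; use "
                        "CNAME flattening/ALIAS or redirect the apex to www")
    want = target_for(name)
    if normalise(rdata) != want:
        return ("fail", f"CNAME points at {normalise(rdata)}, expected {want}")
    return ("ok", f"CNAME points at {want}")


def audit(answer_lines: Iterable[str], expected_names: Iterable[str] = (),
          target_for: Callable[[str], str] = heroku_target,
          flattening: bool = False) -> Dict[str, Result]:
    """Audit `dig +noall +answer` style lines: `<name> <ttl> IN <type> <rdata>`.
    Names listed in `expected_names` but absent from the answers are reported
    as failing, which is the "Could not resolve host" case from the thread."""
    results: Dict[str, Result] = {}
    for line in answer_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN":
            results[normalise(parts[0])] = ("fail", f"unparseable answer: {line}")
            continue
        name, rtype, rdata = normalise(parts[0]), parts[3].upper(), parts[4]
        results[name] = check_record(name, rtype, rdata, target_for, flattening)
    for name in expected_names:
        results.setdefault(normalise(name), ("fail", "no record in DNS at all"))
    return results


# Constructed sample answers mirroring the situations in this thread.
SAMPLE_ANSWERS = [
    "www.colognerb.de.   300 IN CNAME colognerb.de.herokudns.com.",    # wrong target
    "www.onruby.eu.      300 IN CNAME www.onruby.eu.herokudns.com.",   # correct
    "colognerb.de.       300 IN CNAME colognerb.de.herokudns.com.",    # CNAME at apex
    "onruby.de.          300 IN A     192.0.2.10",                     # static A record
]
SAMPLE_QUERIED = ["www.colognerb.de", "www.onruby.eu", "colognerb.de",
                  "onruby.de", "www.rugsaar.de"]  # last one has no answer


if __name__ == "__main__":
    for host, (status, why) in sorted(audit(SAMPLE_ANSWERS, SAMPLE_QUERIED).items()):
        print(f"{host:20} {status:5} {why}")
```

Feed it real answers with `dig +noall +answer www.colognerb.de CNAME` and pass `target_for=cloudflare_target` once a zone has moved to the Cloudflare nameservers; `flattening=True` only makes sense for providers that actually flatten apex CNAMEs, otherwise the apex needs the redirect-to-www approach mentioned above.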

phoet commented

cloudflare is ready to go, we just need the domainserver to be properly configured like so #360 (comment)