- You must have a Heroku app deployed on the Hobby tier. This is NOT the free tier and costs ~7/month.
- I'm assuming you have Homebrew installed. It will be needed to install the Certbot client.
- I'm also assuming you have the Heroku CLI tools installed.
First up, run this to install the Certbot client:
brew install certbot
Start the Certbot script in manual mode:
sudo certbot certonly --manual
Enter the URL(s) you want to create certificates for.
--------- STOP! READ THIS!----------
You need to complete a route validation (explained below) before continuing, or else the script will fail and you'll need to start over.
The next step is to create a route for verification. You need to verify you're the owner of the server to get a certificate. The Certbot script will provide you with a unique id that you will need to send in response to a request on the route '/.well-known/acme-challenge/:id', where :id is a random string Certbot will send.
You can see in the route below that I'm responding with whatever is sent in the URL request (:id) combined with my unique id provided by Certbot.
I'm using Node.js, so I created a route like this:
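app.get('/.well-known/acme-challenge/:id', function(req, res, next) {
  // Reply with "<requested id>.<your Certbot id>" as plain text so the echoed
  // URL segment is never rendered as HTML by a browser.
  res.type('text/plain').send(req.params.id + '.' + YOUR_PROVIDED_CERTBOT_ID);
});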
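A stricter variant of the route above, added here as an example and not code from the original post: it only echoes an :id that looks like an ACME token and always answers as plain text, so the route cannot be used to reflect arbitrary input. The function names, the CERTBOT_ID environment variable and the 22-128 length bound are assumptions of this example.

```javascript
// Added example, not from the original post. Works as an Express route handler:
//   app.get('/.well-known/acme-challenge/:id', acmeChallengeHandler(process.env.CERTBOT_ID));
// CERTBOT_ID is a hypothetical environment variable holding the id Certbot printed.

// ACME tokens use only the base64url alphabet (RFC 8555, section 8.3).
// The 22-128 length bound is an assumption of this example.
const TOKEN_RE = /^[A-Za-z0-9_-]{22,128}$/;

// Returns the challenge body, or null when the token must not be echoed.
function challengeBody(token, certbotId) {
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) return null;
  if (typeof certbotId !== 'string' || certbotId.length === 0) return null;
  return token + '.' + certbotId;
}

function acmeChallengeHandler(certbotId) {
  return function (req, res) {
    const body = challengeBody(req.params.id, certbotId);
    // Plain text plus nosniff: the response echoes part of the URL, so it
    // must never be interpreted as HTML by a browser.
    res.set('X-Content-Type-Options', 'nosniff');
    res.type('text/plain');
    if (body === null) {
      res.status(404).send('not found');
      return;
    }
    res.status(200).send(body);
  };
}

// Constructed sample values, for a quick offline check without Express.
function demo() {
  const id = 'EXAMPLE_CERTBOT_ID';
  const calls = [];
  const res = {
    set: (k, v) => { calls.push(['set', k, v]); return res; },
    type: (t) => { calls.push(['type', t]); return res; },
    status: (s) => { calls.push(['status', s]); return res; },
    send: (b) => { calls.push(['send', b]); return res; },
  };
  acmeChallengeHandler(id)({ params: { id: '<b>not-a-token</b>' } }, res);
  acmeChallengeHandler(id)({ params: { id: 'A'.repeat(43) } }, res);
  return calls;
}
console.log(demo());
```

Once the certificate has been issued the route is no longer needed and can be removed from the app.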
After you've created the route successfully, test it and deploy to Heroku.
Once you've deployed to Heroku and the build has completed successfully, come back to the terminal window and press enter to continue the Certbot script. You should see a success message.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/YOUR_URL_HERE.COM/fullchain.pem. Your cert will
expire on 2017-05-11. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
Now you have the certs, SWEET!
Next, you'll need to deploy them to Heroku.
Heroku has recently changed their policy on SSL support. Below is a quote from their site.
"Heroku SSL is included for free on any app that uses paid dynos: Hobby, Standard-1X, Standard-2X, Performance-M and Performance-L. This service uses Server Name Indication (SNI), an extension of the TLS protocol, which allows for Heroku to terminate SSL on its router."
heroku certs:add --app <YOUR_HEROKU_APP_NAME_HERE> /etc/letsencrypt/live/inchworm.io/fullchain.pem /etc/letsencrypt/live/inchworm.io/privkey.pem
After you enter this command using the Heroku toolbelt, Heroku will prompt you to change your DNS records with the new nameservers they provide.
Once you change those records, you're done!
If you're having any problems, check out the Heroku docs here.
Just a heads up for anyone that lands here trying to add an SSL cert to their Heroku app using the free dyno tier, it does not work. Heroku have restricted uploading your SSL cert to only paid dynos. Very disappointing.