@mculp
Last active March 11, 2017 13:56
Heroku, DNSimple, and very rare SSL trust issues

Background story

Perhaps 1 out of 100 visitors to Connect for a Cause were getting an 'untrusted certificate' error, where if you clicked the Technical Details button, it said the error code was sec_error_unknown_issuer.

Usually, if your certificate isn't trusted, it isn't trusted. You usually don't get 99% of your traffic through without any warning. I kept telling people that I thought their browser may have cached something from an earlier time when we (read: they) had a legitimate issue with the certificate. Then, I was playing around on my Linux box, and I hit the site, and boom -- This Connection is Untrusted.

So, right when I took over at Connect, I bought a wildcard cert from DNSimple and followed the Heroku SSL Endpoint Documentation to add the certificate and key I was given through the DNSimple web application to my heroku domains. Easy enough, and things were working for me and everyone else I know.

Then I'd get a complaint about an SSL trust issue -- "nah man, your shit's just 301 perma-cached from when we (read: they) had the screwed up cert. Try another browser." Funny thing is, it would go away for most people after refreshes, and it'd work in their other browsers, so I was convinced there wasn't an actual issue. Then I saw it for myself.

Credit @bhelx for this third-party certificate checking link that convinced me something was wrong.

How to fix it

  1. Whenever you buy a wildcard certificate from DNSimple, you will receive a zip file containing a few Comodo intermediary certificates that have to be concatenated in a certain order. Locate this zip file, and extract it all to a new directory inside your heroku app. I called mine APP_ROOT/certs. That'll work.

  2. Grab your private key from the DNSimple web app. Save it as a .key file in the directory you created in step 1.

  3. Heroku released a library that helps with the concatenation of the intermediary certificates. Install it to your heroku toolbelt with heroku plugins:install https://github.com/heroku/heroku-ssl-doctor.git

  4. Go to your heroku app and run heroku certs:update certs/* -- if for some reason, you come across this gist and you've never installed the certs before, you'd probably need to run heroku certs:add certs/* instead.

  5. Now you can delete your certs directory or whatever. You probably don't want to check that into source control.
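An added example, not part of this gist and not the heroku-ssl-doctor plugin: a small POSIX shell script that does the concatenation step by hand (leaf first, then the intermediates, starting with the one that signed the leaf), guards against the two classic mistakes (a private key pasted into the bundle, and a missing trailing newline that glues two PEM blocks together and silently drops a certificate), and then asks the live endpoint what chain it really serves. OpenSSL builds the path only from what the server sent, which is exactly what a browser without a cached intermediate does, so this reproduces the 1-in-100 failure on demand instead of waiting for a complaint. The file names under certs/ are placeholders for whatever is in your DNSimple zip.

```shell
#!/bin/sh
# Added example, not from the gist or from heroku-ssl-doctor.
# Builds the bundle Heroku expects (leaf, then each intermediate, the one
# that signed the leaf first) and shows what a client with no cached
# intermediates actually receives from the endpoint.
# File names under certs/ are placeholders for the ones in your DNSimple zip.
set -eu

# build_bundle OUT LEAF INTERMEDIATE...
# Concatenates PEM certificates in the order given. Refuses private keys
# and non-PEM input, and makes sure every file ends with a newline so the
# next BEGIN line is not glued onto the previous END line (a glued pair
# makes the parser skip that certificate, and the chain is short again).
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    if grep -q 'PRIVATE KEY' "$f"; then
      echo "refusing to bundle a private key: $f" >&2
      return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$f"; then
      echo "not a PEM certificate: $f" >&2
      return 1
    fi
    cat "$f" >> "$out"
    if [ -n "$(tail -c 1 "$f")" ]; then
      printf '\n' >> "$out"
    fi
  done
}

# cert_count BUNDLE
# Number of certificates in a bundle. For a wildcard cert from a commercial
# CA, a count of 1 means the intermediates are missing: that is the setup
# that works in browsers which already cached the intermediate and fails
# with sec_error_unknown_issuer in the ones that did not.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# check_served_chain HOST
# Connects with SNI and prints the chain the server sent plus OpenSSL's
# verdict. "Verify return code: 0 (ok)" with more than one "s:" line is the
# good case; "unable to get local issuer certificate" is the gist's symptom.
check_served_chain() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|Verify return code'
}

# Usage: sh chain_check.sh --build            (writes certs/bundle.pem)
#        sh chain_check.sh --check example.com
case "${1:-}" in
  --build)
    # placeholder file names; the order is leaf, then intermediates
    build_bundle certs/bundle.pem certs/www_example_com.crt \
      certs/intermediate_1.crt certs/intermediate_2.crt
    echo "bundle has $(cert_count certs/bundle.pem) certificates"
    ;;
  --check)
    check_served_chain "${2:?host required}"
    ;;
esac
```

Run the --check form once against the site before and once after step 4: before the fix the chain listing shows only the leaf (one "s:" line) and a non-zero verify code; after it, the intermediates appear in order and the verify code is 0.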

That's it!

Go back to the third-party cert checker and see if you're good to go. I was!

Credits

  • @bhelx for being smart
  • Starving Developer for having this same problem, but apparently the ssl doctor script didn't work for him either. Check out this link if the heroku script doesn't work for you. :P