Well, it has been many moons since the last blog post, but I figured this one was worth writing about since it caused me much heart burn. If I can help save someone else time and heart burn, it is worth the writing. Anwyay, I am just going to go through some quick steps on adding or updating your Heroku SSL Endpoint after the very popular Heartbleed vulnerability was discovered. My night started out in a bit of a panic after reading more about the Heartbleed issues, then ended up in pure frustration and a bit of insanity. Heroku as many others had suggested that re-keying and issuing your certificates was a strong way to mitigate the vulnerabilities in Heartbleed. I began to regenerate the key and csr files as usual.
Here's the command to generate your new private key.
openssl genrsa -des3 -out server.pass.key 2048
Just set a simple password that can be used again in the following steps.
openssl rsa -in server.pass.key -out server.key
Now you should have your private key "server.key", it's now time to generate your CSR. What is a CSR? It is a certtificate signing request, that you submit to your SSL provider, like Godaddy, DNSimple or RapidSSL. To generate your CSR run the following:
openssl req -nodes -new -key server.key -out server.csr
You will be asked a series of questions, make sure that your Common Domain/Organization & Country Code matches exactly what you have used during the purchase of your SSL certificate. Now you should have a CSR, just submit it during the re-issuing process for your provider. Typically they will send you an email after the CSR was accepted and approved. Take your downloaded certificate and intermediate files. In Godaddy's case, they supply a gd_intermediate file.
Now that you have all your files, you will want to use the Heroku Toolbelt to add or update the certificates.
If you are updating your certificate, this will not change the Heroku SSL endpoint.
certs:update server.crt gd_bundle-g2-g1.crt server.key
If you are adding a certificate, you will see you newly generated SSL endpoint.
certs:add server.crt gd_bundle-g2-g1.crt server.key
Now here is the part of the trouble I had. I had done these steps, did some testing and things looked good. Then we had gotten a call with someone having SSL errors, but it was weird, because we hadn't heard anything from anyone else. The SSL warning's we're due to the certificate not being trusted by root user. For some reason, this only effected a very very small percentage of users. We had to have this fixed ASAP. The next steps I took, was a maze of different combinations of comibining files, signing in different orders, and even getting an additional certificate from another company. No luck, the issue persisted, luckily I was able to find one computer and a browser that could constatnly reproduce the problem, it just happened to be a virtual machine running Ubuntu and Firefox. After hours of scratching my head and pulling my hair out, I tried something that is mentioned in the Heroku documentation called --bypass. The bypass switch will ensure that the certificates are unaltered in the Heroku installation process. I had seen it over and over again as I read the documentation, but never thought it would make a difference. It certainly does make a world of a difference.
For updating with bypass
certs:update server.crt gd_bundle-g2-g1.crt server.key --bypass
For adding
certs:add server.crt gd_bundle-g2-g1.crt server.key --bypass
You should see your status of the installation for the SSL certificate from here. Just sit back and relax now, because your SSL certificate should be properly installed. Why Heroku messes with the certificates that you upload is beyond me, but it is great they have a bypass option.