42
votes

Is it possible to have many SSL certificates in the single Heroku Application ?

We have multiple domain names of different types and TLD's pointing to our application and need to secure each domain name. Preferably without redirecting to a different secure URL.

5
See answer here: stackoverflow.com/questions/13328586/…. Should work on the Heroku Cedar stack just fine. – schmielson
Unfortunately this didn't resolve our requirements. We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure. – Dallas Clark

5 Answers

93
votes

There is a way to have multiple SSL endpoints routing traffic to the same app.

An SSL endpoint works by terminating the SSL connection and injecting the unencrypted traffic back into the normal Heroku routing layer.

You can take advantage of this by creating a new app with a new SSL endpoint to terminate the SSL connection and route the traffic to your existing app:

  1. Add your domain name to your app:

    $ heroku domains:add ssl.example.com

  2. Create a new app:

    $ heroku create endpoint-for-example-com

  3. Add the SSL endpoint add-on ($20/mo):

    $ heroku addons:create ssl:endpoint --app endpoint-for-example-com

  4. Add your certificate to your new app:

    $ heroku certs:add server.crt bundle.pem server.key --app endpoint-for-example-com --type endpoint
    Resolving trust chain... done
    Adding SSL Endpoint to endpoint-for-example-com... done
    endpoint-for-example-com now served by kagawa-1482.herokussl.example.com

  5. Use the ssl endpoint assigned to your new app (e.g. kagawa-1482.herokussl.example.com) as the CNAME host for the domain name you wish to secure. This is normally done in your domain's DNS configuration.

The new app does not need any dynos, but there will be a charge of $20 / month for the SSL endpoint add-on.

Notes:

  • This solution is not documented by Heroku, so it's possible that they would remove or change this behaviour in the future. Heroku have confirmed that this is safe for production use.
  • Be sure to create your endpoints in the same region as your primary app.
  • It might take a while for your DNS changes to take effect.

6
votes

Recently, Heroku has added automatic Let's Encrypt TLS certificates for paid dynos (hobby and up). This will work across any number of domains and subdomains automatically. This method only works if you don't need wildcard subdomains.


Additionally, you can manage the LE certificate yourself across multiple domains and subdomains with certbot:

    certbot certonly --standalone -d example.com -d www.example.com -d test.net

You can refer to this Heroku doc for uploading custom certificates.

4
votes

While not exactly the same as the OP's question, I was able to achieve this on Heroku with a single SAN (Subject Alternative Name) certificate for about $25/year.

I generated a CSR with multiple subject alternative names (subjectAltName) on OS X by:

  1. Copying /System/Library/OpenSSL/openssl.cnf to the current directory, and amending the relevant sections ([req] and [v3_req]):

    [req]
    req_extensions = v3_req
    
    [v3_req]
    subjectAltName=DNS:www.example1.com,DNS:www.example2.com,DNS:www.example3.com
    
  2. Then I used this new .cnf when generating the CSR:

    openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config openssl.cnf
    
  3. I purchased the cert from SSLs.com. Their Comodo "PositiveSSL Multi-Domain" is $25.99/yr as of this writing and supports 3-100 domains (domains over 3 cost something like $12).

  4. I concatenated the CA bundle and .crt that I was sent into a single .crt (in that order) and added it to Heroku. All 3 domains were added to the app and pointed to the same CNAME, and all resolve over https:// as expected.

Much cheaper than $240/yr for an additional endpoint, if this is a viable route for anyone interested.

Relevant links:
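The SAN CSR procedure in the answer above, as an added example that is not part of the answer or of Heroku's or OpenSSL's documentation: a POSIX shell script that writes a self-contained `openssl.cnf` carrying a `[v3_req]` `subjectAltName` list, generates the key and CSR non-interactively, and then reads the SAN extension back out of the CSR with `openssl req -text` so every name can be confirmed before a certificate is bought. It assumes the `openssl` CLI is on `PATH`; the domain names, file names and the function names (`write_san_config`, `make_csr`, `csr_sans`, `csr_has_sans`) are constructed for this example.

```shell
#!/bin/sh
# Added example (not the answer's own commands): build a multi-SAN CSR from a
# generated OpenSSL config and verify the SAN list the CSR actually carries.
# Assumes the openssl CLI is available; all names below are constructed samples.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

# Scratch directory for key, CSR and config (override with WORKDIR=...).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write a minimal config: [req] points at [v3_req], which holds the SANs.
# $1 = output path, remaining args = DNS names (first one doubles as the CN).
write_san_config() {
  out="$1"; shift
  sans=""
  for d in "$@"; do
    sans="${sans:+$sans,}DNS:$d"   # join as DNS:a,DNS:b,DNS:c
  done
  cat > "$out" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = $1

[v3_req]
subjectAltName = $sans
EOF
}

# Generate an unencrypted 2048-bit RSA key and a CSR using that config.
# Args = DNS names to include.
make_csr() {
  cfg="$WORKDIR/openssl.cnf"
  write_san_config "$cfg" "$@"
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
    -config "$cfg" 2>/dev/null
}

# Print the SAN entries parsed back from the CSR, comma-separated, no spaces.
csr_sans() {
  openssl req -in "$WORKDIR/server.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Return 0 only if every requested name is present in the CSR's SAN extension.
# Delimiting with commas prevents "example1.co" from matching "example1.com".
csr_has_sans() {
  got=",$(csr_sans),"
  for d in "$@"; do
    case "$got" in
      *",DNS:$d,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Usage: build a CSR for three constructed names and show the SANs it carries.
make_csr www.example1.com www.example2.com www.example3.com
csr_sans
```

The check in `csr_has_sans` is the part worth keeping around: a CSR that silently lost its `req_extensions` line (a common slip when copying `openssl.cnf`) still generates without error, and a CA will happily issue a single-name certificate from it.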

-2
votes

I'm dealing with this myself. Heroku suggests getting a SAN/UCC certificate, which lets you list several domains. Just did it with GoDaddy and it's working fine so far.

https://devcenter.heroku.com/articles/ssl-endpoint#serving-multiple-domains

-4
votes

We have multiple domain names belonging to multiple companies. A SAN/UCC certificate is only available for domain names owned by the same entity/company/individual. We created an iFrame in the background as a quick-fix but we have since moved our platform to our own infrastructure.