I'm trying to set up SSL Automated Certificate Management with Heroku. I have my domain with Gandi and am having troubles setting the DNS target.

How Heroku says it should be set up:

Domain Name       DNS Target

mydomain.com      mydomain.com.herokudns.com
www.mydomain.com  www.mydomain.com.herokudns.com

So ideally in Gandi I would have

Name   Type   Value

www    CNAME  www.mydomain.com.herokudns.com
@      CNAME  mydomain.com.herokudns.com

However, you cannot assign a root domain to a CNAME record, so the second line there wouldn't work.

Another way to do it could then be to use an A record

Name   Type   Value

www    CNAME  www.mydomain.com.herokudns.com
@      A      1.2.3.4 (IP Address of my site)

But again this doesn't work because the IP address of Heroku hosted sites can change. So I thought I found a work around, by forwarding mydomain.com to www.mydomain.com through Gandi's web forwarding. For my DNS Records I just have:

Name   Type   Value

www    CNAME  www.mydomain.com.herokudns.com

So now the website works, I can access it by going to www.mydomain.com or mydomain.com, but now my SSL certification isn't working!

My site still says "Your connection to this site is not secure"

When I check the status on Heroku I get:

Domain            Status
───────────────   ───────
www.mydomain.com  OK
mydomain.com      Failing

I basically just learned most of how DNS works today, so I could be doing this completely wrong.

Any help is appreciated!

4 Answers

2
votes

It's possible (and cheaper) to use the Heroku SSL certificate with Gandi... You just need to be sure to set up a subdomain every time. I believe naked subdomains or wildcards are not supported by Heroku automated certs because of the Let's Encrypt restrictions. As soon as the statuses are OK for all of your subdomains, don't forget to force_ssl in your app, so every HTTP request will be redirected to HTTPS. You can do it like this:

# config/environments/{staging,production}.rb
config.force_ssl = true

VERY IMPORTANT! Don't forget to remove or edit any unsecured links to external assets. Otherwise browsers will judge the page with those links as unsecured, as described in the Mozilla support page about mixed content.

Once all of this is done, you see the satisfying green lock on every page of your app :D.

0
votes

Ok, so apparently it is impossible to use Heroku's SSL certificate with Gandi, so I ended up going with Gandi's SSL certificate instead. If anyone needs a tutorial here's a great one by Le Wagon https://vimeo.com/209534466

0
votes

Just a follow-up to this question with my experience. I purchased a domain name from Gandi and use permanent web forwarding to forward the domain name to my Heroku application. I also added the custom domain (the one I bought) to the Heroku console.

Domain Name        DNS Record Type  DNS Target
─────────────────  ───────────────  ───────────────────────────────
xshogi.com.tw      ALIAS or ANAME   xshogi.com.tw.herokudns.com
www.xshogi.com.tw  CNAME            www.xshogi.com.tw.herokudns.com

I could not successfully adopt heroku ACM to configure my domain even though I had paid for hobby plan.

I followed the tutorial video that Johnnybib posted.

  1. create server.csr and server.key in the project with openssl req -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.csr
  2. go to purchase SSL certificate page in Gandi
  3. cat server.csr and paste it to Gandi console
  4. pay and wait for the authentication to be done, which finishes this bill
  5. download .crt and .pem certificate and concatenate them together into all.crt
  6. use heroku certs:add --app xshogi all.crt server.key

Also, remember to change CNAME www from webredir.vip.gandi.net. to xshogi.com.tw.herokudns.com.

With everything set up and after a short wait, I can curl https://www.xshogi.com.tw. I can also connect to https://www.xshogi.com.tw in the browser, and the URL does not change to https://xshogi.herokuapp.com.
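Steps 1 and 5 of the procedure above are where mistakes usually creep in (a key that does not match the CSR, or the chain concatenated CA-first), and Heroku only reports the problem after upload. The script below is an added example, not code from the answer or from Heroku/Gandi: it generates the key and CSR exactly as in step 1, checks that the CSR verifies and its public key matches the private key, and builds all.crt leaf-first while confirming the leaf actually validates against the chain file. The domain name and the temporary directory are assumptions; the Gandi purchase and the heroku certs:add upload are not simulated.

```shell
#!/bin/sh
# Added example (not the answer's or Heroku's code): sanity-check the CSR and
# certificate chain before running `heroku certs:add --app <app> all.crt server.key`.
set -e
WORK=$(mktemp -d)                    # assumption: scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT

make_csr() {
  # $1 = domain to put in the CN; same openssl invocation as step 1 of the answer.
  openssl req -nodes -newkey rsa:2048 -sha256 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=$1" 2>/dev/null
  # The CSR is self-signed with the new key; -verify fails if it is corrupt.
  openssl req -in "$WORK/server.csr" -noout -verify 2>/dev/null
}

key_matches_csr() {
  # Compare the SubjectPublicKeyInfo derived from the private key with the one
  # embedded in the CSR. A mismatch here means Heroku would reject the pair.
  from_key=$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)
  from_csr=$(openssl req -in "$WORK/server.csr" -pubkey -noout 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

build_chain() {
  # $1 = issued leaf certificate (.crt), $2 = intermediate/CA bundle (.pem).
  # Step 5 of the answer: leaf first, then the chain, into all.crt.
  cat "$1" "$2" > "$WORK/all.crt"
  # Fail if the leaf does not chain to the bundle we just appended.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

chain_leaf_cn() {
  # CN of the FIRST certificate in all.crt. If this prints the CA's name instead
  # of the domain, the files were concatenated in the wrong order.
  openssl x509 -in "$WORK/all.crt" -noout -subject -nameopt RFC2253 2>/dev/null \
    | sed 's/^.*CN=//'
}
```

Run `make_csr www.example.com && key_matches_csr` before paying for the certificate, and `build_chain server.crt gandi-bundle.pem && chain_leaf_cn` after downloading it.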

0
votes

You can actually use Heroku's SSL certs.
What you can do in Gandi is redirect to https://www.yoursite.com :) This assumes that you changed your DNS settings to the ones Heroku provided.