I’m using AppHarbor to host an ASP.NET site I built a few years ago. This year I started charging for it, so I needed SSL on my domain. Of all the hosts I’ve used for .NET (shared, private, Amazon, Azure, self-hosting) AppHarbor is my favorite but there’s one MASSIVE problem… they don’t do SSL.
OK, I should clarify. They do offer SNI SSL, piggyback SSL, and IP based SSL – but none of these are decent options for a checkout page. They make your website look shady or inept and wind up confusing the user for no reason.
It’s worth mentioning that I’m using Stripe for credit card processing. Having worked with PayPal, I can tell you that Stripe is absurdly easy to setup. Technically I think you don’t even need SSL on your site since you never handle the credit card data, but Stripe rightfully recommends SSL in case you mess up. It also gives your user confidence in the security of their information.
Heroku, SSL Certificates, and GoDaddy
Someone gave me a good tip – use Heroku to host
secure.mysite.com and do all your credit card stuff there. This ended up being super easy, but there were a few gotchas that came from having a GoDaddy host.
The Real Docs
Here are the docs I used to figure everything out:
Step 1/8) Create Your Heroku App
I’m assuming you’ve done this. If not, create a heroku app and make sure it’s working right.
Step 2/8) Prepare Your App For SSL
If you haven’t already, tell your Heroku app that it should respond to your custom domain:
heroku domains:add secure.mysite.com
Also, add SSL support to your app ($20/month):
heroku addons:add ssl
Step 3/8) Create Your Certificate Signing Request
In short, do everything Heroku says here
I created a directory in my rails app called ‘certs’ and did everything there.
Step 4/8) Buy Your Certificate on GoDaddy
If you go straight to GoDaddy and buy a certificate, it’s $70. If you search google for “GoDaddy SSL Certificate” then you get a massive discount. Yesterday I got one for $12.
I guess it’s worth mentioning that you need to purchase your domain name.
Now, when you’re setting up your certificate in GoDaddy, it will ask you to paste in your CSR (Certificate Signing Request). You created this file in the last step and it’s called
server.csr. Open it and copy/past the text, which should look similar to this:
-----BEGIN CERTIFICATE REQUEST----- MIIBnTCCAQYCAQAwXTELMAkGA1UEBhMCU0cxETAPBgNVBAoTCE0yQ3J5cHRvMRIw EAYDVQQDEwlsb2NhbGhvc3QxJzAlBgkqhkiG9w0BCQEWGGFkbWluQHNlcnZlci5l eGFtcGxlLmRvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAr1nYY1Qrll1r uB/FqlCRrr5nvupdIN+3wF7q915tvEQoc74bnu6b8IbbGRMhzdzmvQ4SzFfVEAuM MuTHeybPq5th7YDrTNizKKxOBnqE2KYuX9X22A1Kh49soJJFg6kPb9MUgiZBiMlv tb7K3CHfgw5WagWnLl8Lb+ccvKZZl+8CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB AHpoRp5YS55CZpy+wdigQEwjL/wSluvo+WjtpvP0YoBMJu4VMKeZi405R7o8oEwi PdlrrliKNknFmHKIaCKTLRcU59ScA6ADEIWUzqmUzP5Cs6jrSRo3NKfg1bd09D1K 9rsQkRc9Urv9mRBIsredGnYECNeRaK5R1yzpOowninXC -----END CERTIFICATE REQUEST-----
Now GoDaddy has to approve your certificate. Mine took about 2 minutes, but I’ve had some types of certificates take days.
Step 5/8) Download Your Certificate
Once GoDaddy approves your certificate, download it.
They’ll let you choose your type of server – choose “Apache”.
The zip will contain two files: gd_bundle.crt and secure.mysite.com.crt
Step 6/8) Combine the certificates
Here’s the part that the Heroku docs don’t explain. If you follow their instructions, you basically upload the certificate. Heroku will accept the certificate, but when you browse to the site your browser will show a warning that the certificate is not trusted.
So you basically need to combine the two .crt files using the following command. It is very important that gd_bundle.crt is listed last in your combine command:
cat secure.mysite.com.crt gd_bundle.crt > combined.crt
Step 7/8) Upload The Certificate To Heroku
Now you’ll basically finish following the Heroku instructions using your new ‘combined.crt’ certificate. The server.key file comes from step 3 and combined.crt comes from step 6.
heroku certs:add combined.crt server.key
Step 8/8) Updating Your CName
Here’s the other step that I had to discover. When you add a custom domain to Heroku (step 2) they tell you to create a CNAME record for your domain from “secure.mysite.com” to something like “myappname.heroku.com”. But for SSL, you’ll want something different like “tokyo-2121.herokussl.com”.
To figure out where your SSL CNAME should point, try this Heroku command:
Your *.herokussl.com url should be listed.
It takes a few minutes for everything to start working.