Please use Heroku Automated Certificate Management instead
Heroku plugin which makes it easy to maintain an SNI SSL endpoint with a certificate obtained via LetsEncrypt. Integrate it into your CI to get auto-renewal.
$ heroku plugins:install letsencrypt-heroku-plugin
- Make sure REDIS_URL is set in your Heroku app:
$ heroku addons:create heroku-redis
- Within your app, implement ACME challenge:
TODO: move this to a gem, create examples for Rack / Express / Koa
# routes.rb - assuming you're on Rails
Rails.application.routes.draw do
get '/.well-known/acme-challenge/*key' => proc { |env| [200, {}, [Redis.new(url: ENV["REDIS_URL"]).get(env['PATH_INFO']) || ""]] }
end
- Run the plugin on your local machine:
$ heroku letsencrypt:run
To get auto-renewal, run this plugin on daily basis from your CI (e.g. via Semaphore scheduled builds)
-
Authorize your CI to access your Heroku app by setting
HEROKU_API_KEY
environment variable to your API key from your Heroku account page. -
Configure app name by setting
HEROKU_APP
environment variable or using-a
CLI option
By default, the plugin will only issue a new certificate if the current certificate expires
in 7 days or less. You can tune this behavior by setting EXPIRATION_THRESHOLD
to a different number of days.
You can force certificate re-creation using --force
CLI option.
NOTE: There is a rate limit on the API (~5 certificates per week).
Set LETSENCRYPT_SERVER
environment variable to staging
when experimenting to overcome this limitation.
Remember: staging certificates are not generally trusted and should be only used for experiments.
Set HEROKU_DEBUG
and/or LETSENCRYPT_DEBUG
env variables to 1
to see Heroku API logs and ACME details.
You might need to reset certbot cache in case you experimented with staging LetsEncrypt server first
and then switched to production LetsEncrypt server. On MacOS, just delete ~/letsencrypt
folder.
- linting
- (?) ES6 modules
- le-store-in-memory to avoid caching issues and rm -rf ~/letsencrypt
- multiple domains per app
- wildcard domains
- checking whether domains list changed / matches current alt names on the certificate
- packaged server implementations (Rails / Rack / Express / Koa / ....)
- validating DNS setup (CNAME checks / interactive guide)
- CI setup
- Vladimir Yartsev
- Alex Netrebsky
Thanks to https://github.com/gboudreau for inspiration.