How can I use a LetsEncrypt SSL cert in my Heroku Node Express app?
Update:
Heroku now supports LetsEncrypt natively! So this workaround is no longer needed.
Instructions here:
https://devcenter.heroku.com/articles/automated-certificate-management
For new apps, you don't have to do anything, it's turned on by default.For apps created before March 21 2017, you can turn it on with this Heroku cli command:heroku certs:auto:enable
Thanks @Spain Train
Background
Ideally, LetsEncrypt allows for an automated certificate renewal process. That's harder to do on Heroku, so this answer describes how to use a manual process. Using a Heroku environment var, you'll be able to update your certs manually fairly easily going forward - no code changes.
Credit for this answer goes largely to two nice blog posts:https://medium.com/@franxyzxyz/setting-up-free-https-with-heroku-ssl-and-lets-encrypt-80cf6eac108e#.67pjxutaw
and
https://medium.com/should-designers-code/how-to-set-up-ssl-with-lets-encrypt-on-heroku-for-free-266c185630db#.ldr9wrg2j
There's a GitHub project which apparently supports automated certs updates on Heroku. I'll update this answer when I've tried it out:
https://github.com/dmathieu/sabayon
Using LetsEncrypt on Heroku with a Node Express app
Get the Express server ready:
Add this middleware to your Express app. Be sure to add it BEFORE any middleware that redirects http to https, because this endpoint must be http.
// Read the Certbot response from an environment variable; we'll set this later:const letsEncryptReponse = process.env.CERTBOT_RESPONSE;// Return the Let's Encrypt certbot response:app.get('/.well-known/acme-challenge/:content', function(req, res) { res.send(letsEncryptReponse);});Create the certificate files using certbot:
- Start certbot:
sudo certbot certonly --manual
Enter the site url when prompted (www.example.com)
certbot will display a Challenge Response string in the format
xxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyy
LEAVE CERTBOT WAITING IN THIS STATE. Do not press enter yet or exit. - Go to the Heroku dashboard and view app settings:
https://dashboard.heroku.com/apps/your-heroku-app-name/settings
Under Config Variables, click 'Reveal Config Vars'
Edit the CERTBOT_RESPONSE var's value to match the Challenge Response from step a. - Wait for the heroku app to restart.
- Test the setting by visitinghttp://www.example.com/.well-known/acme-challenge/whatever
NOTE THE HTTP, NOT HTTPS
It should display the Challenge Response string. If this happens, go on to the next step. If not, do whatever it takes to get that URL to return the CR string before proceeding, or you will need to repeat this entire process. - Return to Certbot and press Enter to continue.
If all goes as planned, certbot will tell you everything worked and display the location of the created certs. You'll use this location in the next step. Note that you might not be able to inspect the contents of the folder due to os permissions. If in doubt,sudo ls /etc/letsencrypt/live/www.example.comto see if the files exist.
Update the Heroku instance to use the new certs:
Run heroku certs:add if your site doesn't have a cert. If updating, run heroku certs:update.sudo heroku certs:update --app your-heroku-app-name /etc/letsencrypt/live/www.example.com/fullchain.pem /etc/letsencrypt/live/www.example.com/privkey.pem
You can also validate your domain ownership to Let's Encrypt with DNS instead of HTTP.
With certbot, specify DNS as your preferred challenge:
sudo certbot certonly --manual --preferred-challenges dnsAfter a couple of prompts, certbot will tell you to deply a DNS TXT record to validate your domain:
Please deploy a DNS TXT record under the name_acme-challenge.www.codesy.io with the following value:CxYdvM...5WvXR0Once this is deployed,Press ENTER to continueYour domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.