18. Simple steps to making your site secure with SSL and Heroku

We already deployed our RoR app to Heroku in this post.

Let’s set up SSL with Heroku and our Rails application.

I’ve actually wasted several hours sorting out SSL manually, going and buying a new certificate, verifying the domain, etc., and when I got to the last step, I realized Heroku can do this out of the box for you for free (provided you’re on at least a Hobby dyno)!

So perhaps this will save someone some time. Note that these instructions apply only if you’re using Heroku.

If you go to the Heroku guide on setting up SSL, you will see what we’re going to be doing here.

The first step is to execute this command:

heroku certs:auto:enable

This is almost it!

You may get an error, like I did, for having a wildcard in the domain name.

You can verify using

heroku domains

which will show that I originally set up the domain with a wildcard like this: *.yazii.co.uk

I then execute

 heroku domains:remove "*.yazii.co.uk"
 heroku domains:add www.yazii.co.uk

Then you can execute the command to generate the SSL certificate again:

heroku certs:auto:enable

You can then check the progress:

heroku certs:auto
 === Automatic Certificate Management is enabled on yazii
 

 Domain           Status   Reason                                     Last Updated
 ───────────────  ───────  ─────────────────────────────────────────  ──────────────────
 www.yazii.co.uk  Failing  Unable to resolve DNS for www.yazii.co.uk  less than a minute 

The reason this is failing is that I added a new domain, which has a different URL to the previous one. So I just need to go to GoDaddy domain management and modify it there.

First, get the DNS target with heroku domains.

Then insert it with your domain management tool; here’s an example with GoDaddy.

After a short while, execute the command to check again:

 heroku certs:auto
 === Automatic Certificate Management is enabled on yazii
 

 Certificate details:
 Common Name(s): www.yazii.co.uk 

And things should now be working as expected!

Finally, you’ll need to make your app use SSL; in Rails it’s very easy.

Find the production.rb configuration file and enable force_ssl:

  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  config.force_ssl = true

Commit and push that to your server.

Now if you visit your website (in my case yazii.co.uk), you will find that it is shown as secure!
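To confirm that force_ssl is doing what its comment promises (HTTPS redirect, Strict-Transport-Security, secure cookies), here is an added Ruby check; it is not code from the original post or from Heroku or Rails. The host www.example.test, the cookie name and the sample responses are constructed for illustration.

```ruby
require "net/http"
require "uri"

REDIRECT_CODES = [301, 302, 307, 308].freeze

# True when a plain-HTTP response redirects to HTTPS on exactly the expected host.
def https_redirect_to?(resp, host)
  return false unless REDIRECT_CODES.include?(resp[:status])
  target = URI(resp[:headers].fetch("location", []).first.to_s)
  target.scheme == "https" && target.host == host
rescue URI::InvalidURIError
  false
end

# Checks the three effects named in the force_ssl comment: HTTPS redirect,
# Strict-Transport-Security, and secure cookies. Returns a list of problems.
# Responses are { status: Integer, headers: { "lowercase-name" => [values] } }.
def force_ssl_problems(http_resp, https_resp, host)
  problems = []
  problems << "plain HTTP is not redirected to https://#{host}" unless https_redirect_to?(http_resp, host)
  hsts = https_resp[:headers].fetch("strict-transport-security", []).first.to_s
  problems << "HSTS header missing or max-age is 0" if hsts[/max-age=(\d+)/i, 1].to_i.zero?
  https_resp[:headers].fetch("set-cookie", []).each do |cookie|
    name = cookie.split("=", 2).first
    attrs = cookie.split(";").drop(1).map { |a| a.strip.downcase }
    problems << "cookie #{name} lacks the Secure attribute" unless attrs.include?("secure")
  end
  problems
end

# Fetches one URL without following redirects, in the shape used above.
def fetch(url)
  uri = URI(url)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.get("/") }
  { status: res.code.to_i, headers: res.to_hash }
end

# Constructed sample responses for a hypothetical host (not captured from a real site).
HOST = "www.example.test"
GOOD_HTTP  = { status: 301, headers: { "location" => ["https://www.example.test/"] } }.freeze
GOOD_HTTPS = { status: 200, headers: {
  "strict-transport-security" => ["max-age=63072000; includeSubDomains"],
  "set-cookie" => ["_app_session=abc123; path=/; secure; HttpOnly"] } }.freeze
BAD_HTTP   = { status: 200, headers: {} }.freeze
BAD_HTTPS  = { status: 200, headers: { "set-cookie" => ["_app_session=abc123; path=/; HttpOnly"] } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "good: #{force_ssl_problems(GOOD_HTTP, GOOD_HTTPS, HOST).inspect}"
  puts "bad:  #{force_ssl_problems(BAD_HTTP, BAD_HTTPS, HOST).inspect}"
end
```

To check your own deployment, pass the results of fetch for the http:// and https:// URLs of your domain to force_ssl_problems instead of the sample constants.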

And this was way easier than some of the manual methods involved. Kudos to Heroku for automating it.