We needed to renew and update our certificate for www.codesy.io, and I’ve been wanting to use Let’s Encrypt for a while. I had read and tried some other guides for using Let’s Encrypt on Heroku, but none of them cover DNS domain validation. The steps are roughly:
- Install certbot
- Use certbot to generate a manual cert
- Deploy a TXT record to your DNS
- Upload signed certificate to Heroku
- Update your DNS Target
Install certbot
First, you’ll need certbot:
brew install certbot
Note: The certbot site contains install instructions for other systems.
Use certbot to generate a manual cert
With certbot you will need to generate a cert to manually install to the Heroku server, and specify DNS as your preferred challenge:
sudo certbot certonly --manual --preferred-challenges dns
Note: certbot needs sudo to put the resulting files into /etc/
certbot will ask you the domain for which you want a certificate …
… and if you’re OK with your IP being logged as having requested the certificate …
… and will finally tell you what DNS TXT record to deploy:
Please deploy a DNS TXT record under the name
_acme-challenge.www.codesy.io with the following value:
CxYdvM...5WvXR0
Once this is deployed,
Press ENTER to continue
Note: Don’t press ENTER until you have deployed your TXT record
Deploy a TXT record to your DNS
Your domain registrar likely has its own docs for adding a TXT record. Here are some links to a few:
- GoDaddy
- Hover
- Google Domains (docs by Microsoft!)
- Amazon Route 53 (See Basic Resource Record Sets)
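Two things are worth understanding before you press ENTER: where the TXT value certbot prints comes from, and how to confirm the record is actually being served. The following is an added example written for this post (it is not certbot’s code and not part of the original article). It derives the DNS-01 record value the way RFC 8555 specifies (SHA-256 of the key authorization, base64url-encoded, with the account key thumbprint computed per RFC 7638) and then checks resolver output for that value. The token and the account-key JWK are constructed placeholders, not real key material or a real challenge, and the resolver output is simulated `dig +short TXT` text rather than a live query, so the script runs offline.

```python
import base64
import hashlib
import json
import re
from typing import List


def b64url(data: bytes) -> str:
    # ACME uses base64url with the '=' padding stripped (RFC 8555 section 8).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the canonical JSON of the key's required members,
    # keys sorted lexicographically, no whitespace.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    # RFC 8555 section 8.4: the TXT record holds base64url(SHA-256(key authorization)),
    # where key authorization = token + "." + thumbprint(account key).
    # This is the value certbot prints for _acme-challenge.<domain>.
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_values(dig_short_output: str) -> List[str]:
    # Parse the output of `dig +short TXT _acme-challenge.<domain>`. Each answer
    # is one line of quoted strings; a long record may be split into several
    # quoted chunks that have to be concatenated back together.
    values = []
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values


def txt_record_deployed(dig_short_output: str, expected: str) -> bool:
    # True only when the exact expected value is among the published answers.
    # A stale record from a previous issuance, or no answer at all, returns False.
    return expected in txt_values(dig_short_output)


# --- Constructed sample input: placeholder token and JWK, not a real key or challenge ---
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-placeholder-modulus-not-a-real-key",
}


def expected_record_for_sample() -> str:
    return dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)


if __name__ == "__main__":
    value = expected_record_for_sample()
    print(f"Publish TXT _acme-challenge.www.codesy.io = {value}")
    # Simulated resolver output: the new record has propagated.
    deployed = f'"{value}"\n'
    print("deployed:", txt_record_deployed(deployed, value))
    # Simulated resolver output: an old challenge value is still being served.
    stale = '"OLD-VALUE-FROM-LAST-RENEWAL"\n'
    print("stale:", txt_record_deployed(stale, value))
```

In practice you would feed `txt_record_deployed` the real output of `dig +short TXT _acme-challenge.www.codesy.io @8.8.8.8` (or your registrar’s authoritative nameserver) and only press ENTER once it returns True; Let’s Encrypt validates from its own vantage point, so an answer cached on your laptop is not proof the record is live. Since `--manual` certificates are not renewed automatically and Let’s Encrypt certificates are valid for 90 days, this same check gets reused every time you repeat the procedure.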
Upload signed certificate to Heroku
Go back to certbot and press ENTER. It will create signed certificate files in your /etc/letsencrypt directory.
SSL is now included on all paid dynos on Heroku. The $7/mo. for a hobby dyno is still cheaper than $20/mo. for the old SSL Endpoint add-on. So, to change to a hobby dyno, go to your app’s Resources panel and click “Change…”
Then, use heroku certs:add to add your Let’s Encrypt fullchain and privkey files.
sudo heroku certs:add --type=sni /etc/letsencrypt/live/www.codesy.io/fullchain.pem /etc/letsencrypt/live/www.codesy.io/privkey.pem
Note: Again, heroku needs sudo to access files in /etc/
You can also copy+paste your certificates’ contents in your app’s settings dashboard - under “Domains and certificates”, click “Configure SSL”.
Update your DNS Target
Finally, update your DNS CNAME record for your domain to point to the certificate-domain.herokudns.com. In our case, it was www.codesy.io.herokudns.com