Heroku and SSL

I’ve recently had the joy of setting up SSL on Heroku for tonightish. It was fairly straightforward, or as straightforward as anything dealing with DNS and SSL can be. The one big problem I ran into was that installing just our cert into Heroku seemed to make browsers happy, but API traffic, specifically from Java clients, returned:

```
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
```

This was really confusing, since the browsers could see, and show me, the chain of trust. The explanation is that browsers paper over a server that omits its intermediate certificate: they fetch it from the URL in the site cert's Authority Information Access extension, or already have it cached from some other site that sent it. Java's default TLS client does neither; it trusts only the roots in its cacerts truststore, so unless the server itself sends the intermediate, the client cannot build a chain to a root and the handshake fails with the error above.

Then I found this blog post and remembered seeing **SSL certificate is self signed** at the end of the heroku certs:add output. You can also see this by running

```
heroku certs
```

after you've loaded your cert into Heroku, and noting that the fourth column, Trusted, says False:

```
Trusted
-------
False
```
But I also remembered the Heroku docs saying <a href="https://devcenter.heroku.com/articles/ssl-endpoint#common-problems">it was usually OK</a> and only a problem with "Mozilla browsers". But sure enough, following the steps in the post to cat your cert along with the rest of the cert chain into a single .crt file solved my problem.

So in case the above post disappears, here's the really important part from it:

What you need to do is bundle all the certificates into one file and give that to Heroku. Importantly, your site’s certificate must be the first one.

Here’s how I did that:

```
$ cat STAR_mydomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > STAR_mydomain_com_bundle.crt
```

Then, after updating Heroku with this new bundled cert, API traffic was happy:

```
heroku certs:update cert_bundle.crt mykey.key --app myapp
```

You'll notice **SSL certificate is verified by a root authority** in the last line of the output below instead of **SSL certificate is self signed**:

```
heroku certs:update fullCertChain.crt ../server_bare.key --app quiet-inlet-5383

Updating SSL Endpoint iwate-92.herokussl.com for quiet-inlet-43… done
Updated certificate details:
Common Name(s): tonightish.com
www.tonightish.com

Expires At: 2013-11-14 23:59 UTC
Issuer: /OU=Domain Control Validated/OU=EssentialSSL/CN=www.tonightish.com
Starts At: 2012-11-14 00:00 UTC
Subject: /OU=Domain Control Validated/OU=EssentialSSL/CN=www.tonightish.com
SSL certificate is verified by a root authority.
```
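The two things worth checking before uploading a bundle are the ones the post's fix depends on: the site certificate is first and each later certificate issued the one before it, and a client holding only the root can actually verify it. The script below is an added example, not code from the post or from Heroku. It builds a throwaway root, intermediate and site certificate with the openssl command-line tool (assumed to be on PATH; all names such as Example Root and www.example.test are made up for the demo), then runs those two checks over a bare site cert, a correct leaf-first bundle, a bundle without the root, and one in the wrong order.

```shell
# Added example, not code from the original post or from Heroku. It builds a
# throwaway root -> intermediate -> site-cert chain with openssl and checks
# candidate bundles the way a client with a root-only trust store (Java's
# stock cacerts, for one) sees them. All names here are made up for the demo.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Extensions: issuers must carry CA:TRUE or verification rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# newcert NAME CN EXTFILE [ISSUER]: make NAME.key/NAME.pem for CN, signed by
# ISSUER.key when given, otherwise self-signed.
newcert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -days 30 -sha256 -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}
newcert root  'Example Root' ca.ext
newcert inter 'Example Intermediate' ca.ext root
newcert leaf  'www.example.test' leaf.ext inter

# split_bundle BUNDLE DIR: write each certificate in BUNDLE, in file order, to
# DIR/cert1.pem, DIR/cert2.pem, ... and print how many there were.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    n > 0 { print > (out) }
    END { print n + 0 }' "$1"
}

# name_of subject|issuer CERT: that DN in RFC 2253 form, prefix stripped, so
# one certificate's issuer can be compared to the next one's subject.
name_of() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# chain_order_ok BUNDLE CN: true only if the first certificate is the site
# certificate for CN and every later one is the issuer of the one before it
# (site cert, then intermediate(s), then optionally the root): Heroku's order.
chain_order_ok() {
  dir="$(mktemp -d)"; n="$(split_bundle "$1" "$dir")"; ok=1
  if [ "$n" -lt 1 ]; then ok=0
  else case "$(name_of subject "$dir/cert1.pem")" in *"CN=$2"*) ;; *) ok=0 ;; esac
  fi
  i=1
  while [ "$ok" -eq 1 ] && [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    [ "$(name_of issuer "$dir/cert$i.pem")" = "$(name_of subject "$dir/cert$j.pem")" ] || ok=0
    i=$j
  done
  rm -rf "$dir"; [ "$ok" -eq 1 ]
}

# first_cert_verifies BUNDLE: verify the first certificate in BUNDLE with a
# trust store holding only the root and the rest of the bundle offered as
# untrusted intermediates. A bare site cert fails here the same way the Java
# client in the post did; browsers hide the gap by fetching or caching the
# intermediate themselves. Success is detected from openssl's ": OK" line.
first_cert_verifies() {
  dir="$(mktemp -d)"
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > "$dir/first.pem"
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n > 1' "$1" > "$dir/rest.pem"
  if [ -s "$dir/rest.pem" ]; then set -- -untrusted "$dir/rest.pem"; else set --; fi
  case "$(openssl verify -CAfile root.pem "$@" "$dir/first.pem" 2>&1)" in *": OK") rc=0 ;; *) rc=1 ;; esac
  rm -rf "$dir"; return $rc
}

# Candidate uploads: the bare site cert (the post's first attempt), the
# leaf-first bundle it ends up with, the same without the root, and the same
# certificates in the wrong order.
cat leaf.pem > bare.crt
cat leaf.pem inter.pem root.pem > bundle.crt
cat leaf.pem inter.pem > noroot.crt
cat root.pem inter.pem leaf.pem > reversed.crt

for f in bare.crt bundle.crt noroot.crt reversed.crt; do
  if ! chain_order_ok "$f" www.example.test; then
    echo "$f: site cert is not first (or chain is broken); reorder before uploading"
  elif first_cert_verifies "$f"; then
    echo "$f: site cert first and verifiable from the root alone"
  else
    echo "$f: site cert first, but unverifiable without the intermediate"
  fi
done
```

Two points the run makes that the post only implies: the bundle without the root verifies just as well as the one with it, because clients find the root in their own trust store (TLS allows the server to omit it), so the intermediate is the certificate that actually matters; and putting the root first passes nothing, since whatever is first is treated as the site certificate. To see what a live endpoint really sends, rather than what you uploaded, `openssl s_client -connect www.example.test:443 -showcerts` prints every certificate in the server's handshake, and a missing intermediate shows up there as a chain of length one.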