Let's Encrypt for Heroku

https://letsencrypt.org/ is free and Heroku supports it via ACM, but only for paid dynos. Use cloudflare.com for free SSL instead, and point it directly to the https herokuapp address (no need to set up DNS on Heroku). On the Crypto tab in Cloudflare select Full (not Flexible) SSL; with Flexible, Cloudflare terminates TLS and connects to the origin over plain http, so the origin never sees an https request. You can check Always use HTTPS (Redirect all requests with scheme "http" to "https". This applies to all http requests to the zone) or create Page Rules that redirect from http to https. If Rails is served over http while the form is submitted over https, the Heroku logs will give

HTTP Origin header (https://www.premesti.se) didn't match request.base_url (http://www.premesti.se)
Completed 422 Unprocessable Entity in 6ms
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

On Page Rules add a redirect from non-www to www:

https://premesti.se/* -> https://www.premesti.se/$1

# Also, if you did not enable `Always use HTTPS`, you can add rules that redirect http to https
http://premesti.se/* -> https://www.premesti.se/$1
http://www.premesti.se/* -> https://www.premesti.se/$1
dig premesti.se
# should have
premesti.se.		78	IN	A
premesti.se.		78	IN	A

curl premesti.se -I
# should have
HTTP/1.1 301 Moved Permanently
Location: https://www.premesti.se/

curl https://premesti.se -I
# should have
HTTP/1.1 301 Moved Permanently
Location: https://www.premesti.se/
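The dig and curl checks above can be scripted so they fail loudly instead of being eyeballed. The following is an added example (not from the original post): it parses the headers that `curl -I` returns and only passes when the response is a permanent redirect whose Location is the expected https://www. URL, so a Page Rule that still sends visitors to http:// is caught rather than silently accepted. The sample header blocks are constructed; `live_check` wraps the real `curl` calls against the zone.

```shell
#!/bin/sh
# Added example: verify http -> https and non-www -> www redirects from raw
# response headers. Hostnames are the ones used in the post; header samples
# below are constructed, not captured.

# Status code from the first line of a header block read on stdin.
status_code() {
  head -n1 | awk '{print $2}' | tr -d '\r'
}

# Value of the Location header (case-insensitive), without a trailing CR.
location_header() {
  awk 'tolower($1)=="location:" {print $2}' | tr -d '\r'
}

# check_redirect HEADERS EXPECTED
# Passes only for a 301/308 whose Location is https and equals EXPECTED.
check_redirect() {
  headers=$1
  expected=$2
  code=$(printf '%s\n' "$headers" | status_code)
  loc=$(printf '%s\n' "$headers" | location_header)
  case "$code" in
    301|308) ;;
    *) echo "FAIL: status $code (expected 301)"; return 1 ;;
  esac
  case "$loc" in
    https://*) ;;
    *) echo "FAIL: Location '$loc' is not https"; return 1 ;;
  esac
  if [ "$loc" != "$expected" ]; then
    echo "FAIL: Location '$loc' != '$expected'"; return 1
  fi
  echo "OK: $code -> $loc"
}

# Live check against the zone (needs network):
#   live_check http://premesti.se      https://www.premesti.se/
#   live_check https://premesti.se     https://www.premesti.se/
#   live_check http://www.premesti.se  https://www.premesti.se/
live_check() {
  check_redirect "$(curl -sI "$1")" "$2"
}

# Constructed sample responses for an offline run.
GOOD_HEADERS='HTTP/1.1 301 Moved Permanently
Location: https://www.premesti.se/
Server: cloudflare'

# A redirect that still points at http: wrong scheme in the Page Rule target.
BAD_SCHEME='HTTP/1.1 301 Moved Permanently
Location: http://www.premesti.se/'

# Redirect to the right scheme but the wrong host.
WRONG_HOST='HTTP/1.1 301 Moved Permanently
Location: https://premesti.se/'

# No redirect at all (Always use HTTPS not enabled, no Page Rule).
NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'
```

Run the three `live_check` lines from the comment after the Cloudflare rules are saved; each should print `OK: 301 -> https://www.premesti.se/`.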

Old way

Following this tutorial, here are some screenshots from StartSSL showing how I registered www.kontakt.in.rs.


StartSSL is no longer usable since they issued certificates for sites they did not check. The example here is for reference only.

Go to www.startssl.com and in the left menu find: StartSSL Products > StartSSL Free. Before you can get the keys, you need to authenticate yourself. Go to Certificate Control Panel. There are links for login using existing keys, but we will use signup.

Signup and install browser certificate

Sign up form

Then you will receive a code in email, which should be pasted on

Complete registration

Wait until they authorize your email account

Notice for review

Once your account is approved and you receive the email, click on the link provided and copy the verification code

Verify approved request

Generate private key

Install certificate

Congratulations for browser certificate

Validation wizard for domain

Choose web ssl

Enter domain name

Choose email

Verify email

Certificates wizard

Choose web ssl

Enter password

Save ssl.key

Select domain

Add subdomain www

Additional check

Final cert files

After you get the email that the certificate is ready, go to the Toolbox and download it

Download certificate

We need two additional files:

  • StartCom Root CA (ca.pem)
  • StartSSL’s Class 1 Intermediate Server CA (sub.class1.server.ca.pem)

which you can find in Toolbox section.

Since the server needs an unencrypted version of the key, we create one (so it won’t ask for a password on start):

openssl rsa -in ssl.key -out private.key 

Copy those four files to the server:

scp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} YOURSERVER:~ 
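Before the files go anywhere it is worth confirming that private.key really is the unencrypted counterpart of ssl.crt, that it is not world-readable, and that ssl.crt chains to the CA files. The following is an added example (not from the original post and not StartSSL tooling): it builds a throwaway root CA and a passphrase-protected server key in a temp directory, strips the passphrase with the same `openssl rsa` step used above, restricts the file to mode 600, and verifies the key/certificate match and the chain. The CN www.example.test and the passphrase secret123 are constructed placeholders; `served_chain` is for the Vagrant test further down and needs a running server.

```shell
#!/bin/sh
# Added example: sanity-check a server key and certificate before deployment.
# Uses only the openssl CLI; all material is generated in DIR (constructed).

# make_test_chain DIR: ca.pem (self-signed root), ssl.key (encrypted), ssl.crt
make_test_chain() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Test Root CA" 2>/dev/null
  openssl req -newkey rsa:2048 -keyout "$dir/ssl.key" -passout pass:secret123 \
    -out "$dir/ssl.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/ssl.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/ssl.crt" 2>/dev/null
}

# strip_passphrase DIR: the server must load the key unattended, so write an
# unencrypted copy (private.key) and make it readable by its owner only.
strip_passphrase() {
  dir=$1
  openssl rsa -in "$dir/ssl.key" -passin pass:secret123 -out "$dir/private.key" 2>/dev/null
  chmod 600 "$dir/private.key"
}

# key_is_unencrypted DIR [FILE]: "yes" when FILE (default private.key) has no
# ENCRYPTED PEM header, i.e. it will load without a passphrase prompt.
key_is_unencrypted() {
  f=${2:-private.key}
  if grep -q ENCRYPTED "$1/$f"; then echo no; else echo yes; fi
}

# key_matches_cert DIR: "match" when private.key and ssl.crt carry the same
# RSA modulus; a mismatch here is the classic "wrong key file copied" error.
key_matches_cert() {
  dir=$1
  k=$(openssl rsa -in "$dir/private.key" -noout -modulus 2>/dev/null)
  c=$(openssl x509 -in "$dir/ssl.crt" -noout -modulus 2>/dev/null)
  case "$k" in Modulus=*) ;; *) echo MISMATCH; return 1 ;; esac
  if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; return 1; fi
}

# verify_chain DIR: "OK" when ssl.crt validates against ca.pem. With a real
# intermediate add: -untrusted "$dir/sub.class1.server.ca.pem"
verify_chain() {
  if openssl verify -CAfile "$1/ca.pem" "$1/ssl.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# key_mode DIR: permission bits of private.key (GNU stat, BSD stat fallback)
key_mode() {
  stat -c %a "$1/private.key" 2>/dev/null || stat -f %Lp "$1/private.key"
}

# served_chain HOST PORT: what a client actually receives from a running
# server, e.g.  served_chain www.kontakt.in.rs 8081  for the Vagrant box.
served_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}
```

Run `make_test_chain`, `strip_passphrase`, then the three checks; `key_matches_cert` and `verify_chain` are the two worth repeating against the real StartSSL files (with ca.pem as the root and the intermediate passed via `-untrusted`) before the scp step.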

Local test

You can test locally in VirtualBox; we will use ports 8080 and 8081.

vagrant init
sed -i '/base/c \  config.vm.box = "ubuntu/trusty64"\
  config.vm.network "forwarded_port", guest: 80, host: 8080\
  config.vm.network "forwarded_port", guest: 443, host: 8081\
' Vagrantfile
vagrant up
vagrant ssh

Install SSL on Apache2

sudo apt-get update # get right sources
sudo apt-get -y install apache2
sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /vagrant
sudo cp {ca.pem,private.key,sub.class1.server.ca.pem,ssl.crt} /etc/apache2/ssl
# duplicate the http VirtualHost so the file holds two copies (the first becomes the :443 one);
# read and append the same file in one step instead of piping it into itself
conf=/etc/apache2/sites-enabled/000-default.conf
sudo sh -c "cat $conf $conf > $conf.tmp && mv $conf.tmp $conf"
# add ssl configuration to the first copy (SSLv3 is disabled as well as SSLv2)
sudo sed -i '1c <VirtualHost *:443>' $conf
sudo sed -i '/VirtualHost...443/a SSLEngine on\
  SSLProtocol all -SSLv2 -SSLv3\
  SSLCertificateFile /etc/apache2/ssl/ssl.crt\
  SSLCertificateKeyFile /etc/apache2/ssl/private.key\
  SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem\
' $conf
sudo service apache2 restart
sudo tail -f /var/log/apache2/error.log

Install on nginx

sudo apt-get update # get right sources
sudo apt-get -y install nginx
sudo mkdir /etc/nginx/ssl
sudo sed -i '/listen.80.default_server/a \\tlisten 443 ssl;\
\tssl_certificate /etc/nginx/ssl/ssl.crt;\
\tssl_certificate_key /etc/nginx/ssl/private.key;\
' /etc/nginx/sites-enabled/default
# nginx has no separate chain directive: the intermediate must follow the server cert in ssl_certificate
cat /vagrant/ssl.crt /vagrant/sub.class1.server.ca.pem | sudo tee /etc/nginx/ssl/ssl.crt > /dev/null
sudo cp /vagrant/private.key /etc/nginx/ssl
sudo chmod 600 /etc/nginx/ssl/private.key
sudo service nginx restart
sudo tail -f /var/log/nginx/error.log

Temporarily point www.kontakt.in.rs to localhost and go to http://www.kontakt.in.rs:8080 and https://www.kontakt.in.rs:8081

echo -e "127.0.0.1\twww.kontakt.in.rs" | sudo tee -a /etc/hosts

You should see the certificate on Apache

final apache cert

and a green lock on nginx

final nginx cert

Don’t forget to remove the temporary entry from hosts

sudo sed -i '/www.kontakt.in.rs/c #\twww.kontakt.in.rs' /etc/hosts

On Ubuntu, you can rename ssl.crt to ssl.crt.p12 (or ssl.crt.key) and double-clicking it will show the certificate details.

For heroku you can follow https://gist.github.com/meskyanichi/3354578

If Windows 7 cannot open www.xda-developers.com because of an invalid certificate: The certificate cannot be verified up to a trusted certification authority… This server could not prove that it is www.xda-developers.com; its security certificate is not trusted by your computer’s operating system…