适用于受控用户组的Heroku SSL证书

Question

I have a Rails app hosted on Heroku and it runs on its own custom domain. To provide more security, I have enabled the setting force_ssl so all traffic is HTTPS. With a custom domain however, the browser shows a certificate warning about an untrusted website.

I can solve that by purchasing a certficate and enable the SSL endpoint add-on on Heroku. This costs money however, the add-on itself is 20 dollar a month. The application is for a limited, controlled group of users in my company, so in my opionion a paid certificate is not necessary. What are my options here? Is it possible to create a certificate myself and give it to all the users to add to their browser?

Answer 1

Whilst the browser shows a warning the connection will infact still be SSL. The warning means that the certificate being used in this case mismatches the domain so is a warning to the user about something not being quite right. If it's a controlled group of users then I think as long as you tell them this then it shouldn't be such a shock and they can safely click on.

That, or maybe revert to the *.herokuapp.com domain that your application will have and which will work with the wildcard SSL certificate that Heroku have already installed.

Either of those options seem much less hassle (to me) than worrying about self signing certificates and having your users install it

....or purchase the actual cert and pay $20 a month.

Answer 2

A good option would have been to use a self-signed SSL certificate, but Heroku doesn't support that on their stack.

You can either instruct your users to access your app through appname.herokuapp.com , which always has SSL enabled (via Heroku's wildcard SSL for that domain), and comes at no additional cost.

The only other option is to go with $20/month for a proper SSL cert for your domain.