How do you install a LetsEncrypt SSL Certificate on Heroku
Since Heroku is read-only and does not allow sudo, what do I need to do to be able to install the LetsEncrypt.org certificate on their server for my app?
If I have already set config.force_ssl = true, does that matter?
I read the blog post in the first answer here, but I didn't want to pollute my code-base with ACME URLs & logic. So I did something similar, but used DNS domain validation...
With certbot, specify DNS as your preferred challenge:
sudo certbot certonly --manual --preferred-challenges dns
After a couple of prompts, certbot will tell you to deploy a DNS TXT record to validate your domain:
Please deploy a DNS TXT record under the name
_acme-challenge.www.codesy.io with the following value:
CxYdvM...5WvXR0
Once this is deployed,
Press ENTER to continue
Your domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.
See my own blog post for more detail.
Here are two bash functions that you can use to automate the process for you
function makessl {
  # Obtain a new certificate via the DNS challenge, then upload it to the Heroku app in the current folder
  sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "$1"
  sudo heroku certs:add --type=sni "/etc/letsencrypt/live/$1/fullchain.pem" "/etc/letsencrypt/live/$1/privkey.pem"
}
function renewssl {
  # Re-run the DNS challenge and replace the certificate already attached to the app
  sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "$1"
  sudo heroku certs:update "/etc/letsencrypt/live/$1/fullchain.pem" "/etc/letsencrypt/live/$1/privkey.pem"
}
They take an argument for the domain name, and as long as you run them from within your heroku app folder you will not have to specify an --app NAME.
Example:
makessl www.domain.com
Example:
renewssl www.domain.com
Combine this with @Eric's answer and you're good to go:
heroku certs:auto:enable
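As an added example (not part of the answer above and not certbot's or Heroku's code), here is a Ruby check you can run on the files certbot writes before calling heroku certs:add. It confirms that the private key belongs to the leaf certificate in fullchain.pem, that the leaf is valid now and not within 30 days of expiry, that its subject alternative names cover the domain you are about to serve, and that each certificate in the chain is signed by the one after it. The function names, the ACME-unrelated make_self_signed helper (which only builds a constructed test certificate so the check runs offline) and the 30-day threshold are my own choices; real input is the fullchain.pem and privkey.pem pair under /etc/letsencrypt/live/<domain>/.

```ruby
require "openssl"

# Added example: sanity-check a certbot bundle before `heroku certs:add`.
# Returns a list of problems; an empty list means the pair is safe to upload.
# Function names are my own, not certbot's or Heroku's.
def check_cert_bundle(fullchain_pem, privkey_pem, domain, now: Time.now)
  problems = []
  # fullchain.pem holds the leaf certificate first, then the intermediates.
  certs = fullchain_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                       .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  return ["no certificate found in fullchain.pem"] if certs.empty?
  leaf = certs.first
  key = OpenSSL::PKey.read(privkey_pem)

  # A key that does not belong to the leaf makes every TLS handshake fail.
  problems << "private key does not match leaf certificate" unless leaf.check_private_key(key)

  # Validity window; Let's Encrypt certificates last 90 days, so warn early.
  problems << "leaf certificate not yet valid" if now < leaf.not_before
  problems << "leaf certificate has expired" if now > leaf.not_after
  days_left = ((leaf.not_after - now) / 86_400).floor
  problems << "leaf certificate expires in #{days_left} days, renew now" if days_left.between?(0, 29)

  # The domain you serve must appear in the subject alternative names.
  names = subject_alt_names(leaf)
  unless names.any? { |name| name_covers?(name, domain) }
    problems << "certificate does not cover #{domain} (SANs: #{names.join(', ')})"
  end

  # Each certificate must be signed by the one that follows it in the file.
  certs.each_cons(2).with_index do |(child, parent), i|
    problems << "chain broken at position #{i}" unless child.verify(parent.public_key)
  end
  problems
end

# DNS names listed in the certificate's subjectAltName extension.
def subject_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return [] unless ext
  ext.value.split(",").map(&:strip).grep(/\ADNS:/).map { |v| v.delete_prefix("DNS:") }
end

# Exact match, or a wildcard covering exactly one label (*.example.com covers www.example.com).
def name_covers?(name, domain)
  return name.casecmp?(domain) unless name.start_with?("*.")
  parent = domain.split(".", 2)[1]
  !parent.nil? && name[2..].casecmp?(parent)
end

# Reads the files certbot writes for a domain and runs the check on them.
def check_live_bundle(domain, live_dir: "/etc/letsencrypt/live/#{domain}")
  check_cert_bundle(File.read("#{live_dir}/fullchain.pem"), File.read("#{live_dir}/privkey.pem"), domain)
end

# Constructed self-signed certificate so the check can be exercised offline;
# it stands in for the certbot-issued leaf and is not a real certificate.
def make_self_signed(domain, key, days: 90)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{domain}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{domain}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```

Run check_live_bundle("www.domain.com") from the same shell you use for the makessl function and only call heroku certs:add when it returns an empty list; a mismatched key or a certificate for the wrong name is caught locally instead of by your users' browsers.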
FYI, Heroku now offers automated certificate management w/ Let's Encrypt if you run a paid dyno. You can enable it with:
heroku certs:auto:enable
More info:
https://devcenter.heroku.com/articles/automated-certificate-management
It was written before Heroku implemented native support for LetsEncrypt. Leaving the rest for posterity, but this is no longer necessary. Use @Eric's answer now.
You can use certbot in manual mode to generate the challenge response, modify your site to return that response, then finally complete the certbot manual process.
See this blog post by Daniel Morrison, or the linked answer under Certificate Updates below, for more details.
As @Flimm mentioned, and as is mentioned in the linked blog post, you'll have to update this every 3 months until Heroku provides better support for LetsEncrypt. You can make that process smoother (no code changes to upload) using an environment variable as described in this answer (Node/Express but the concepts are the same): https://stackoverflow.com/a/40199581/37168
There is a GitHub project that can automate all of this for you by setting your Heroku environment variables. It's a tiny webapp you install as another Heroku app that in turn configures your primary app. I haven't tried it yet but am planning to use it instead of updating my cert next time: https://github.com/dmathieu/sabayon
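The "environment variable" approach the answer above describes for Node/Express, written as an added Ruby/Rack example for the Rails app in the question (this is my own code, not the linked answer's, certbot's or Heroku's). certbot's manual HTTP challenge prints a value of the form <token>.<thumbprint> and asks that exactly that string be served at /.well-known/acme-challenge/<token>. The middleware below reads that value from an environment variable so a renewal needs a heroku config:set, not a deploy; the variable name ACME_CHALLENGE and the class name are assumptions of mine.

```ruby
# Added example: Rack middleware answering the ACME HTTP-01 challenge from an
# environment variable. ACME_CHALLENGE (my own name) holds "<token>.<thumbprint>"
# exactly as certbot --manual prints it.
class AcmeChallenge
  ACME_PATH = "/.well-known/acme-challenge/".freeze

  def initialize(app, challenge: ENV["ACME_CHALLENGE"])
    @app = app
    @key_auth = challenge.to_s.strip
    # The token is the part before the first dot; the account thumbprint follows it.
    @token = @key_auth.include?(".") ? @key_auth.split(".", 2).first : nil
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    # Everything outside the ACME path goes to the real application untouched.
    return @app.call(env) unless path.start_with?(ACME_PATH)
    return text(405, "method not allowed") unless env["REQUEST_METHOD"] == "GET"

    requested = path.delete_prefix(ACME_PATH)
    # Only the token of the current challenge is answered; any other token
    # (including a stale one after a renewal) gets a 404.
    if @token && secure_equal?(requested, @token)
      text(200, @key_auth)
    else
      text(404, "not found")
    end
  end

  private

  def text(status, body)
    [status, { "Content-Type" => "text/plain", "Content-Length" => body.bytesize.to_s }, [body]]
  end

  # Length check first, then a constant-time byte comparison.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Rails wiring, as a comment (config/application.rb):
#   config.middleware.insert_before 0, AcmeChallenge
# Then, each time certbot shows a new challenge value:
#   heroku config:set ACME_CHALLENGE=<token>.<thumbprint>
```

Inserting it at position 0 puts it ahead of the redirect that config.force_ssl = true installs, so the plain-HTTP validation request is answered directly rather than depending on the redirect being followed. Once certbot reports success, unset the variable so the token is no longer served.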
The default recommendation of Heroku is SSL using Server Name Indication (SNI), which is free. Since you already obtained your certificate and key, you can add them by:
heroku certs:add <cert>.pem <key>.key
If you need to support legacy browser clients which do not support SNI, use the Heroku SSL Endpoint addon which costs $20/mo:
Add that addon by running
heroku addons:create ssl:endpoint
And then add your LetsEncrypt.org certificates:
heroku certs:add <cert>.pem <key>.key
The best way is to assign the new SSL domain (the one starting with https) to your domain; it automatically overrides the non-HTTPS domain.
I created a certbot plugin that uses the Heroku CLI to automate authentication and installation of Let's Encrypt certificates: https://github.com/gboudreau/certbot-heroku
I only have an example that uses the php-nginx Heroku buildpack, but reading that example and finding the equivalent for other buildpacks should be easy enough. Pull Requests are welcome to help others!