
How do you install a LetsEncrypt SSL Certificate on Heroku

Since Heroku is read-only and does not allow sudo, what do I need to do to be able to install the LetsEncrypt.org certificate on their server for my app?

If I have already set config.force_ssl = true does that matter?

I read the blog post in the first answer here, but I didn't want to pollute my code-base with ACME urls & logic. So I did something similar, but used DNS domain validation ...

With certbot, specify DNS as your preferred challenge:

sudo certbot certonly --manual --preferred-challenges dns

After a couple of prompts, certbot will tell you to deploy a DNS TXT record to validate your domain:

Please deploy a DNS TXT record under the name
_acme-challenge.www.codesy.io with the following value:

CxYdvM...5WvXR0

Once this is deployed,
Press ENTER to continue

Your domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.

See my own blog post for more detail.
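The step above where you press ENTER is the one that fails most often: Let's Encrypt resolves the `_acme-challenge` name itself, so a record that is only visible in the registrar's web panel but has not propagated yet makes the validation fail and burns a rate-limit slot. The following POSIX shell helper is an added example, not part of the answer above or of certbot; it checks the live TXT record against the token certbot printed before you continue. The record name, the resolver address and the ten-try/30-second polling loop are assumptions chosen for illustration.

```shell
# Added example: confirm the ACME TXT record is visible in public DNS before
# telling certbot to continue. Requires `dig` (bind-utils / dnsutils) only for
# wait_for_acme_txt; txt_record_matches itself is pure string handling.

# txt_record_matches EXPECTED DIG_OUTPUT
#   EXPECTED    the token certbot printed for _acme-challenge.<domain>
#   DIG_OUTPUT  raw output of `dig +short TXT <name>`: one quoted string per
#               record. A name may carry several TXT records at once (a stale
#               token from an earlier run, an SPF record, ...), so any one
#               record equal to EXPECTED counts as a match.
# Returns 0 on an exact match, 1 otherwise. ACME tokens are short (43 chars),
# so the >255-byte multi-string TXT form never occurs here.
txt_record_matches() {
    expected=$1
    dig_output=$2
    printf '%s\n' "$dig_output" \
        | tr -d '\r' \
        | sed 's/^"//; s/"$//' \
        | grep -qxF -- "$expected"
}

# wait_for_acme_txt NAME EXPECTED [RESOLVER]
#   polls a public resolver (default 1.1.1.1, an assumption) until the record
#   is visible; returns 0 when it is, 1 after ten failed attempts.
wait_for_acme_txt() {
    name=$1
    expected=$2
    resolver=${3:-1.1.1.1}
    attempt=0
    while [ "$attempt" -lt 10 ]; do
        if txt_record_matches "$expected" "$(dig +short TXT "$name" "@$resolver")"; then
            echo "ok: $name carries the expected TXT record"
            return 0
        fi
        attempt=$((attempt + 1))
        echo "not visible yet (attempt $attempt/10), sleeping 30s" >&2
        sleep 30
    done
    echo "giving up: $name does not carry the expected TXT record" >&2
    return 1
}

# Usage, in a second terminal while certbot is waiting for ENTER:
#   wait_for_acme_txt _acme-challenge.www.example.com '<token certbot printed>'
```

Run it against the same name certbot shows you; only press ENTER in certbot once it reports `ok`. Querying an outside resolver rather than your local one avoids being fooled by a cached negative answer from before you added the record.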


Here are two bash functions that you can use to automate the process for you

# Obtain a certificate for the domain given as $1 via the manual DNS challenge,
# then upload the chain and private key to the Heroku app in the current folder.
function makessl {
    sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "${1}"
    sudo heroku certs:add --type=sni "/etc/letsencrypt/live/${1}/fullchain.pem" "/etc/letsencrypt/live/${1}/privkey.pem"
}

# Same DNS challenge, but replace the certificate already on the Heroku app.
function renewssl {
    sudo certbot certonly --manual --rsa-key-size 4096 --preferred-challenges dns -d "${1}"
    sudo heroku certs:update "/etc/letsencrypt/live/${1}/fullchain.pem" "/etc/letsencrypt/live/${1}/privkey.pem"
}

They take an argument for the domain name and as long as you run them from within your heroku app folder you will not have to specify an --app NAME

Example: makessl www.domain.com

Example: renewssl www.domain.com


Combine this with @Eric's answer and you're good to go:

heroku certs:auto:enable
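The functions above hand whatever is in `/etc/letsencrypt/live/<domain>/` straight to `heroku certs:add` / `heroku certs:update`. Two things can go wrong silently there: the manual flow generates a fresh key every run, so an old `privkey.pem` copied from elsewhere will not match the new `fullchain.pem`, and a chain that is already close to its 90-day expiry is not worth uploading. The pre-flight check below is an added example, not part of the answer above; it needs only `openssl` and can be dropped in front of the `heroku certs:...` line. The 30-day threshold, the `www.example.test` name and the `preflight_cert` function name are assumptions for illustration.

```shell
# Added example: sanity-check a certbot fullchain.pem / privkey.pem pair before
# uploading it to Heroku. `openssl x509 -in fullchain.pem` reads only the first
# certificate in the file, which is the leaf; that is the one that must match
# the key and cover the hostname.

# cert_matches_key CERT KEY -> 0 if the leaf's public key equals the public
# half of KEY (compared as PEM text), 1 otherwise or if either file is unreadable.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> 0 if the leaf is still valid DAYS days from
# now. Let's Encrypt certificates last 90 days; renew with 30 or more left.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_covers_name CERT NAME -> 0 if NAME is the subject CN or a DNS SAN entry.
# Dots in NAME are escaped so they are not treated as regex wildcards.
cert_covers_name() {
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -qE "(DNS:${escaped}(,|$)|CN ?= ?${escaped}(,|$))"
}

# preflight_cert CERT KEY NAME -> 0 only if every check passes; the first
# failing check is reported on stderr.
preflight_cert() {
    cert=$1
    key=$2
    name=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read $cert or $key" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "private key $key does not match $cert" >&2; return 1; }
    cert_valid_for_days "$cert" 30 || { echo "$cert expires within 30 days or is already expired" >&2; return 1; }
    cert_covers_name "$cert" "$name" || { echo "$cert does not cover $name" >&2; return 1; }
    echo "ok: $cert and $key belong together, cover $name and are valid for 30+ days"
}

# Usage in front of the upload, e.g. inside renewssl (assumed layout):
#   live=/etc/letsencrypt/live/www.example.test
#   preflight_cert "$live/fullchain.pem" "$live/privkey.pem" www.example.test \
#       && heroku certs:update "$live/fullchain.pem" "$live/privkey.pem"
```

Because `preflight_cert` returns non-zero on the first failed check, chaining it with `&&` means a mismatched key or an expired chain never reaches Heroku, where it would replace a working certificate.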

FYI, Heroku now offers automated certificate management w/ Let's Encrypt if you run a paid dyno. You can enable it with:

heroku certs:auto:enable

More info:

https://devcenter.heroku.com/articles/automated-certificate-management

Edit: This answer no longer applies.

It was written before Heroku implemented native support for LetsEncrypt. Leaving the rest for posterity, but this is no longer necessary. Use @Eric's answer now.


Installing the initial certificate

You can use certbot in manual mode to generate the challenge response, modify your site to return that response, then finally complete the certbot manual process.

See this blog post by Daniel Morrison, or the linked answer under Certificate Updates below, for more details.

Certificate updates

As @Flimm mentioned, and as is mentioned in the linked blog post, you'll have to update this every 3 months until Heroku provides better support for LetsEncrypt. You can make that process smoother (no code changes to upload) using an environment variable as described in this answer (Node/Express but the concepts are the same): https://stackoverflow.com/a/40199581/37168

Sabayon

There is a GitHub project that can automate all of this for you by setting your Heroku environment variables. It's a tiny webapp you install as another Heroku app that in turn configures your primary app. I haven't tried it yet but am planning to use it instead of updating my cert next time: https://github.com/dmathieu/sabayon

The default recommendation of Heroku is SSL using Server Name Indication (SNI), which is free. Since you already obtained your certificate and key, you can add them by:

heroku certs:add <cert>.pem <key>.key

If you need to support legacy browser clients which do not support SNI use the Heroku SSL Endpoint addon which costs $20/mo:

Add that addon by running

heroku addons:create ssl:endpoint

And then add your LetsEncrypt.org certificates:

heroku certs:add <cert>.pem <key>.key

The best approach is to assign a new SSL domain (starting with https) to your domain, which automatically overrides the non-http domain.

I created a certbot plugin that uses the Heroku CLI to automate authentication and installation of Let's Encrypt certificates: https://github.com/gboudreau/certbot-heroku

I only have an example that uses the php-nginx Heroku buildpack, but reading that example and finding the equivalent for other buildpacks should be easy enough. Pull Requests are welcome to help others!
