How can I use a LetsEncrypt SSL cert in my Heroku Node Express app?

I have a Node Express app running on Heroku that I want to encrypt with a free-of-charge SSL cert from LetsEncrypt. However, the methods I've seen require opening up ports 443 and 80 to allow the ACME process to work.

Heroku only gives you one port, and doesn't let you choose which port. So how can I use LetsEncrypt?
I spent a bunch of time figuring this out yesterday. First time in a long time there were no answers on StackOverflow for something I was trying to do!

Heroku now supports LetsEncrypt natively! So this workaround is no longer needed.

Instructions here: https://devcenter.heroku.com/articles/automated-certificate-management

For new apps, you don't have to do anything, it's turned on by default. For apps created before March 21 2017, you can turn it on with this Heroku cli command:

    heroku certs:auto:enable

Thanks @Spain Train

Ideally, LetsEncrypt allows for an automated certificate renewal process. That's harder to do on Heroku, so this answer describes how to use a manual process. Using a Heroku environment var, you'll be able to update your certs manually fairly easily going forward - no code changes.

Credit for this answer goes largely to two nice blog posts: https://medium.com/@franxyzxyz/setting-up-free-https-with-heroku-ssl-and-lets-encrypt-80cf6eac108e#.67pjxutaw and https://medium.com/should-designers-code/how-to-set-up-ssl-with-lets-encrypt-on-heroku-for-free-266c185630db#.ldr9wrg2j

There's a GitHub project which apparently supports automated certs updates on Heroku. I'll update this answer when I've tried it out: https://github.com/dmathieu/sabayon
Add this middleware to your Express app. Be sure to add it BEFORE any middleware that redirects http to https, because this endpoint must be http.
    // Added so the snippet runs stand-alone: the answer assumes an existing Express app.
    const express = require('express');
    const app = express();

    // Read the Certbot response from an environment variable; we'll set this later:
    const letsEncryptResponse = process.env.CERTBOT_RESPONSE;

    // Return the Let's Encrypt certbot response:
    app.get('/.well-known/acme-challenge/:content', function(req, res) {
      res.send(letsEncryptResponse);
    });

    // Heroku hands the dyno its single port in $PORT (added so the snippet runs stand-alone).
    app.listen(process.env.PORT || 3000);
    sudo certbot certonly --manual

Run

    sudo ls /etc/letsencrypt/live/www.example.com

to see if the files exist. Run heroku certs:add if your site doesn't have a cert. If updating, run heroku certs:update:

    sudo heroku certs:update --app your-heroku-app-name /etc/letsencrypt/live/www.example.com/fullchain.pem /etc/letsencrypt/live/www.example.com/privkey.pem
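As an added example that is not part of the original answers: a stricter version of the challenge handler above. It answers only for the token certbot told you about and returns 404 for anything else, instead of echoing one environment variable on every path. It relies on the HTTP-01 key authorization format "<token>.<account-key-thumbprint>" (RFC 8555); holding several comma-separated entries in CERTBOT_RESPONSE (one per domain) is this example's own assumption, not a certbot convention.

```javascript
// Added example, not from the original answers: an ACME HTTP-01 responder that
// answers only for tokens it knows instead of echoing one value on every path.
// A key authorization has the form "<token>.<account-key-thumbprint>" (RFC 8555
// §8.1); certbot --manual prints it and expects it to be served at
// /.well-known/acme-challenge/<token>. Holding several entries, comma-separated,
// in CERTBOT_RESPONSE (one per domain you validate) is this example's assumption.

// Token and thumbprint are base64url without padding (RFC 8555 §8.3).
const KEY_AUTHZ = /^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/;

// Parse "tok1.thumb,tok2.thumb" into a Map of token -> full key authorization.
// Malformed entries are dropped rather than served.
function parseKeyAuthorizations(envValue) {
  const byToken = new Map();
  for (const part of String(envValue || '').split(',')) {
    const ka = part.trim();
    const m = KEY_AUTHZ.exec(ka);
    if (m) byToken.set(m[1], ka);
  }
  return byToken;
}

// Framework-independent lookup: what to send back for a requested token.
// Unknown tokens get 404 so the endpoint reveals nothing to probing clients.
function acmeChallengeResponse(byToken, requestedToken) {
  const ka = byToken.get(requestedToken);
  return ka === undefined
    ? { status: 404, body: 'not found' }
    : { status: 200, body: ka };
}

// Express handler; mount it BEFORE any http->https redirect, as the answer says:
//   app.get('/.well-known/acme-challenge/:token',
//           acmeChallengeHandler(parseKeyAuthorizations(process.env.CERTBOT_RESPONSE)));
function acmeChallengeHandler(byToken) {
  return function (req, res) {
    const { status, body } = acmeChallengeResponse(byToken, req.params.token);
    res.status(status).type('text/plain').send(body);
  };
}

// Constructed sample in the shape certbot prints (not real tokens or thumbprints).
const SAMPLE_CERTBOT_RESPONSE =
  'tokenAAA123.thumbPRINTxyz, tokenBBB456.thumbPRINTxyz, garbage-without-dot';
const sampleByToken = parseKeyAuthorizations(SAMPLE_CERTBOT_RESPONSE);
```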
You can also validate your domain ownership to Let's Encrypt with DNS instead of HTTP.

With certbot, specify DNS as your preferred challenge:

    sudo certbot certonly --manual --preferred-challenges dns

After a couple of prompts, certbot will tell you to deploy a DNS TXT record to validate your domain:

    Please deploy a DNS TXT record under the name
    _acme-challenge.www.codesy.io with the following value:

    CxYdvM...5WvXR0

    Once this is deployed,
    Press ENTER to continue

Your domain registrar probably has its own docs for deploying a TXT record. Do that, and go back to certbot and press ENTER - Let's Encrypt will check the TXT record, sign the cert, and certbot will save it for you to upload to heroku.

See my detailed blog post for more.