I need to install VeriSign SSL certs on a Heroku app.
The requirements for using these certs are:
Dedicated IP address.
A CSR generated on the web server with the domain name.
Is it possible to achieve the above, either directly through the Heroku platform or via custom addons.
You should follow the Heroku SSL Endpoint Guide. Don't worry about the IP address, it comes courtesy of the Heroku SSL endpoint. I also don't think you need to create the certificate signing request on the server, once the certificate is created, you can use it where you want.
Related
Does anyone know how to easily setup https for a rest api in google compute engine ? I have currently a static ip and the api works over http but in the browser when I call it I get mixed content error because the client is server over https (firebase hosting)
Is it possible to setup https with only a static ip (and not a domain name) ?
-Jani
Is it possible to setup https with only a static ip (and not a domain
name) ?
Yes, it is possible, but since 2016 you cannot purchase an SSL certificate with a public IP address. You can use a self-signed certificate but you will have even more browser issues. Not recommended.
Possible Options:
Use your domain name (or purchase one) and use Let's Encrypt for SSL which is free and is one of your better options.
Use a different service such as Cloud Run, Cloud Functions, Firebase or App Engine which offers SSL and does not require a domain name that you own as you can use Google's endpoint.
Attach a Google Load Balancer in front of your Compute Engine instance and configure a front end with a Google Managed SSL certificate. However, this will require a domain name.
If you do not want to use your own domain name, then option #2 is your only choice.
To setup https for a rest api in google compute engine:
1- You have to buy a domain
2- You have to buy an SSL certificate
3- create a load balance resource in Google Cloud to which I assign the domain and the certificate
4- You can install the certificate to the server directly
If you want to use https over IP instead of domain, please follow click here
My app is a Laravel app, running on Nginx, provisioned by Forge, and SSL certificates are provided by CloudFlare.
It is hosted at a URL like https://www.myapp.com
My app’s customers are businesses, and already own their domains:
https://www.customer1.com
https://www.customer2.com
https://www.customer3.com
etc.
I want my customers to run MyApp from the sub-domains of their choice:
https://some-name.customer1.com
https://some-other-name.customer2.com
https://any-name-they-want.customer3.com
etc.
My customers should not install anything — MyApp still runs on myapp.com, not on their servers
My customers should only (if possible) modify their DNS, probably add a CNAME like "some-name” that points to “myapp.com”
I followed this amazing article: Dynamic custom domain routing in Laravel.
but I can't get it to work in an https (with SSL) environment -- the browser returns:
This site can’t provide a secure connection
some-name.customer1.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The client and server don't support a common SSL protocol version or cipher suite.
How should Nginx and/or SSL certificates be configured?
This is still a question which is not very simple.
However, Caddy does generate SSLs automatically (if replacing Nginx with Caddy is an option for you).
You can check the documentation for more.
I am hosting Tableau Server on Amazon Web Services (AWS) EC2. My domain name is ec2-xx-xx-xxx-xx.xx-xxxx-x.xxxxxxx.amazonaws.com. I would like to convert http to https, so I want to get a SSL certificate. When I asked a certificate authority (CA), they told me that my domain includes "amazonaws.com", so I couldn't get a SSL certificate. I then tried to get a SSL certificate from AWS, I received an error message.
Error message.png
This was due to the fact that I couldn't request a certificate for Amazon-owned domain name ending in "amazonaws.com".
Does anyone know how to deal with this issue?
Sincerely,
Kazumi
Looks like you need to understand the basics of the process of purchasing a domain name, assigning an IP address to the domain name, purchasing an SSL certificate etc.
Below steps are the easiest and the cheapest way to make your endpoint be served by SSL on AWS infrastructure:
Purchase a domain name eg. knozawa.com from AWS Route 53
Create a new SSL certificate free of cost using AWS
Certification Manager (ACM)
Add your EC2 instance which hosts the Tableau server behind an ELB. The ELB
should be configured to accept traffic over port 443 only. Select
the certificate created using ACM to serve for SSL traffic over port
443.
Go to Route 53, and created a hosted zone entry like
tableau.knozawa.com and add the ELB alias to the entry.
And you are done! You can now access your Tableau installation on your own domain name, serving traffic over SSL on the link https://tableau.knozawa.com
This will probably cost you and additional USD 12.00/year for the domain name, $10-$20 per month for ELB based on traffic.
I am working to setup my application to watch calendar events through Google's Calendar API. In doing so I must setup a "Push" endpoint on my server that has a valid SSL certificate (not self-signed).
My production environment is running on Heroku so setting up an SSL cert was easy using Expidited SSL. I have two CNames setup in GoDaddy, one for my production application and one for my development environment tunneled through ngrok. I'm using the paid ngrok feature of white labeled domain tunneling (dev.mydomain.com).
Host Points To
www saga-1234.herokussl.com
dev ngrok.com
The problem is that my ssl certificate is recognized when you hit the production application (www.mydomain.com), but it uses ngrok's certificate when you visit the development application (dev.mydomain.com).
How can I setup my ngrok tunnel to use my ssl certificate?
Ngrok's white labeled domain does not support HTTPS if you are using your own domain. Simply because it serves it's own certificate, where you need to serve your domain's. That's why you are getting certificate mismatch issue.
Here's what you could do to watch calendar events on your dev machine:
Point ngrok.mydomain.com to another server, let's say a new EC2
micro instance
Point wildcard CNAME to ngrok.mydomain.com
Compile ngrok server and client to use your certificate (rather than
ngrok.com)
Run the ngroku-server on EC2 instance
On your dev machine config the client to use ngrok.mydomain.com instead of ngroku.com
Run ngrok -subdomain=dev 80
Your local dev machine's 80 port should be accessible via https://dev.mydomain.com
This is really cool and is very helpful when debugging Google's webhooks, which require valid HTTPS and a verified root domain name.
Another interesting trick is to use CloudFlare's universal SSL to have a valid https://dev-machine.mydomain.com pointing to your dev machine without purchasing a certificate. The steps are exactly the same except that you need to issue your own certificate for ngrok client-server communications and use CloudFlare's Flex SSL for dev-machine.yourdomain.com.
ngrok has a new feature that tunnels and terminates SSL. Thus you can use your own domain and HTTPS. No need to open ports in your router or PC. They call it TLS Tunneling. The following is a link to a GitHub repos that describes how to do it.
How to use your own domain to access your home PC over the internet. Use HTTPS without raising SSL errors.
I am planning to add a SSL certificate to my app on Heroku. For that, I am planning to buy a wildcard ssl certificate. A requirement for that certificate is that I need to have a "dedicated IP address".
Afaik, I don't think I have a dedicated IP address as I am hosting my code with Heroku and I don't think I can be guaranteed an IP address of that machine.
Am I missing anything? Should I be looking at another kind of SSL certificate?
Thanks!
If your domain name is registered and pointing to Heroku as Heroku's documentation advises, then you should be able to get an SSL certificate for that domain name. Your SSL certificate authority should not require you to enter in an IP address. I can only speculate that it might say you need a "dedicated IP address" in order to discourage people from trying to get an SSL certificate for their residential cable modem, etc.