Bug 1300770: SSL Cert for standu.ps
Opened 8 years ago, closed 8 years ago
Categories: Infrastructure & Operations :: SSL Certificates, task
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: pmac, Assigned: joeyk
Details: Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/3382]
http://www.standu.ps is a Mozilla-run service for async status updates from IRC (or other places). We'd like to secure it. Please generate a cert including:
standu.ps
www.standu.ps
The cert will be added to the app running at Heroku.
Thanks
Comment 1 (Assignee) • 8 years ago
Submitted cert for review with DigiCert. Should hear back soon, then will send over to :pmac
Comment 2 (Assignee) • 8 years ago
:pmac Emailed you encrypted .pem and .crt. Let me know if you need anything else, sorry about the delay!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 3 (Reporter) • 8 years ago
Hooray! Thanks again! I'll update when it's successfully installed.
Comment 4 (Reporter) • 8 years ago
Attempted the install, but got an error:
$ heroku certs:add -r prod www_standu_ps.crt www_standu_ps.pem
Resolving trust chain... !!!
▸ No valid, non-passphrase-protected keys given.
Any ideas?
Status: RESOLVED → REOPENED
Flags: needinfo?(jkrejci)
Resolution: FIXED → ---
Comment 5 (Assignee) • 8 years ago
(In reply to Paul [:pmac] McLanahan from comment #4)
> Attempted the install, but got an error:
>
> $ heroku certs:add -r prod www_standu_ps.crt www_standu_ps.pem
> Resolving trust chain... !!!
> ▸ No valid, non-passphrase-protected keys given.
>
> Any ideas?
:pmac Currently in Nubis training now, I think it might have to do with the keys. I can check on Monday unless you need it done today? Let me know.
Flags: needinfo?(jkrejci)
:pmac, can you verify that 'www_standu_ps.pem' starts with -----BEGIN PRIVATE KEY, and that 'www_standu_ps.crt' contains TWO (not ONE) ----BEGIN certificate lines?
Comment 7 (Assignee) • 8 years ago
:atoll Already took care of it with :pmac via IRC, just waiting on his response before I close the bug.
Sweet! What was the resolution? (We don't do many Heroku deploys, so anything that helps us improve that process..)
Comment 9 (Reporter) • 8 years ago
:atoll, it was actually the opposite. The .crt file contains one BEGIN CERTIFICATE, and the .pem file contains two BEGIN CERTIFICATE lines. :joeyk sent me a key file after that. I'm about to try it.
Comment 10 (Reporter) • 8 years ago
Okay. Using the .key file and the .pem file with the heroku command from comment #4 looks like it will work. Unfortunately I lack sufficient privileges on the Heroku app to enable SSL :(
I'll get back to you with the result once I find someone to elevate my privs.
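The file mix-up diagnosed in comments 4 to 10, as an added example that is not part of the original thread or Heroku's tooling: a shell preflight that reports how many certificates and what kind of private key each PEM file holds. The function names, file names and placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug): report which PEM block types each file holds,
# so a missing or passphrase-protected key is caught before `heroku certs:add`.

# pem_summary FILE -> prints "certs=N key=none|plain|encrypted"
pem_summary() {
    certs=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    # Check for encryption first: a legacy encrypted key still starts with
    # "BEGIN RSA PRIVATE KEY" and is only marked by its Proc-Type header.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        key=encrypted
    elif grep -q -E -e '^-----BEGIN ((RSA|EC) )?PRIVATE KEY-----' "$1"; then
        key=plain
    else
        key=none
    fi
    echo "certs=$certs key=$key"
}

# preflight FILE... -> exit 0 only if the set contains at least one
# certificate and an unencrypted private key.
preflight() {
    have_cert=0; have_key=0
    for f in "$@"; do
        s=$(pem_summary "$f")
        echo "$f: $s" >&2
        case $s in certs=0\ *) ;; *) have_cert=1 ;; esac
        case $s in *key=plain) have_key=1 ;; esac
    done
    [ "$have_cert" -eq 1 ] && [ "$have_key" -eq 1 ]
}

# Constructed sample files: placeholder bodies, not real key material.
demo=$(mktemp -d)
pem() { printf -- '-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n' "$1" "$1"; }
pem CERTIFICATE > "$demo/site.crt"                          # one certificate
{ pem CERTIFICATE; pem CERTIFICATE; } > "$demo/chain.pem"   # two certificates
pem 'PRIVATE KEY' > "$demo/site.key"                        # unencrypted key
pem 'ENCRYPTED PRIVATE KEY' > "$demo/locked.key"            # passphrase-protected

preflight "$demo/site.crt" "$demo/chain.pem" || echo "no usable private key in this set"
preflight "$demo/site.key" "$demo/chain.pem" && echo "certificate and key present"
```

The first call reproduces the situation in comment 4 (two certificate files, no key); the second matches the .key plus .pem pair that comment 10 reports as working.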
Comment 11 • 8 years ago
I bumped up :pmac to Heroku admin temporarily, and will downgrade once he's done. Heroku was unwilling to permit a more granular permissions assignment, which I assume relates to our lack of Enterprise.
Comment 12 • 8 years ago
He installed the cert, but Heroku promptly started returning 505 HTTP version not supported, which is completely nuts. Access downgraded, no further action taken for now.
:pmac, indicate what precise command you ran and the full output of it here for later debug?
Comment 13 (Reporter) • 8 years ago
Requested information:
=====================
$ heroku certs:add -r prod www_standu_ps.key www_standu_ps.pem
Resolving trust chain... done
Adding SSL certificate to ⬢ standups... done
Certificate details:
Common Name(s): www.standu.ps
                standu.ps
Expires At: 2017-09-20 12:00 UTC
Issuer: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Starts At: 2016-09-15 00:00 UTC
Subject: /C=US/ST=California/L=Mountain View/O=Mozilla Corporation/CN=www.standu.ps
SSL certificate is verified by a root authority.
=== The following common names already have domain entries
www.standu.ps
standu.ps
=== Your certificate has been added successfully. Update your application's DNS settings as follows
Domain         Record Type  DNS Target
─────────────  ───────────  ───────────────────────────
standu.ps      ALIAS/ANAME  standu.ps.herokudns.com
www.standu.ps  CNAME        www.standu.ps.herokudns.com
=====================
I believe the errors are due to Heroku using SNI for this SSL endpoint of theirs. It seems to work well for me when I set one of the IPs for www.standu.ps.herokudns.com in my /etc/hosts file and visit the site in Firefox. I filed bug 1305199 to update the DNS, which I think will work fine. The HTTP endpoint at the new CNAME at least seems good, which will at least mean parity with the current situation (which is no SSL at all).
Comment 14 (Reporter) • 8 years ago
More info I forgot to include in my previous comment:
I'm following this doc:
https://devcenter.heroku.com/articles/ssl
This is a new free SSL option from Heroku and uses SNI instead of a dedicated IP (ELB) for the app.
Comment 15 (Reporter) • 8 years ago
I'm going to call this one done. In my testing the new cert is good and installed successfully in the Heroku app. The last step is bug 1305199. Thanks again!
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → FIXED