Closed Bug 1342983 Opened 9 years ago Closed 9 years ago

Move contributejson.org to the SNI SSL endpoint at Heroku

Categories

(Infrastructure & Operations Graveyard :: WebOps: Other, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmac, Assigned: joeyk)

Details

(Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4325])

The process is detailed here: https://devcenter.heroku.com/articles/ssl#migrate-from-ssl-endpoint-to-heroku-ssl
There is also good info in the blocked bug 1331583. The name of the Heroku app in question is "contribute-json". Let me know if you have any further questions, and thanks!
Whiteboard: [kanban:https://webops.kanbanize.com/ctrl_board/2/4325]
Assignee: server-ops-webops → jkrejci
Hey :pmac, I attempted to read through the comments in bug 1331583 and I think it confused me even more. What exactly needs to be done here? Are we uploading our own certs or using Heroku's? I can't seem to figure out what exactly needs to be done here. Please fill me in with a little more detail when you get the chance, thanks!
Flags: needinfo?(pmac)
We are using our own certs. Heroku doesn't yet provide a way to get certs from them (i.e. Let's Encrypt integration). It's just a new SNI-based SSL endpoint for them. The old way (that we're currently using) is $20/mo for them to host our cert because they spin up a dedicated ELB at AWS for the cert. This new thing is the new way, but uses SNI so it doesn't work for very old browsers. All we need is to follow the instructions in the Heroku article I linked in comment #0. I'd do it, but I don't have the cert. It's basically just:
1. heroku certs:add example.crt example.key --type sni
2. set the value of the CNAME record for www.contributejson.org to "www.contributejson.org.herokudns.com"
3. verify it all works
Above the "migrate" section of that article is more detail on the certs and testing. Hope this clears some things up. If you'd rather, you can encrypt and send me the certs using my GPG key (https://keybase.io/pmac) and I can add them to Heroku. I think I'll still need help with the DNS though.
Flags: needinfo?(pmac)
Hey :pmac, I've got quite a lot on my plate so if I could just send you the encrypted certs and then we can schedule a time to flip the DNS change that would be great! I'll get those certs sent over to you and we can discuss the DNS change date since we will need to file a routine change request for that.
:joeyk did indeed send me the certs and I've successfully added them to the Heroku application. I verified it is serving the correct cert with the openssl tool[0] (from the heroku docs linked above). Next step is to update the CNAME for www.contributejson.org in the DNS record to point to the new endpoint[1]. After that is done and propagated I can remove the old SSL addon[2] from the app and we can save $$. Thanks again!
[0] openssl s_client -connect www.contributejson.org.herokudns.com:443 -servername www.contributejson.org
[1] www.contributejson.org.herokudns.com
[2] https://devcenter.heroku.com/articles/ssl#remove-ssl-endpoint-add-on-after-24-hours
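
The pre-cutover check described in the comment above (connect to the herokudns.com endpoint while sending the production hostname as SNI), as an added Python example that is not part of the bug thread. The function names `cert_summary` and `probe` and the constructed `SAMPLE_CERT` are assumptions made for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# it is not the real contributejson.org certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.contributejson.org"),
                       ("DNS", "contributejson.org")),
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}


def cert_summary(cert, hostname, now=None):
    """Report the DNS SANs, whether they cover hostname, and days to expiry."""
    now = time.time() if now is None else now
    host = hostname.lower().rstrip(".")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

    def matches(pattern):
        if pattern.startswith("*."):
            # A wildcard stands in for exactly one left-most label.
            return "." in host and host.split(".", 1)[1] == pattern[2:]
        return pattern == host

    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "sans": sans,
        "covers_host": any(matches(p) for p in sans),
        "days_left": int((expires - now) // 86400),
    }


def probe(endpoint, servername, port=443, timeout=10):
    """Connect to endpoint but present servername as SNI, as
    `openssl s_client -connect endpoint:443 -servername servername` does."""
    # The default context validates the chain and checks the certificate
    # against servername, so a wrong or default cert fails the handshake.
    ctx = ssl.create_default_context()
    with socket.create_connection((endpoint, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return cert_summary(tls.getpeercert(), servername)


if __name__ == "__main__":
    # Hostnames taken from the thread; this call needs network access.
    print(probe("www.contributejson.org.herokudns.com",
                "www.contributejson.org"))
```

Running the probe before the CNAME change exercises the new endpoint without touching production DNS; an `ssl.SSLCertVerificationError` means the endpoint is not serving a certificate valid for the production name.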
Hey :pmac am I good to flip the DNS at any time? If so I will put in a change request for today at 2pm PST if that works for you? Let me know, thanks!
Yes. You may flip the DNS switch at any time. Thanks!
Change Request: CHG0011379
DNS Flipped:
FQDN: www.contributejson.org
Target: CNAME www.contributejson.org.herokudns.com
:pmac are we good to close this bug out?
I think so. It seems to be working well. I'll disable the old SSL addon tomorrow. The work in this bug is done though. Thanks again!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
(In reply to Paul [:pmac] McLanahan from comment #9)
> I think so. It seems to be working well. I'll disable the old SSL addon
> tomorrow. The work in this bug is done though. Thanks again!
Cool deal, thanks man!
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard