Posts Tagged ‘heroku’

How to get a GoDaddy SSL certificate and set it up on Heroku

Friday, April 16th, 2010

Update: I was getting warnings on some browsers, and so I updated this post to include the gd_bundle.crt file when generating the .pem, as suggested here.

The first thing to do is go to GoDaddy and purchase a Standard SSL Certificate. This costs $30/year.

Then, starting from your app folder…

mkdir ../ssl-cert
cd ../ssl-cert
openssl genrsa -des3 -out host.key 2048

Enter a passphrase and remember it, because we’ll have to remove it later. That will generate a key file. Next we need to generate the certificate request:

openssl req -new -key host.key -out host.csr

You’ll have to enter your passphrase here and answer a few questions. Enter something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Diego
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:secure.yourapp.com
Email Address []:info@yourapp.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

I think it’s important you enter the domain you want to use the certificate on as Your Name. And Heroku’s Hostname Based Custom SSL only works on a subdomain like secure.yourapp.com or www.yourapp.com. If you want to use it on yourapp.com you have to pony up the $100/month for the IP-based solution.

Next, copy the contents of host.csr and paste them into GoDaddy’s form. Instructions to get to the form for requesting a certificate are here. They will give you a zip file to download. Copy it into your ../ssl-cert folder, and do:

unzip secure.yourapp.com.zip
cat secure.yourapp.com.crt gd_bundle.crt host.key > host.pem

Now we have to remove the passphrase:

openssl rsa -in host.pem -out nopassphrase.pem
openssl x509 -in host.pem >>nopassphrase.pem
openssl rsa -in host.key -out nopassphrase.key

And then activate SSL on Heroku:

cd ../yourapp
heroku ssl:add ../ssl-cert/nopassphrase.pem ../ssl-cert/nopassphrase.key
heroku addons:add custom_domains:basic
heroku domains:add secure.yourapp.com
heroku addons:add ssl:hostname

That last line will sign you up for a $20/month charge from Heroku. ECommerce ain’t cheap. Finally, you need to go to your DNS provider and create a CNAME pointing secure.yourapp.com at the Amazon EC2 domain that Heroku will have emailed you. It will be something.amazonaws.com.

After all of that, you should be able to go to https://secure.yourapp.com and see the nice little lock in the URL bar, with no scary warnings for your users. In my case, I’m still apparently serving some insecure items on the page (images, maybe?) but that’s a much lesser warning than the “get out of here now!” warning users get when you don’t have a proper certificate set up.
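
Before running heroku ssl:add, it is worth confirming that the key really has no passphrase, that it matches the certificate, and that the PEM carries the intermediates from gd_bundle.crt. The script below is an added example, not part of the original post; its function names are made up here, and the certificate it checks is a throwaway self-signed one generated on the spot in place of the GoDaddy-issued files.

```bash
#!/bin/bash
# Added example, not from the original post: checks to run on the two files
# before handing them to `heroku ssl:add`. Function names are made up here.

# The key file must hold a private key with no passphrase left on it.
key_is_unencrypted() {  # $1 = key file
    grep -q 'PRIVATE KEY-----' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# The certificate's public key must equal the one derived from the private key.
key_matches_cert() {  # $1 = PEM holding the certificate, $2 = key file
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Number of certificates in a PEM file; 1 means the gd_bundle.crt
# intermediates are not in it.
cert_count() {  # $1 = PEM file
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

check_upload() {  # $1 = PEM to upload, $2 = key to upload
    key_is_unencrypted "$2" || { echo "key still has a passphrase"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
    [ "$(cert_count "$1")" -ge 2 ] || { echo "intermediate bundle missing"; return 1; }
    echo "ok"
}

# Constructed sample input: a throwaway self-signed certificate stands in for
# the GoDaddy-issued one, and a copy of it stands in for gd_bundle.crt.
make_fixture() {  # $1 = empty working directory
    ( cd "$1" &&
      openssl genrsa -out host.key 2048 &&
      openssl genrsa -out other.key 2048 &&
      openssl rsa -in host.key -aes256 -passout pass:example -out locked.key &&
      openssl req -new -x509 -key host.key -subj "/CN=secure.yourapp.com" \
          -days 1 -out secure.yourapp.com.crt &&
      cp secure.yourapp.com.crt gd_bundle.crt &&
      cat secure.yourapp.com.crt gd_bundle.crt > chain.pem
    ) >/dev/null 2>&1
}

# Stand-alone run: build the fixture and check the matching pair (prints "ok").
dir=$(mktemp -d)
make_fixture "$dir" && check_upload "$dir/chain.pem" "$dir/host.key"
rm -rf "$dir"
```

Point check_upload at the files you actually pass to heroku ssl:add. openssl x509 writes only the first certificate it finds in its input, so take the count on the final PEM rather than on host.pem.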

Fast update to Heroku

Monday, March 1st, 2010

I find myself repeatedly committing changes and pushing them to Heroku, so I wrote this little shell script so I can do it in one command:

#!/bin/bash
git add .
git commit -m "$1"
git push heroku master

This way I can just run hero "made some changes" and my changes are committed and Heroku is updated.

datamapper + sinatra-authentication on heroku

Monday, March 1st, 2010

I’ve got a Sinatra app that was working fine locally, but giving this confounding error when on Heroku:

/usr/local/lib/ruby/site_ruby/1.8/rubygems.rb:280:in `activate': can't activate addressable (~> 2.0.2, runtime) for ["dm-core-0.9.11"], already activated addressable-2.1.1 for ["data_objects-0.9.11", "dm-core-0.9.11"] (Gem::LoadError)

The problem was that Heroku by default installs a relatively old version of DataMapper (0.9.something). The solution was just to specify some specific versions of things in a specific order in my gem manifest (.gems):

addressable --version 2.1.1
data_objects --version 0.10.1
do_postgres --version 0.10.1
dm-validations --version 0.10.2
dm-timestamps --version 0.10.2
dm-core --version 0.10.2
sinatra-authentication --version 0.2.3

Crazy that I have to go to such lengths, but it works!