Heroku And SSL: Fixing “This site’s security certificate is not trusted!” on Android and other devices

I recently received a report of SignalLeaf being “blacklisted” by Chrome. After a bit of panic, and asking twitter to see if the site was having issues, I got confirmation that Android phones and other devices / browsers were getting a security warning about the SSL certificate I had installed on SignalLeaf.


This sent me into a bit more of a panic, as I had no clue what was wrong or how to fix it. Time to start googling error messages and random combinations of words related to the services I’m using…

DNSimple, Heroku, RapidSSL And Certificate Chains

I use DNSimple for my domain name hosting (if you’re not using DNSimple, I feel sorry for you, having to put up with other services). I also use Heroku for hosting SignalLeaf. This is an epic combination of awesome when it comes to buying and setting up an SSL certificate. So awesome, in fact, that Heroku uses DNSimple as the canonical example of how to set up SSL in their help pages.

When you buy an SSL certificate through DNSimple, it is issued through a service called RapidSSL. This is a legit service, and the certs that you get are as good as any other cert. The “issue” that I ran into is that RapidSSL is not yet trusted on every browser and device around the world. They have not been around forever, and are not as big as some other certificate authorities, so they don’t have trusted status everywhere (yet). But like I said, they are legit, and they are certified by GeoTrust to prove their legit status.

Because RapidSSL is not a big name certificate authority, and because they are not yet trusted by every browser and device, you need to install a set of intermediate certificates on your server when you set up a RapidSSL certificate. This certificate “chain” provides the authority that older browsers and devices need in order to completely trust RapidSSL certificates.

Setting Up A Certificate Chain On Heroku

The Heroku help files show the basics of how to set up a chain of certificates by creating a “.pem” file – this is a group of certificates that form a certificate chain, concatenated into a single file. Heroku also recommends grabbing a specific PEM bundle for RapidSSL, but it doesn’t really say what to do with it.

After some additional digging and some help from the DNSimple people (have I mentioned how awesome they are?), I figured out that you need to install the PEM file with your certificate. Assuming you have a “server.crt” for your actual certificate, a “bundle.pem” file for the RapidSSL bundle, and a “server.key” for your server’s secret key, the command you want to run is this:

heroku certs:add server.crt bundle.pem server.key --app my-app-name

This will install the actual SSL certificate along with the RapidSSL bundle.pem file (from the link above), and verify everything with your server’s SSL key. (The --app my-app-name option is only needed if you are running this command from a folder that is not already tied to a Heroku app instance.)

Updating A Certificate Chain On Heroku

If you’ve already installed your certificate but you need to update the chain or the certificate itself, run certs:update instead of add.

heroku certs:update server.crt bundle.pem server.key --app my-app-name

This will update your app with the right certs and chain. Heroku will warn you that this is potentially destructive, so be sure you have the right certs lined up. Confirm the update and you should see an instant trust on your site certificates.

Fixing The “Key could not be read since it’s protected by a passphrase” Issue

Along the way to fixing my SSL certificate, I ran into this error message. I found a StackOverflow question that said this happens when you have an older version of the Heroku Toolbelt installed. It turns out I had an old one on my system Ruby version. I had installed the original Ruby Gems version of the Toolbelt a few years ago. For various reasons, my default Ruby version changed a while back, but I reset it to the system Ruby recently. Doing this caused the old Heroku Toolbelt to be the one in use on my system. To fix that problem, I had to uninstall the old toolbelt:

gem uninstall heroku-toolbelt

and then install the latest version of the toolbelt (through Homebrew in my case)

brew install heroku

Once I had the right version of the Heroku Toolbelt installed, the error went away and I was able to install the certificate chain.

This Is Still Easier Than It Used To Be

For as many problems as I had getting this fixed, this is still 1,000 times easier than it used to be. I remember the days when buying an SSL certificate cost several hundred dollars and required a verification process on your business in the United States. It took weeks, certificates were mailed to you (not email… actual mail), and installation / configuration of SSL often took hours or days. If you got something wrong in the initial configuration, you would have to start over. 

These days, with DNSimple and Heroku, buying and setting up an SSL certificate took me less than 1 hour total. It was only because of a mistake I made, not understanding the need for intermediate certificates, that I had these problems. Even with these problems and the few hours of research and troubleshooting, I am more than happy to have paid a small fee for the SSL certificate, and the monthly fee to host on Heroku with SSL.


About Derick Bailey

Derick Bailey is an entrepreneur, problem solver (and creator? :P ), software developer, screencaster, writer, blogger, speaker and technology leader in central Texas (north of Austin). He runs SignalLeaf.com - the amazingly awesome podcast audio hosting service that everyone should be using, and WatchMeCode.net where he throws down the JavaScript gauntlets to get you up to speed. He has been a professional software developer since the late 90's, and has been writing code since the late 80's. Find me on twitter: @derickbailey, @mutedsolutions, @backbonejsclass Find me on the web: SignalLeaf, WatchMeCode, Kendo UI blog, MarionetteJS, My Github profile, On Google+.
This entry was posted in DNSimple, Heroku, SignalLeaf, SSL.
  • Carl

    Good lesson learned, always check the chain!
    In the future, you can check with this:
    https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

    I know the link above says that your current chain won’t work with older browsers, but it is talking about truly ancient ones. So, trust the green check mark, keep your chain, and don’t encourage old browsers. Also, remember that by 2017 you’ll need to move to a SHA-2 cert, so don’t forget to update the chain by then (along with the cert).

    • http://mutedsolutions.com Derick Bailey

      I haven’t heard of the SHA-2 thing… got a link to info on that? Fortunately these certs are only 1 year, so it will be easy to update them as needed.

  • Matt Darby

    Bingo. Thanks!

  • Tyler

    Great intel, thanks so much!

    For others: you need to make sure everything is in the proper order for heroku certs:add server.crt bundle.pem server.key --app my-app-name, otherwise it won’t bundle properly and you’ll continue getting errors on mobile.

  • Nicolas Mondollot

    thanks!