Heroku And SSL: Fixing “This site’s security certificate is not trusted!” on Android and other devices
I recently received a report of SignalLeaf being “blacklisted” by Chrome. After a bit of panic, and asking twitter to see if the site was having issues, I got confirmation that Android phones and other devices / browsers were getting a security warning about the SSL certificate I had installed on SignalLeaf.
This sent me in to a bit more of a panic, as I had no clue what was wrong or how to fix it. Time to start googling error messages and random combinations of words related to the services I’m using…
DNSimple, Heroku, RapidSSL And Certificate Chains
I use DNSimple for my domain name hosting (if you’re not using DNSimple, I feel sorry for you, having to put up with other services). I also use Heroku for hosting SignalLeaf. This is an epic combination of awesome when it comes to buying and setting up an SSL certificate. So awesome, in fact, that Heroku uses DNSimple as the canonical example of how to set up SSL in their help pages.
When you buy an SSL certificate through DNSimple, it is issued through a service called RapidSSL. This is a legit service, and the certs that you get are as good as any other cert. The “issue” that I ran in to, is that RapidSSL is not yet trusted on every browser and device around the world. They have not been around forever, and are not as big as some other certificate authorities, so they don’t have trusted status everywhere (yet). But like I said, they are legit and they are certified by GeoTrust to prove their legit status.
Because RapidSSL is not a big name certificate authority, and because they are not yet trusted by every browser and device, yet, you need to install a set of intermediate certificates on your server, when you set up a RapidSSL certificate. This certificate “chain” provides the authority that older browsers and devices need, in order to completely trust RapidSSL certificates.
Setting Up A Certificate Chain On Heroku
The Heroku help files show the basics of how to set up a chain of certificates, by creating a “.pem” file – this is a group of certificates that form a certificate chain, concatenated in to a single file. Heroku also recommends grabbing a specific PEM bundle for RapidSSL, but it doesn’t really say what to do with it.
After some additional digging and some help from the DNSimple people (have I mentioned how awesome they are?), I figured out that you need to install the PEM file with your certificate. Assuming you have a “server.crt” for your actual certificate, a “bundle.pem” file for the RapidSSL bundle, and a “server.key” for your server’s secret key, the command you want to run is this:
heroku certs:add server.crt bundle.pem server.key --app my-app-name
This will install the actual SSL certificate along with the RapidSSL bundle.pem file (from the link above), and verify everything with your server’s SSL key. (The
--app my-app-name option is only needed if you are running this command from a folder that is not already tied to a Heroku app instance.)
Updating A Certificate Chain On Heroku
If you’ve already installed your certificate but you need to update the chain or the certificate itself, run certs:update instead of add.
heroku certs:update server.crt bundle.pem server.key –app my-app-name
This will update your app with the right certs and chain. Heroku will warn you that this is potentially destructive, so be sure you have the right certs lined up. Confirm the update and you should see an instant trust on your site certificates.
Fixing The “Key could not be read since it’s protected by a passphrase” Issue
Along the way to fixing my SSL certificate, I ran in to this error message. I found a StackOverflow question that said this happens when you have an older version of the Heroku Toolbelt installed. It turns out I had an old one on my system Ruby version. I had installed the original Ruby Gems version of the Toolbelt a few years ago. For various reasons, my default Ruby version changed a while back, but I reset it to the system ruby recently. Doing this caused the old Heroku Toolbelt to be the one in use on my system. To fix that problem, I had to uninstall the old toolbelt:
gem uninstall heroku-toolbelt
and then install the latest version of the toolbelt (through Homebrew in my case)
brew install heroku
Once I had the right version of the Heroku Toolbelt installed, the error went way and I was able to install the certificate chain.
This Is Still Easier Than It Used To Be
For as many problems as I had getting this fixed, this is still 1,000 times easier than it used to be. I remember the days when buying an SSL certificate cost several hundred dollars and required a verification process on your business in the United States. It took weeks, certificates were mailed to you (not email… actual mail), and installation / configuration of SSL often took hours or days. If you got something wrong in the initial configuration, you would have to start over.
These days, with DNSimple and Heroku, buying and setting up an SSL certificate took me less than 1 hour total. It was only because of a mistake that I made and not understanding the need for intermediate certificates that I had these problems. Even with these problems and the few hours of research and troubleshooting, I am more than happy to have paid a small fee for the SSL certificate, and the monthly fee to host on Heroku with SSL.