Automated Certificate Management
Last updated 21 March 2017
With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for all apps that have Hobby and Professional dynos on the Common Runtime. Certificates handled by ACM automatically renew before they expire, and new certificates are created automatically whenever you add or remove a custom domain. All applications with paid dynos include ACM for free.
Automated Certificate Management uses Let’s Encrypt, the free, automated, and open certificate authority for managing your application’s TLS certificates. Let’s Encrypt is run for the public benefit by the Internet Research Security Group (ISRG).
Enable Automated Certificate Management
ACM is enabled by default for all applications created after March 21, 2017 that are running on Hobby or Professional dynos. The following steps are for applications currently running on Free dynos, and for applications created before that date.
If your app is currently running on Free dynos, Automated Certificate Management is enabled automatically when you upgrade your app to use Hobby or Professional dynos:
$ heroku ps:resize web=1:Hobby
If your app is already running on Hobby or Professional dynos, you can enable ACM by running the following command:
$ heroku certs:auto:enable
When you enable this, you need to ensure your DNS is pointed at its new DNS target. If it’s pointed at
*.herokussl.com, Heroku is unable to verify your certificate. Run
heroku domains to verify the DNS target.
View your certificate status
It takes approximately 10 - 15 minutes to fully generate a TLS certificate for custom domains on your application. You can view the status of the certificate that is generated for all of your custom domains by running:
$ heroku certs:auto
If your certificate is currently being generated, you may see different states next to the custom domains on your application.
|OK||Everything looks normal.|
|Verified||Heroku verified all of your custom domain’s DNS and is in the process of generating the certificate.|
|Waiting||Heroku is currently waiting to process your certificate.|
|Failing||Heroku is unable to verify your DNS. We will keep trying to verify for another 6 hours. Please see this this troubleshooting section on how to address this.|
|Failed||Heroku is unable to verify your DNS. We have stopped trying to verify this domain. See [Troubleshooting](#troubleshooting) for help addressing this error.|
Providing your own TLS certificate
If you’d prefer to use a different type of TLS certificate, such as one from a different CA, a wildcard certificate, or an EV certificate, you can easily do so.
Simply upload your own certificate, following the steps listed in the Heroku SSL Dev Center article.
Providing your own certificate disables ACM for your application. If you want to re-enable ACM, you can run:
$ heroku certs:auto:enable
Turning off Automated Certificate Management
You can easily turn Automated Certificate Management off by running:
$ heroku certs:auto:disable
Migrating from SSL Endpoint
Due to limitations on how we verify your domain to generate a TLS certificate, you will need to manually upload a certificate before you are able to turn Automated Certificate Management on for your application, or else you risk serving unencrypted traffic. Please see this Dev Center article on how to manually upload your certificate.
heroku certs:auto shows “Failing” or “Failed” for any domain when you run
heroku certs:auto, it means Heroku was unable to verify DNS for a given domain. You need to verify that it is pointed to the correct DNS target as specified in
heroku domains. If your DNS is pointed at older DNS settings, such as
*.herokussl.com, Heroku will not be able to generate a certificate.
If ACM is unable to create a certificate for your domain, you receive a notification after three days of attempts. In most cases, this error occurs because DNS is not properly configured for your domain. After you resolve your DNS issue, run the following command to instruct ACM to try again:
$ heroku certs:auto:refresh
This removes your domain’s certificate and turns off ACM for your application. Removing your certificate with
heroku certs:remove also turns off ACM.
- Automated Certificate Management does not support applications that have over 100 custom domains.
- Automated Certificate Management does not support applications that have wildcard custom domains.
- Automated Certificate Management does not support the SSL Endpoint add-on.
- Automated Certificate Management is currently available for apps on the Common Runtime only. It is not yet available in Private Spaces.