Automated Certificate Management
Last updated July 16, 2021
Table of Contents
With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps with Hobby and Professional dynos on the Common Runtime, and for apps in Private Spaces that enable the feature.
Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add or remove a custom domain. All applications with paid dynos include ACM for free.
Automated Certificate Management uses Let’s Encrypt, the free, automated, and open certificate authority for managing your application’s TLS certificates. Let’s Encrypt is run for the public benefit by the Internet Security Research Group (ISRG).
Setup
Common Runtime
ACM is enabled by default for all Common Runtime apps created after March 21, 2017 that run on Hobby or Professional dynos. The following steps are for apps currently running on Free dynos, and for apps created before that date.
If your app is currently running on Free dynos, Heroku enables ACM automatically when you upgrade your app to use Hobby or Professional dynos:
$ heroku ps:resize web=hobby
If your app is already running on Hobby or Professional dynos, enable ACM with the following command:
$ heroku certs:auto:enable
When you enable ACM, ensure that your DNS is pointed at its new DNS target. If it’s pointed at *.herokuapp.com or *.herokussl.com, Heroku is unable to verify your certificate. Run heroku domains to verify the DNS target.
Private Spaces
If your app doesn’t currently have TLS certs, simply enable ACM and wait for the certificate to be provisioned:
$ heroku certs:auto:enable
If you already have manually uploaded TLS certs and want to migrate to ACM, follow the process outlined below.
1. Determine the name of your manually uploaded cert
$ heroku certs
Name Endpoint Common Name(s) Expires Trusted Type
──────────── ─────────────────────────────────────────────────────── ────────────────────── ──────────────────── ─────── ─────────────────
nagano-91606 <haiku>.<haiku>.herokuspace.com <common-name> 2018-08-13 11:05 UTC True SNI
2. Enable ACM for your app
$ heroku certs:auto:enable
Enabling Automatic Certificate Management... done
=== Your certificate will now be managed by Heroku. Check the status by running heroku certs:auto.
3. Wait for the ACM cert to be issued
Make sure to wait for this step to complete before proceeding. If you don’t, your app might experience downtime.
$ watch heroku certs:auto
4. Remove the manually added cert
Specify the cert name you found in step 1:
$ heroku certs:remove --name nagano-91606
View your certificate status
It usually takes between 45 and 60 minutes to generate a TLS certificate for your app’s custom domains. You can view the status of the generated certificate by running the following command:
$ heroku certs:auto
The process is complete when the certificate’s status is Cert Issued.
If your certificate’s status is DNS Verified, the process is not finished yet. Heroku has verified your domain status and is still in the process of submitting it to Let’s Encrypt.
All possible certificate generation statuses are listed below:
| Status | Description |
|---|---|
| Cert Issued | A certificate has been issued for the domain. |
| In Progress | Heroku is verifying your custom domain’s DNS. |
| DNS Verified | Heroku verified your custom domain’s DNS and is in the process of generating the certificate. |
| Waiting | Heroku is currently waiting to process your certificate. |
| Failing | Heroku is unable to verify your DNS. We will keep trying to verify for up to an hour. See Troubleshooting for help addressing this error. |
| Failed | Heroku is unable to verify your DNS. We have stopped trying to verify this domain. See Troubleshooting for help addressing this error. |
Providing your own TLS certificate
If you’d prefer to use a different type of TLS certificate, such as one from a different CA, a wildcard certificate, or an EV certificate, you can easily do so.
Simply upload your own certificate, following the steps listed in Heroku SSL.
Providing your own certificate disables ACM for your application. If you want to re-enable ACM, you can run the following command:
$ heroku certs:auto:enable
Turning off Automated Certificate Management
Do not turn off ACM with the intent of turning it back on immediately. This can cause your account to reach a rate limit with Let’s Encrypt.
You can turn off ACM by running the following command:
$ heroku certs:auto:disable
This removes your domain’s certificate and turns off ACM for your application. Removing your certificate with heroku certs:remove also turns off ACM.
Migrating existing applications
Migrating from Heroku SSL and Private Spaces with your own certificate
Automated Certificate Management uses the same DNS configuration as Heroku SSL (SNI) support. Enabling ACM for Private Space apps also doesn’t require DNS changes. Although it might take some time to verify your DNS configuration, your app will continue to serve your existing SSL certificate while verification is taking place. Your app should continue to remain available at your custom domain throughout the process.
Migrating from SSL Endpoint
Enabling Automated Certificate Management even while an SSL Endpoint is in use will generate an additional ACM certificate on your app for all Custom Domains. After the ACM certificate is successfully provisioned as described by this article, you can then update your Domains’ DNS to the Heroku SSL DNS target in order for requests to use the ACM issued certificate.
Since DNS propagation may take many hours, we recommend that you wait at least 24 hours before removing your SSL Endpoint add-on. You may also want to use a tool such as dnschecker.org to ensure that most of the world sees the updated DNS value before removing it. It is not possible to restore an SSL Endpoint add-on.
Troubleshooting
Do not turn off ACM in an attempt to fix or speed up the ACM process. This can cause your account to reach a rate limit with Let’s Encrypt.
Verification errors
If heroku certs:auto shows Failing or Failed for any domain when you run heroku certs:auto, it means Heroku was unable to verify DNS for a given domain. You need to verify that it is pointed to the correct DNS target as specified in heroku domains. The DNS targets will be in the format <your-domain>.herokudns.com.
If your DNS is pointed at older DNS settings, such as *.herokuapp.com or *.herokussl.com, Heroku will not be able to generate a certificate.
If ACM is unable to create a certificate for your domain, you receive a notification after three days of attempts. In most cases, this error occurs because DNS is not properly configured for your domain. After you resolve your DNS issue, run the following command to instruct ACM to try again:
$ heroku certs:auto:refresh
Failure reasons
There are a number reasons why issuing a certificate might fail. A failure reason may be included in a notification email or in the CLI.
CN exceeding 64 character limit
Domain names can not exceed 64 characters.
Incorrect DNS settings
Your DNS record is not set up properly.
Review this document and ensure that your DNS records are set up correctly.
If your domain fails DNSSEC (DNS Security Extensions) verification, you can encounter this error.
You can also encounter this error if your Private Space app does not have a web dyno running.
Unable to resolve DNS for domain
The error is typically encountered when a DNS name hasn’t yet propagated to DNS providers. Heroku’s ACM feature checks for the availability of your domain in Google’s DNS (8.8.8.8).
Please check that your domain is available in Google’s DNS and that there are no typos in your entry.
CDN not returning HTTP challenge
Heroku ACM is attempting to to verify that the HTTP challenge file is being returned, but is encountering a 404 error. This typically happens when you are pointing your domain at a CDN, rather than the Heroku provided DNS target, and the HTTP challenge file does not exist on the CDN.
This typically happens with AWS CloudFront.
DNS redirect not forwarding path
Heroku ACM is attempting to to verify that the HTTP challenge file is being returned, but your DNS provider is not returning the full path of the file location.
If your DNS provider does not support forwarding paths, you may need to change DNS providers. Some providers, such as Google Domains, offer the ability to turn on or off path forwarding — by default this is turned “off” for Google Domains.
Incorrect CNAME target
This error is encountered when your DNS record specifies app-name.herokuapp.com as the target for the CNAME rather than the provided DNS target. Update your DNS record to point at the correct DNS target.
To get the correct DNS target, run heroku domains.
Rate limited
ACM failed because there have been too many requests to issue a certificate for the domain(s) on this app within a 7-day interval. Heroku support is unable to bypass this rate limit, because it is set by Let’s Encrypt. You may encounter a rate limit when you enable and disable ACM on your app repeatedly.
Note that ACM for domains on other apps are not affected by this error (i.e., a rate limit on one app does not impact ACM on another app with a different domain).
You can figure out when the rate limit will end by running:
$ heroku certs:auto
After the rate limit period has ended, you can try issuing a certificate again by running:
$ heroku certs:auto:refresh
DNS provider timed out
Heroku attempted to verify your DNS record, but your DNS provider timed out. Run heroku certs:auto:refresh to try again.
Strict TLS in CDN not supported
You are attempting to use Cloudflare with ACM, but don’t have it configured correctly.
Heroku recommends against using ACM with Cloudflare, because Cloudflare provides SSL certificates. To disable ACM on your app, run heroku certs:auto:disable.
For more information, check out Cloudflare’s “Configuring Cloudflare and Heroku over HTTPS” documentation.
DNS provider doesn’t support CAA
Let’s Encrypt returned an error that your DNS provider does not support Certificate Authority Authorization (CAA) records.
Contact your DNS provider for more information on CAA support. Learn more about CAA records.
CAA record prevents issuance
The CAA record prevents certificates from being issued by Let’s Encrypt.
Add a CAA record that allows Let’s Encrypt to issue certificates for the domain. Learn more about CAA records.
Domain record does not exist
Let’s Encrypt has returned a NXDOMAIN error, which means the domain record does not exist in your DNS provider.
To fix this error, please make sure that your domain name was entered correctly and the DNS record for the domain contains the right CNAME.
Domain considered unsafe
Let’s Encrypt checks domains against Google’s Safe Browsing API and will not issue certificates for domains considered unsafe.
Check the status of your domain by visiting this URL: http://www.google.com/safebrowsing/diagnostic?site=http://yourdomainhere.com/
Let’s Encrypt domain blocklist
You have requested a certificate for a domain on Let’s Encrypt’s domain blocklist. Typically, well-known domains are on this blocklist as an additional security measure to prevent unauthorized certificate creation.
Contact Let’s Encrypt on their Community Support forum.
Alternatives to ACM
If you want to automatically renew a wildcard certificate or use a different CA, Heroku add-ons such as SSL FastTrack or ExpeditedSSL might serve your use case.
Known limitations
- Custom Domains can not be longer than 64 characters.
- ACM does not support applications that have over 100 custom domains (this limitation will soon be removed with new ACM system).
- ACM does not support applications that have wildcard custom domains.
- ACM does not support the SSL Endpoint add-on.
- ACM doesn’t work for apps in Private Spaces that used Trusted IPs to block access.
- Private Space apps must have at least one running
webdyno for initial validation and renewals to work - When ACM is enabled the Let’s Encrypt HTTP challenge URLs (
/.well-known/acme-challenge/*) are handled by the Heroku Platform, redirected away from your app. If you require use of these paths on your app you must disable ACM. - ACM does not support IPv6 AAAA DNS records