This add-on is operated by Expedited Security
SSL Certificates As A Service.
Last updated 23 March 2019
Table of Contents
While you can manually purchase and install a SSL certificate from almost any provider that will work with Heroku, the process requires aligning versions and configurations of your local OpenSSL, CSR setup, certificate chaining and domain registration.
It’s trivially easy to mess up an early step in the process and not realize anything has gone wrong until you are presented with an extremely vague error message during a later stage of the installation.
The Expedited SSL add-on combines all of the manual steps into a repeatable process that can be executed very rapidly so that no details are missed, and that insures your site is correctly protected.
Expedited SSL works with all Heroku stacks, application languages and development environments.
Provisioning and configuring the add-on
Add the add-on to your application
Expedited SSL can be attached to a Heroku application via the CLI:
A list of all plans available can be found here.
$ heroku addons:create expeditedssl -----> Adding expeditedssl to sharp-mountain-4005... done, v18 (free)
Once Expedited SSL has been added, you will need to configure it for your specific app-instance.
From your app’s Resource Page, click the ‘Expedited SSL’ link under the ‘Add-ons’ section.
You’ll be asked to allow the Expedited SSL add-on access to your Heroku instance. This is a security measure to keep configuration access to your application as restricted as possible.
The add-on needs access to:
- Check that the Heroku SSL Endpoint is configured
- Read what Domains are attached to your application
- Install the actual SSL Certificate
- Verify that DNS Settings are correct post installation
After you have granted access to the add-on, you’ll answer a few questions about what domain and what admin information you’d like associated with the SSL Certificate.
NOTE: Expedited SSL works with your Heroku SSL Endpoint. If one is not already a part of your application, one will be added at its base monthly cost.
Approve SSL generation request
Successfully completing the Certificate Request form will trigger an email to be sent to one of your domain contacts (emails listed on the domain registration).
This email will contain a link to a confirmation form where you must click ‘I Approve’.
This approval process is similar to a password-reset email where the ability to read email from a domain associated account is considered proof that you really do control the domain.
DNS configuration checks
After the SSL Certificate is installed, we’ll check that the domain you specified is now pointing to the correct Heroku SSL Endpoint and that no leftover DNS Settings are interfering with your new configuration.
Monitoring & logging
Stats and the current state of Expedited SSL can be displayed via the CLI.
$ heroku expeditedssl:command example output
Expedited SSL activity can be observed within the Heroku log-stream: <!– by describe add-on logging recognition, if any. –>
$ heroku logs -t | grep 'expeditedssl pattern'
If you don’t receive the emails within an hour of completing the actions you should check your spam folder as the repetitive nature of the emails frequently gets them incorrectly marked as ‘spam’.
If you are using GMail, the emails typically are auto-sorted into the ‘Updates’ or ‘Promotions’ tabs.
If you still are unable to receive the email, please contact firstname.lastname@example.org
Migrating between plans
Due to the immutable nature of issued SSL Certificates, it is not possible to migrate between the single and wildcard plans.
Removing the add-on
Expedited SSL can be removed via the CLI.
This will remove the SSL Certificate from your application
$ heroku addons:destroy expeditedssl -----> Removing expeditedssl from sharp-mountain-4005... done, v20 (free)
Before removing Expedited SSL, you should switch your DNS Settings back to their non-SSL settings.