This add-on is operated by Remora
SSL Certs Purchased and Installed Quick and Easy – No Endpoint Required
Last updated March 15, 2021
Table of Contents
Adding SSL to your application is now a simple, painless process thanks to SSL FastTrack. We handle the SSL certificate provisioning, the private key generation, as well as all the other steps needed to securely acquire an SSL certificate.
Getting started with SSL FastTrack is easy, and you should have a certificate for your domain within a matter of minutes.
SSL FastTrack requires two things of your app. First, the app must have at least one custom domain. Second, the app needs to be running web dyno(s) at the Hobby tier or above.
Your app must be running either Hobby or Professional web dynos. Currently, Free web dynos are not supported by Heroku for use with a custom SSL certificate.
About SNI with SSL
Because SSL FastTrack leverages SNI for SSL termination, there are some restrictions in browser compatibility in rare instances. SNI stands for Server Name Indication (SNI), and it is an extension of the TLS protocol, which is widely supported in modern browsers. If you have questions about SNI and older browser compatibility, please check the minimum supported browser versions section in Heroku’s SSL Dev Center article.
Provisioning SSL FastTrack
Add the add-on to your application
To see what SSL FastTrack plans are available, visit our Heroku Elements page.
To provision the add-on, simply run this command:
For a single domain-validated cert:
$ heroku addons:create sslfasttrack:single --app <app_name> Creating <app_name>-12345... done, (free) Adding <app_name>-12345 to <app_name>... done Setting SSLFASTTRACK_ID and restarting <app_name>... done, v3 Use `heroku addons:docs sslfasttrack` to view documentation.
For a wildcard (*.domain.com) cert:
$ heroku addons:create sslfasttrack:wildcard --app <app_name> Creating <app_name>-12345... done, (free) Adding <app_name>-12345 to <app_name>... done Setting SSLFASTTRACK_ID and restarting <app_name>... done, v3 Use `heroku addons:docs sslfasttrack` to view documentation.
Once finished, you’ll be able to complete the remainder of the process via the Heroku Dashboard or by running:
$ heroku addons:open sslfasttrack --app <app_name> Opening https://addons-sso.heroku.com/apps/...
You must grant access for the add-on to access your application. This allows us to perform the work necessary for provisioning and installing your SSL certificate.
The Prerequisites page verifies your app is ready for a custom SSL certificate.
Select URL for SSL
You must select the primary SSL URL for your application. If the URL you wish to run SSL on is not listed, be sure and add it to your application via the Settings screen.
SSL FastTrack is not currently allowed on apex (also known as root or naked) domains. To complete the SSL install, you must be able to CNAME your DNS record to a Heroku-provided subdomain. Due to how DNS works, CNAME entries are not compliant with apex domains. We recommend using a subdomain attached to your Heroku app for your SSL-secured address. If you do not currently have a subdomain on your app that you would like to use, we suggest adding one via the app’s dashboard and then refreshing the SSL FastTrack “Select URL” page to pick up the new subdomain.
For security purposes, SSL certificates require domain ownership verification. This can be done using one of two options.
Option one is verification by an email address associated with your domain registration. The list of addresses will be comprised of emails from when your domain was registered along with an approved set of common admin emails. Depending on your registration, you may not recognize or have access to any of them. If you don’t recognize any of them, we suggest you try option two.
Option two is verification by creation of a DNS CNAME entry for your domain. Using this option is generally easier, provided you are comfortable creating CNAME records for your domain.
Just remember, the domain ownership verification process is part of what makes SSL SECURE and prevents someone not authorized from mimicking you online.
Once a verification method has been chosen, we are unable to change it.
Depending on the verification method chosen, this step will require you to either look for an email or create a DNS entry.
If you chose email verification, the certificate authority will send an email to the address selected in the previous step. You must open the email, click the attached link, and click the “I Approve” button on the site that opens.
If you chose DNS verification, you will be presented with details on the CNAME record that must be created for your domain.
Once the verification process is complete, the certificate will be generated and our system will install it. Click the “Check Status” button and we will verify the certificate has been issued and installed.
It typically only takes a few minutes after verifying the order for the Check Status button to show the certificate is issued. If it takes more than 15 minutes, your order has likely been flagged by the certificate authority for manual review which can take up to 12 hours to complete. We save your progress throughout the installation process so you can return and check later. If urgent, send us an email at firstname.lastname@example.org and we can request that the CA expedite your review.
Once your certificate has been installed, you must update your DNS settings. We display the DNS entry currently set and what you need to update your settings to.
Once updated, click the Verify DNS button to continue and we will re-check your settings to verify they are correct.
DNS changes can take time to update over the Internet. We check against the authoritative name servers for your domain to minimize this time, but in rare cases it could take an hour or more depending on your registrar and domain settings.
Migrating Between Plans
Due to the nature of how SSL works, it’s not possible to migrate between different levels of plans.
Removing SSL FastTrack
To remove the add-on, run this command:
$ heroku addons:destroy sslfasttrack --app <app_name> ! WARNING: Destructive Action ! This command will affect the app: <app_name> ! To proceed, type "<app_name>" or re-run this command with --confirm <app_name>
This will remove your SSL certificate. You may need to install a new certificate or update your DNS settings depending on your application to continue access.
If you have questions, please contact us by opening a support ticket at help.heroku.com. Any non-support related issues or feedback are welcome at SSLFastTrack.com or by emailing email@example.com.