Reputation: 741
I am wondering if this is an issue on our end or Heroku's end. I installed the SSL add-on ($20/month) and got an SSL cert through my university's IT department (I changed the names of some details, but you get the idea). I followed the steps listed here: https://devcenter.heroku.com/articles/ssl-endpoint
I am getting an error in Chrome that says "Your connection is not private" (NET::ERR_CERT_COMMON_NAME_INVALID). It also says: "This server could not prove that it is mydomain.edu; its security certificate is from *.herokuapp.com. This may be caused by a misconfiguration or an attacker intercepting your connection."
I've checked my CSR and it has mydomain.edu as the CN, and I've checked the email that came from my school's IT department, and it says mydomain.edu.
When I run the heroku certs command I get the following:
$ heroku certs
Endpoint                   Common Name(s)  Expires               Trusted
-------------------------  --------------  --------------------  -------
tokyo-13550.herokussl.com  mydomain.edu    2019-04-14 23:59 UTC  True
The only thing I can see wrong is the CNAME record. I believe the endpoint changed when I added SSL:
$ heroku certs:add cert.cer private.key --app myapp
Resolving trust chain... done
Adding SSL Endpoint to myapp... done
myapp now served by tokyo-13550.herokussl.com
Certificate details:
Common Name(s): mydomain.edu
Expires At: 2019-04-14 23:59 UTC
Issuer: /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
Starts At: 2016-04-14 00:00 UTC
Subject: /C=US/postalCode=myzip/ST=mystate/L=mycity/street=myaddress/O=myorganization/OU=Certificate Management/CN=mydomain.edu
SSL certificate is verified by a root authority.
I was initially running the app without SSL, and we set up a CNAME record pointing at this endpoint:
us-east-1-a.route.herokuapp.com
I believe that if we update the CNAME record from the US one to the Tokyo one, the SSL issue will be solved; my IT department believes I installed the cert wrong, or that it is using the old cert, since it says *.herokuapp.com instead of referencing mydomain.edu.
Upvotes: 4
Views: 1433
Reputation: 1118
Heroku's decisions regarding dynos, scalability, and high availability have a direct impact on how you may configure and operate your service. Those decisions have particular impact when it comes to SSL and HTTPS.
First, if you really did acquire a cert for mydomain.edu without a subdomain, you should read this reference for configuring root domains, and inquire with your University staff whether they have support for this. (I would expect they do not.) The rest of this advice will assume that you are attempting to secure a subdomain.
The error you are getting indicates that the CNAME has not been updated. All apps at herokuapp.com use an SSL cert owned, managed, and provisioned by Heroku for their customers' use. Inspecting the CNAME record should be sufficient to show that the domain in question is delegating to this "public" tier of SSL provisioning.
The documentation to which you should specifically refer is here. When you provision the paid SSL endpoint service at Heroku, it alters your application's runtime environment such that it is no longer serviced by the same network that powers the public tier. As such, you do receive a new domain to CNAME to in order to provide SSL service. You can explain to your IT staff that the process puts your application on a new machine.
Because you elide the domain name in question, we can't verify ourselves that you have installed the certificate correctly, but it appears to me that you have followed the documentation.
Upvotes: 0
Reputation: 741
In case anyone else runs into something similar: it was the CNAME that needed to be updated. The IT person I was working with tried hardcoding the new CNAME in his /etc/hosts file and was getting the correct SSL cert.
Upvotes: 0
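The diagnosis in the accepted reasoning above (the cert uploaded via certs:add is fine; the *.herokuapp.com cert Chrome sees means DNS still routes to Heroku's shared tier) and the /etc/hosts test in the follow-up can both be reproduced in a small script. The following is an added example, not code from the question, the answers, or Heroku: it implements browser-style hostname matching against a certificate's names and turns the two observations (where the CNAME points, which names the served cert carries) into one verdict. Host names are the asker's placeholders; the SAN list on the uploaded cert is assumed, and mydomain.edu is treated as a subdomain so that the apex-CNAME caveat from the answer is set aside. The presented_cert helper performs the live check and needs network; the rest runs offline.

```python
"""Reproduce the thread's diagnosis: does the DNS CNAME point at the SSL
endpoint, and does the certificate actually served cover the requested host?
Added example, not code from the question or answers."""
import socket
import ssl
from typing import Iterable, List, Optional, Tuple

# Constructed from the thread (the asker's placeholders; the SAN list on the
# uploaded certificate is an assumption, the thread only shows its CN).
HOST = "mydomain.edu"
OLD_CNAME = "us-east-1-a.route.herokuapp.com"   # pre-SSL routing target
SSL_ENDPOINT = "tokyo-13550.herokussl.com"      # target printed by certs:add
SHARED_CERT = ("*.herokuapp.com", ["*.herokuapp.com", "herokuapp.com"])
UPLOADED_CERT = ("mydomain.edu", ["mydomain.edu"])


def host_matches_name(hostname: str, pattern: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard that is the whole
    leftmost label and covers exactly one label.  *.herokuapp.com therefore
    matches myapp.herokuapp.com but not herokuapp.com, a.b.herokuapp.com or
    mydomain.edu, which is precisely what Chrome's error reports."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # partial or non-leftmost wildcards are not honoured
    h_labels, p_labels = hostname.split("."), pattern.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers_host(hostname: str, subject_cn: Optional[str],
                     sans: Iterable[str]) -> bool:
    """Browsers match against the subjectAltName dNSName entries; the subject
    CN is only consulted when the certificate carries no SAN at all."""
    sans = list(sans)
    if sans:
        return any(host_matches_name(hostname, name) for name in sans)
    return subject_cn is not None and host_matches_name(hostname, subject_cn)


def diagnose(hostname: str, cname_target: str, ssl_endpoint: str,
             subject_cn: Optional[str], sans: Iterable[str]) -> str:
    """Combine the DNS observation and the TLS observation into one verdict."""
    on_endpoint = (cname_target.lower().rstrip(".")
                   == ssl_endpoint.lower().rstrip("."))
    covered = cert_covers_host(hostname, subject_cn, sans)
    if on_endpoint and covered:
        return "ok"
    if not on_endpoint:
        # Traffic still reaches Heroku's shared tier, which can only present
        # the *.herokuapp.com certificate, whatever was uploaded via certs:add.
        return "cname-not-updated"
    # DNS is right but the endpoint serves a cert that does not name the host:
    # the "installed the cert wrong" theory from the IT department.
    return "cert-mismatch-at-endpoint"


def presented_cert(hostname: str, connect_to: Optional[str] = None,
                   port: int = 443) -> Tuple[Optional[str], List[str]]:
    """Live check (needs network): fetch the leaf certificate served for
    `hostname`, sent as SNI.  The chain is verified against the system trust
    store, but hostname checking is left to cert_covers_host so a mismatch is
    reported rather than raised.  `connect_to` talks to a different server
    (for example the new endpoint) while still asking for `hostname`: the same
    test as the /etc/hosts override in the thread, without editing DNS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_to or hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return subject.get("commonName"), sans


if __name__ == "__main__":
    # Offline replay of the thread: before and after repointing the CNAME.
    for label, cname, (cn, sans) in [("before", OLD_CNAME, SHARED_CERT),
                                     ("after", SSL_ENDPOINT, UPLOADED_CERT)]:
        print(label, "->", diagnose(HOST, cname, SSL_ENDPOINT, cn, sans))
    # Live equivalents once DNS and the endpoint are real:
    #   cn, sans = presented_cert(HOST)                           # via DNS
    #   cn, sans = presented_cert(HOST, connect_to=SSL_ENDPOINT)  # bypass DNS
```

Two practical points the script encodes: the verdict depends on which names the served certificate carries, so always fetch the cert with SNI set to the public hostname (Heroku's endpoints select the certificate by SNI), and connecting straight to the endpoint with connect_to is a cleaner pre-flight than a hosts-file edit because it leaves the tester's resolver untouched.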