Heroku SSL for Phoenix application

I have my own .crt and .key file in my priv/keys/ folder.


I have these two files in my git repository, and I’m calling it from my prod.exs file.

However, I’m getting an eacces error and my app crashes.

16:20:08.079 [error] Failed to start Ranch listener MyApp.Web.Endpoint.HTTPS in :ranch_ssl:listen([certfile: ‘/app/_build/prod/lib/my_app/priv/keys/production.crt’, keyfile: ‘/app/_build/prod/lib/my_app/priv/keys/production.key’, port: 443]) for reason :eacces (permission denied)

Does anyone know how to use custom keys/certs for Heroku SSL?

Heroku uses a reverse proxy in front of you application server.

So you have to add the certs etc to heroku and not to your phoenix app, believe they offer automated ssl certs nowadays, so consider just using that.

otherwise read this one on how to add the certs https://devcenter.heroku.com/articles/ssl

1 Like

Potential security concern?

1 Like

Definitely! I removed them, I just wanted to test something out.

I think I have it handled now, the https URL works if I remove this from my endpoint configuration:

force_ssl: [rewrite_on: [:x_forwarded_proto]]

The problem is that http works as well.

If I add it back in, I get this when I visit http and https:

my-app.com redirected you too many times.

Does anything jump out at you guys?

# prod.exs
config :my_app, MyApp.Web.Endpoint,
  on_init: {MyApp.Web.Endpoint, :load_from_system_env, []},
  http: [port: {:system, "PORT"}],
  url: [scheme: "https", host: "myapp.com", port: 443],
  force_ssl: [rewrite_on: [:x_forwarded_proto]],
  cache_static_manifest: "priv/static/cache_manifest.json",
  secret_key_base: System.get_env("SECRET_KEY_BASE")

I assume host: "myapp.com", and my-app.com is identical(no hyphen) and configured correctly…

then it could be an issue with your dns setup, are you using the root domain (eg no www) - and is the dns correctly setup for ALIAS/ANAME? if your dns does root redirect (to www) make sure it’s to https.

Yes those values are set correctly, good catch. I just changed the name here for privacy.

It does seem like a DNS issue. I’ll check that out.

I do have exactly the same config for an app running on Heroku.

Could there be some sort of http>https redirection happening on a DNS-level? I would check your DNS provider in case there are some redirection rules being applied.

Edit: Ah, I’m too slow — looks like you figured that out already… :laughing:

It was a DNS setting that ultimately fixed the issue.

Would-be Googler’s, make sure you redirect from http to http at the DNS level when hosting on Heroku.

not sure that is sound advice.

I believe you have your dns provider doing root redirection to www?

To dynamically redirect to the host of the current request,:host must be set nil

so trying setting host: to nil or removing it all together from the config. (or use “www.myapp.com” though “myapp.com” should work as well)

1 Like

You were right. I added back the force_ssl and configured my DNS properly.

1 Like

FWIW I use Cloudflare and have a rule to always redirect http > https for my Heroku app, works with no issues.

Using cloudflare means that many people will not be able to access your site though, it is blocked in a lot of places (as has been talked about on these forums since Elixir’s site goes through cloudflare, hence why I mirror it). Fastly too.