sergio
July 11, 2017, 4:26pm
1
I have my own .crt and .key file in my priv/keys/ folder.
priv/keys/production.crt
priv/keys/production.key
I have these two files in my git repository, and I’m calling it from my prod.exs file.
However, I’m getting an eacces error and my app crashes.
16:20:08.079 [error] Failed to start Ranch listener MyApp.Web.Endpoint.HTTPS in :ranch_ssl:listen([certfile: '/app/_build/prod/lib/my_app/priv/keys/production.crt', keyfile: '/app/_build/prod/lib/my_app/priv/keys/production.key', port: 443]) for reason :eacces (permission denied)
Does anyone know how to use custom keys/certs for Heroku SSL?
outlog
July 11, 2017, 5:01pm
2
Heroku uses a reverse proxy in front of your application server.
So you have to add the certs etc. to Heroku and not to your Phoenix app. I believe they offer automated SSL certs nowadays, so consider just using that.
Otherwise, read this one on how to add the certs: https://devcenter.heroku.com/articles/ssl
1 Like
Potential security concern?
1 Like
sergio
July 11, 2017, 5:19pm
4
Definitely! I removed them, I just wanted to test something out.
sergio
July 11, 2017, 5:21pm
5
I think I have it handled now, the https URL works if I remove this from my endpoint configuration:
force_ssl: [rewrite_on: [:x_forwarded_proto]]
The problem is that http works as well.
If I add it back in, I get this when I visit http and https:
my-app.com redirected you too many times.
Does anything jump out at you guys?
# prod.exs
config :my_app, MyApp.Web.Endpoint,
  on_init: {MyApp.Web.Endpoint, :load_from_system_env, []},
  http: [port: {:system, "PORT"}],
  url: [scheme: "https", host: "myapp.com", port: 443],
  force_ssl: [rewrite_on: [:x_forwarded_proto]],
  cache_static_manifest: "priv/static/cache_manifest.json",
  secret_key_base: System.get_env("SECRET_KEY_BASE")
outlog
July 11, 2017, 6:02pm
6
I assume host: "myapp.com" and my-app.com are identical (no hyphen) and configured correctly…
Then it could be an issue with your DNS setup. Are you using the root domain (e.g. no www), and is the DNS correctly set up for ALIAS/ANAME? If your DNS does root redirect (to www), make sure it’s to https.
sergio
July 11, 2017, 6:03pm
7
Yes those values are set correctly, good catch. I just changed the name here for privacy.
It does seem like a DNS issue. I’ll check that out.
svilen
July 11, 2017, 6:04pm
8
I do have exactly the same config for an app running on Heroku.
Could there be some sort of http>https redirection happening on a DNS-level? I would check your DNS provider in case there are some redirection rules being applied.
Edit: Ah, I’m too slow — looks like you figured that out already…
sergio
July 11, 2017, 6:13pm
9
It was a DNS setting that ultimately fixed the issue.
Would-be Googlers, make sure you redirect from http to http at the DNS level when hosting on Heroku.
outlog
July 11, 2017, 6:18pm
10
sergio:
…
Not sure that is sound advice.
I believe you have your DNS provider doing root redirection to www?
To dynamically redirect to the host of the current request, :host must be set nil
http://www.phoenixframework.org/docs/configuration-for-ssl
So try setting host: to nil or removing it altogether from the config (or use "www.myapp.com", though "myapp.com" should work as well).
1 Like
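A small model of the redirect chain discussed in this thread, added here as an illustration; it is not code from any post or from Phoenix. It assumes, as asked above but not confirmed in the thread, that the DNS provider forwards the root domain to www; the hostnames, the forwarding rules and the helper names are all constructed.

```python
from urllib.parse import urlsplit

# Constructed sample data: hostnames and forwarding rules are illustrative only.
ROOT_TO_HTTP_WWW = {"myapp.com": "http://www.myapp.com"}    # forwarding drops TLS
ROOT_TO_HTTPS_WWW = {"myapp.com": "https://www.myapp.com"}  # forwarding keeps TLS

def app_force_ssl(url, force_ssl_host):
    """Model of force_ssl behind the proxy: plain http is redirected to https.
    force_ssl_host=None stands for host: nil (reuse the host of the request)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None  # already secure, the app serves the page
    return f"https://{force_ssl_host or parts.hostname}{parts.path or '/'}"

def dns_forwarding(url, rules):
    """Hypothetical DNS-provider URL forwarding: hostname -> target origin."""
    parts = urlsplit(url)
    target = rules.get(parts.hostname)
    return f"{target}{parts.path or '/'}" if target else None

def trace(start, rules, force_ssl_host, max_hops=10):
    """Follow redirects hop by hop; return (chain, 'ok' or 'loop')."""
    chain, url = [start], start
    for _ in range(max_hops):
        nxt = dns_forwarding(url, rules) or app_force_ssl(url, force_ssl_host)
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        if chain.count(nxt) > 1:
            return chain, "loop"
        url = nxt
    return chain, "loop"

def downgrades(chain):
    """Hops that move from https back to http (worth flagging on their own)."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if a.startswith("https://") and b.startswith("http://")]

if __name__ == "__main__":
    for label, rules, host in [
        ("fixed host, http forwarding", ROOT_TO_HTTP_WWW, "myapp.com"),
        ("fixed host, https forwarding", ROOT_TO_HTTPS_WWW, "myapp.com"),
        ("host: nil, http forwarding", ROOT_TO_HTTP_WWW, None),
    ]:
        chain, outcome = trace("http://myapp.com/", rules, host)
        print(f"{label}: {outcome}: {' -> '.join(chain)}")
```

In this model the loop appears only when a fixed force_ssl host is combined with forwarding that sends visitors back to plain http; either change suggested in the thread (forwarding to https, or host: nil) ends the chain on an https URL.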
sergio
July 11, 2017, 9:13pm
11
You were right. I added back the force_ssl and configured my DNS properly.
1 Like
svilen
July 12, 2017, 10:43am
12
FWIW I use Cloudflare and have a rule to always redirect http > https for my Heroku app, works with no issues.
Using Cloudflare means that many people will not be able to access your site though, it is blocked in a lot of places (as has been talked about on these forums since Elixir’s site goes through Cloudflare, hence why I mirror it). Fastly too.