[WIP] let's encrypt heroku integration #360

Closed
phoet opened this issue Dec 28, 2017 · 13 comments

@phoet
Member

phoet commented Dec 28, 2017

in order to support full SSL via heroku, there need to be some changes to the dns setup.

i'm currently checking it out for the onruby.eu domains so that we can use them as a blueprint for all other domains.

@phoet
Member Author

phoet commented Dec 28, 2017

point the CNAME to DOMAIN.herokudns.com so for www.onruby.eu it is www.onruby.eu.herokudns.com

phoet removed their assignment Dec 28, 2017
@phoet
Member Author

phoet commented Dec 28, 2017

please take care of your custom domain DNS settings as seen above

→ heroku certs:auto
=== Automatic Certificate Management is enabled on onruby

Certificate details:
Common Name(s): berlin.onruby.eu
                bonn.onruby.eu
                bremen.onruby.eu
                cologne.onruby.eu
                dresden.onruby.eu
                hamburg.onruby.eu
                innsbruck.onruby.eu
                karlsruhe.onruby.eu
                leipzig.onruby.eu
                madridrb.onruby.at
                madridrb.onruby.eu
                munich.onruby.eu
                railsgirlshh.onruby.eu
                saar.onruby.eu
                www.onruby.at
                www.onruby.eu
Expires At:     2018-03-28 12:09 UTC
Issuer:         /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Starts At:      2017-12-28 12:09 UTC
Subject:        /CN=berlin.onruby.eu
SSL certificate is verified by a root authority.

Domain                  Status
──────────────────────  ────────────
rugsaar.de              Failing
dresden.onruby.de       Failing
innsbruck.onruby.eu     DNS Verified
railsgirlshh.onruby.de  Failing
colognerb.de            Failing
onruby.de               Failing
bonn.onruby.de          Failing
innsbruck-rb.at         Failing
madridrb.onruby.eu      DNS Verified
madridrb.onruby.at      Failing
cologne.onruby.de       Failing
berlin.onruby.de        Failing
leipzig.onruby.de       Failing
www.onruby.eu           DNS Verified
karlsruhe.onruby.de     Failing
rug-b.de                Failing
saar.onruby.eu          DNS Verified
onruby.at               Failing
railsgirlshh.onruby.eu  DNS Verified
bremen.onruby.de        Failing
innsbruck-ruby.at       Failing
berlin.onruby.eu        DNS Verified
hamburg.onruby.eu       DNS Verified
www.koelschrb.de        Failing
madridrb.com            Failing
www.madridrb.com        Failing
onruby.eu               Failing
hamburg.onruby.de       Failing
www.rugsaar.de          Failing
munich.onruby.de        Failing
cologne.onruby.eu       DNS Verified
madridrb.onruby.de      Failing
bremen.onruby.eu        DNS Verified
leipzig.onruby.eu       DNS Verified
bonn.onruby.eu          DNS Verified
www.innsbruck-ruby.at   Failing
koelschrb.de            Failing
www.onruby.de           Failing
innsbruck.onruby.de     Failing
karlsruhe.onruby.eu     DNS Verified
www.colognerb.de        Failing
www.innsbruck-rb.at     Failing
munich.onruby.eu        DNS Verified
www.rug-b.de            Failing
dresden.onruby.eu       DNS Verified
innsbruck.onruby.at     DNS Verified
www.onruby.at           Failing
saar.onruby.de          Failing

@jhilden
Contributor

jhilden commented Dec 28, 2017

@bumi are you in control of colognerb.de?
@phoet I think koelschrb.de does not exist anymore and can be deleted.

@bumi

bumi commented Jan 2, 2018

@jhilden railslove handles colognerb.de, guess you have access to the DNS entries or @kangguru can help.

@kangguru

kangguru commented Jan 4, 2018

yep i do, changed the settings, site seems to be down now 😱 although i haven't checked before the change.

@phoet
Member Author

phoet commented Jan 5, 2018

from my phone, it looks like the *.cologne.rb has no or bad DNS information. I think the root works, but subdomain configuration is broken.

the site works fine through cologne.onruby.de

@kangguru

mh, any idea?

https://devcenter.heroku.com/articles/ssl#change-your-dns-for-all-domains-on-your-app

dig www.colognerb.de cname +short
colognerb.de.herokudns.com.

sounds ok to me

@phoet
Member Author

phoet commented Jan 12, 2018

sorry, i think it must be with the subdomain www.colognerb.de.herokudns.com

changing dns is always such a PITA because of the caching and ttls :(

@kangguru

yea, should have spotted that myself. now it works™

@jhilden
Contributor

jhilden commented May 16, 2018

DNS resolution still often does not work when people just type in colognerb.de (without the www).

$ curl -v colognerb.de
* Rebuilt URL to: colognerb.de/
* Could not resolve host: colognerb.de
* Closing connection 0
curl: (6) Could not resolve host: colognerb.de

Some browsers will automatically redirect to the www version, but it seems that it does not work for everybody.

This is what we have configured:
[image]

@phoet
Member Author

phoet commented May 16, 2018

@jhilden AFAIK you either have to set up CNAME flattening, which is not supported by all DNS providers, or set up a redirect from the root to www.
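
Added example (not part of the original thread or the OnRuby code base): a Ruby check for the two DNS mistakes discussed above, a CNAME pointing at the wrong `herokudns.com` name and a bare root domain with no record at all. The `SAMPLE` answers are constructed from values quoted in the thread, and treating any two-label name as a zone apex is a simplifying assumption.

```ruby
require "resolv"

def normalize(name)
  name.to_s.strip.downcase.chomp(".")
end

# Heroku DNS target for a custom domain, per the thread: DOMAIN.herokudns.com
def expected_target(domain)
  "#{normalize(domain)}.herokudns.com"
end

# Assumption: a name with exactly two labels is a zone apex. True for
# colognerb.de, wrong for multi-label public suffixes such as co.uk.
def apex?(domain)
  normalize(domain).count(".") == 1
end

# Classify one observed CNAME answer (nil when the lookup returned nothing).
def classify(domain, observed)
  want = expected_target(domain)
  got = observed && normalize(observed)
  return :ok if got == want
  return :apex_needs_flattening_or_redirect if got.nil? && apex?(domain)
  return :missing_cname if got.nil?
  return :wrong_heroku_target if got.end_with?(".herokudns.com")
  :points_elsewhere
end

# Live lookup, the equivalent of `dig DOMAIN cname +short` (not used below).
def lookup_cname(domain)
  Resolv::DNS.open do |dns|
    rr = dns.getresources(domain, Resolv::DNS::Resource::IN::CNAME).first
    rr && rr.name.to_s
  end
end

# Constructed sample: the first www.colognerb.de answer from the thread,
# the bare root that did not resolve, and a correctly pointed www name.
SAMPLE = {
  "www.colognerb.de" => "colognerb.de.herokudns.com.",
  "colognerb.de" => nil,
  "www.onruby.eu" => "www.onruby.eu.herokudns.com."
}.freeze

def audit(records)
  records.map { |domain, observed| [domain, classify(domain, observed)] }.to_h
end

audit(SAMPLE).each { |domain, status| puts format("%-20s %s", domain, status) }
```

To audit live records instead of the sample, build the hash with `lookup_cname` for each custom domain and pass it to `audit`.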

@phoet
Member Author

phoet commented Feb 1, 2019

heroku certs do not really cut it here...

i decided to handle everything through cloudflare instead.

if you want your domain to run with SSL support, please configure

dana.ns.cloudflare.com
will.ns.cloudflare.com

as your external DNS servers.

in case you already have a cloudflare setup, just CNAME your domain to onruby.herokuapp.com like

[screenshot: screen shot 2019-02-01 at 14 53 06]

with Always Use HTTPS on and SSL in Full mode.

@phoet
Member Author

phoet commented May 15, 2019

cloudflare is ready to go, we just need the domainserver to be properly configured like so #360 (comment)

phoet closed this as completed May 15, 2019