DevOps Heroku: Add an SSL Endpoint
So you have a multi-tenant application where each tenant needs its own experience served over https with its own certificate. Heroku, AWS and other providers make a single SSL certificate straightforward, but what if you want to serve several tenants, each with a unique certificate? Let's consider Heroku. Multiple SSL Endpoints and Multiple SSL Certificates in One Heroku Application provide the key information for accomplishing this. However, there are subtleties in using the Heroku command line interface that can leave you pointing your domains to the wrong place.

As those links describe, on Heroku you need a master application, my-prod-app, plus one stand-in empty shell application per SSL endpoint. How domains and certs are manipulated across these applications is critical. Let's take one SSL endpoint and follow the process through to the final Heroku CLI commands. Our app should respond to requests for https://myclientapp.com, so we create a shell app called my-client-endpoint. We follow this process, which eventually gives us a private key and the crt file returned by our certificate signing authority; let's say these files are named myclient.key and myclient.crt respectively. The key file is the secret half of the pair: keep it out of version control and off shared machines, since anyone holding it can impersonate the client's site.

Incidentally, when the crt file comes back from the signing authority, chances are good it arrives as a zip containing more than one crt file: the primary (leaf) certificate and any chained intermediate certificates. Append them into a single file with cat, leaf first and bundle after, because a TLS server presents the chain in that order (the example uses the contents of a zip supplied by GoDaddy):
cat 6abf2aed2e69c650.crt > myclient.crt
cat gd_bundle-g2-g1.crt >> myclient.crt
Now we are ready for the command line. Add the cert with the endpoint application, not the master app, as the target of the command:
heroku certs:add myclient.crt myclient.key --type endpoint --app my-client-endpoint
Let's check that the cert was accepted and is trusted:
heroku certs --app my-client-endpoint
Name            Endpoint                      Common Name(s)                        Expires               Trusted  Type
──────────────  ────────────────────────────  ────────────────────────────────────  ────────────────────  ───────  ────────
tokiyama-24531  tokiyama-24531.herokussl.com  myclientapp.com, www.myclientapp.com  2030-05-04 19:03 UTC  True     Endpoint
Three things to confirm here before going further: Common Name(s) lists every hostname you intend to serve (a browser will reject the cert for any name that is missing), Trusted is True (the chain you appended is complete), and the Endpoint column shows the herokussl.com hostname that was generated for this cert. Write that endpoint down; it is what the client's DNS will point at.
Now add the domains with the master application, my-prod-app, as the target of the command (the shell endpoint app only holds the cert):
heroku domains:add myclientapp.com --app my-prod-app
heroku domains:add www.myclientapp.com --app my-prod-app
Now let's look at the domains from the perspective of the master application:
heroku domains --app my-prod-app
=== my-prod-app Heroku Domain
my-prod-app.herokuapp.com
=== my-prod-app Custom Domains
Domain Name          DNS Target
───────────────────  ─────────────────────────
myclientapp.com      myclientapp.herokussl.com
www.myclientapp.com  myclientapp.herokussl.com
All that is left is some work on the client's side, in their domain provider's DNS interface: add a CNAME record for www.myclientapp.com pointing at tokiyama-24531.herokussl.com, the endpoint hostname generated when the certificate was added (heroku certs --app my-client-endpoint prints it). Note that this is not the DNS Target that heroku domains --app my-prod-app printed above (myclientapp.herokussl.com); handing the client that value is exactly the wrong-place mistake mentioned at the start, and the resulting hostname would not serve the client's certificate. Be aware as well that a CNAME cannot be placed at the zone apex (myclientapp.com itself), so the bare domain needs whatever ALIAS/ANAME-style record the client's DNS provider offers, pointed at the same endpoint. Once the records propagate, load https://myclientapp.com and https://www.myclientapp.com and confirm the browser shows the client's certificate with no warnings. All done.