How can I use a LetsEncrypt SSL cert in my Heroku Node Express app?


Question


I have a Node Express app running on Heroku that I want to encrypt with a free-of-charge SSL cert from LetsEncrypt. However, the methods I've seen require opening up ports 443 and 80 to allow the ACME process to work.


Heroku only gives you one port, and doesn't let you choose which port. So how can I use LetsEncrypt?


I spent a bunch of time figuring this out yesterday. First time in a long time there were no answers on StackOverflow for something I was trying to do!

Answer


Update:

Heroku now supports LetsEncrypt natively! So this workaround is no longer needed.

Instructions here:

https://devcenter.heroku.com/articles/automated-certificate-management

For new apps, you don't have to do anything, it's turned on by default. For apps created before March 21 2017, you can turn it on with this Heroku cli command: heroku certs:auto:enable

Thanks to @Spain Train


Ideally, LetsEncrypt allows for an automated certificate renewal process. That's harder to do on Heroku, so this answer describes how to use a manual process. Using a Heroku environment var, you'll be able to update your certs manually fairly easily going forward - no code changes.


Credit for this answer goes largely to two nice blog posts: https://medium.com/@franxyzxyz/setting-up-free-https-with-heroku-ssl-and-lets-encrypt-80cf6eac108e#.67pjxutaw
and
https://medium.com/should-designers-code/how-to-set-up-ssl-with-lets-encrypt-on-heroku-for-free-266c185630db#.ldr9wrg2j


There's a GitHub project which apparently supports automated certs updates on Heroku. I'll update this answer when I've tried it out:
https://github.com/dmathieu/sabayon


Add this middleware to your Express app. Be sure to add it BEFORE any middleware that redirects http to https, because this endpoint must be http.

// Read the Certbot response from an environment variable; we'll set this later:
const letsEncryptResponse = process.env.CERTBOT_RESPONSE;

// Return the Let's Encrypt certbot response on the ACME HTTP-01 challenge path.
// This route must be registered before any http -> https redirect middleware.
app.get('/.well-known/acme-challenge/:content', function(req, res) {
  res.send(letsEncryptResponse);
});
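As an added example (not code from the original answer or from any project it links to), here is a stricter form of the same idea: the challenge is answered only for the exact token certbot issued (the part of the CERTBOT_RESPONSE value before the dot), and the http-to-https redirect reads Heroku's x-forwarded-proto header while exempting the challenge path. The Express calls used (req.path, req.get, res.status, res.type, res.send, res.redirect) are real Express APIs; the function names, the SAMPLE_KEY_AUTH value and the runMiddleware stand-in are assumptions made here so the block runs offline without Express installed. Note one difference from the answer's step 4: because this version only answers for the issued token, a test URL ending in "whatever" falls through to the next middleware; test with the token part of the config var instead.

```javascript
// ACME HTTP-01 challenge path; certbot issues a token and expects the key
// authorization ("<token>.<account-key-thumbprint>") to be served there.
const ACME_PREFIX = '/.well-known/acme-challenge/';

// Constructed sample of what certbot prints; the real value lives in the
// CERTBOT_RESPONSE config var exactly as the answer above describes.
const SAMPLE_KEY_AUTH = 'sampleTokenAbc123.sampleThumbprintXyz789';

// Returns the key authorization only when the requested path names the token
// certbot issued (the part before the dot); every other path gets null so the
// app does not echo the string for arbitrary URLs.
function resolveAcmeChallenge(pathname, keyAuthorization) {
  if (!keyAuthorization || !pathname.startsWith(ACME_PREFIX)) return null;
  const requestedToken = pathname.slice(ACME_PREFIX.length);
  const expectedToken = keyAuthorization.split('.')[0];
  if (requestedToken.length === 0 || requestedToken !== expectedToken) return null;
  return keyAuthorization;
}

// Heroku terminates TLS at its router and reports the original scheme in
// x-forwarded-proto. The challenge path is exempt: Let's Encrypt fetches it
// over plain HTTP.
function shouldRedirectToHttps(pathname, forwardedProto) {
  if (pathname.startsWith(ACME_PREFIX)) return false;
  return forwardedProto !== 'https';
}

// Express-style middleware answering the challenge; otherwise falls through.
function acmeChallengeMiddleware(keyAuthorization) {
  return function (req, res, next) {
    const body = resolveAcmeChallenge(req.path, keyAuthorization);
    if (body === null) return next();
    res.status(200).type('text/plain').send(body);
  };
}

// Express-style middleware enforcing https for everything else. Mount it
// AFTER acmeChallengeMiddleware, as the answer stresses.
function httpsRedirectMiddleware() {
  return function (req, res, next) {
    if (!shouldRedirectToHttps(req.path, req.get('x-forwarded-proto'))) return next();
    res.redirect(301, 'https://' + req.get('host') + req.originalUrl);
  };
}

// Minimal stand-in for Express's req/res so the middleware can be exercised
// offline; in a real app Express supplies these objects (assumed helper).
function runMiddleware(middleware, { path, headers = {} }) {
  const result = { status: null, body: null, location: null, passedThrough: false };
  const req = { path, originalUrl: path, get: (name) => headers[name.toLowerCase()] };
  const res = {
    status(code) { result.status = code; return this; },
    type() { return this; },
    send(body) { result.body = body; },
    redirect(code, url) { result.status = code; result.location = url; },
  };
  middleware(req, res, () => { result.passedThrough = true; });
  return result;
}

// Wiring into a real Express app (order matters):
//   const app = require('express')();
//   app.use(acmeChallengeMiddleware(process.env.CERTBOT_RESPONSE));
//   app.use(httpsRedirectMiddleware());
```

Mounting the challenge middleware first is what keeps the answer's requirement intact: the redirect middleware never sees the challenge request, so it stays on plain HTTP even once every other route is forced to https.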



Create the certificate files using certbot:



  1. Start certbot: sudo certbot certonly --manual
    Enter the site url when prompted (www.example.com)
    certbot will display a Challenge Response string in the format
    xxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyy
    LEAVE CERTBOT WAITING IN THIS STATE. Do not press enter yet or exit.
  2. Go to the Heroku dashboard and view app settings:
    https://dashboard.heroku.com/apps/your-heroku-app-name/settings
    Under Config Variables, click 'Reveal Config Vars'
    Edit the CERTBOT_RESPONSE var's value to match the Challenge Response from step a.
  3. Wait for the heroku app to restart.
  4. Test the setting by visiting http://www.example.com/.well-known/acme-challenge/whatever
    NOTE THE HTTP, NOT HTTPS
    It should display the Challenge Response string. If this happens, go on to the next step. If not, do whatever it takes to get that URL to return the CR string before proceeding, or you will need to repeat this entire process.
  5. Return to Certbot and press Enter to continue.
    If all goes as planned, certbot will tell you everything worked and display the location of the created certs. You'll use this location in the next step. Note that you might not be able to inspect the contents of the folder due to OS permissions. If in doubt, sudo ls /etc/letsencrypt/live/www.example.com to see if the files exist.




Update the Heroku instance to use the new certs:

Run heroku certs:add if your site doesn't have a cert. If updating, run heroku certs:update.
sudo heroku certs:update --app your-heroku-app-name /etc/letsencrypt/live/www.example.com/fullchain.pem /etc/letsencrypt/live/www.example.com/privkey.pem
