Note: This article was post was originally published before CloudFlare added free SSL . It is easy to integrate and I switched over all my apps to using it instead of CloudFront.
Heroku's SSL plan isn't cheap ($20 per month or $240 per year plus $49 for a certificate). Thankfully, using a CDN that supports custom SSL/TLS and CNAME aliases as a proxy reduce your costs to near zero. It also has the added benefit of providing a cache layer if desired.
Disclaimer Assess your liability and browser requirements whenever making SSL/TLS setup decisions.
Note If you are running in an environment without
pbpaste alias them to the
alias pbcopy='xsel --clipboard --input' alias pbpaste='xsel --clipboard --output'
StartSSL is one of the few certificate authorities that will let you get a free certificate that works in all the browsers. The service is satisfactory for the price (although RapidSSL might be a good option if you can afford it).
Now that you have an account open your terminal and run:
openssl genrsa 2048 > private.pem openssl req -new -key private.pem -out csr.pem -subj '/CN=ksylvest.com/O=Kevin Sylvestre/C=US/ST=California' pbcopy < csr.pem
Then from your browser (everything you need is copied to your clipboard) go:
Then from your terminal again run:
pbpaste > ssl.crt
Then from your browser go to Tool Box and StartCom CA Certificates and download StartCom Root CA (PEM encoded) as ca.pem and Class 1 Intermediate Server CA as sub.class1.server.ca.pem. Once the files download run:
cat sub.class1.server.ca.pem ca.pem > bundle.pem
brew install awscli
Once you've installed the interface use the Access Key ID and Secret Access Key from your account and authorize the CLI. Then:
aws iam upload-server-certificate --server-certificate-name ksylvest --certificate-body file://ssl.crt --private-key file://private.pem --certificate-chain file://bundle.pem --path /cloudfront/
Now create a new Cloud Front distribution with the following settings:
Once a distribution is created (it can take half an hour) you should be able to access your site using the provided URL. Once the distribution comes into effect simply CNAME desired subdomain. CNAMEs are not supported on 'naked' domains by default so either redirect to www or find a DNS provider that supports them (try cloudflare or dnsimple or amazon).
Lastly once you have tested your certificate under the new proxy you can setup your application to redirect to HTTPS in CloudFront if desired (securing all requests).