Posted on Dec 6, 2012
The process of getting a wildcard SSL cert from GoDaddy installed on AppHarbor took me much longer than it should have. I’m a web dev, so SSL stuff is pretty new to me. Usually a Google search will fix me right up but no one had outlined the entire process from beginning to end so I had to patch it together. Here’s how it works… hope this saves you some time.
First, I had to generate a CSR (certificate signing request) on my local machine’s IIS. This part is where I got tripped up for a while because I didn’t realize that I had to do it on my local machine so I kept looking for how to do this on AppHarbor. Once I realized I had to generate it locally, it was pretty easy. Follow the instructions given by GoDaddy for IIS 7 or IIS 5 or 6. If you’re using a wildcard SSL, pay special attention to those instructions. Also, leave the Console1 window open where you add the intermediate certificate. You’ll need it later.
Then, I had to find the generated CSR file… I have IIS 7 and Windows 7 and it ended up in this folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
Open your CSR in Notepad or TextPad.
Head over to GoDaddy and go to manage your SSL Certificates. At first, my newly purchased certificate didn’t appear to be there. So I called and they said it was in the “credits” folder even though it said 0 next to it. So, I clicked “credits” and then a “Click here” to update your list link and it magically appeared. Bad job GoDaddy…
Paste the CSR file contents (all of it) into the GoDaddy screen where it asks for the CSR. Click all the way through. You should be seeing big green checks as you click through and then it will say you’re good to go.
Now, still in GoDaddy’s SSL Cert management, click on your certificates folder and you should see your certificate. Click its name and then click the download link above it. Choose your IIS and download.
Then, go back to your local IIS and complete the certificate signing. Instructions are on GoDaddy’s page – here for IIS 5 or 6 and here for IIS 7. Note – do not “bind” or assign the certificate to any of your local sites. Skip that part of the instructions (it’s at the end).
Now, still in your IIS, right-click on your certificate and choose Export. Choose a filename, a location, and a password.
Head over to AppHarbor and your application. Click on the ‘Certificates’ link on the left. Choose pfx file and upload the file you created in step 4.
This one was documented NOWHERE! Grrr…
Go back to the Console1 window you opened back in step 1. Find your GoDaddy certificate, right-click, and choose All Tasks –> Export.
Click through the welcome window and choose Base-64 encoded X.509 (.CER). Note: I tried doing the p7b option and it didn’t work.
Click Next. Choose a file path and name and click ‘Next’. Then click ‘Finish’ on the confirmation page.
Head back to your app on AppHarbor and click Certificates on the left nav. Magically, a link will appear to add an intermediate certificate. Click it then click “Add a New Intermediate Certificate”. Open the certificate file you created in Step 6 in Notepad and cut and paste the contents into the AppHarbor window. Save it.
That’s it! You’re done and should now be able to navigate to https://yourdomain.com! But just to be sure, head on over to http://www.sslshopper.com/ssl-checker.html and enter your URL to see if it worked!
Out of the box, the standard MVC RequireHttps attribute won’t work. This is because HTTPS is terminated at the load balancer level on AppHarbor, as explained by rune at AppHarbor support. He also very kindly created a custom RequireHttpsAttribute class to fix the problem. Head over to https://gist.github.com/915869 and grab the code. Thanks rune!
I wanted everything to be https so I added the custom RequireHttpsAttribute to my global filters and now all is well in the world of https on AppHarbor! See for yourself at https://demo.connectaround.com
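To show why termination at the load balancer breaks the stock attribute and what a replacement has to check, here is an added sketch. It is not rune's gist or AppHarbor's code, and it assumes the balancer reports the client's original scheme in an `X-Forwarded-Proto` header; the class name `ForwardedProtoRequireHttpsAttribute` is made up for this example.

```csharp
using System;
using System.Web.Mvc;

// Added example, not the gist's code. Assumption: the load balancer sets
// X-Forwarded-Proto to the scheme the client used and overwrites any value
// the client sent itself.
public class ForwardedProtoRequireHttpsAttribute : RequireHttpsAttribute
{
    private const string ForwardedProtoHeader = "X-Forwarded-Proto"; // assumed header name

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        var request = filterContext.HttpContext.Request;

        // Direct TLS connection to the app (not the case behind the balancer).
        if (request.IsSecureConnection)
        {
            return;
        }

        // Behind the balancer the hop to the app is plain HTTP, so
        // IsSecureConnection is always false and the stock attribute keeps
        // redirecting to https:// in a loop. Use the scheme the balancer
        // reports for the client-facing connection instead.
        var forwardedProto = request.Headers[ForwardedProtoHeader];
        if (string.Equals(forwardedProto, "https", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Inherited behaviour: redirect GET requests to https://, reject other verbs.
        HandleNonHttpsRequest(filterContext);
    }
}

public static class FilterConfig
{
    // Called from Application_Start: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ForwardedProtoRequireHttpsAttribute());
    }
}
```

The header is only trustworthy when every request reaches the app through the balancer; if the app can be hit directly, a client can send `X-Forwarded-Proto: https` over plain HTTP and skip the redirect.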
PS – Don’t forget to make all your external links (such as Google’s hosted jQuery libraries, fonts, etc.) point to https versions or your https won’t be pretty and green in the address bar.