Question
I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate
1. $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
2. $ cat server.orig.crt rapidssl_bundle.pem > server.crt
So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with:
$ heroku certs:add server.crt server.key
This gives the error:
Key could not be read since it's protected by a passphrase.
The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:
1b. $ mv server.key server.orig.key
1c. $ openssl rsa -in server.orig.key -out server.key
However this gives the error
unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY
Which I suspect means there is no private key found.
Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?
Solution 3
This is really stupid, but as far as I can tell there was an issue with using TextEdit in Mac OS to save the initial server.key and server.orig.crt files.
I used TextMate instead and everything is working fine.
OTHER TIPS
I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.
I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:
$ heroku certs:add server.crt bundle.pem server.key
no matter what I did, I got this error:
$ Adding SSL Endpoint to mysite... failed
! Key could not be read since it's protected by a passphrase.
! Read instructions on how to remove the passphrase on:
! http://www.madboa.com/geek/openssl/#key-removepass
I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.
First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.
The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli
Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.
Struggled with this issue for days! Until I came across this thread and followed the upgrade advice. The first thing I had to do is
gem uninstall heroku --all
I answered 'Yes' to the keep executable question, because of another post I had read on stackoverflow. I then went to https://toolbelt.herokuapp.com/ and installed the toolbelt (even though heroku --version was saying that it was installed). Upgraded it to heroku-toolbelt 2.39.0. Retried the following command and it worked:
heroku certs:add cert.cer bundle.pem server.key
Maybe I'll finally get some sleep tonight :)
An old toolbelt installation was my problem on windows.
Even though heroku update changed the version number from 2.30.1 to 2.39.0, heroku version showed it wasn't updating correctly for some reason.
I reinstalled the toolbelt from https://toolbelt.herokuapp.com/ and tried it again, and everything worked.
heroku version now says this for me, and certs:add works correctly:
heroku-gem/2.39.0 (i386-mingw32) ruby/1.9.2
I now got the same error, even with a recent heroku/7.47.6 (from npm).
The reason turned out to be that I got an elliptic-curve certificate from Let's Encrypt; the private key file contained:
-----BEGIN EC PRIVATE KEY-----
That's not supported according to https://devcenter.heroku.com/articles/acquiring-an-ssl-certificate:
Heroku only supports RSA keys for certs. Elliptic curve keys are not supported.
Once I obtained an RSA cert, it worked.
(Specifically, dehydrated now defaults to --algo secp384r1, so I had to provide --algo rsa. But the idea should be the same with other tools/CAs: you need an RSA cert.)
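The three failure modes in this thread, the question's "no start line" and passphrase errors and the EC key in the last answer, can all be caught before running heroku certs:add by inspecting the key file itself. The Python script below is an added example, not code from the thread, from Heroku or from OpenSSL; check_private_key, wrap_pem and the SAMPLES dictionary are names chosen here, and every sample input is constructed (the DER bodies are placeholder bytes, not real keys, and the RTF sample only approximates what TextEdit writes in its default format). It goes slightly beyond the thread by also recognising PKCS#8 ("BEGIN PRIVATE KEY") files, where the algorithm has to be read from the embedded OID rather than from the PEM label.

```python
"""Preflight checks for a PEM private key before `heroku certs:add`.

Added example, not from the original thread. It reproduces offline the three
failure modes discussed above: a file that is not a PEM at all (openssl's
"no start line"), a passphrase-protected key, and an EC key where an RSA key
is required. All sample inputs are constructed; DER bodies are placeholders.
"""
import base64
import binascii
import re
import textwrap

# One PEM block: "-----BEGIN X-----", optional "Name: value" headers, base64, "-----END X-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# DER encodings of the AlgorithmIdentifier OIDs found inside PKCS#8 keys.
OID_RSA = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

STRIP_HINT = "openssl rsa -in server.orig.key -out server.key"


def check_private_key(data: bytes) -> list[str]:
    """Return the reasons this key file would be rejected; [] means it looks usable."""
    problems: list[str] = []
    if data.lstrip().startswith(b"{\\rtf"):
        # TextEdit's default document format is RTF; the key is buried in markup.
        return ["file is RTF, not plain text: re-save as plain text (Format > Make Plain Text)"]
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte-order mark before the PEM header")
        data = data[3:]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Smart quotes/dashes or a non-ASCII encoding break the five-hyphen armor.
        return problems + ["non-ASCII bytes in file: PEM armor must be plain ASCII"]

    match = PEM_BLOCK.search(text)
    if match is None:
        return problems + ["no '-----BEGIN ... PRIVATE KEY-----' block found (openssl: no start line)"]

    label = match.group("label")
    headers, b64 = [], []
    for line in match.group("body").splitlines():
        if ":" in line:
            headers.append(line.strip())   # e.g. "Proc-Type: 4,ENCRYPTED" (base64 never contains ':')
        elif line.strip():
            b64.append(line.strip())

    encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
    )
    if encrypted:
        problems.append(f"key is passphrase-protected; remove it with: {STRIP_HINT}")

    try:
        der = base64.b64decode("".join(b64), validate=True)
    except binascii.Error:
        return problems + ["base64 body is corrupt"]
    # A legacy encrypted PKCS#1 body is raw ciphertext, so only check framing on clear bodies.
    if not encrypted and not der.startswith(b"\x30"):
        return problems + ["decoded body is not a DER SEQUENCE"]

    if label == "EC PRIVATE KEY" or (label == "PRIVATE KEY" and OID_EC in der):
        problems.append("elliptic-curve key; Heroku only supports RSA keys for certs")
    elif label == "RSA PRIVATE KEY" or (label == "PRIVATE KEY" and OID_RSA in der):
        pass  # RSA: the only algorithm the SSL Endpoint accepts
    elif not encrypted:
        problems.append(f"could not determine the key algorithm for {label!r}")
    # An encrypted PKCS#8 body hides its algorithm; re-run after stripping the passphrase.
    return problems


def wrap_pem(label: str, der: bytes, headers: tuple[str, ...] = ()) -> bytes:
    """Build a PEM file from a DER body (used here only to construct samples)."""
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")  # blank line separates PEM headers from the base64 body
    lines += textwrap.wrap(base64.b64encode(der).decode(), 64)
    lines.append(f"-----END {label}-----")
    return ("\n".join(lines) + "\n").encode()


# Constructed placeholder bodies: a DER SEQUENCE prefix plus filler, not real keys.
FAKE_RSA_PKCS1 = b"\x30\x82\x01\x00\x02\x01\x00" + bytes(16)
FAKE_EC_PKCS8 = b"\x30\x81\x87\x02\x01\x00\x30\x13" + OID_EC + bytes(8)
FAKE_RSA_PKCS8 = b"\x30\x82\x01\x00\x02\x01\x00\x30\x0d" + OID_RSA + bytes(8)

SAMPLES = {
    # Constructed approximation of a key pasted into TextEdit and saved as RTF.
    "textedit_rtf": (b"{\\rtf1\\ansi\\ansicpg1252\\cocoartf1038\n"
                     b"\\f0\\fs24 -----BEGIN RSA PRIVATE KEY-----\\\nMIIBOgIBAAJBAK\\\n"
                     b"-----END RSA PRIVATE KEY-----}\n"),
    "encrypted_pkcs1": wrap_pem("RSA PRIVATE KEY", bytes(24),
                                ("Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF")),
    "ec_pkcs1": wrap_pem("EC PRIVATE KEY", b"\x30\x77\x02\x01\x01" + bytes(8)),
    "ec_pkcs8": wrap_pem("PRIVATE KEY", FAKE_EC_PKCS8),
    "rsa_pkcs1": wrap_pem("RSA PRIVATE KEY", FAKE_RSA_PKCS1),
    "rsa_pkcs8": wrap_pem("PRIVATE KEY", FAKE_RSA_PKCS8),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {check_private_key(blob) or 'OK'}")
```

To use it on a real file, call check_private_key(open("server.key", "rb").read()); an empty list means the framing, encryption headers and algorithm are what Heroku expects. The script only inspects structure, so still run openssl rsa -in server.key -check before uploading, and if the passphrase was stripped from a PKCS#8 file, run the check again, because the algorithm is only visible once the body is decrypted.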