Setting up a free SSL certificate on Heroku
In this tutorial, we will change the URL of your website from http://www.yourdomain.tld to https://www.yourdomain.tld. That's a subtle difference, but it is very important.
We assume you already have a domain and it correctly points to your Heroku application. If that’s not the case, check out this tutorial first.
Heroku now supports Let’s Encrypt, a free way of generating SSL certificates. They call it Automated Certificate Management (or ACM in short).
Although the certificate is free, you still need to upgrade your application to at least a Basic plan to use it. Go to your Heroku dashboard, select your application and click on the Resources tab. You should quickly find the button Upgrade to Basic…. Select the Basic plan (7$/dyno/month) and Save.
In Heroku, go back to the Settings tab of your application and scroll down to Domain and certificates. You should now see a white button Configure SSL. Click on it. Leave the Automatically option ticked and click on Continue.
You should then have instructions to set up your DNS. That is something which we already did in the previous tutorial, so click on I’ve done this and Continue.
That’s it! Open your favorite browser and navigate to https://www.yourdomain.tld. You should see a green URL bar with the Secure keyword.
Right now, if you go to http://www.yourdomain.tld, your website is still served insecurely. You can’t expect your visitors to manually add the missing s in the address bar. What you want to do is force a redirection from http:// to https:// URLs. In Rails, you can do that with a single line of code, using the force_ssl option.
To do so, go to your Rails project, open it in Sublime Text, and open the config/environments/production.rb file. Look for a commented line mentioning force_ssl. Update this line to have:
config.force_ssl = true
That’s the exact same configuration we did on www.lewagon.com.
Commit & Push your changes to Heroku. You should now see an automatic redirection from http:// URLs to https:// (using a 301 and preserving the path).
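To confirm the redirect after deploying, the following Ruby script (an added example, not part of the original tutorial) requests a plain http:// URL without following redirects and checks for a 301 to https:// on the same host with the path and query preserved. The function names redirect_problems and fetch_without_following are made up for this example, and www.yourdomain.tld is the tutorial's placeholder domain.

```ruby
require "net/http"
require "uri"

# Returns a list of problems with the response to a plain-HTTP request.
# An empty list means: 301, https target, same host, same path and query.
def redirect_problems(http_url, status, headers)
  problems = []
  source = URI.parse(http_url)
  problems << "expected status 301, got #{status}" unless status.to_i == 301

  location = headers.transform_keys { |k| k.to_s.downcase }["location"]
  return problems << "no Location header" if location.nil? || location.empty?

  # URI.join resolves a relative Location against the original URL,
  # so a redirect to "/path" is correctly reported as still being http.
  target = URI.join(http_url, location)
  root = ->(path) { path.empty? ? "/" : path } # "" and "/" are the same resource

  problems << "redirect target is not https (#{target.scheme})" unless target.scheme == "https"
  unless target.host.to_s.casecmp?(source.host.to_s)
    problems << "host changed: #{source.host} -> #{target.host}"
  end
  unless root.(target.path) == root.(source.path)
    problems << "path not preserved: #{source.path} -> #{target.path}"
  end
  problems << "query not preserved" unless target.query == source.query
  problems
end

# Sends a HEAD request over plain HTTP and returns [status, headers]
# without following any redirect.
def fetch_without_following(http_url)
  uri = URI.parse(http_url)
  response = Net::HTTP.start(uri.host, uri.port, open_timeout: 5, read_timeout: 5) do |http|
    http.request_head(uri.request_uri)
  end
  [response.code, response.each_header.to_h]
end

# Usage: ruby check_redirect.rb "http://www.yourdomain.tld/some/path?x=1"
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  status, headers = fetch_without_following(ARGV[0])
  problems = redirect_problems(ARGV[0], status, headers)
  puts(problems.empty? ? "OK: 301 to https with path preserved" : problems)
  exit(problems.empty? ? 0 : 1)
end
```

Run it against a deep URL with a query string rather than only the home page, since a redirect that always lands on the root passes a home-page check while losing the visitor's original path.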
Go ship something awesome!