Discussion on: What was your win this week?

View post

This week, I... learned how to set up SSL, disable TLS 1.0, and update our DNS settings without taking down production!!!

Goutham Kolluru • Feb 19 '19

Can you please run down the steps you've followed to achieve this.

Anna Rankin • Feb 19 '19

Sure! I'm using Heroku for this though, so a lot of the "hard stuff" was abstracted away. My basic process was like so:

Follow instructions here to provision the endpoint: SSL Endpoint | Heroku Dev Center
Download the existing key and certificate files from provider
Add certificate to the correct application following instructions in link above
TEST SSL ENDPOINT!!! Make sure it's available before moving on or you might get cert errors on production 🚨
Once live, update CNAME record to point to the herokussl endpoint
Use traceroute to check that domain resolves to the new SSL endpoint
If all is well, remove any old/unused certificates using the heroku certs:remove command from the CLI
Open a support ticket to disable TLS 1.0 support for the affected application
Confirm that TLS 1.0 is disabled using either openssl or SSL Labs (takes much longer but is interesting)

Ahmed Shatat • Oct 2 '20

Hi Anna
I'm struggling with the same issue,
I meant to ask, what certificate providers did you use?
and does setting ssl-endpoint means that you have to renew it manually when the certificate expires?
and does this means that if our websites forces browser to use a secure connection that would be a down time if the certificate expires

I am new to this and I've read tons of articles which made me more confused

Denis Rasulev • Feb 18 '19

Gratz!! I am browsing basically the same waters (mostly SSL now), so any resources / links could be of a great help :) Once again - sincere congratulations :)

Anna Rankin • Feb 19 '19

I should note that I've essentially done this with training wheels since we're on Heroku 😂 Here are the resources I used to set this up:

Setting up the SSL endpoint addon on Heroku
DNSimple docs
Lots of traceroute to make sure my new DNS settings were in place
openssl for confirming that we don't support TLS 1.0 was very useful. openssl s_client -connect google.com:443 -tls1 -servername google.com in particular

General docs that have helped me as I voyage into networking:

High Performance Browser Networking (TLS section)
Basically anything by Julia Evans (Networking tools comics here)