Automated Certificate Management

With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps with Hobby and Professional dynos on the Common Runtime, and for apps in Private Spaces that enable the feature.

Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add or remove a custom domain. All applications with paid dynos include ACM for free.

Automated Certificate Management uses Let’s Encrypt, the free, automated, and open certificate authority for managing your application’s TLS certificates. Let’s Encrypt is run for the public benefit by the Internet Security Research Group (ISRG).

Setup

Common Runtime

ACM is enabled by default for all Common Runtime apps created after March 21, 2017 that run on Hobby or Professional dynos. The following steps are for apps currently running on Free dynos, and for apps created before that date.

If your app is currently running on Free dynos, Heroku enables ACM automatically when you upgrade your app to use Hobby or Professional dynos:

$ heroku ps:resize web=hobby

If your app is already running on Hobby or Professional dynos, enable ACM with the following command:

$ heroku certs:auto:enable

When you enable ACM, ensure that your DNS is pointed at its new DNS target. If it’s pointed at *.herokuapp.com or *.herokussl.com , Heroku is unable to verify your certificate. Run heroku domains to verify the DNS target.

Private Spaces

Uploading a manual certificate to a Private Space app will disable HTTPS for the built-in <appname>.herokuapp.com hostname.

If your app doesn’t currently have TLS certs, simply enable ACM and wait for the certificate to be provisioned:

$ heroku certs:auto:enable

If you already have manually uploaded TLS certs and want to migrate to ACM, follow the process outlined below.

1. Determine the name of your manually uploaded cert

$ heroku certs Name Endpoint Common Name(s) Expires Trusted Type ──────────── ─────────────────────────────────────────────────────── ────────────────────── ──────────────────── ─────── ───────────────── nagano-91606 <haiku>.<haiku>.herokuspace.com <common-name> 2018-08-13 11:05 UTC True Private Space App

2. Enable ACM for your app

$ heroku certs:auto:enable Enabling Automatic Certificate Management... done === Your certificate will now be managed by Heroku. Check the status by running heroku certs:auto.

3. Wait for the ACM cert to be issued

Make sure to wait for this step to complete before proceeding. If you don’t, your app might experience downtime.

$ watch heroku certs:auto

4. Remove the manually added cert

Specify the cert name you found in step 1:

$ heroku certs:remove --name nagano-91606

View your certificate status

It usually takes between 45 and 60 minutes to generate a TLS certificate for your app’s custom domains. You can view the status of the generated certificate by running the following command:

$ heroku certs:auto

The process is complete when the certificate’s status is Cert Issued .

If your certificate’s status is DNS Verified , the process is not finished yet. Heroku has verified your domain status and is still in the process of submitting it to Let’s Encrypt.

All possible certificate generation statuses are listed below:

Status Description Cert Issued A certificate has been issued for the domain. In Progress Heroku is verifying your custom domain’s DNS. DNS Verified Heroku verified your custom domain’s DNS and is in the process of generating the certificate. Waiting Heroku is currently waiting to process your certificate. Failing Heroku is unable to verify your DNS. We will keep trying to verify for up to an hour. See Troubleshooting for help addressing this error. Failed Heroku is unable to verify your DNS. We have stopped trying to verify this domain. See Troubleshooting for help addressing this error.

Providing your own TLS certificate

If you’d prefer to use a different type of TLS certificate, such as one from a different CA, a wildcard certificate, or an EV certificate, you can easily do so.

Simply upload your own certificate, following the steps listed in Heroku SSL.

Providing your own certificate disables ACM for your application. If you want to re-enable ACM, you can run the following command:

$ heroku certs:auto:enable

Turning off Automated Certificate Management

Do not turn off ACM with the intent of turning it back on immediately. This can cause your account to reach a rate limit with Let’s Encrypt.

You can turn off ACM by running the following command:

$ heroku certs:auto:disable

This removes your domain’s certificate and turns off ACM for your application. Removing your certificate with heroku certs:remove also turns off ACM.

Migrating existing applications

Migrating from Heroku SSL and Private Spaces with your own certificate

Automated Certificate Management uses the same DNS configuration as Heroku SSL (SNI) support. Enabling ACM for Private Space apps also doesn’t require DNS changes. Although it might take some time to verify your DNS configuration, your app will continue to serve your existing SSL certificate while verification is taking place. Your app should continue to remain available at your custom domain throughout the process.

Migrating from SSL Endpoint

Enabling Automated Certificate Management even while an SSL Endpoint is in use will generate an additional ACM certificate on your app for all Custom Domains. After the ACM certificate is successfully provisioned as described by this article, you can then update your Domains’ DNS to the Heroku SSL DNS target in order for requests to use the ACM issued certificate.

Since DNS propagation may take many hours, we recommend that you wait at least 24 hours before removing your SSL Endpoint add-on. You may also want to use a tool such as dnschecker.org to ensure that most of the world sees the updated DNS value before removing it. It is not possible to restore an SSL Endpoint add-on.

Troubleshooting

Do not turn off ACM in an attempt to fix or speed up the ACM process. This can cause your account to reach a rate limit with Let’s Encrypt.

Verification errors

If heroku certs:auto shows Failing or Failed for any domain when you run heroku certs:auto , it means Heroku was unable to verify DNS for a given domain. You need to verify that it is pointed to the correct DNS target as specified in heroku domains . The DNS targets will be in the format <your-domain>.herokudns.com .

If your DNS is pointed at older DNS settings, such as *.herokuapp.com or *.herokussl.com , Heroku will not be able to generate a certificate.

If ACM is unable to create a certificate for your domain, you receive a notification after three days of attempts. In most cases, this error occurs because DNS is not properly configured for your domain. After you resolve your DNS issue, run the following command to instruct ACM to try again:

$ heroku certs:auto:refresh

Failure reasons

There are a number reasons why issuing a certificate might fail. A failure reason may be included in a notification email or in the CLI.

CN exceeding 64 character limit

Domain names can not exceed 64 characters.

Incorrect DNS settings

Your DNS record is not set up properly.

Review this document and ensure that your DNS records are set up correctly.

If your domain fails DNSSEC (DNS Security Extensions) verification, you can encounter this error.

You can also encounter this error if your Private Space app does not have a web dyno running.

Unable to resolve DNS for domain

The error is typically encountered when a DNS name hasn’t yet propagated to DNS providers. Heroku’s ACM feature checks for the availability of your domain in Google’s DNS ( 8.8.8.8 ).

Please check that your domain is available in Google’s DNS and that there are no typos in your entry.

CDN not returning HTTP challenge

Heroku ACM is attempting to to verify that the HTTP challenge file is being returned, but is encountering a 404 error. This typically happens when you are pointing your domain at a CDN, rather than the Heroku provided DNS target, and the HTTP challenge file does not exist on the CDN.

This typically happens with AWS CloudFront.

DNS redirect not forwarding path

Heroku ACM is attempting to to verify that the HTTP challenge file is being returned, but your DNS provider is not returning the full path of the file location.

If your DNS provider does not support forwarding paths, you may need to change DNS providers. Some providers, such as Google Domains, offer the ability to turn on or off path forwarding — by default this is turned “off” for Google Domains.

Incorrect CNAME target

This error is encountered when your DNS record specifies app-name.herokuapp.com as the target for the CNAME rather than the provided DNS target. Update your DNS record to point at the correct DNS target.

To get the correct DNS target, run heroku domains .

Rate limited

ACM failed because there have been too many requests to issue a certificate for the domain(s) on this app within a 7-day interval. Heroku support is unable to bypass this rate limit, because it is set by Let’s Encrypt. You may encounter a rate limit when you enable and disable ACM on your app repeatedly.

Note that ACM for domains on other apps are not affected by this error (i.e., a rate limit on one app does not impact ACM on another app with a different domain).

You can figure out when the rate limit will end by running:

$ heroku certs:auto

After the rate limit period has ended, you can try issuing a certificate again by running:

$ heroku certs:auto:refresh

DNS provider timed out

Heroku attempted to verify your DNS record, but your DNS provider timed out. Run heroku certs:auto:refresh to try again.

Strict TLS in CDN not supported

You are attempting to use Cloudflare with ACM, but don’t have it configured correctly.

Heroku recommends against using ACM with Cloudflare, because Cloudflare provides SSL certificates. To disable ACM on your app, run heroku certs:auto:disable .

For more information, check out Cloudflare’s “Configuring Cloudflare and Heroku over HTTPS” documentation.

DNS provider doesn’t support CAA

Let’s Encrypt returned an error that your DNS provider does not support Certificate Authority Authorization (CAA) records.

Contact your DNS provider for more information on CAA support. Learn more about CAA records.

CAA record prevents issuance

The CAA record prevents certificates from being issued by Let’s Encrypt.

Add a CAA record that allows Let’s Encrypt to issue certificates for the domain. Learn more about CAA records.

Domain record does not exist

Let’s Encrypt has returned a NXDOMAIN error, which means the domain record does not exist in your DNS provider.

To fix this error, please make sure that your domain name was entered correctly and the DNS record for the domain contains the right CNAME.

Domain considered unsafe

Let’s Encrypt checks domains against Google’s Safe Browsing API and will not issue certificates for domains considered unsafe.

Check the status of your domain by visiting this URL: http://www.google.com/safebrowsing/diagnostic?site=http://yourdomainhere.com/

Let’s Encrypt domain blocklist

You have requested a certificate for a domain on Let’s Encrypt’s domain blocklist. Typically, well-known domains are on this blocklist as an additional security measure to prevent unauthorized certificate creation.

Contact Let’s Encrypt on their Community Support forum.

Alternatives to ACM

If you want to automatically renew a wildcard certificate or use a different CA, Heroku add-ons such as SSL FastTrack or ExpeditedSSL might serve your use case.

Known limitations