❯ heroku _certs
Name                    Endpoint                             Common Name(s)        Expires               Trusted  Type
──────────────────────  ───────────────────────────────────  ────────────────────  ────────────────────  ───────  ────────
procompsognathus-87601  us-east-1-a-sni.route.herokuapp.com  www.brettgoulder.com  2017-03-21 21:35 UTC  False    SNI
hyogo-67203             hyogo-67203.herokussl.com            www.brettgoulder.com  2017-03-21 21:35 UTC  False    Endpoint

~/code/bretts-test-app master*
❯ heroku _certs:remove hyogo-67203
 ▸    Error: Unexpected argument hyogo-67203
 ▸    Usage: heroku _certs:remove
 ▸    You gave this command too many arguments. Try the command again without these extra arguments.
 ▸
 ▸    See more information with heroku _certs:remove --help

~/code/bretts-test-app master*
❯ heroku _certs:remove
 ▸    Must pass --name when more than one endpoint

heroku _certs:remove hyogo-67203 should work, right?

Let's rename the command, repo, to heroku ssl.

It'll be easier to put that in front of customers than heroku sni.

Currently the UX for adding a certificate plus its intermediates is slightly confusing, since:

• the heroku certs:add help text (see below) doesn't mention how to specify the intermediates at all, and uses a CRT reference that could lead people to think that .pem files aren't also accepted.
• the devcenter SSL docs here use a wording ("Add your certificate, any intermediate certificates bundles, and private key with the certs:add command.") that implies that the intermediates should be in a separate certificate bundle (possibly passed as a third argument), when they should in fact be concatenated with the main certificate.
• several third-party guides incorrectly say to pass the intermediates as an additional argument (when there are only two arguments allowed: source), eg:
  • https://lostechies.com/derickbailey/2014/02/12/heroku-and-ssl-fixing-this-sites-security-certificate-is-not-trusted-on-android-and-other-devices/
  • https://gist.github.com/cjolly/3165095#gistcomment-887392
  • https://stackoverflow.com/questions/26076559/renewing-ssl-certificate-on-heroku

It looks like I wasn't the only one who wasn't sure what to do with the intermediate cert:
https://stackoverflow.com/questions/38447944/heroku-ssl-install-intermediate-cert
https://stackoverflow.com/questions/23763411/uploading-ssl-certificate-to-heroku

And a number of guides have popped up to try and document it:
http://www.joshwright.com/tips/setup-a-godaddy-ssl-certificate-on-heroku ("Here's the part that the Heroku docs don't explain...")
http://ryan.mcgeary.org/2011/09/16/how-to-add-a-dnsimple-ssl-certificate-to-heroku/

As such, it would be great to:

1. update the heroku certs:add help text to clarify that:

• the reference to CRT can be either a .crt or .pem file, not just a .crt
• the CRT is actually "certificate concatenated with intermediate certificates"

2. Update the devcenter docs, so that they don't imply that heroku certs:add takes three arguments, for example by:

• changing "Add your certificate, any intermediate certificates bundles, and private key..." to "Add your certificate (including any intermediate certificates), and private key..."
• updating the example heroku certs:add code block to show the cat example.crt intermediates-bundle.crt > server.crt line too.

The current help text for reference:

$ heroku certs:add --help
Usage: heroku certs:add CRT KEY

add an SSL certificate to an app

 -a, --app APP       # app to run command against
 -r, --remote REMOTE # git remote of app to run command against
 --bypass            # bypass the trust chain completion step
 --domains DOMAINS   # domains to create after certificate upload
 --type TYPE         # type to create, either 'sni' or 'endpoint'

Example:

 $ heroku certs:add example.com.crt example.com.key

Many thanks!

Make it more obvious and handle multiple domains with some failing better.

I think most of these would benefit from adding help with examples since they're not obvious how to use. Especially for certs:add, certs:generate, certs:key, and certs:update

ideally these should fit in 80 characters:

also, they should not begin with uppercase characters or end in periods (as described in the style guide)

SSL Test is reporting that one of our Heroku-hosted domains has Chain issues: Contains anchor - ie the root CA certificate was unnecessarily included in the bundle, when it already exists in the browser trust store, so doesn't need to be sent out over the wire.

Whilst this doesn't cause any breakage, it's not recommended for performance reasons, so it would be great if heroku certs:add warned in a such a case, so users would realise they had done so. (We have to get the WebOps team to upload the SSL certs since we don't have access ourselves, so the less error-prone we can make the process, the better).

This seems like something that could be verified via the call to ssl-doctor (after appropriate changes there).

Many thanks!

npm install heroku-certs fails with

npm ERR! tar.unpack untar error C:\Users***\AppData\Local\heroku\npm\heroku-certs\1.1.12\package.tgz
npm WARN plugins No description
npm WARN plugins No repository field.
npm WARN plugins No license field.
npm ERR! Windows_NT 10.0.10586
npm ERR! argv "C:\Users*_\AppData\Local\heroku\cli\lib\node.exe" "C:\Users_**\AppData\Local\heroku\cli\lib\npm\cli.js" "install" "heroku-certs" "--loglevel=info"
npm ERR! node v6.2.1
npm ERR! npm v3.9.3
npm ERR! path C:\Users*_\AppData\Local\heroku\plugins\node_modules.staging\heroku-certs-e1807e29_.thawing-temple-8799.com.key
npm ERR! code ENOENT
npm ERR! errno -4058
npm ERR! syscall open

npm ERR! enoent ENOENT: no such file or directory, open 'C:\Users***\AppData\Local\heroku\plugins\node_modules.staging\heroku-certs-e1807e29*.thawing-temple-8799.com.key'
npm ERR! enoent ENOENT: no such file or directory, open 'C:\Users**_\AppData\Local\heroku\plugins\node_modules.staging\heroku-certs-e1807e29_.thawing-temple-8799.com.key'
npm ERR! enoent This is most likely not a problem with npm itself
npm ERR! enoent and is related to npm not being able to find a file.
npm ERR! enoent

Some migration flows where users move to ACM may involve waiting for the ACM process to complete getting the first cert (before removing old manually added ones). It'd be good to have a wait command for that.

The one support ticket we commonly see for the CLI is folks trying to add a wildcard cert, eg. *.example.com, to multiple apps and then getting tripped up during the domain adding suggestion.

Let's just skip the domain adding check if the common name of the cert is a wildcard. It will result in a much better end user experience.

cc @ransombriggs

It is sometimes confusing that Type for an endpoint on a Private Spaces app is shown as Endpoint while SSL Endpoint add-on is not required on the app and SNI extension is required on client. Might it be possible to show Type as, say, Private Spaces for such an app to avoid confusion.

since this will be a core plugin, it should be in standard.js like the others. This doesn't have to happen before GA, but should at some point.

Running heroku certs:remove for an SSL endpoint certificate should not disable ACM