---
title: SSL for Rails with Heroku and DNSimple
teaser: 'Buy, prepare, and deploy an SSL certificate from DNSimple for your Heroku
  app.

  '
tags: web,dns,rails
author: Dan Croak
published_on: 2014-05-21
---

SSL certificates can be intimidating but Heroku and DNSimple make the process
easy. The following steps should take us less than 15 minutes.

### Buy the SSL certificate from DNSimple

Buy a [wildcard certificate from
DNSimple](https://dnsimple.com/ssl-certificate). The wildcard (`*`) lets us use
the same certificate on staging, production, and any other future subdomains
(api, etc.).

### Prepare the SSL certificate

Follow [the wildcard certificate
instructions](https://devcenter.heroku.com/articles/ssl-certificate-dnsimple#wildcard-domain)
to get `.pem`, `.crt`, and `.key` files prepared.

Follow [these
instructions](https://devcenter.heroku.com/articles/ssl-endpoint#provision-the-add-on)
to complete `.key` preparation, provision the SSL add-on from Heroku, and add the
certificate to Heroku. The instructions use this command:

    heroku certs:add server.crt server.key

Replace it with:

    heroku certs:add *.{pem,crt,key}

Otherwise, we might see an error like:

    Updating SSL Endpoint myapp.herokussl.com for [heroku-app]... failed
     !    Internal server error.

### Get SSL endpoint from Heroku

Run:

    heroku certs

This gives us the correct endpoint for the SSL-enabled domain. It is a
domain that looks like `tokyo-2121.herokussl.com`.

### Add Heroku SSL endpoint to DNSimple

Next, go to our DNSimple dashboard and add or update the CNAME record for the
SSL-enabled domain to point to (e.g.) `tokyo-2121.herokussl.com`.

### Prepare Rails app

Make a one-line configuration change in our staging and production environment
config files within our Rails app:

    # config/environments/{staging,production}.rb
    config.force_ssl = true

Deploy that change.

Now, if users type "ourdomain.com", they should be redirected to "https://www.ourdomain.com" and our browser's <abbr title="Uniform Resource Locator">URL</abbr> bar should display its appropriate indicator (perhaps a green lock) declaring the SSL certificate is valid.

### What's next

Read our [production checklist](http://playbook.thoughtbot.com/#checklist) to
see a full list of things, including SSL, that should be done before an
application goes live.
