SSL on Discourse / DO sub-domain of Heroku hosted domain

Expedited SSL, a Heroku ‘add-on’, offers SSL on a sub-domain as well as on the primary domain. It would be nice to hand all the configuration / maintenance off to them.

Our sub-domain is a Discourse.org instance hosted on Digital Ocean and maintained by the Discourse team. Since the Discourse team also offers SSL as an add-on, I’m looking for guidance (a) regarding feasibility. Would the Expedited SSL have access to our Docker instance / subdomain? (b) Will we also need to purchase an SSL certificate from Discourse. And © potential conflicts.

Alternatively, should I simply purchase Expedited SSL for the Heroku hosted primary domain and a Discourse team SSL certificate for the sub-domain. (And sort out the configuration myself.)

Thanks

Since you’re using a Digital Ocean docker install, you’ll want to:

  • Get a certificate+key pair
  • Follow this guide:

Kane - Thanks; however, I’m trying to avoid that ‘learning curve.’ My Discourse instance was set-up and is maintained by your team (the $100 / month plan). I’m also using Cloudflare which now offers Universal SSL for free. I’m not sufficiently experienced to understand how the pieces fit together. I’m just trying to (a) follow best practices and (b) add Oauth for SSO.

Thanks.

I am not following @DKH. Are you basically trying to cut the SSL cost here? You can proxy discourse but there are concerns and complex configurations you need to follow, I would not recommend it.

If you insist see:

@sam , cost isn’t the issue. Complexity is. I’m a relatively new developer. Expedited SSL offers to handle everything after initial set-up, including sub-domains and SSL certificate rotation (as a Heroku ‘add-on’). You - Discourse.org - also offer SSL and so, too, does Cloudflare. I’m trying to determine the best way forward. My priority is ‘delegation’, not cost. Thanks

If you want SSL, and are already hosted with us, best way forward is to purchase a cert and have us take care of it. We then take on dealing with all the annoying config issues.

@sam And let Expedited SSL handle the Heroku side of it, i.e., our primary domain?

I don’t understand why you would use Heroku for SSL this is very confusing

Just use namecheap or something like that https://www.namecheap.com/security/ssl-certificates/single-domain.aspx

@sam - Expedited SSL through Heroku as an add-on. We’re (eventually) going to be getting personal information on the primary website and taking payments. I’m risk-averse and want someone with experience managing this.

Having read through the article about Expedited SSL, this is most likely not what you want at all.

The intention of the addon is to set up your Heroku-hosted application for SSL, it’s not a generic tool to build valid certificates. In fact, the article mentions that if the addon is removed, the SSL certificate is erased, which leads me to the interpretation that you never get access to the certificate’s private key – transferring this certificate to a non-Heroku server, such as your Digital Ocean droplet, would be flat out impossible.

2 Likes

(a) That’s why I’m asking lots of questions. (b) I understand that, in general, each server needs its own certificate. It’s not clear (yet) if Expedited SSL covers sub-domains hosted elsewhere than Heroku. I have an open support ticket on Heroku. And, © based upon the replies ‘to date’, I expect to purchase a certificate for the Discourse sub-domain (from Discourse.org) and the Heroku primary domain (from Expedited SSL). I’m trying to avoid managing SSL certificates myself.

We do not sell SSL certificates, you must purchase it from a third party. I strongly recommend you contract somebody technical to help you out here as many of the questions are very confused. As long as you have the ability to validate the CSR we send you we do not care who your SSL provider is.

@sam What does this - below / copied from the $100 / month plan - buy then?

SSL Option
For an additional $20/month, your site can be available over a secure HTTPS connection, and we’ll double the number of Staff users, too!

It means we configure SSL certs for you on our server,

  1. We send you a CSR
  2. You sign it and send us back a file
  3. We configure our servers.

If this is too hard as long if you provide us admin web accounts for the SSL provider you choose we can take care of step #1 and #2 and #3.

@sam Here’s Expedited SSL’s reply to the initial question I asked both of you:

There’s nothing special about a certificate that ties it to just a single host - but in order to accomplish what you’re looking for here, you’d need to purchase our wildcard plan ($79/mo) - and we’d then export the cert for you to manually install on Digital Ocean or wherever else you might need it.

That being the case I think you’d be much better off just using our single plan and then getting a separate certificate from Discourse for your forum.

Now I know what to do: Expedited SSL on the primary website, purchase a separate certificate per your recommendation for my ‘community.’

Thanks, Doug