# xshogi 官網加入 SSL certificate 紀錄 實驗域名：xshogi.com.tw ## 第一階段 I purchased a domain name from Gandi and use permanent web forwarding to forward the domain name to my heroku application. I also add custom domain(the one I bought) to heroku console. Domain Name DNS Record Type DNS Target ───────────────── ─────────────── ─────────────────────── xshogi.com.tw ALIAS or ANAME xshogi.com.tw.herokudns.com www.xshogi.com.tw CNAME www.xshogi.com.tw.herokudns.com I could not successfully adopt heroku ACM to configure my domain even though I had paid for hobby plan. I followed the tutorial [video](https://vimeo.com/209534466) that Johnnybib posted. 1. create server.crs and server.key in project with `openssl req -nodes -newkey rsa:2048 -sha256 -keyout server.key -out server.csr` 2. go to purchase SSL certificate page in Gandi 3. `cat server.csr` and paste it to Gandi console 4. pay and wait for authentication done to finish this bill 5. download .crt and .pem certificate and concatenate them together into all.crt 6. use `heroku certs:add --app xshogi all.crt` ## 第二階段 ### 新增 certification 和 key 到 heroku ``` ↪ heroku certs:add all.crt .ssl/xshogi_heroku.key --app xshogi 19:35:21 ▸ heroku-cli: update available from 6.15.28-6b9662e to 6.16.13-dbb9c23 Resolving trust chain... done Adding SSL certificate to ⬢ xshogi... done Certificate details: Common Name(s): www.xshogi.com.tw xshogi.com.tw Expires At: 2019-04-19 07:59 UTC Issuer: /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 Starts At: 2018-04-18 08:00 UTC Subject: /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.xshogi.com.tw SSL certificate is verified by a root authority. === The following common names already have domain entries www.xshogi.com.tw xshogi.com.tw === Your certificate has been added successfully. Update your application's DNS settings as follows Domain Record Type DNS Target ───────────────── ─────────── ──────────────────────────────────── www.山角行.com CNAME www.xn--rhto43ho7a.com.herokudns.com xshogi.com.tw ALIAS/ANAME xshogi.com.tw.herokudns.com www.xshogi.com.tw CNAME www.xshogi.com.tw.herokudns.com 山角行.com ALIAS/ANAME xn--rhto43ho7a.com.herokudns.com ``` ### 檢查憑證 ``` ↪ heroku certs:info 19:36:12 ▸ heroku-cli: update available from 6.15.28-6b9662e to 6.16.13-dbb9c23 Fetching SSL certificate ceratosaurus-25252 info for ⬢ xshogi... done Certificate details: Common Name(s): www.xshogi.com.tw xshogi.com.tw Expires At: 2019-04-19 07:59 UTC Issuer: /C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 Starts At: 2018-04-18 08:00 UTC Subject: /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.xshogi.com.tw SSL certificate is verified by a root authority. ``` ### 測試憑證 ``` ↪ openssl s_client -connect www.xshogi.com.tw.herokudns.com:443 -servername www.xshogi.com.tw 19:36:25 CONNECTED(00000003) depth=2 /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.xshogi.com.tw i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Server certificate -----BEGIN CERTIFICATE----- MIIGATCCBOmgAwIBAgIRAK42Y5Tzqt7mp+/o1XTh/Y8wDQYJKoZIhvcNAQELBQAw XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy MB4XDTE4MDQxODAwMDAwMFoXDTE5MDQxODIzNTk1OVowXDEhMB8GA1UECxMYRG9t YWluIENvbnRyb2wgVmFsaWRhdGVkMRswGQYDVQQLExJHYW5kaSBTdGFuZGFyZCBT U0wxGjAYBgNVBAMTEXd3dy54c2hvZ2kuY29tLnR3MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAqv2/I8JrMjbmJD2Z9A0etNp3C2NghVd/W69uWgNTlIi5 pZoCmB/4NjyeG/DkixPCAu5S0dT8BNsH5EfA+Yr89aICdeN+satuAOhBuPqB397o 7xVGuqsTfl6vrV7jsa7qURIz4HVszo22dTl2J+4sECY7jd/T5Qz8xKrEHaFymrN2 /EeY1PMEC3t4Hu1wiNBZoGAXonttO+bGzXI9xGJCWAG/1G0qA7HKp3MfonEXJXw7 WGklirLtoHIboKykvl4/PsZH9S6qwbvD6hStqNgjnn4uD7lqNcLChLQBt4SHgMjy ZRPF6IDFpGZr+/lzvBogL2V3lJpsf/LTYbiZQ7L7VQIDAQABo4ICuTCCArUwHwYD VR0jBBgwFoAUs5Cn2MmvTs1hPJ98rV1/Qf1pMOowHQYDVR0OBBYEFNimFTHeRUj1 04k5mtzT9eKN5jLcMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBLBgNVHSAERDBCMDYGCysGAQQBsjEB AgIaMCcwJQYIKwYBBQUHAgEWGWh0dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20wCAYG Z4EMAQIBMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0LmNv bS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNybDBzBggrBgEFBQcBAQRnMGUwPAYIKwYB BQUHMAKGMGh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NM Q0EyLmNydDAlBggrBgEFBQcwAYYZaHR0cDovL29jc3AudXNlcnRydXN0LmNvbTAr BgNVHREEJDAighF3d3cueHNob2dpLmNvbS50d4INeHNob2dpLmNvbS50dzCCAQIG CisGAQQB1nkCBAIEgfMEgfAA7gB1AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDE e4l6qP3LAAABYthbaF0AAAQDAEYwRAIgE7cPe0Rz5NVLrQNFeMNail3e0MtOU9c7 HKGPCPtvi7ICIBC+IPhqKDXX7xxgBzffunQG9+KUazLGpw2UPXN/tnsTAHUAdH7a gzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYAAAFi2FtoqAAABAMARjBEAiBO +5cT2VmcMIwDFC8KK9Fwsdo7jwqMXU2eJ1T89T5TJwIgEJ8wodfGFxE2N2Wm9fA2 ImcSbd5l580V42XehzhN0O0wDQYJKoZIhvcNAQELBQADggEBAAKAfHrQeWHOrfW1 FBqbJliYF/IFlji2VUCBaurGqS8jZMBqBL5Mc3ujE5d+29xOFO2/DcmD+JfcO0os sM74NOknLKUkkCwBiw5nrLqkSXnBheEtQ1Enq0rD6QQUXqfWxaw10a45aykKV4D+ /skcZnWvmqy9U6hJNmMvx2UHIRHac9g+Qv7jChl9xwWQcDw12RPsbEwz38CLlTJ4 1RUAjgwfuFP64yZLPCYBy3La/V9zuqH6r2mIS7+Pt2KYc+LXEAgsUKr17Xjnj5Pc Ujip4UwtKMYeaOiO3Mmfh+cLP9MI5dXtPORwpcBF4TfvxGSnbPAZ0B92NeiuPsLX mcesk7M= -----END CERTIFICATE----- subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.xshogi.com.tw issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2 --- No client certificate CA names sent --- SSL handshake has read 4636 bytes and written 452 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: F9E02084D92B2715BDC48DC239C2E969ADE4C35A9914C3B3185E13D5B6ECB98B Session-ID-ctx: Master-Key: DA54735704328C775DCB14BDCC5EC5C0BC80F6811D765263B003CB23727FD99574BFAF28C010399F103C3A6DA9E0EA19 Key-Arg : None Start Time: 1524051500 Timeout : 300 (sec) Verify return code: 0 (ok) --- read:errno=0 ``` ## 最後一階段 ``` ↪ curl -vI https://www.xshogi.com.tw 20:05:19 * Rebuilt URL to: https://www.xshogi.com.tw/ * Trying 217.70.184.50... * TCP_NODELAY set * Connection failed * connect to 217.70.184.50 port 443 failed: Connection refused * Failed to connect to www.xshogi.com.tw port 443: Connection refused * Closing connection 0 curl: (7) Failed to connect to www.xshogi.com.tw port 443: Connection refused ``` 在甘地修改 www 的 CNAME 從 webredir.vip.gandi.net. 改為 xshogi.com.tw.herokudns.com. ``` veckh at 8c85900fb29e in ~/D/x/official_website ↪ curl -vI https://www.xshogi.com.tw 20:06:50 * Rebuilt URL to: https://www.xshogi.com.tw/ * Trying 50.19.93.33... * TCP_NODELAY set * Connected to www.xshogi.com.tw (50.19.93.33) port 443 (#0) * TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: www.xshogi.com.tw * Server certificate: Gandi Standard SSL CA 2 * Server certificate: USERTrust RSA Certification Authority > HEAD / HTTP/1.1 > Host: www.xshogi.com.tw > User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) > Accept: */* > Referer: > < HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: Cowboy Server: Cowboy < Date: Wed, 18 Apr 2018 12:06:54 GMT Date: Wed, 18 Apr 2018 12:06:54 GMT < Connection: keep-alive Connection: keep-alive < X-Frame-Options: SAMEORIGIN X-Frame-Options: SAMEORIGIN < X-Xss-Protection: 1; mode=block X-Xss-Protection: 1; mode=block < X-Content-Type-Options: nosniff X-Content-Type-Options: nosniff < Content-Type: text/html; charset=utf-8 Content-Type: text/html; charset=utf-8 < Etag: W/"edaffa07c2f02d7e700e89b6f7997060" Etag: W/"edaffa07c2f02d7e700e89b6f7997060" < Cache-Control: max-age=0, private, must-revalidate Cache-Control: max-age=0, private, must-revalidate < Set-Cookie: _Xshogi_Server_session=aERuNjZoYnhqMlhqT2FsZERVbnhuNWI1RW1rcm1RRHV6QytQelNvNjdHQW5jVGVqazdIeFVoRUxQYllVMTB0MmdoMEE1Zm1IemFGOUp6VDFDa09EYk5NaDEvTVpzS3hLRVd5UTFlSndHWGJaT0NlSkdrb09HamhVUnIvR0NyQzVEbm1PU0pjSC83eitSb2tKTno1VGZRPT0tLTZhS2IzTzZyWHloWTZWUWhOWE1FQkE9PQ%3D%3D--814dcb9c87b0e66a8966a8c680ff7ed4e0023154; path=/; HttpOnly Set-Cookie: _Xshogi_Server_session=aERuNjZoYnhqMlhqT2FsZERVbnhuNWI1RW1rcm1RRHV6QytQelNvNjdHQW5jVGVqazdIeFVoRUxQYllVMTB0MmdoMEE1Zm1IemFGOUp6VDFDa09EYk5NaDEvTVpzS3hLRVd5UTFlSndHWGJaT0NlSkdrb09HamhVUnIvR0NyQzVEbm1PU0pjSC83eitSb2tKTno1VGZRPT0tLTZhS2IzTzZyWHloWTZWUWhOWE1FQkE9PQ%3D%3D--814dcb9c87b0e66a8966a8c680ff7ed4e0023154; path=/; HttpOnly < X-Request-Id: 05adeb8e-6512-4b0c-895b-1c483e27105f X-Request-Id: 05adeb8e-6512-4b0c-895b-1c483e27105f < X-Runtime: 0.015953 X-Runtime: 0.015953 < Content-Length: 10685 Content-Length: 10685 < Via: 1.1 vegur Via: 1.1 vegur < * Connection #0 to host www.xshogi.com.tw left intact ``` 然後瀏覽器連線 https://www.xshogi.com.tw 就可以通了，且保留 https://www.xshogi.com.tw https 修改 CNAME 後好像就不需要在 網頁轉址 那邊新增項目了．．．我刪光還是 work 但是如果要把 http 導向 https 的，還是要去新增網頁轉址