Automated Certificate Management

Last updated October 16, 2024

With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps in the Common Runtime, and for apps in Private Spaces that enable the feature.

Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add or remove a custom domain. All applications include ACM for free.

Automated Certificate Management uses Let’s Encrypt, the free, automated, and open certificate authority for managing your application’s TLS certificates. Let’s Encrypt is run for the public benefit by the Internet Security Research Group (ISRG).

Setup

Common Runtime

Enable ACM with the following command:

$ heroku certs:auto:enable

When you enable ACM, ensure that your DNS is pointed at its new DNS target. If it’s pointed at *.herokuapp.com or *.herokussl.com, Heroku is unable to verify your certificate. Run heroku domains to verify the DNS target.

Private Spaces

If your app doesn’t currently have TLS certs, simply enable ACM and wait for the certificate to be provisioned:

$ heroku certs:auto:enable

If you already have manually uploaded TLS certs and want to migrate to ACM, follow the process outlined below.

1. Determine the name of your manually uploaded cert

$ heroku certs
Name          Endpoint                                                 Common Name(s)          Expires               Trusted  Type
────────────  ───────────────────────────────────────────────────────  ──────────────────────  ────────────────────  ───────  ─────────────────
nagano-91606  <haiku>.<haiku>.herokuspace.com                          <common-name>           2018-08-13 11:05 UTC  True     SNI

2. Enable ACM for your app

$ heroku certs:auto:enable

Enabling Automatic Certificate Management... done
=== Your certificate will now be managed by Heroku.  Check the status by running heroku certs:auto.

3. Wait for the ACM cert to be issued

Make sure to wait for this step to complete before proceeding. If you don’t, your app might experience downtime.

$ watch heroku certs:auto

4. Remove the manually added cert

Specify the cert name you found in step 1:

$ heroku certs:remove --name nagano-91606

View your certificate status

It usually takes between 45 and 60 minutes to generate a TLS certificate for your app’s custom domains. You can view the status of the generated certificate by running the following command:

$ heroku certs:auto

The process is complete when the certificate’s status is Cert Issued.

If your certificate’s status is DNS Verified, the process is not finished yet. Heroku has verified your domain status and is still in the process of submitting it to Let’s Encrypt.

All possible certificate generation statuses are listed below:

Status Description
Cert Issued A certificate has been issued for the domain.
In Progress Heroku is verifying your custom domain’s DNS.
DNS Verified Heroku verified your custom domain’s DNS and is in the process of generating the certificate.
Waiting Heroku is currently waiting to process your certificate.
Failing Heroku is unable to verify your DNS. We will keep trying to verify for up to an hour. See Troubleshooting for help addressing this error.
Failed Heroku is unable to verify your DNS. We have stopped trying to verify this domain. See Troubleshooting for help addressing this error.

Providing your own TLS certificate

If you prefer to use a different type of TLS certificate, such as one from a different CA or an EV certificate, you can easily do so. You must also upload your own wildcard certificate for Private Space apps.

Simply upload your own certificate, following the steps listed in Heroku SSL.

Providing your own certificate disables ACM for your application. If you want to re-enable ACM, you can run the following command:

$ heroku certs:auto:enable

Turning off Automated Certificate Management

Do not turn off ACM with the intent of turning it back on immediately. This can cause your account to reach a rate limit with Let’s Encrypt.

You can turn off ACM by running the following command:

$ heroku certs:auto:disable

This removes your domain’s certificate and turns off ACM for your application. Removing your certificate with heroku certs:remove also turns off ACM.

Migrating existing applications

Migrating from Heroku SSL and Private Spaces with your own certificate

Automated Certificate Management uses the same DNS configuration as Heroku SSL (SNI) support. Enabling ACM for Private Space apps also doesn’t require DNS changes. Although it might take some time to verify your DNS configuration, your app will continue to serve your existing SSL certificate while verification is taking place. Your app should continue to remain available at your custom domain throughout the process.

Troubleshooting

Do not turn off ACM in an attempt to fix or speed up the ACM process. This can cause your account to reach a rate limit with Let’s Encrypt.

Verification errors

If heroku certs:auto shows Failing or Failed for any domain, it means Heroku was unable to verify DNS for a given domain. You need to verify that it is pointed to the correct DNS target as specified in heroku domains. The DNS targets will be in the format <your-domain>.herokudns.com.

If your DNS is pointed at older DNS settings, such as *.herokuapp.com or *.herokussl.com, Heroku will not be able to generate a certificate.

If ACM is unable to create a certificate for your domain, you receive a notification after three days of attempts. In most cases, this error occurs because DNS is not properly configured for your domain. After you resolve your DNS issue, run the following command to instruct ACM to try again:

$ heroku certs:auto:refresh

Failure reasons

There are a number reasons why issuing a certificate might fail. A failure reason may be included in a notification email or in the CLI.

CN exceeding 64 character limit

Domain names can not exceed 64 characters.

Incorrect DNS settings

Your DNS record is not set up properly.

Review this document and ensure that your DNS records are set up correctly.

If your domain fails DNSSEC (DNS Security Extensions) verification, you can encounter this error.

You can also encounter this error if your Private Space app does not have a web dyno running.

Unable to resolve DNS for domain

The error is typically encountered when a DNS name hasn’t yet propagated to DNS providers. Heroku’s ACM feature checks for the availability of your domain in Google’s DNS (8.8.8.8).

Please check that your domain is available in Google Public DNS and that there are no typos in your entry.

CDN not returning HTTP challenge

Heroku ACM is attempting to verify that the HTTP challenge file is being returned, but is encountering a 404 error. This typically happens when you are pointing your domain at a CDN, rather than the Heroku provided DNS target, and the HTTP challenge file does not exist on the CDN.

This typically happens with AWS CloudFront.

DNS redirect not forwarding path

Heroku ACM is attempting to verify that the HTTP challenge file is being returned, but your DNS provider is not returning the full path of the file location.

If your DNS provider does not support forwarding paths, you may need to change DNS providers. Some providers, such as Google Domains, offer the ability to turn on or off path forwarding — by default this is turned “off” for Google Domains.

Incorrect CNAME target

This error is encountered when your DNS record specifies <app-name>-<random-identifier>.herokuapp.com as the target for the CNAME rather than the provided DNS target. Update your DNS record to point at the correct DNS target.

To get the correct DNS target, run heroku domains.

Rate limited

ACM failed because there have been too many requests to issue a certificate for the domain(s) on this app within a 7-day interval. Heroku support is unable to bypass this rate limit, because it is set by Let’s Encrypt. You may encounter a rate limit when you enable and disable ACM on your app repeatedly.

Note that ACM for domains on other apps are not affected by this error (i.e., a rate limit on one app does not impact ACM on another app with a different domain).

After the rate limit period has ended, you can try issuing a certificate again by running:

$ heroku certs:auto:refresh

DNS provider timed out

Heroku attempted to verify your DNS record, but your DNS provider timed out. Run heroku certs:auto:refresh to try again.

Strict TLS in CDN not supported

You are attempting to use Cloudflare with ACM, but don’t have it configured correctly.

Heroku recommends against using ACM with Cloudflare, because Cloudflare provides SSL certificates. To disable ACM on your app, run heroku certs:auto:disable.

For more information, check out Cloudflare’s “Configure Cloudflare and Heroku over HTTPS” documentation.

DNS provider doesn’t support CAA

Let’s Encrypt returned an error that your DNS provider does not support Certificate Authority Authorization (CAA) records.

Contact your DNS provider for more information on CAA support. Learn more about CAA records.

CAA record prevents issuance

The CAA record prevents certificates from being issued by Let’s Encrypt.

Add a CAA record that allows Let’s Encrypt to issue certificates for the domain. Learn more about CAA records.

Domain record does not exist

Let’s Encrypt has returned a NXDOMAIN error, which means the domain record does not exist in your DNS provider.

To fix this error, please make sure that your domain name was entered correctly and the DNS record for the domain contains the right CNAME.

Domain considered unsafe

Let’s Encrypt checks domains against Google’s Safe Browsing API and will not issue certificates for domains considered unsafe.

Check the status of your domain by visiting this URL: http://www.google.com/safebrowsing/diagnostic?site=http://yourdomainhere.com/

Let’s Encrypt domain blocklist

You have requested a certificate for a domain on Let’s Encrypt’s domain blocklist. Typically, well-known domains are on this blocklist as an additional security measure to prevent unauthorized certificate creation.

Contact Let’s Encrypt on their Community Support forum.

Alternatives to ACM

If you want to automatically renew a wildcard certificate on a Private Space app or use a different CA, Heroku add-ons such as SSL FastTrack or ExpeditedSSL might serve your use case.

Let’s Encrypt is an organization independent of Heroku and Salesforce, Heroku offers ACM to simplify integration of Let’s Encrypt’s verification process and certificate installation for the majority case of obtaining SSL for a domain. If your app(s) or domain(s) requires a more sophisticated integration, Let’s Encrypt can be used directly and is highly automatable with a number of first- and third-party plugins are already written, including those that can automatically install a resulting certificate into a Heroku app. Please review the resources available on Let’s Encrypt’s site for further possibilities.

Known limitations

  • Custom Domains can not be longer than 64 characters.
  • ACM is a replacement for manually managing certificates, you cannot do both on a single app.
  • Private Space apps using ACM can’t have wildcard domains.
  • ACM doesn’t work for apps in Private Spaces that use Trusted IPs to block access.
  • Private Space apps must have at least one running web dyno for initial validation and renewals to work.
  • When ACM is enabled the Let’s Encrypt HTTP challenge URLs (/.well-known/acme-challenge/*) are handled by the Heroku Platform, redirected away from your app. If you require use of these paths on your app you must disable ACM.
  • ACM does not support IPv6 AAAA DNS records.
  • ACM is not compatible with internal routing.

Feedback

Log in to submit feedback.