Auto Cert Management and More TLS Options for Private Spaces

Today we’re announcing two exciting TLS improvements for apps running in Private Spaces—Heroku’s runtime optimized for security-sensitive workloads that require network and tenant isolation:

  • Automated Certificate Management to automatically create, configure, and renew free TLS certificates for custom domains on Private Space apps
  • Expanded and updated cipher suite selections for TLS/SSL termination for Private Space apps

Together, ACM and greater TLS cipher suite flexibility makes building secure apps in Heroku Private Spaces simpler and less burdensome. Read on for details.

Automated Certificate Management

Automated Certificate Management (ACM) is now available at no extra cost for all apps in Heroku Private Spaces. When ACM is enabled on an app, Heroku automatically creates, configures and renews TLS certificates for custom domains you add to the app.

TLS certificates are the cryptographic keys that encrypt HTTPS traffic and establish identity so your visitors know they’re not browsing an imposter website. Getting and renewing certs for web sites used to be a chore because certs are hard to handle securely, expire periodically, and require strict validation. All of those problems go away with Heroku ACM.

ACM can be enabled using the Heroku Dashboard or the CLI:

$ heroku certs:auto:enable -a your-app

Then check the certificate status:

$ heroku certs:auto -a your-app
 …
 Domain Status Last Updated
 ────────────────────────────────────────
 example.com OK about 1 hour

acm-good

Heroku uses the Let’s Encrypt certificate authority to provision certificates. Let’s Encrypt is run as a public benefit by the Internet Security Research Group with the goal of improving security on the Internet.

ACM is not enabled by default. To use ACM, enable it for an app in Heroku Dashboard or with the CLI. If you want to move an app with a manually provisioned cert to ACM, follow the process below.

1. Determine the name of your current manually uploaded certificate

$ heroku certs
Name
nagano-91606

2. Enable ACM for your app

$ heroku certs:auto:enable
Enabling Automatic Certificate Management... done
=== Your certificate will now be managed by Heroku. Check the status by running heroku certs:auto.

3. Wait for the cert to be issued

It's important to wait for this step to complete before proceeding. If you don't your app might incur downtime.

$ watch heroku certs:auto

4. Remove the old manually added cert

Use the name found in step 1

$ heroku certs:remove --name nagano-91606

Because of the network security controls available in Heroku Private Spaces, ACM cannot be used in some configurations that would block Let’s Encrypt validation requests. Also note that ACM cannot be used to generate certificates for the built-in appname.herokuapp.com address for Private Space apps. Stay tuned for improvements.

Heroku customers can still use certs provisioned in other ways, of course, but Heroku ACM makes getting setup with https quick and simple. Dev Center has details on Heroku Automated Certificate Management.

Improved TLS Cipher Suite

Transport Layer Security (TLS) is the foundational technology that encrypts web traffic on the Internet, and cipher suites are used by clients and servers to negotiate what key-exchange and encryption algorithms to use.

We have expanded the cipher-suites available to Private Space apps:

  • spaces-tls-modern: TLS 1.2 - excellent security that works with relatively new browsers and mobile/IoT clients
  • default (no flag or setting): TLSv1.1, TLSv1.2 - good security and compatible with a large range of browsers and clients
  • spaces-tls-legacy: TLSv1, TLSv1.1 and TLSv1.2 - should only be used if backwards compatibility with old clients is required

At the time of writing, all of these suites score “A” or better on SSL Labs tests.

TLS for Private Space apps is configured using the features command. Make sure you disable any other TLS-related flags and then enable the suite you want for the app:

$ heroku features:disable spaces-strict-tls --app your-app
$ heroku features:enable spaces-tls-modern --app your-app

Check out Dev Center for full docs. Dev Center also has details on the cipher-suites used with each setting.

The new spaces-tls-legacy suite is the same as the previous default. The previous spaces-strict-tls suite (TLS 1.1 and 1.2, with some accommodations for older clients) is deprecated.

Because TLS settings can affect connection behavior for users accessing Heroku apps, we have not changed the cipher suites for any existing Private Space apps. Apps using spaces-strict-tls can keep doing so (but should consider upgrading to spaces-tls-modern).

Only new apps will have the new default suite. Apps created before June 19th 2018 have been given a spaces-tls-legacy flag and will see no change in behavior. If, for any reason, you need a newly created app to behave the same as one that’s using a legacy cipher suite, just go ahead and enable either the spaces-tls-legacy (previous default) or spaces-strict-tls feature. To get the new default behavior, simply remove all TLS-related features (typically spaces-tls-legacy):

 heroku features:disable spaces-tls-legacy --app your-app

Getting TLS configuration right is critical for running secure apps on the internet. The new cipher suite selection for apps in Heroku Private Spaces gives your access to flexible, secure and up-to-date options that will keep your users data safe.

Browse the archives for news or all blogs Subscribe to the RSS feed for news or all blogs.