How do I verify that my new SSL key and certificate will validly serve SSL over my Heroku application before I deploy it?
Heroku gives simple instructions for updating the SSL certificate:
$ heroku certs:update server.crt server.key
However, there is no indication that any verification is done before deploying. Since this is a production environment, I want to make sure that the two files I hand them won't cause any security mess.
I have my foo_com.crt (signed by DigiCert), server.key and DigiCertCA.crt.
I've found that I can use security verify-cert -c certificate.pem to verify my certificate (on OS X). My certificate, however, does not verify:
$ security verify-cert -c foo_com.crt
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
This leads me to believe my intermediate might be untrusted, but:
$ security verify-cert -c DigiCertCA.crt
...certificate verification successful.
Specifying the SSL purpose also succeeds:
$ security verify-cert -p ssl -c foo_com.crt
...certificate verification successful.
I tried on a Linux box with similar results.
$ openssl verify foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed
$ openssl verify -CAfile DigiCertCA.crt foo_com.crt
foo_com.crt: OK
$ openssl verify -purpose sslserver -CApath /etc/ssl/certs foo_com.crt
C = __, ST = ___, L = ___, O = "Foo Inc", CN = foo.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo_com.crt: verification failed
How do I make sure that everything will go smoothly when I update my certificate in Heroku?
Related: Renewing SSL certificate on Heroku
A colleague's suggestion to run nginx gave me the confidence that everything would deploy smoothly.
I configured nginx with:
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;
    server_name server_IP_address;
    ssl_certificate /Users/traff/cert/gd.crt;
    ssl_certificate_key /Users/traff/cert/server.key;
    server_name localhost;
    ...
}
After setting up the nginx server, I ran openssl s_client -connect localhost:443 -CApath /etc/ssl/certs. Then I set foo.com in my hosts file to point to my nginx server and used curl https://foo.com.
Using the concatenation of foo_com.crt and DigiCertCA.crt (in that order) together with server.key, the upload succeeded.
Furthermore, although Heroku's documentation doesn't say so, the update step does verify that SSL will be served correctly:
$ heroku certs:update foo_com_DigiCertCA_cat.crt server.key -a my-app
Resolving trust chain... done
_ Potentially Destructive Action
_ This command will change the certificate of endpoint ____
_ (_______.herokussl.com) from _ my-app.
_ To proceed, type my-app or re-run this command with
_ --confirm my-app
> my-app
Updating SSL certificate _____ (____.herokussl.com) for _ my-app... done
Updated certificate details:
Common Name(s): foo.com
Expires At: DateTime
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Starts At: DigiCert
Subject: blah blah blah
SSL certificate is verified by a root authority.
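The pre-upload checks the answer does by hand, as an added shell script that is not from the original post or from Heroku: it confirms the private key belongs to the leaf, verifies the leaf through the intermediate to a trusted root with the sslserver purpose, checks expiry, and only then writes the leaf-first bundle that heroku certs:update expects. File names follow the question; the trust store path /etc/ssl/certs/ca-certificates.crt (Debian layout) is an assumption and can be overridden by a fifth argument. Passing the intermediate with -untrusted is what the question's openssl verify runs were missing, which is why they reported "unable to get local issuer certificate".

```shell
#!/bin/sh
# Pre-deploy check for a Heroku SSL bundle (example script, not Heroku's tooling).
set -eu

# check_bundle LEAF INTERMEDIATE KEY OUT [TRUST_STORE]
#   Returns 0 and writes OUT (leaf followed by intermediate) when every check
#   passes; returns 1 with a message on the first failure and writes nothing.
check_bundle() {
  leaf=$1; inter=$2; key=$3; out=$4
  # Assumed default trust store location (Debian/Ubuntu layout).
  trust=${5:-/etc/ssl/certs/ca-certificates.crt}

  # 1. The private key must belong to the leaf. Comparing the SubjectPublicKeyInfo
  #    works for RSA and EC keys alike, unlike the classic modulus comparison.
  leaf_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$leaf_pub" = "$key_pub" ] || { echo "key $key does not match $leaf" >&2; return 1; }

  # 2. The leaf must chain through the intermediate (supplied as untrusted, the way a
  #    TLS client sees it) to a root in the trust store, and be usable as a server cert.
  openssl verify -purpose sslserver -CAfile "$trust" -untrusted "$inter" "$leaf" >/dev/null \
    || { echo "$leaf does not chain to a trusted root via $inter" >&2; return 1; }

  # 3. The leaf must not expire within the next 30 days (2592000 seconds).
  openssl x509 -in "$leaf" -noout -checkend 2592000 >/dev/null \
    || { echo "$leaf expires within 30 days" >&2; return 1; }

  # 4. Build the bundle in the order that worked in the answer: leaf first, then intermediate.
  cat "$leaf" "$inter" > "$out"
  echo "bundle written to $out; upload with: heroku certs:update $out $key -a my-app"
}
```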