letsencrypt-rails-heroku 0.2.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1a4a463e9fae1296ef19b8fc1213e38fd046e438
+  data.tar.gz: 854e97723f2eaf1c7aa3f90ac941ecc8af4a2423
+SHA512:
+  metadata.gz: f161f92843c8a7c4af64acea6b2d606b0ce3e62fccbc9bbdbaeda40d7bf92d6f69ce3615e356382519a9c07b0c696231f2fb2007336cd0bf10dc75ed1af709c6
+  data.tar.gz: 36a5bd7ee0404c167a649c95b624c5ce518993ad41335e41db878b05e7544487b8f0466bb02f18ed0b00d50dfacebc3a4f5fc555673ace3c35ceb0e88b0396b2

data/.document

@@ -0,0 +1,5 @@
+lib/**/*.rb
+bin/*
+- 
+features/**/*.feature
+LICENSE.txt

data/Gemfile

@@ -0,0 +1,14 @@
+source "https://rubygems.org"
+
+gem 'acme-client', '~> 0.3.7'
+# SNI endpoints not supported yet:
+# <https://github.com/heroku/platform-api/issues/49>
+gem 'platform-api', github: 'jalada/platform-api', branch: 'master'
+
+group :development do
+  gem "shoulda", ">= 0"
+  gem "rdoc", "~> 3.12"
+  gem "bundler", "~> 1.0"
+  gem "juwelier", "~> 2.1.0"
+  gem "simplecov", ">= 0"
+end

data/Gemfile.lock

@@ -0,0 +1,117 @@
+GIT
+  remote: git://github.com/jalada/platform-api.git
+  revision: 45ddb3c1a7e2c7f85d979c0791db18e99affb237
+  branch: master
+  specs:
+    platform-api (0.8.0)
+      heroics (~> 0.0.17)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    acme-client (0.3.7)
+      faraday (~> 0.9, >= 0.9.1)
+      json-jwt (~> 1.2, >= 1.2.3)
+    activesupport (5.0.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.4.0)
+    bindata (2.3.1)
+    builder (3.2.2)
+    concurrent-ruby (1.0.2)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
+    docile (1.1.5)
+    erubis (2.7.0)
+    excon (0.51.0)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    git (1.3.0)
+    github_api (0.14.4)
+      addressable (~> 2.4.0)
+      descendants_tracker (~> 0.0.4)
+      faraday (~> 0.8, < 0.10)
+      hashie (>= 3.4)
+      oauth2 (~> 1.0.0)
+    hashie (3.4.4)
+    heroics (0.0.17)
+      erubis (~> 2.0)
+      excon
+      moneta
+      multi_json (>= 1.9.2)
+      netrc
+    highline (1.7.8)
+    i18n (0.7.0)
+    json (1.8.3)
+    json-jwt (1.6.3)
+      activesupport
+      bindata
+      multi_json (>= 1.3)
+      securecompare
+      url_safe_base64
+    juwelier (2.1.2)
+      builder
+      bundler (>= 1.0)
+      git (>= 1.2.5)
+      github_api
+      highline (>= 1.6.15)
+      nokogiri (>= 1.5.10)
+      rake
+      rdoc
+      semver
+    jwt (1.5.4)
+    mini_portile2 (2.1.0)
+    minitest (5.9.0)
+    moneta (0.8.0)
+    multi_json (1.12.1)
+    multi_xml (0.5.5)
+    multipart-post (2.0.0)
+    netrc (0.11.0)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
+    oauth2 (1.0.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (~> 1.2)
+    pkg-config (1.1.7)
+    rack (1.6.4)
+    rake (11.2.2)
+    rdoc (3.12.2)
+      json (~> 1.4)
+    securecompare (1.0.0)
+    semver (1.0.1)
+    shoulda (3.5.0)
+      shoulda-context (~> 1.0, >= 1.0.1)
+      shoulda-matchers (>= 1.4.1, < 3.0)
+    shoulda-context (1.2.1)
+    shoulda-matchers (2.8.0)
+      activesupport (>= 3.0.0)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.0)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    url_safe_base64 (0.2.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  acme-client (~> 0.3.7)
+  bundler (~> 1.0)
+  juwelier (~> 2.1.0)
+  platform-api!
+  rdoc (~> 3.12)
+  shoulda
+  simplecov
+
+BUNDLED WITH
+   1.12.5

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2016 Pixie Labs
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,174 @@
+# LetsEncrypt & Rails & Heroku
+
+[![Gem Version](https://badge.fury.io/rb/letsencrypt-rails-heroku.svg)](https://badge.fury.io/rb/letsencrypt-rails-heroku)
+
+This gem is a complete solution for securing your Ruby on Rails application
+on Heroku using their free SNI-based SSL and LetsEncrypt. It will automatically
+handle renewals and keeping your certificate up to date.
+
+
+## Pre-requestives
+
+ - Whilst it is in beta, you must use the labs feature to enable Heroku's free
+   SSL offering:
+
+   ```
+   heroku labs:enable http-sni
+   ```
+
+ - You must be using hobby or professional dynos to use free SNI-based SSL.
+
+ - You should have already configured your app DNS as per [Heroku's
+   documentation](https://devcenter.heroku.com/articles/custom-domains).
+
+## Installation
+
+Add the gem to your Gemfile:
+
+```
+# Until the API calls are out of beta, you must manually specify my fork
+# of the Heroku API gem:
+gem 'platform-api', github: 'jalada/platform-api', branch: 'master'
+
+gem 'letsencrypt-rails-heroku', group: 'production'
+```
+
+And add it as middleware in your `config/environments/production.rb`:
+
+```
+Rails.application.configure do
+  <...>
+
+  config.middleware.use Letsencrypt::Middleware
+
+  <...>
+end
+```
+
+## Configuring
+
+By default the gem will try to use the following set of configuration variables,
+which you should set.
+
+ * `ACME_DOMAIN`: Comma separated list of domains for which you want
+   certificates, e.g. `example.com,www.example.com`. Your Heroku app should be
+   configured to answer to all these domains, because LetsEncrypt will make a
+   request to verify ownership.
+ * `ACME_EMAIL`: Your email address, should be valid.
+ * `HEROKU_TOKEN`: An API token for this app. See below
+ * `HEROKU_APP`: Name of Heroku app e.g. bottomless-cavern-7173
+
+The gem itself will temporarily create additional environment variables during
+the challenge / validation process:
+
+ * `ACME_CHALLENGE_FILENAME`: The path of the file LetsEncrypt will request.
+ * `ACME_CHALLENGE_FILE_CONTENT`: The content of that challenge file.
+
+## Creating a Heroku token
+
+Use the `heroku-oauth` toolbelt plugin to generate an access token suitable
+for accessing the Heroku API to update the certificates. From within your
+project directory:
+
+```
+> heroku plugins:install heroku-cli-oauth
+> heroku authorizations:create -d "LetsEncrypt"
+Created OAuth authorization.
+  ID:          <heroku-client-id>
+  Description: LetsEncrypt
+  Scope:       global
+  Token:       <heroku-token>
+```
+
+Use the output of that to set the token (`HEROKU_TOKEN`).
+
+## Using for the first time
+
+After deploying, run `heroku run rake letsencrypt:renew`. Ensure that the
+output looks good:
+
+```
+$ heroku run rake letsencrypt-renew
+Running rake letsencrypt:renew on ⬢ yourapp... ⣷ connecting, run.1234
+Creating account key...Done!
+Registering with LetsEncrypt...Done!
+Setting config vars on Heroku...Done!
+Giving config vars time to change...Done!
+Testing filename works (to bring up app)...done!
+Adding new certificate...Done!
+$ 
+```
+
+If this is the first time you have used an SNI-based SSL certificate on your
+app, you may need to alter your DNS configuration as per
+[Heroku's instructions](https://devcenter.heroku.com/articles/ssl-beta#change-your-dns-for-all-domains-on-your-app).
+
+You can see these details by typing `heroku domains`.
+
+## Adding a scheduled task
+
+You should add a scheduled task on Heroku to renew the certificate. The
+scheduled task should be configured to run `rake letsencrypt:renew` as often
+as you want to renew your certificate. Letsencrypt certificates are valid for
+90 days, but there's no harm renewing them more frequently than that.
+
+Heroku Scheduler only lets you run a task as infrequently as once a day, but
+you don't want to renew your SSL certificate every day (you will hit
+[the rate limit](https://letsencrypt.org/docs/rate-limits/)). You can make it
+run less frequently using a shell control statement. For example to renew your
+certificate on the 1st day of every month:
+
+```
+if [ "$(date +%d)" = 01 ]; then rake letsencrypt:renew; fi
+```
+
+Source: [blog.dbrgn.ch](https://blog.dbrgn.ch/2013/10/4/heroku-schedule-weekly-monthly-tasks/)
+
+## Security considerations
+
+Suggestions and pull requests are welcome in improving the situation with the
+following security considerations:
+
+ - When configuring this gem you are baking a non-expiring Heroku API token
+   into your applications environment. Your collaborators could use this
+   token to impersonate the account it was created with when accessing
+   the Heroku API. This is important if your account has access to other apps
+   that your collaborators don’t. Additionally, if your application’s environment was
+   leaked this would give access to the Heroku API as your user account. 
+   [More information about Heroku’s API and oAuth](https://devcenter.heroku.com/articles/oauth#direct-authorization).
+
+   You should create the API token from a suitably locked-down account.
+
+ - This gem uses two environment variables (`ACME_CHALLENGE_FILENAME` and
+   `ACME_CHALLENGE_FILE_CONTENT`) to construct routes and responses in your
+   app. These environment variables could be manipulated to spoof URLs on your
+   application.
+
+   The gem performs some cursory checks to make sure the filename is roughly
+   what is expected to try and mitigate this.
+
+## To-do list
+
+- Persist account key, or at least give the option of using an existing one, so
+  we don’t register with LetsEncrypt over and over.
+
+- Stop using a fork of the `platform-api` gem once it supports the SNI endpoint
+  API calls.
+
+- Provide instructions for running the gem decoupled from the app it is 
+  securing, for the paranoid.
+
+## Contributing
+
+- Check out the latest master to make sure the feature hasn't been implemented
+  or the bug hasn't been fixed yet.
+- Check out the issue tracker to make sure someone already hasn't requested it
+  and/or contributed it.
+- Fork the project.
+- Start a feature/bugfix branch.
+- Commit and push until you are happy with your contribution.
+- Make sure to add tests for it. This is important so I don't break it in a
+  future version unintentionally.
+- Please try not to mess with the Rakefile, version, or history. If you want to
+  have your own version, or is otherwise necessary, that is fine, but please
+  isolate to its own commit so I can cherry-pick around it.

data/Rakefile

@@ -0,0 +1,52 @@
+# encoding: utf-8
+
+require 'rubygems'
+require 'bundler'
+begin
+  Bundler.setup(:default, :development)
+rescue Bundler::BundlerError => e
+  $stderr.puts e.message
+  $stderr.puts "Run `bundle install` to install missing gems"
+  exit e.status_code
+end
+require 'rake'
+
+require 'juwelier'
+Juwelier::Tasks.new do |gem|
+  # gem is a Gem::Specification... see http://guides.rubygems.org/specification-reference/ for more options
+  gem.name = "letsencrypt-rails-heroku"
+  gem.homepage = "http://github.com/jalada/letsencrypt-rails-heroku"
+  gem.license = "MIT"
+  gem.summary = %Q{Automatic LetsEncrypt certs in your Rails app on Heroku}
+  gem.description = %Q{This gem automatically handles creation, renewal, and applying SSL certificates from LetsEncrypt to your Heroku account.}
+  gem.email = "david@jalada.co.uk"
+  gem.authors = ["David Somers"]
+
+  # dependencies defined in Gemfile
+end
+Juwelier::RubygemsDotOrgTasks.new
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+desc "Code coverage detail"
+task :simplecov do
+  ENV['COVERAGE'] = "true"
+  Rake::Task['test'].execute
+end
+
+task :default => :test
+
+require 'rdoc/task'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "letsencrypt-rails-heroku #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.2.3

data/letsencrypt-rails-heroku.gemspec

@@ -0,0 +1,71 @@
+# Generated by juwelier
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Juwelier::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+# stub: letsencrypt-rails-heroku 0.2.3 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "letsencrypt-rails-heroku"
+  s.version = "0.2.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["David Somers"]
+  s.date = "2016-08-01"
+  s.description = "This gem automatically handles creation, renewal, and applying SSL certificates from LetsEncrypt to your Heroku account."
+  s.email = "david@jalada.co.uk"
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.md"
+  ]
+  s.files = [
+    ".document",
+    "Gemfile",
+    "Gemfile.lock",
+    "LICENSE.txt",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "letsencrypt-rails-heroku.gemspec",
+    "lib/letsencrypt-rails-heroku.rb",
+    "lib/letsencrypt-rails-heroku/letsencrypt.rb",
+    "lib/letsencrypt-rails-heroku/middleware.rb",
+    "lib/letsencrypt-rails-heroku/railtie.rb",
+    "lib/tasks/letsencrypt.rake"
+  ]
+  s.homepage = "http://github.com/jalada/letsencrypt-rails-heroku"
+  s.licenses = ["MIT"]
+  s.rubygems_version = "2.5.1"
+  s.summary = "Automatic LetsEncrypt certs in your Rails app on Heroku"
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 4
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<acme-client>, ["~> 0.3.7"])
+      s.add_runtime_dependency(%q<platform-api>, [">= 0"])
+      s.add_development_dependency(%q<shoulda>, [">= 0"])
+      s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_development_dependency(%q<juwelier>, ["~> 2.1.0"])
+      s.add_development_dependency(%q<simplecov>, [">= 0"])
+    else
+      s.add_dependency(%q<acme-client>, ["~> 0.3.7"])
+      s.add_dependency(%q<platform-api>, [">= 0"])
+      s.add_dependency(%q<shoulda>, [">= 0"])
+      s.add_dependency(%q<rdoc>, ["~> 3.12"])
+      s.add_dependency(%q<bundler>, ["~> 1.0"])
+      s.add_dependency(%q<juwelier>, ["~> 2.1.0"])
+      s.add_dependency(%q<simplecov>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<acme-client>, ["~> 0.3.7"])
+    s.add_dependency(%q<platform-api>, [">= 0"])
+    s.add_dependency(%q<shoulda>, [">= 0"])
+    s.add_dependency(%q<rdoc>, ["~> 3.12"])
+    s.add_dependency(%q<bundler>, ["~> 1.0"])
+    s.add_dependency(%q<juwelier>, ["~> 2.1.0"])
+    s.add_dependency(%q<simplecov>, [">= 0"])
+  end
+end
+

data/lib/letsencrypt-rails-heroku.rb

@@ -0,0 +1,6 @@
+require 'letsencrypt-rails-heroku/letsencrypt'
+require 'letsencrypt-rails-heroku/middleware'
+
+if defined?(Rails)
+  require 'letsencrypt-rails-heroku/railtie'
+end

data/lib/letsencrypt-rails-heroku/letsencrypt.rb

@@ -0,0 +1,38 @@
+module Letsencrypt
+  class << self
+    attr_accessor :configuration
+  end
+
+  def self.configure
+    self.configuration ||= Configuration.new
+    yield(configuration) if block_given?
+  end
+
+  def self.challenge_configured?
+    configuration.acme_challenge_filename.present? && 
+      configuration.acme_challenge_filename.starts_with?(".well-known/") &&
+      configuration.acme_challenge_file_content.present?
+  end
+
+  class Configuration
+    attr_accessor :heroku_token, :heroku_app, :acme_email, :acme_domain, :acme_endpoint
+    
+    # Not settable by user; part of the gem's behaviour.
+    attr_reader :acme_challenge_filename, :acme_challenge_file_content
+
+    def initialize
+      @heroku_token = ENV["HEROKU_TOKEN"]
+      @heroku_app = ENV["HEROKU_APP"]
+      @acme_email = ENV["ACME_EMAIL"]
+      @acme_domain = ENV["ACME_DOMAIN"]
+      @acme_endpoint = ENV["ACME_ENDPOINT"].presence || 'https://acme-v01.api.letsencrypt.org/'
+      @acme_challenge_filename = ENV["ACME_CHALLENGE_FILENAME"]
+      @acme_challenge_file_content = ENV["ACME_CHALLENGE_FILE_CONTENT"]
+    end
+
+    def valid?
+      heroku_token.present? && heroku_app.present? && acme_email.present? &&
+        acme_domain.present?
+    end
+  end
+end

data/lib/letsencrypt-rails-heroku/middleware.rb

@@ -0,0 +1,17 @@
+module Letsencrypt
+  class Middleware
+
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      if Letsencrypt.challenge_configured? && env["PATH_INFO"] == "/#{Letsencrypt.configuration.acme_challenge_filename}"
+        return [200, {"Content-Type" => "text/plain"}, [Letsencrypt.configuration.acme_challenge_file_content]]
+      end
+
+      @app.call(env)
+    end
+
+  end
+end

data/lib/letsencrypt-rails-heroku/railtie.rb

@@ -0,0 +1,9 @@
+class LetsencryptRailsHerokuRailtie < Rails::Railtie
+  config.before_configuration do
+    Letsencrypt.configure
+  end
+
+  rake_tasks do
+    load 'tasks/letsencrypt.rake'
+  end
+end

data/lib/tasks/letsencrypt.rake

@@ -0,0 +1,106 @@
+require 'open-uri'
+require 'openssl'
+require 'acme-client'
+require 'platform-api'
+
+namespace :letsencrypt do
+
+  desc 'Renew your LetsEncrypt certificate'
+  task :renew => :environment do
+    # Check configuration looks OK
+    abort "letsencrypt-rails-heroku is configured incorrectly. Are you missing an environment variable or other configuration? You should have a heroku_token, heroku_app, acmp_email and acme_domain configured either via a `Letsencrypt.configure` block in an initializer or as environment variables." unless Letsencrypt.configuration.valid?
+
+    # Set up Heroku client
+    heroku = PlatformAPI.connect_oauth Letsencrypt.configuration.heroku_token
+    heroku_app = Letsencrypt.configuration.heroku_app
+
+    # Create a private key
+    print "Creating account key..."
+    private_key = OpenSSL::PKey::RSA.new(4096)
+    puts "Done!"
+
+    client = Acme::Client.new(private_key: private_key, endpoint: Letsencrypt.configuration.acme_endpoint, connection_options: { request: { open_timeout: 5, timeout: 5 } })
+
+    print "Registering with LetsEncrypt..."
+    registration = client.register(contact: "mailto:#{Letsencrypt.configuration.acme_email}")
+
+    registration.agree_terms
+    puts "Done!"
+
+    authorization = client.authorize(domain: Letsencrypt.configuration.acme_domain)
+    challenge = authorization.http01
+
+    print "Setting config vars on Heroku..."
+    heroku.config_var.update(heroku_app, {
+      'ACME_CHALLENGE_FILENAME' => challenge.filename,
+      'ACME_CHALLENGE_FILE_CONTENT' => challenge.file_content
+    })
+    puts "Done!"
+
+    # Wait for request to go through
+    print "Giving config vars time to change..."
+    sleep(5)
+    puts "Done!"
+
+    # Wait for app to come up
+    print "Testing filename works (to bring up app)..."
+
+    # Get the domain name from Heroku
+    hostname = heroku.domain.list(heroku_app).first['hostname']
+    open("http://#{hostname}/#{challenge.filename}").read
+    puts "done!"
+
+    # Once you are ready to serve the confirmation request you can proceed.
+    challenge.request_verification # => true
+    challenge.verify_status # => 'pending'
+
+    # Wait a bit for the server to make the request, or just blink. It should be fast.
+    sleep(5)
+
+    unless challenge.verify_status == 'valid'
+      abort "Problem with verifying challenge."
+    end
+
+    # Unset temporary config vars. We don't care about waiting for this to
+    # restart
+    heroku.config_var.update(heroku_app, {
+      'ACME_CHALLENGE_FILENAME' => nil,
+      'ACME_CHALLENGE_FILE_CONTENT' => nil
+    })
+
+    # Create CSR
+    names = Letsencrypt.configuration.acme_domain.split(',').map(&:strip)
+    csr = Acme::Client::CertificateRequest.new(names: names)
+
+    # Get certificate
+    certificate = client.new_certificate(csr) # => #<Acme::Client::Certificate ....>
+
+    # Send certificates to Heroku via API
+    
+    # First check for existing certificates:
+    certificates = heroku.sni_endpoint.list(heroku_app)
+
+    begin
+      if certificates.any?
+        print "Updating existing certificate #{certificates[0]['name']}..."
+        heroku.sni_endpoint.update(heroku_app, certificates[0]['name'], {
+          certificate_chain: certificate.fullchain_to_pem,
+          private_key: certificate.request.private_key.to_pem
+        })
+        puts "Done!"
+      else
+        print "Adding new certificate..."
+        heroku.sni_endpoint.create(heroku_app, {
+          certificate_chain: certificate.fullchain_to_pem,
+          private_key: certificate.request.private_key.to_pem
+        })
+        puts "Done!"
+      end
+    rescue Excon::Error::UnprocessableEntity => e
+      warn "Error adding certificate to Heroku. Response from Heroku’s API follows:"
+      abort e.response.body
+    end
+
+  end
+
+end

metadata

@@ -0,0 +1,157 @@
+--- !ruby/object:Gem::Specification
+name: letsencrypt-rails-heroku
+version: !ruby/object:Gem::Version
+  version: 0.2.3
+platform: ruby
+authors:
+- David Somers
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-08-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: acme-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.7
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.7
+- !ruby/object:Gem::Dependency
+  name: platform-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: shoulda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rdoc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.12'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: juwelier
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem automatically handles creation, renewal, and applying SSL certificates
+  from LetsEncrypt to your Heroku account.
+email: david@jalada.co.uk
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE.txt
+- README.md
+files:
+- ".document"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- VERSION
+- letsencrypt-rails-heroku.gemspec
+- lib/letsencrypt-rails-heroku.rb
+- lib/letsencrypt-rails-heroku/letsencrypt.rb
+- lib/letsencrypt-rails-heroku/middleware.rb
+- lib/letsencrypt-rails-heroku/railtie.rb
+- lib/tasks/letsencrypt.rake
+homepage: http://github.com/jalada/letsencrypt-rails-heroku
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Automatic LetsEncrypt certs in your Rails app on Heroku
+test_files: []