Issue
How to update an SSL cert that needs to use an intermediate cert in order to be trusted.
Resolution
Some SSL Certs need to use an intermediate cert in order for the SSL Certs to be considered trusted. The popular DNS Provider GoDaddy is an example of this.
Adding your SSL cert for the first time
If you are adding the SSL cert to your Herokuapp for the first time you can use the heroku certs:add command which allows you to add the intermediate cert as the fist argument in the command as documented here. EG:
heroku certs:add intermediary.crt server.crt server.key
Updating your cert in the future
There are some caveats regarding updating your SSL cert with an intermediate cert;
In general, the easiest method to update an SSL cert is to use heroku certs:update as documented here, but this command does not allow you to add the additional argument for the intermediate cert (intermediary.crt) and will result in an error. To get around this:
Concatenate the new cert and the intermediary cert together into a single cert file and then use the heroku certs:update command to update the cert. EG:
cat example-cert.crt example-intermediate-cert.crt > example-cert-bundle.crt
Note: you may need to apply the necessary permissions on the newly created cert file, before updating it on Heroku. EG:
chmod 775 example-cert-bundle.crt
Alternative options
-
Remove the old cert, and add the new cert (along with the intermediate cert) as outlined above in the "Updating your cert for the first time" section. Once this is done make any other necessary updates, if necessary (like updating the domains to point to the new cert). See: https://devcenter.heroku.com/articles/ssl#update-certificate
-
Update certs via the Platform API endpoint
ssl-endpoint update; https://devcenter.heroku.com/articles/platform-api-reference#ssl-endpoint-update