We run a backend API app on Heroku and for simplicity our frontend calls it via the herokuapp.com subdomain `<our-app-name>.herokuapp.com`.

We haven't bothered with a custom domain SSL certificate as the herokuapp.com subdomain has been just fine.

Fortunately I was monitoring the endpoint as I started getting SSL expiry warnings a few weeks ago.

It seems heroku is serving an old certificate for <our-app-name>.herokuapp.com, issued April 2019 and expiring 22nd June:

```
$ curl -v --head https://<our-app-name>.herokuapp.com/
* Connected to <our-app-name>.herokuapp.com (52.19.225.66) port 443 (#0)
[snip]
* Server certificate:
* expire date: Jun 22 12:00:00 2020 GMT
* subjectAltName: host "<our-app-name>.herokuapp.com" matched cert's "*.herokuapp.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
```

It's a wildcard cert for *.herokuapp.com but it's different from the current one I see if I curl the root domain:

```
$ curl -v --head https://herokuapp.com/
* Connected to herokuapp.com (34.194.84.166) port 443 (#0)
* Server certificate:
* expire date: Aug 2 02:13:11 2020 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
```

It seems they've transitioned to Let's Encrypt for the wildcard domain, but it isn't being served for app subdomains. I've checked a few other subdomains and see the same thing:

* govuk-prototype-kit.herokuapp.com
* heroku-status.herokuapp.com
* juice-shop.herokuapp.com

I've been raising this with support since T-30 and they just keep saying things like:

> Our concerned team is aware of it and they are actively working on the renewal process. We'll get the new cert in there well before the expiration, and there will be no disruption of service.

Now we're at 7 days I've lost confidence that support has even forwarded my ticket to the right team.

I suspect in 7 days we're gonna see a lot of things break...
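An offline version of the expiry monitoring the post describes, added here as an example (not the poster's code): it reads the fields Python's `ssl.getpeercert()` returns, computes days to expiry and classifies the result the way an uptime check would alert at T-30. `SAMPLE_CERT` is constructed sample data modelled on the DigiCert wildcard certificate quoted above; `fetch_peer_cert` is the live lookup for real hosts and needs network access.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns, modelled on the
# DigiCert wildcard certificate quoted in the post (sample data, not a captured cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.herokuapp.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "DigiCert SHA2 High Assurance Server CA"),),
    ),
    "notAfter": "Jun 22 12:00:00 2020 GMT",
    "subjectAltName": (("DNS", "*.herokuapp.com"), ("DNS", "herokuapp.com")),
}

def cert_summary(cert):
    """Pull out the fields the curl output in the post shows: issuer CN, expiry, DNS SANs."""
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" form as UTC.
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"issuer_cn": issuer.get("commonName"), "not_after": not_after, "sans": sans}

def days_until_expiry(cert, now=None):
    """Fractional days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_summary(cert)["not_after"] - now).total_seconds() / 86400

def expiry_status(cert, warn_days=30, now=None):
    """Classify like a monitor: 'expired', 'warning' inside warn_days, otherwise 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    return "warning" if days < warn_days else "ok"

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live lookup (needs network): the certificate the host serves for SNI=hostname."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":  # e.g. python check_cert.py myapp.herokuapp.com herokuapp.com
    for host in sys.argv[1:]:
        cert = fetch_peer_cert(host)
        print(host, expiry_status(cert), cert_summary(cert)["issuer_cn"])
```

Running it against both the app subdomain and the root domain shows the issuer difference the post's two curl calls expose.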
Something that's nice about Let's Encrypt is that it forces you to change something every few months. After the first couple months, you'll probably get your issues worked out. If you just change certs every few years, then every few years you have some sort of disaster because of the "well we fixed it, we don't have to worry for two years" effect.

A broader lesson is the importance of "trying out" rare events, even before that rare event actually happens. If you depend on a service with a certain SLA, it's pretty dangerous when that service has 100% uptime. You never get to see what happens when it does go down, which it did promise you it will. Some people track their error budget, and at the end of the accounting period, break their service in accordance with the SLA. Then you get to see what happens when it does go down. (Ref: https://queue.acm.org/detail.cfm?id=2371516)
Heroku also doesn't enforce any verification that you own a domain name. Another user can simply add any domain they like to their app if you haven't claimed it by adding it to your app first. Regardless of ownership, you will no longer be able to add your own domain to your app, getting a generic "domain is already in use" error. Happened to me a few years ago, had to reach out to support and prove I owned the domain. They made me verify I owned it and fixed it but said there's nothing they can do going forward. Granted it's a total edge case but was still an unexpected experience, maybe it's fixed now who knows.

Edit: Looks like this is fairly common on PAAS so my original comment isn't that relevant.
It already broke a few days ago: https://status.heroku.com/incidents/2045
Wow. I really hope they’ll get it done before the expiration date but I always thought they’d be renewing months in advance at minimum. Are they trying to negotiate something?
There's more context in this Heroku Changelog https://devcenter.heroku.com/changelog-items/1813

"On Tuesday June 9th 2020 Heroku changed the certificate used for terminating TLS for built-in <appname>.herokuapp.com hostnames from a certificate issued by DigiCert to one issued by Starfield/AWS. This change was rolled back on June 10th because a small subset of Heroku customers had pinned apps to the DigiCert certificate or had apps that could not establish a chain of trust with the new certificate for other reasons.

A new DigiCert-signed certificate will replace the current one before June 22nd (when it expires)."