Full strict SSL with Heroku


I have a Heroku app exposing an API and I would like to route all requests to it through Cloudflare with full strict SSL mode. I’ve done the following steps:

  1. Add a CNAME record from api.mydomain.com to my-app.herokuapp.com.
  2. Enable flattening all CNAMEs.
  3. Generate an origin certificate with Cloudflare for *.mydomain.com and mydomain.com.
  4. Set SSL mode to Full (strict).
  5. Set the Heroku app’s domain to api.mydomain.com.
  6. Disable automated certificate management on Heroku and add the Cloudflare origin certificate manually to the app.

Yet requests to api.mydomain.com return Error 526: Invalid SSL certificate. If I set SSL mode to Full, everything works as expected (i.e. when Cloudflare doesn’t verify the Heroku app’s certificate).

What could be the problem?

If you manually visit the heroku domain in your browser, is the origin SSL certificate served?

No, if I visit https://my-app.herokuapp.com, I get the certificate for *.herokuapp.com

In the meantime I managed to get things working by setting the CNAME record for api.mydomain.com to api.mydomain.com.herokudns.com. This is what is prescribed in the Heroku SSL guide, but the Cloudflare Heroku SSL guide says not to do this, saying “Cloudflare’s security and speed features cannot be used with this record”. How should I proceed?

If you go to your herokudns.com domain, does it then show the right certificate? You might want to try with the correct host header, eg curl -vIH 'Host: example.com' https://example.com.herokudns.com.
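The check suggested above can be scripted so that it mirrors what Cloudflare actually does in Full (strict) mode: it connects to each candidate origin (my-app.herokuapp.com versus api.mydomain.com.herokudns.com) with the TLS SNI set to the public hostname and then tests whether that hostname is covered by the certificate's subjectAltName list, and optionally whether the chain verifies against the Cloudflare Origin CA root. This is an added example, not code from the thread or from Cloudflare or Heroku; the hostnames are the thread's placeholders and CF_ORIGIN_CA is an assumed path to a locally downloaded copy of the Cloudflare Origin CA root certificate.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cloudflare/Heroku.
# Reproduces the origin-side check behind Cloudflare "Error 526" from the
# shell: connect to a candidate origin with the TLS SNI Cloudflare would send
# (the public hostname), and test whether that hostname is covered by the
# certificate's subjectAltName list. Hostnames are the placeholders used in
# the thread; CF_ORIGIN_CA is an assumed path to the Cloudflare Origin CA root
# (fetch it from Cloudflare's docs; the chain check runs only if the file exists).
CF_ORIGIN_CA=${CF_ORIGIN_CA:-./cloudflare_origin_ca.pem}

# Return 0 if HOST is covered by one dNSName entry: an exact match, or a
# single-label wildcard (*.mydomain.com covers api.mydomain.com, but neither
# mydomain.com nor foo.api.mydomain.com). Comparison is case-insensitive.
san_entry_covers_host() {
    entry=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$entry" in
        '*.'*)
            suffix=${entry#\*.}
            case "$host" in
                *".$suffix")
                    first=${host%".$suffix"}
                    # exactly one non-empty label may stand in for the '*'
                    case "$first" in ''|*.*) return 1 ;; *) return 0 ;; esac ;;
                *) return 1 ;;
            esac ;;
        *) [ "$entry" = "$host" ] ;;
    esac
}

# Return 0 if HOST is covered by any entry in a SAN list as printed by
# `openssl x509 -text`, e.g. "DNS:*.mydomain.com, DNS:mydomain.com".
san_list_covers_host() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            DNS:*) san_entry_covers_host "${item#DNS:}" "$2" && return 0 ;;
        esac
    done
    return 1
}

# Fetch the leaf certificate ORIGIN presents for SNI HOST, report its SAN list,
# and return 1 on a hostname mismatch or (when the CA file exists) a failed
# chain verification, the two conditions Full (strict) rejects.
check_origin() {
    origin=$1; host=$2
    leaf=$(printf '' | openssl s_client -connect "$origin:443" -servername "$host" 2>/dev/null \
           | openssl x509 2>/dev/null) || { echo "$origin: no certificate received"; return 1; }
    sans=$(printf '%s\n' "$leaf" | openssl x509 -noout -text \
           | awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }')
    echo "$origin (SNI $host) presents: $sans"
    if ! san_list_covers_host "$sans" "$host"; then
        echo "MISMATCH: $host is not covered; Full (strict) would return 526"
        return 1
    fi
    if [ -r "$CF_ORIGIN_CA" ]; then
        printf '%s\n' "$leaf" | openssl verify -CAfile "$CF_ORIGIN_CA" >/dev/null 2>&1 \
            || { echo "CHAIN: not issued by the CA in $CF_ORIGIN_CA"; return 1; }
    fi
    echo "OK: $host is covered"
}

# Usage: sh check_origin.sh my-app.herokuapp.com api.mydomain.com
#        sh check_origin.sh api.mydomain.com.herokudns.com api.mydomain.com
if [ $# -eq 2 ]; then
    check_origin "$1" "$2"
fi
```

Run it once per candidate CNAME target with the public hostname as the second argument; the origin that prints a SAN list containing the public hostname (or a wildcard covering it) is the one Full (strict) will accept. Note that `-servername` sets the SNI, which is what the origin uses to pick a certificate; a `Host:` header on the HTTP request does not influence that choice.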

Yes, https://api.mydomain.com.herokudns.com shows the correct certificate and if I set a CNAME record for api.mydomain.com to api.mydomain.com.herokudns.com in Cloudflare, everything works as expected with SSL mode Full (strict). However the Cloudflare docs say one shouldn’t use herokudns.com in a CNAME. So my question is if it is at all possible to use SSL mode Full (strict) with Heroku while keeping the CNAME record pointing to my-app.herokuapp.com.

Thanks for the suggestions!

I don’t see why it wouldn’t work, maybe @Martijn could clarify the reason behind that statement. The record CNAMEs all the same based on my tests, but maybe there are discrepancies I don’t know about.
