How can I use Automated Certificate Management with CloudFlare?

Issue

I use CloudFlare, but also want to use ACM. Is it possible to use both of these products together?

Resolution

It is possible to use CloudFlare with ACM, but you won't be able to take advantage of CloudFlare's more advanced features (CDN, DoS protection, etc.). To use ACM with CloudFlare, you need to configure your domain using the "DNS only" option and NOT the "DNS and HTTP Proxy (CDN)" option. If you do that, ACM will work fine for your application.

This is because part of the ACM provisioning process involves performing a DNS verification step with Let's Encrypt. During that process, we generate a temporary SSL certificate that Let's Encrypt expects and serve it for your app's herokudns.com domain. Let's Encrypt then makes a connection to verify that you own the domain. This relies upon your DNS actually pointing to our routing endpoints, which is exactly what the "DNS only" option does. The "DNS and HTTP Proxy" option instead points your DNS to one of CloudFlare's endpoints, which does not have the certificate, so the DNS verification fails.

As such, the "DNS only" option is the only one that will work with Heroku ACM.
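A quick way to confirm which mode a domain is in before enabling ACM is to look at what the public DNS answer for it actually contains. The following script is an added example, not part of this article or of Heroku's tooling: it classifies a `dig +short` answer as "DNS only" (the chain ends at a *.herokudns.com CNAME, so Let's Encrypt reaches Heroku's routers) or as proxied (only CloudFlare edge IPs come back). It assumes `dig` is installed for the live lookup; the sample answers at the bottom are constructed, not real lookups.

```python
"""Check whether a custom domain points straight at Heroku (CloudFlare
"DNS only") or is proxied, in which case Heroku ACM validation fails."""
import ipaddress
import subprocess

HEROKU_DNS_SUFFIX = "herokudns.com"


def classify_dns(records):
    """Classify the lines printed by `dig +short <domain> A`.

    Returns "dns-only"      when the CNAME chain ends at *.herokudns.com,
            "proxied-or-ip" when only IP addresses come back (a proxied host
                            answers with CloudFlare's own addresses, and a
                            bare A record would equally bypass Heroku),
            "other"         for an empty answer or a CNAME to a non-Heroku host.
    """
    names, addrs = [], []
    for rec in records:
        rec = rec.strip()
        if not rec:
            continue
        try:
            ipaddress.ip_address(rec)   # A / AAAA answer
            addrs.append(rec)
        except ValueError:              # CNAME target
            names.append(rec.rstrip(".").lower())
    if any(n == HEROKU_DNS_SUFFIX or n.endswith("." + HEROKU_DNS_SUFFIX)
           for n in names):
        return "dns-only"
    if addrs and not names:
        return "proxied-or-ip"
    return "other"


def lookup(domain, dig_bin="dig"):
    """Live check (needs network and the `dig` binary on PATH)."""
    out = subprocess.run([dig_bin, "+short", domain, "A"],
                         capture_output=True, text=True, check=True).stdout
    return classify_dns(out.splitlines())


if __name__ == "__main__":
    # Constructed sample answers (RFC 5737 documentation addresses), not real lookups.
    dns_only = ["whispering-willow-1234.herokudns.com.", "203.0.113.10"]
    proxied = ["198.51.100.7", "198.51.100.8"]
    print("DNS only  ->", classify_dns(dns_only))   # dns-only
    print("proxied   ->", classify_dns(proxied))    # proxied-or-ip
```

A result of "dns-only" is what ACM needs; anything else means the validation connection will not reach Heroku's routing endpoints.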

Alternatives

  • Use "Full SSL" (rather than "Full SSL (Strict)") with CloudFlare. You do not need ACM to use this option.
  • Upload a custom certificate with Heroku SSL to fully secure your connection end-to-end.