
I am trying to ensure that https://www.my-site.com works, or in other words, the green lock appears next to the url of my site. Right now I am getting the following error: Error 525 SSL Handshake Failed. (I have a Heroku app that is connected to my custom domain, which I have added to Cloudflare in order to get SSL.)

I checked out this page: https://help.heroku.com/GVS2BTB5/why-am-i-getting-error-525-ssl-handshake-failed-with-cloudflare-when-using-a-herokudns-com-endpoint and followed the instructions here: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates to obtain the origin certificate (server.crt) and private key (server.key).

Then I continued on with the instructions here: https://devcenter.heroku.com/articles/ssl and ran into more problems.

When I put in

heroku certs:add server.crt server.key

I got the following error message:

You need to be running on either Hobby or Professional dynos to be able to use SNI SSL.

I am not using paid dynos. Is it possible to have SSL with the fully free setup? Where am I getting it wrong?

Ryuki
  • I think you answered your own question?! You need to be using paid dynos to have SSL certs available to you. – Jon B Oct 15 '19 at 00:32
  • I went over the discussions here https://stackoverflow.com/questions/26131611/heroku-cloudflare-completely-free-ssl?rq=1 and it seems there is a way for it to work for free. I just can't figure out how. – Ryuki Oct 15 '19 at 06:27
  • Just deploy to Netlify instead and save yourself the hassle https://www.netlify.com/blog/2016/01/15/free-ssl-on-custom-domains/ – Jon B Oct 15 '19 at 06:29

1 Answer


Note: See discussion in comments. This approach may stop working after July 31st 2021.

Full SSL with free Heroku is possible via Cloudflare.

Using CNAME examplesite.com -> examplesite.herokuapp.com in Cloudflare (not the *.herokudns.com values heroku domains:add returns) worked for me:


SSL/TLS is set to Full. Didn't need to add certificates; that requires paid dynos. As you point out, Heroku + Cloudflare completely free SSL is good reading for anyone working with this.

Using the *.herokudns.com values in the CNAMEs caused 525 SSL Handshake Failed.

When using a custom domain (e.g. examplesite.com), make sure to also add www.examplesite.com and examplesite.com in Heroku Settings > Domains.

Lauri Harpf
  • Sadly (NEW): "When an app is migrated to the new infrastructure, its default appname.herokuapp.com, DNS records, and any haiku.herokudns.com custom domain records are modified to point to the IP addresses of the new routing infrastructure. For a period of 24-48 hours, the app is accessible via both the new and old routing infrastructure. When the migration completes, the app will no longer be accessible via the old routing infrastructure and all traffic must flow via the new infrastructure. Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request." – Pat May 28 '21 at 15:17
  • Good point. Will this break after the upgrade? https://help.heroku.com/PQ6JP5C4/how-do-i-know-i-have-an-incorrect-custom-hostname-dns-configuration is a bit ambiguous to me, "... foo-app.herokuapp.com will continue to work as a target for upgraded apps" – Lauri Harpf May 28 '21 at 15:27
  • 1
    Very interesting. So in the email I got, they say one can absolutely not use *.herokuapp.com ("Requests for an app sent to the old infrastructure will result in error code: H31 Misdirected Request"), unsure what they mean with "upgraded apps". In the email I got, it all goes kaput 31st of july 2021 . Then the rest of the email goes on about how to fix the SSL which will now break since the move away from *.herokuapp.com. Fixing SSL means using Heroku SSL which can't be used on free dynos. So, dead end here it seems. – Pat May 28 '21 at 15:44
  • Thanks for the heads-up! Added that as a warning to the answer. I have a couple of low-traffic hobby projects running with this approach, let's see what happens to them after July 31st :). – Lauri Harpf May 28 '21 at 16:31
  • 2
    I tried this approach today - 02-Jun-2022 - and still works! – Renan Borges Jun 02 '22 at 21:10
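The answer above works because Cloudflare's "Full" SSL/TLS mode only needs the origin to complete a TLS handshake; it does not validate the certificate the origin presents, so a CNAME target that serves some certificate (the *.herokuapp.com wildcard) passes, while a target that does not complete the handshake for that hostname at all gives the 525. "Full (strict)" additionally checks that the certificate chains to a trusted CA and that a SAN matches the requested hostname, which is why the answer's setup would not survive switching to strict. The following script is an added example (not code from the question, the answer, Heroku or Cloudflare) that probes an origin the way the edge does and maps the outcome onto the two modes. The hostnames examplesite.com and examplesite.herokuapp.com are the answer's placeholders, not real records, and the 525/526 labels are Cloudflare's documented edge error codes; the network probe needs an internet connection, the two pure helpers do not.

```python
"""Probe a Cloudflare origin as the edge would and explain Full vs Full (strict).

Added example; hostnames are placeholders taken from the answer above.
"""
import socket
import ssl


def san_matches(hostname: str, sans) -> bool:
    """RFC 6125-style DNS-ID match: an exact name, or a wildcard that covers
    exactly one leftmost label. `*.herokuapp.com` matches `app.herokuapp.com`
    but neither `herokuapp.com` nor `a.b.herokuapp.com`."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                                   # ".herokuapp.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def classify(handshake_ok: bool, chain_trusted: bool, name_matches: bool) -> dict:
    """Map a probe result onto the outcome each Cloudflare SSL/TLS mode gives.
    Full only needs a completed handshake; Full (strict) also needs a trusted
    chain and a SAN that matches the hostname the edge asked for."""
    if not handshake_ok:
        err = "525 SSL handshake failed"
        return {"Full": err, "Full (strict)": err}
    strict = "ok" if (chain_trusted and name_matches) else "526 invalid SSL certificate"
    return {"Full": "ok", "Full (strict)": strict}


def probe(origin_host: str, sni_host: str, timeout: float = 5.0) -> dict:
    """Connect to origin_host:443 presenting sni_host in SNI, as the edge does
    for a proxied CNAME. Pass 1 skips validation (what Full requires); pass 2
    validates the chain and reads the SANs (what Full (strict) requires)."""
    result = {"handshake_ok": False, "chain_trusted": False,
              "name_matches": False, "error": None}

    # Pass 1: does the origin complete a handshake for this SNI at all?
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((origin_host, 443), timeout=timeout) as sock, \
                lax.wrap_socket(sock, server_hostname=sni_host):
            result["handshake_ok"] = True
    except OSError as exc:                      # ssl.SSLError is a subclass
        result["error"] = str(exc)
        return result

    # Pass 2: is the chain trusted, and does a SAN cover the requested name?
    # check_hostname is left off so both facts get reported separately.
    strict = ssl.create_default_context()
    strict.check_hostname = False
    strict.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((origin_host, 443), timeout=timeout) as sock, \
                strict.wrap_socket(sock, server_hostname=sni_host) as tls:
            result["chain_trusted"] = True
            cert = tls.getpeercert()
            sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
            result["name_matches"] = san_matches(sni_host, sans)
    except OSError as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <cname target> <custom hostname>
    # e.g.   python probe.py examplesite.herokuapp.com www.examplesite.com
    origin, sni = (sys.argv[1:3] + ["examplesite.herokuapp.com", "www.examplesite.com"])[:2]
    outcome = probe(origin, sni)
    print(outcome)
    print(classify(outcome["handshake_ok"], outcome["chain_trusted"], outcome["name_matches"]))
```

Run it once with the *.herokuapp.com target and once with the *.herokudns.com target from `heroku domains:add` to see the difference the answer describes. The design point worth keeping in mind: Full mode encrypts the edge-to-origin leg but does not authenticate the origin, so anyone who can redirect that traffic can present any certificate; Full (strict) closes that gap but, as the thread notes, needs a certificate for the custom hostname at the origin, which on Heroku means SNI SSL on paid dynos.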