Issue
I use CloudFlare, but also want to use ACM. Is it possible to use both of these products together?
Resolution
It is possible to use Cloudflare with Automated Certificate Management. Please follow the procedure below.
- Make sure ACM is disabled on Heroku.
- Add the custom domain to the app:
    $ heroku domains:add www.example.com
    Adding www.example.com to example-app... done
    Configure your app's DNS provider to point to the DNS Target whispering-willow-5678.herokudns.com.
    For help, see https://devcenter.heroku.com/articles/custom-domains
- Configure Cloudflare. Add a CNAME record with the subdomain (www in this example; use @ for the root domain) as "Name" and the DNS Target (whispering-willow-5678.herokudns.com in this example) as the "Domain name".
- Disable HTTPS redirects on Cloudflare temporarily. If you're using HTTPS redirects on Cloudflare, you'll need to disable them temporarily at this point in the process. ACM will not be set up properly if HTTPS redirects are on while the ACM setup is in progress, because ACM relies on a third-party Certificate Authority, Let's Encrypt, whose HTTP challenge requires port 80. Once ACM has been set up successfully, you can turn HTTPS redirects back on.
- Enable ACM:
    $ heroku certs:auto:enable
  After a while, a TLS certificate is generated for your app's custom domains. A status of "Cert issued" means that ACM succeeded. This might take a couple of minutes and there's no way around this. With SSL Mode "Full (strict)", Cloudflare verifies the origin using the TLS certificate provided by ACM. Client programs accessing the custom domain see the TLS certificate provided by Cloudflare.
Note there is little need to have an SSL certificate on Heroku if you use Cloudflare; instead, you should consider generating a Cloudflare Origin SSL certificate and turning off ACM. See the setup guide here on how to do this.
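The step that is easy to get wrong is re-enabling Cloudflare HTTPS redirects before ACM has finished, which blocks the Let's Encrypt HTTP challenge. The script below is an added example, not part of this article or of the Heroku CLI: it polls `heroku certs:auto` until the domain reports "Cert issued". It assumes the `heroku` CLI is installed and logged in, and that `heroku certs:auto` prints a table with "Domain", "Status" and "Last Updated" columns; the embedded sample output is constructed to mirror that layout.

```shell
#!/bin/sh
# Added example: wait for Heroku ACM before turning Cloudflare HTTPS redirects back on.
# Assumption: `heroku certs:auto` output has a header line starting with
# "Domain" and containing "Status" and "Last Updated" columns.

# Constructed sample of `heroku certs:auto` output, used for offline checks.
SAMPLE_CERTS_AUTO='=== Automatic Certificate Management is enabled on example-app

Domain           Status       Last Updated
---------------  -----------  ------------
www.example.com  Cert issued  1 minute
example.com      Waiting      1 minute'

# Print the Status column for one domain from `heroku certs:auto` output read
# on stdin. Column positions are taken from the header line, so multi-word
# statuses such as "Cert issued" survive intact. Prints nothing if absent.
acm_domain_status() {
  awk -v d="$1" '
    /^Domain / && /Status/ {
      s = index($0, "Status"); e = index($0, "Last Updated"); next
    }
    s && $1 == d {
      v = (e > s) ? substr($0, s, e - s) : substr($0, s)
      sub(/[ \t]+$/, "", v); print v
    }'
}

# Poll ACM for an app/domain (default: up to 30 tries, 20 s apart).
# Returns 0 once the domain shows "Cert issued", 1 on failure or timeout.
# Only after a 0 return should Cloudflare HTTPS redirects be re-enabled.
wait_for_acm() {
  app="$1"; domain="$2"; tries="${3:-30}"; i=0
  while [ "$i" -lt "$tries" ]; do
    status="$(heroku certs:auto --app "$app" | acm_domain_status "$domain")"
    case "$status" in
      "Cert issued")
        echo "ACM ready for $domain; Cloudflare HTTPS redirects can be re-enabled"
        return 0 ;;
      Failing*)
        echo "ACM failing for $domain: check the CNAME and that HTTPS redirects are off" >&2
        return 1 ;;
    esac
    echo "ACM status for $domain: ${status:-unknown}; waiting..." >&2
    i=$((i + 1)); sleep 20
  done
  echo "Timed out waiting for ACM on $domain" >&2
  return 1
}
```

Run it as `wait_for_acm example-app www.example.com` after `heroku certs:auto:enable`; the Cloudflare redirect toggle itself is still a manual step in the dashboard.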