How can I use Automated Certificate Management with Cloudflare?

Issue

I use Cloudflare, but also want to use ACM. Is it possible to use both of these products together?

Resolution

It is possible to use Cloudflare with Automated Certificate Management. Please follow the procedure below.

  1. Make sure ACM is disabled on Heroku.

  2. Add the custom domain to the app:

    $ heroku domains:add www.example.com
    Adding www.example.com to  example-app... done
         Configure your app's DNS provider to point to the DNS Target
         whispering-willow-5678.herokudns.com.
         For help, see https://devcenter.heroku.com/articles/custom-domains

  3. Configure Cloudflare. Add a CNAME record with the subdomain (www in this example; use @ for the root domain) as the "Name" and the DNS Target (whispering-willow-5678.herokudns.com in this example) as the "Domain name".

  4. Disable HTTPS redirects on Cloudflare temporarily. If you're using HTTPS redirects on Cloudflare, you'll need to disable them at this point in the process. ACM will not be set up properly if HTTPS redirects are on while the ACM setup is in progress, because ACM relies on a third-party Certificate Authority called Let's Encrypt, and their HTTP challenge requires port 80. Once ACM has been set up successfully, you can turn HTTPS redirects back on.

  5. Enable ACM:

    $ heroku certs:auto:enable

After a while, a TLS certificate is generated for your app's custom domains. A status of "Cert issued" means that ACM succeeded. This might take a couple of minutes, and there's no way around this. With SSL Mode "Full (strict)", Cloudflare verifies the domain using the TLS certificate provided by ACM. Client programs accessing the custom domain see the TLS certificate provided by Cloudflare.
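A pre-flight check for the "Disable HTTPS redirects on Cloudflare temporarily" step, as an added example that is not Heroku or Cloudflare tooling: it classifies the response headers returned for a plain-HTTP request and flags the HTTP-to-HTTPS redirect that the step says must be off while ACM is being set up. The function names, the `preflight-test` token and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Heroku or Cloudflare tooling.
# classify_response reads raw response headers (as printed by `curl -sI`)
# on stdin and prints: https-redirect | other-redirect | no-redirect
classify_response() (
  status="" location=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | tr -d '\r')   # headers arrive with CRLF
    case "$line" in
      HTTP/*) status=${line#* }; status=${status%% *} ;;
      [Ll][Oo][Cc][Aa][Tt][Ii][Oo][Nn]:*)
        location=${line#*:}; location=${location# } ;;
    esac
  done
  case "$status" in
    301|302|303|307|308)
      case "$location" in
        [Hh][Tt][Tt][Pp][Ss]://*) echo https-redirect ;;
        *) echo other-redirect ;;
      esac ;;
    *) echo no-redirect ;;
  esac
)

# Exit 0 unless the response on stdin is an HTTP-to-HTTPS redirect.
ready_for_acm() {
  [ "$(classify_response)" != "https-redirect" ]
}

# Live check (needs curl and network access). The path prefix is where the
# ACME HTTP challenge is served; the final token is a constructed placeholder.
check_domain() {
  curl -sI --max-time 10 \
    "http://$1/.well-known/acme-challenge/preflight-test" | classify_response
}

# Constructed sample responses (not captured from a real site).
REDIRECT_ON='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/.well-known/acme-challenge/preflight-test'
REDIRECT_OFF='HTTP/1.1 404 Not Found
Content-Type: text/plain'

# Offline demo on the constructed samples.
printf '%s\n' "$REDIRECT_ON"  | classify_response
printf '%s\n' "$REDIRECT_OFF" | classify_response
```

Run `check_domain www.example.com` against your own domain before `heroku certs:auto:enable`; a result of `https-redirect` means the Cloudflare redirect is still on.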

Note that there is little need to have an SSL certificate on Heroku if you use Cloudflare. Instead, you should consider generating a Cloudflare Origin SSL certificate and turning off ACM. See the setup guide here on how to do this.
