Why am I getting "Error 525 - SSL handshake failed" with CloudFlare when using a `herokudns.com` endpoint?

Issue

Apps using CloudFlare, a custom domain with a herokudns.com endpoint, and no custom SSL certificate will see an "Error 525 - SSL handshake failed" message.

Resolution

Since December 2016, all newly provisioned apps use herokudns.com endpoints by default: https://devcenter.heroku.com/changelog-items/1060

This issue with CloudFlare occurs when all of the following conditions are met:

  • the app has a custom domain
  • the app does not have a custom SSL certificate (so it defaults to the *.herokuapp.com certificate)
  • "SSL Full (Strict)" is enabled on CloudFlare

If you need "SSL Full" communication between your app and Cloudflare, use Cloudflare's "Cloudflare Origin CA certificates" feature, which is documented here: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates This is a free certificate that you download from Cloudflare and upload to the other services you use, such as Heroku. When Cloudflare's "Full (Strict)" mode is in use, the Cloudflare service treats this Origin CA certificate as valid.

Once you have followed the instructions at https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates to download the Origin CA certificate for your domain, upload it to Heroku SSL using the instructions here: https://devcenter.heroku.com/articles/ssl After that, the 525 error should go away and everything will work normally.
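To see why the three conditions above produce a 525, the following added example (not Heroku's or Cloudflare's own code) applies the name-matching rule a strict client uses: the default *.herokuapp.com certificate covers only one-label names under herokuapp.com, so it cannot cover a custom domain. The `ssl_mode` labels and the `probe_origin` helper are this example's own assumptions about how Full (Strict) validates the origin.

```python
"""Offline matcher plus live probe for the Full (Strict) check described
above. Added example; not Heroku's or Cloudflare's own code."""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is allowed only as the whole leftmost label
    and matches exactly one label, so '*.herokuapp.com' covers
    'myapp.herokuapp.com' but not 'www.example.com' or 'herokuapp.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(san_names, hostname: str) -> bool:
    """True if any SAN dNSName on the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def expected_result(custom_domain: str, san_names, ssl_mode: str) -> str:
    """Map the article's conditions to an outcome; ssl_mode labels
    ('off', 'flexible', 'full', 'full_strict') are chosen for this example."""
    if ssl_mode in ("off", "flexible"):
        return "ok: origin is reached over plain HTTP"
    if ssl_mode == "full":
        return "ok: origin certificate is not validated against the hostname"
    if cert_covers_host(san_names, custom_domain):
        return "ok: origin certificate is valid for " + custom_domain
    return "525 expected: origin certificate does not cover " + custom_domain


def probe_origin(origin_host: str, custom_domain: str, port: int = 443) -> str:
    """Live check (needs network): connect to the origin with SNI set to the
    custom domain and validate the certificate it presents."""
    ctx = ssl.create_default_context()  # local trust store + hostname check
    try:
        with socket.create_connection((origin_host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=custom_domain) as tls:
                names = [v for k, v in tls.getpeercert().get("subjectAltName", ())
                         if k == "DNS"]
        return "ok: origin presented a valid certificate for " + ", ".join(names)
    except ssl.SSLCertVerificationError as exc:
        return "strict validation failed (expect 525): " + str(exc)
    except (ssl.SSLError, OSError) as exc:
        return "handshake or connection failed (expect 525): " + str(exc)
```

`probe_origin` validates against the local trust store, so a Cloudflare Origin CA certificate, which only Cloudflare trusts, will fail this local probe even though Cloudflare's Full (Strict) accepts it; use the offline functions for that case.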

Please note: previously we recommended using the appname.herokuapp.com domain (instead of the herokudns.com equivalent) as the Cloudflare backend, in order to use the free *.herokuapp.com certificate. While this is still possible, we no longer recommend it because of security concerns around domain ownership. If you are currently using this method, we recommend switching to the Cloudflare Origin CA certificate instead.
