Why am I getting "Error 525 - SSL handshake failed" with CloudFlare when using a `herokudns.com` endpoint?

Resolution

Since December 2016, all newly provisioned apps use herokudns.com endpoints by default (see the changelog entry: https://devcenter.heroku.com/changelog-items/1060).

This issue with CloudFlare occurs when the following conditions are satisfied:

  • app has a custom domain
  • app does not have a custom SSL certificate (therefore defaults to using *.herokuapp.com cert)
  • "SSL Full (Strict)" is enabled on CloudFlare

The error occurs because an HTTPS request for a custom domain defaults to the *.herokuapp.com certificate, whose name does not match the custom domain; Cloudflare's strict mode rejects the mismatched certificate and reports error 525.

If you need "SSL Full" communication between your app and Cloudflare, specify the appname.herokuapp.com domain (instead of the herokudns.com equivalent) as the CloudFlare backend, so that the free *.herokuapp.com certificate is valid for the name being requested. If this isn't possible for some reason, you will need to add a custom certificate to the app so that it can serve requests for custom domains: https://devcenter.heroku.com/articles/ssl
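The following added example (not part of the original article or of Heroku's or Cloudflare's tooling) shows the hostname check that a strict-mode origin validation performs and why it fails here. It matches a requested hostname against a certificate's DNS subjectAltName entries using the usual single-label wildcard rule, and includes an optional live helper that fetches an origin's SAN list with a chosen SNI name so you can reproduce the diagnosis yourself. The hostnames `www.example.com` and `example-app.herokuapp.com` and the SAN list are constructed for illustration and are not taken from a real certificate.

```python
"""Diagnose a Cloudflare 525 / certificate-name mismatch for a Heroku custom domain.

hostname_matches() and diagnose() run offline on constructed data;
fetch_cert_names() performs a real TLS connection when you run the script
with a hostname argument.
"""
import socket
import ssl
import sys


def hostname_matches(hostname, san_names):
    """Return True if hostname is covered by one of the certificate's DNS names.

    Rules follow the common browser/RFC 6125 behaviour: exact match, or a
    wildcard '*.' that stands for exactly one left-most label. A wildcard
    never matches the bare parent domain or a name with extra sub-labels.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".herokuapp.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def diagnose(requested_name, san_names):
    """Summarise what a strict origin check sees for requested_name.

    Returns "ok" when the certificate is valid for the name, otherwise
    "mismatch" (the situation that produces Cloudflare error 525 under
    Full (Strict) when the origin only has the shared *.herokuapp.com cert).
    """
    return "ok" if hostname_matches(requested_name, san_names) else "mismatch"


def fetch_cert_names(host, port=443, sni=None):
    """Connect to host:port, send `sni` (defaults to host) in the TLS ClientHello,
    and return the DNS names from the served certificate's subjectAltName.

    The certificate chain is still verified against the system trust store;
    only the hostname check is disabled so the SAN list can be read even when
    it does not match the requested name.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN list approximating the shared Heroku certificate (illustrative only).
HEROKUAPP_SANS = ["*.herokuapp.com", "herokuapp.com"]

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Live check: python diag.py <custom-domain> [origin-host]
        # e.g. the custom domain as SNI against its herokudns.com origin.
        requested = sys.argv[1]
        origin = sys.argv[2] if len(sys.argv) > 2 else requested
        names = fetch_cert_names(origin, sni=requested)
        print(f"{origin} served SANs {names} for SNI {requested}: "
              f"{diagnose(requested, names)}")
    else:
        # Offline illustration with constructed names.
        for name in ("www.example.com", "example-app.herokuapp.com"):
            print(f"{name}: {diagnose(name, HEROKUAPP_SANS)}")
```

Run without arguments to see the offline comparison: the custom domain reports `mismatch` while the appname.herokuapp.com form reports `ok`, which is exactly why pointing the Cloudflare backend at the herokuapp.com name (or installing a certificate that names the custom domain) resolves the 525.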