Issue
Apps using CloudFlare, a custom domain pointed at a herokudns.com endpoint and no custom SSL certificate will see an "Error 525 - SSL handshake failed" message.
Resolution
Since December 2016 all newly provisioned apps use herokudns.com endpoints by default: https://devcenter.heroku.com/changelog-items/1060
This issue with CloudFlare occurs when the following conditions are satisfied:
- app has a custom domain
- app does not have a custom SSL certificate (therefore defaults to using the *.herokuapp.com cert)
- "SSL Full (Strict)" is enabled on CloudFlare
If you need "SSL Full" communication between your app and Cloudflare, you can take the following approach. For this scenario, Cloudflare has a feature called "Cloudflare Origin CA certificates", documented here: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates The idea is that this is a free certificate that you can download from Cloudflare and upload to any other service you are using, such as Heroku. When using Cloudflare's "Full (Strict)" mode, this Origin CA certificate will be seen as valid by the Cloudflare service.
Once you have followed the instructions here https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates to download the Origin CA certificate for your domain, upload it to Heroku SSL using the instructions here: https://devcenter.heroku.com/articles/ssl Once this is done, the 525 error should go away and everything will work normally.
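The following diagnostic is an added example, not code from Heroku or Cloudflare. It reproduces the name check Cloudflare performs on the origin certificate in "Full (Strict)" mode, so you can see why the shared *.herokuapp.com certificate fails for a custom domain and confirm that an uploaded certificate covers it; the hostnames www.example.com and www.example.com.herokudns.com are placeholders.

```python
"""Diagnose the Cloudflare 525 scenario: Cloudflare "Full (Strict)" opens TLS to
the herokudns.com endpoint with the custom domain as SNI and requires the
presented certificate to cover that name. Without a custom cert, Heroku
presents the shared *.herokuapp.com certificate, which cannot cover a custom
domain such as www.example.com, so the handshake is rejected with 525."""
import socket
import ssl


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style check: '*' is allowed only as the entire leftmost label,
    must be followed by at least two labels, and matches exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def diagnose(custom_domain: str, san_names: list) -> str:
    """Explain whether Cloudflare's name check on the origin cert would pass."""
    if any(hostname_matches(name, custom_domain) for name in san_names):
        return f"OK: origin certificate covers {custom_domain}"
    return (f"525: origin certificate covers {san_names} but not "
            f"{custom_domain}; upload a certificate for that name "
            "(e.g. a Cloudflare Origin CA certificate) to Heroku SSL")


def fetch_origin_sans(endpoint: str, sni: str, port: int = 443) -> list:
    """Connect to the origin the way Cloudflare does (SNI = custom domain) and
    return the DNS names in the presented certificate. Needs network access;
    the name check is left to diagnose() rather than the ssl module.
    A Cloudflare Origin CA certificate is not publicly trusted, so this raises
    ssl.SSLCertVerificationError once the fix above has been applied."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep CERT_REQUIRED so getpeercert() is populated
    with socket.create_connection((endpoint, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list mirroring what the shared *.herokuapp.com cert presents.
    print(diagnose("www.example.com", ["*.herokuapp.com"]))
    # Live check (placeholder names): endpoint is the herokudns.com CNAME target.
    # print(diagnose("www.example.com",
    #                fetch_origin_sans("www.example.com.herokudns.com", "www.example.com")))
```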
Please note - previously we recommended using the appname.herokuapp.com domain (instead of the herokudns.com equivalent) as the Cloudflare backend, in order to use the free *.herokuapp.com certificate. While this is possible, we are no longer recommending it due to some associated security concerns around domain ownership. If you are currently using this method, we recommend switching to the Cloudflare Origin CA certificate instead.