Marjan

Reputation: 321

Encryption between Cloudflare & Heroku

There are several questions about Heroku, Cloudflare and DNS, but they don't match mine. I've configured Heroku with Automated Certificate Management (ACM), and Cloudflare is of course configured to serve SSL itself. With this, I want to ensure that requests are also encrypted between Cloudflare and Heroku.

SSL works perfectly for the client. The problem is that Heroku can't verify the DNS settings from Cloudflare (which is documented by Heroku, as ACM doesn't work with Cloudflare this way). Of course I could disable it, but then the traffic wouldn't be encrypted anymore between Heroku and Cloudflare, which would be the worst case.

Does anyone know how I can solve this and ensure that the entire communication between my Heroku apps, Cloudflare and the client is encrypted? That would be great; I look forward to your answers/questions.

Upvotes: 2

Views: 546

Answers (1)

Marjan

Reputation: 321

Okay, after some more research I guess I've got the solution. In my case with Cloudflare, Heroku doesn't work with ACM in paid plans above Hobby dynos (as stated by Heroku itself). Even the option to generate "Origin Certificates" on Cloudflare and put them into your dyno config isn't working (tried with an ECDSA one). It's possible to pay Heroku to be able to modify the SSL endpoint with the "SSL Endpoint Add-on" ($20/mo) and modify Heroku in the way it works, which isn't an option for me.

Update: In the meantime, Heroku has updated the SSL behavior and you're able to upload an origin certificate (from Cloudflare, for instance).

Upvotes: 3
