Heroku SSL Revisited (2025 Edition)

Last year we published Cloudflare + Heroku SSL / Certificates Explained, in which Jon Sully masterfully walked through exactly how SSL works when using reverse-proxy CDN like Cloudflare, and how to set it up correctly with Heroku. Jon’s (and my) advice at the time was: Add your domain to Cloudflare, enable proxying (orange cloud). Generate an Origin Certificate for your app in Cloudflare’s dashboard. Add that origin cert to the Heroku app as “Custom SSL”. Set your Cloudflare SSL to “Full (strict)”. This setup still—without a doubt—works great. But something kept nagging at me. Heroku provides automatic SSL management (via Let’s Encrypt) for free, and I feel like there should be a Good Reason why we advise against using that golden path.