
Use LetsEncrypt and CloudFlare to secure any Heroku app for free

Let’s make everything secure.

With the advent of free SSL and Heroku finally offering free SSL endpoints, it’s about time we made it ridiculously easy to get an SSL cert for any Heroku application and keep it up to date.

This is alpha software. It may work, or it may not. We use it in production at Substrakt, but your mileage may vary until 1.0.


Created by Substrakt.

What it does

  1. Generates a private key.
  2. Validates domain ownership using DNS verification for a set of domains including the root. (Only works with CloudFlare currently!)
  3. Generates a CSR.
  4. Generates a LetsEncrypt certificate.
  5. Enables the http-sni feature on a specified Heroku application.
  6. Adds or updates the certificate with the newly generated one.

How it works

  1. User or robot makes an API request to this application.
  2. Magic happens.
  3. Site is secure.


As we’re currently in alpha, there are some severe limitations.

  1. Heroku apps must be in the common runtime. http-sni is not supported in private spaces, yet. This shouldn’t be a problem for 99% of applications.
  2. DNS must be managed by CloudFlare.
  3. Renewals do not happen automatically. (Not sure if this is in the scope of this application or whether or not the application itself should handle renewals?)
  4. We’re using an unreleased Heroku API endpoint and http-sni is beta. If it changes or is removed, this application will simply cease to work.
  5. It doesn’t currently add the CNAME records to CloudFlare once the SSL certificate has been generated. (Possibly out of scope?)
  6. It’s a bit slow (around 1min per validated subdomain) due to the nature of DNS resolution. Not sure how to resolve this yet.
  7. It does not force the secured application to only accept requests via SSL. This is because we use a variety of frameworks so we must remain framework agnostic.


  1. Run the application. Either do it yourself or deploy to Heroku for free.
  2. Hit the following endpoint:
GET domains/{domain_name}?subdomains={subdomains}&debug={0/1}&app_name={heroku_app_name}&auth_token={auth_token}


  • domain_name is the domain name without subdomains. (e.g. google.com == Good. www.google.com == Bad.)
  • subdomains is a comma delimited list of subdomains to cover. Usually this is just www, but could also be anything else such as www,dishwasher,git,purple.
  • debug is 1 or 0 depending on whether this is a test. When debug is on, non-valid certificates are generated.
  • heroku_app_name is the name of the application on Heroku.
  • auth_token is the value of ENV['AUTH_TOKEN'].

That’s it.
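
An added example, not part of the project's own code: a Ruby client for the "robot" case that covers the manual-renewal limitation by checking a certificate's expiry and building the request to the endpoint above. The service host, the 30-day threshold, the single-label subdomain check and the sample certificate are assumptions made for illustration.

```ruby
require "openssl"
require "uri"

SERVICE_BASE = "https://cert-service.example.invalid" # assumption: where you run the app
LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/     # one DNS label (assumed rule)

# Build the GET URL from the usage section; path and parameter names are the page's.
def issue_uri(domain:, subdomains:, app_name:, auth_token:, debug: false)
  labels = domain.downcase.split(".", -1)
  unless labels.size >= 2 && labels.all? { |l| l.match?(LABEL) }
    raise ArgumentError, "bad domain_name: #{domain.inspect}"
  end
  subs = subdomains.map(&:downcase)
  bad = subs.reject { |s| s.match?(LABEL) }
  raise ArgumentError, "bad subdomains: #{bad.inspect}" unless bad.empty?
  # encode_www_form percent-encodes every value, so a token or app name
  # cannot smuggle extra parameters into the query string.
  query = URI.encode_www_form(subdomains: subs.join(","), debug: debug ? 1 : 0,
                              app_name: app_name, auth_token: auth_token)
  URI.join(SERVICE_BASE, "/domains/#{labels.join('.')}?#{query}")
end

# True when the certificate expires within threshold_days (30 is an assumed default).
def renewal_due?(cert, now: Time.now, threshold_days: 30)
  cert.not_after - now < threshold_days * 86_400
end

# Constructed sample input: a throwaway self-signed certificate with a chosen expiry.
def constructed_cert(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example.com")
  cert.public_key = key.public_key
  cert.not_before = not_after - 90 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# Demo on constructed data; no request is sent.
now = Time.utc(2024, 1, 1)
cert = constructed_cert(now + 10 * 86_400)
if renewal_due?(cert, now: now)
  uri = issue_uri(domain: "example.com", subdomains: %w[www git],
                  app_name: "my-heroku-app", auth_token: ENV.fetch("AUTH_TOKEN", "constructed-token"))
  puts "renewal due, would GET #{uri.to_s.sub(/auth_token=[^&]*/, 'auth_token=[redacted]')}"
end
```

Because auth_token travels in the query string, it ends up wherever request URLs are logged, so redact it in your own output as the demo does and rotate it if a URL leaks.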


Pull requests and issues are very much welcome at this early stage.
