Understanding SSL on Heroku

Last updated September 19, 2022

There are two ways to enable SSL for your Heroku app’s custom domains (listed in order of recommended use):

  • Automated Certificate Management (ACM)
  • Heroku SSL

In general, your app should use Automated Certificate Management unless it requires functionality that ACM does not support. Summaries for the functionality provided by each method are provided below.

For enabling SSL on apps in Private Spaces, please refer to the documentation here.

SSL is always enabled for .herokuapp.com for Common Runtime apps.

When to use Automated Certificate Management (ACM)

With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps running on paid dynos on the Common Runtime. Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add or remove a custom domain.

ACM is recommended for most Heroku apps, because:

  • It provides TLS certificates at no additional cost
  • It supports creating certificates for multiple domains
  • It automatically renews TLS certificates before they expire

ACM does not provide support for:

If your app requires any of the functionality that ACM doesn’t support, it should use Heroku SSL instead.

DNS Targets for ACM

DNS targets for ACM will end with herokudns.com for Common Runtime apps, or herokuspace.com for Private Spaces apps e.g.

example.com        example.com.herokudns.com
www.example.com    www.example.com.herokudns.com

or

example.com        random-word-odhsycy1xdsqfbqy8gceaa2d.herokudns.com

or for Private Spaces

example.com        random-haiku-5196.also-random-3847.herokuspace.com

Again, wildcard domains are not supported by ACM.

When to use Heroku SSL

Heroku SSL is a free service for apps running on paid dynos that allows you to upload your own TLS certificate. You are responsible for purchasing and renewing this certificate.

Use Heroku SSL instead of Automated Certificate Management (ACM) if:

  • You want to use an OV/EV certificate
  • Your app needs to support wildcard domains
  • Your app uses internal routing

Heroku SSL uses Server Name Indication (SNI), an extension of the TLS protocol.

DNS Targets for Heroku SSL

DNS targets for Heroku SSL follow these patterns:

example.com        example.com.herokudns.com
www.example.com    www.example.com.herokudns.com
*.example.com      wildcard.example.com.herokudns.com

Feedback

Log in to submit feedback.

Heroku logo

Heroku Update
Starting November 28th, 2022, free Heroku Dynos, free Heroku Postgres, and free Heroku Data for Redis® will no longer be available.

If you have apps using any of these resources, you must upgrade to paid plans by this date to ensure your apps continue to run and to retain your data. For students, we will announce a new program by the end of September.

Learn More