Understanding SSL on Heroku
Last updated May 19, 2023
There are two ways to enable SSL for your Heroku app’s custom domains. The options are listed in order of recommended use:
- Automated Certificate Management (ACM)
- Heroku SSL
In general, use Automated Certificate Management unless your app requires functionality that ACM doesn’t support. This article provides summaries of the functionality provided by each method.
For enabling SSL on apps in Private Spaces, refer to the documentation here.
SSL is always enabled for
.herokuapp.com for Common Runtime apps.
When to use Automated Certificate Management (ACM)
With Automated Certificate Management (ACM), Heroku automatically manages TLS certificates for apps running on paid dynos on the Common Runtime. Certificates handled by ACM automatically renew one month before they expire, and new certificates are created automatically whenever you add or remove a custom domain.
ACM is recommended for most Heroku apps, because:
- It provides TLS certificates at no additional cost
- It supports creating certificates for multiple domains
- It automatically renews TLS certificates before they expire
ACM doesn’t support:
- Wildcard domains
- OV/EV certificates
- Apps using internal routing
- Eco dyno apps
If your app requires any of the functionality that ACM doesn’t support, use Heroku SSL instead.
DNS Targets for ACM
DNS targets for ACM end with
herokudns.com for Common Runtime apps, or
herokuspace.com for Private Spaces apps. For example:
example.com example.com.herokudns.com www.example.com www.example.com.herokudns.com
Or for Private Spaces
Again, AMC doesn’t support wildcard domains.
When to use Heroku SSL
Heroku SSL is a free service for apps running on paid dynos that allows you to upload your own TLS certificate. You’re responsible for purchasing and renewing this certificate.
Use Heroku SSL instead of Automated Certificate Management (ACM) if:
- You want to use an OV/EV certificate
- Your app must support wildcard domains
- Your app uses internal routing
Heroku SSL uses Server Name Indication (SNI), an extension of the TLS protocol.
DNS Targets for Heroku SSL
DNS targets for Heroku SSL follow these patterns:
example.com example.com.herokudns.com www.example.com www.example.com.herokudns.com *.example.com wildcard.example.com.herokudns.com