SSL on wildcard subdomains with CloudFlare and Heroku

I'm working on a Ruby on Rails SaaS app with a custom subdomain for each company. When a company signs up, the user is redirected to her subdomain.myapp.io.

The app is hosted on Heroku and DNS are managed at CloudFlare. I use the free SSL feature provided by CloudFlare, which works as expected for https://myapp.io.

My issue is about having SSL active for the subdomains. I wonder if this is possible without buying a wildcard SSL certificate.

CloudFlare DNS setup:

myapp.io.   300 IN  CNAME   myapp.herokuapp.com.
*.myapp.io. 300 IN  CNAME   myapp.herokuapp.com.

Heroku domains setup:

myapp.io
*.myapp.io

This works, but without SSL on subdomains. It is not possible to use CloudFlare features (such as SSL Full) for wildcard subdomains (except for Enterprise plan users).

I think I need to buy a wildcard SSL certificate for my domain ($115/year) and add the SSL Endpoint Heroku add-on ($7/month). Am I wrong?

Michael Avatar asked May 25 '16 14:05

1 Answer

Short answer:
You can't have a free wildcard SSL (Full protection) for subdomains on CloudFlare (Free plan).

Long answer:
I mean that when using a wildcard with CloudFlare (Free plan), CloudFlare proxy protection and acceleration are bypassed (no orange cloud), so your origin server's SSL certificate will be used instead. So to enable SSL you need to add a CNAME record for each subdomain (the cloud icon should be orange).

Example:
foo.myapp.io. 300 IN CNAME myapp.herokuapp.com.
bar.myapp.io. 300 IN CNAME myapp.herokuapp.com.

(You don't need to add any record for custom domains in Heroku if you already have *.myapp.io)

[EDIT]
Maybe you can add DNS records dynamically via CloudFlare's API (https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record)
(I didn't try that...)

Workaround:

As you said:

  1. Pay for CloudFlare Enterprise
  2. Buy a wildcard SSL certificate + Heroku SSL SNI (https://devcenter.heroku.com/articles/ssl-beta)

Hope it will help.

Renshuki Avatar answered Sep 22 '22 20:09

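The answer's [EDIT] suggests creating the per-subdomain CNAME records through CloudFlare's API instead of by hand. The Ruby script below is an added example written for this page, not code from the question, the answer, or CloudFlare; it builds and sends the API v4 "create DNS record" request for one proxied (orange-cloud) CNAME per company subdomain, pointing at the Heroku host from the question. The zone id, the API token (read from an assumed CF_API_TOKEN environment variable), and the company labels are assumptions. Because the label comes from user signup input, it is validated as a single DNS label first, so a company name can never turn into an unexpected record such as a different host or the zone apex.

```ruby
# Added example (not from the original question or answer): create one proxied
# CNAME per company subdomain via CloudFlare's API v4, so CloudFlare's edge
# certificate covers the subdomain. Zone id, token and labels are assumed.
require "json"
require "net/http"
require "uri"

CF_API = "https://api.cloudflare.com/client/v4".freeze
ORIGIN = "myapp.herokuapp.com".freeze   # Heroku app host from the question
ZONE   = "myapp.io".freeze              # zone name from the question

# One DNS label as a company chooses it: 1-63 chars of [a-z0-9-], no leading or
# trailing hyphen. Anything else (dots, empty, too long) is rejected so that user
# input cannot produce a record name other than "<label>.myapp.io".
LABEL_RE = /\A(?!-)[a-z0-9-]{1,63}(?<!-)\z/

def valid_label?(label)
  !!(label =~ LABEL_RE)
end

# JSON body for POST /zones/{zone_id}/dns_records.
# "proxied" => true is the orange cloud; without it CloudFlare's SSL is bypassed.
def cname_record(label)
  raise ArgumentError, "invalid subdomain label: #{label.inspect}" unless valid_label?(label)
  {
    "type"    => "CNAME",
    "name"    => "#{label}.#{ZONE}",
    "content" => ORIGIN,
    "ttl"     => 300,
    "proxied" => true
  }
end

# CloudFlare wraps every reply in {"success": bool, "errors": [...], "result": ...}.
def parse_response(resp)
  body = JSON.parse(resp.body)
  unless body["success"]
    msgs = Array(body["errors"]).map { |e| e["message"] }.join("; ")
    raise "CloudFlare API error: #{msgs}"
  end
  body["result"]
end

# Send the request. The HTTP transport is injectable so the logic can be
# exercised offline; by default a TLS connection to the real API is used.
def create_subdomain(label, zone_id:, token: ENV.fetch("CF_API_TOKEN"), http: nil)
  uri = URI("#{CF_API}/zones/#{zone_id}/dns_records")
  req = Net::HTTP::Post.new(uri)
  req["Authorization"] = "Bearer #{token}"   # scoped API token, never the global key
  req["Content-Type"]  = "application/json"
  req.body = JSON.generate(cname_record(label))
  http ||= Net::HTTP.new(uri.host, uri.port).tap { |h| h.use_ssl = true }
  parse_response(http.request(req))
end

# Usage when run directly: ruby create_subdomain.rb <label> <zone_id>
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  puts JSON.pretty_generate(create_subdomain(ARGV[0], zone_id: ARGV[1]))
end
```

In a Rails signup flow this would be called after the company record is committed (ideally from a background job with retries, since the API call can fail); the token should be a CloudFlare API token limited to DNS edit on this one zone, so a leak from the app cannot touch other zones or account settings. A 'record already exists' error from the API should be treated as success-or-investigate rather than retried blindly, because it usually means a previous attempt succeeded.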