SSL on wildcard subdomains with CloudFlare and Heroku

Question

I'm working on a Ruby on Rails SaaS app with a custom subdomain for each company. When a company signs up, the user is redirected to her subdomain.myapp.io.

The app is hosted on Heroku and DNS are managed at CloudFlare. I use the free SSL feature provided by CloudFlare, which works as expected for https://myapp.io.

My issue is about having SSL active for the subdomains. I wonder if this is possible without buying a wildcard SSL certificate.

CloudFlare DNS setup:

myapp.io.   300 IN  CNAME   myapp.herokuapp.com.
*.myapp.io. 300 IN  CNAME   myapp.herokuapp.com.

Heroku domains setup:

myapp.io
*.myapp.io

This works, but without SSL on subdomains. It is not possible to use CloudFlare features (such as SSL Full) for wildcard subdomains (except for Entreprise plan users).

I think I need to buy a wildcard SSL certificate for my domain ($115/year) and add the SSL Endpoint Heroku add-on ($7/month). Am I wrong?

Answer 1

Short answer:
You can't have a free wildcard SSL (Full protection) for subdomains on CloudFlare (Free plan).

Long answer:
I mean using wildcard with CloudFlare (Free plan), CloudFlare proxy protection and acceleration are bypassed (no orange cloud) so your origin server SSL certificate will be used instead. So to enable SSL you need to add a CNAME record for each subdomain (the cloud icon should be orange).

Example:
foo.myapp.io. 300 IN CNAME myapp.herokuapp.com.
bar.myapp.io. 300 IN CNAME myapp.herokuapp.com.

(You don't need to add any record for custom domains in Heroku if you already have *.myapp.io)

[EDIT]
Maybe you can add DNS records dynamically via CloudFlare's API (https://api.cloudflare.com/#dns-records-for-a-zone-create-dns-record)
(I didn't try that...)

Workaround:

As you said:

1. Pay for CloudFlare Enterprise
2. Buy a wildcard SSL certificate + Heroku SSL SNI (https://devcenter.heroku.com/articles/ssl-beta)

Hope it will help.