Workaround for Heroku no longer supporting SSL behind Cloudflare ("Strict TLS in CDN not supported")?

It looks like Heroku specifically doesn't want you to use ACM (Automatic Certificate Management), in which they use Let's Encrypt to automatically issue certificates for you. This is unnecessary when your certificates aren't client-facing.

If it's always Cloudflare talking to your Heroku app, I suggest instead using "origin certificates". Cloudflare can generate a certificate and private key specifically for you to install on your origin server for the purpose of authenticating it to Cloudflare. This certificate is signed by Cloudflare's private CA, which is not recognized by browsers, only by Cloudflare itself. This means you don't have to jump through so many hoops to verify your domain and renew certs like you would with normal CA certs.

You can tell Cloudflare to generate an origin certificate in the Cloudflare dashboard. You can then install your certificate into Heroku according to this documentation:

https://devcenter.heroku.com/articles/ssl#manually-uploading-certificates-and-intermediaries

Note that this does not require "ACM" on the Heroku side, because you're bringing your own cert. I would expect Heroku is fine with this mode while behind Cloudflare (if not... that would be a pretty serious flaw in Heroku).

Here's Cloudflare's general docs on origin certs:

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

(Disclaimer: I haven't actually tried this with Heroku, but I've successfully used origin certs with other hosts in the past.)
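An added pre-upload check for the origin-certificate approach described above (example script written for this page, not code from the answer, Heroku or Cloudflare): it confirms the private key matches the certificate and that the certificate's SAN covers the hostname Cloudflare will connect to before running `heroku certs:add`. File names, the hostname and the app name are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a Cloudflare origin certificate and its
# private key before uploading them to Heroku. File names, hostname and
# app name below are assumptions, not values from the original answer.

# 0 if the private key's public half matches the certificate's public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's subjectAltName covers the hostname, either as an
# exact DNS entry or as a single-label wildcard for its parent domain.
cert_covers_host() {
  host="$2"; parent="${host#*.}"
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' \
    | grep -qxF -e "$host" -e "*.$parent"
}

# Run both checks, then upload with the command from the Heroku docs
# (heroku certs:add CRT KEY --app APP). Refuses to upload on any failure.
upload_origin_cert() {
  cert="$1"; key="$2"; host="$3"; app="$4"
  key_matches_cert "$cert" "$key" \
    || { echo "refusing: $key does not match $cert" >&2; return 1; }
  cert_covers_host "$cert" "$host" \
    || { echo "refusing: $cert does not cover $host" >&2; return 1; }
  heroku certs:add "$cert" "$key" --app "$app"
}

# Usage (assumed names):
#   upload_origin_cert origin.pem origin.key data.myapp.com myapp
```

A mismatch in either check is exactly what makes Cloudflare's Full (strict) mode fail against the origin, so catching it locally saves a round of uploading and debugging.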


I was experiencing this problem and this is how I resolved it. First I deleted my certificate from Heroku and also deleted my custom domain. Then I went to the terminal:

  1. $ heroku certs:info --app myapp (To ensure I did not have a certificate present)

  2. $ heroku certs:auto:enable --app myapp (I did this for good measure, this created a cert)

  3. heroku domains:add data.myapp.com --app data-myapp (I was working with a subdomain; this added my custom domain)

  4. Add DNS details to Cloudflare. I set it to DNS instead of Proxy and it worked. I set it back to Proxy and it worked. I figured the problem is the process: first, use a terminal; second, make sure you have a certificate before you add the domain name.

I hope that works for someone.