When Heroku automatically ran an ACM refresh two months after initially configuring my web application, Automated Certificate Management began failing and stating “Domain considered unsafe” which according to their docs means, “Let’s Encrypt checks domains against Google’s Safe Browsing API and will not issue certificates for domains considered unsafe.”
When I check the Google’s Safe Browsing API it seems to return my domain IS safe, and Heroku support claims their is nothing they can do about this and suggested I reach out here to try and resolve this issue. Any ideas?
I'm not sure what HEROKU means on ACM not safe, however, Let's Encrypt stopped utilizing Safe Browsing API long time ago (not to mention that API have a enterprise version now) and now they will not prevent issuing certificates based on any status returned by Safe Browsing API.
I'm not even sure if Let's Encrypt has an API interface that allows you to check your domain status on their end, so maybe that's a check from Heroku's side (like if they check your safe browsing status before they request renewal)?
I believe I have resolved this issue. Because we are using Cloudflare SSL/TLS, instead of using Heroku ACM (Automated Certificate Management) I had to create an Origin Server cert in Cloudflare and then manually upload that in in Heroku.
Super interesting, not sure why Heroku mentions they still do this in their documentation. I have notified Heroku support in the case I opened with them in regards to this comment. Subsequently, Heroku is a PaaS now owned by Salesforce and supports many languages and is fairly simple to use and easy to scale.
Heroku built this tool called ACM (Automated Certificate Management) on top of Let's Encrypt that is supposed to automatically renew the SSL/TLS certificate assigned by Heroku, but their documentation is lacking in regards to using external SSL/TLS certificates and Heroku support does not seem to really understand this area (to be fair nor do I), and told me that they would not be able to help and to reach out to Let's Encrypt... Luckily I stumbled across this bug that was recorded: https://help.heroku.com/GVS2BTB5/why-am-i-getting-error-525-ssl-handshake-failed-with-cloudflare-when-using-a-herokudns-com-endpoint