I want to connect a custom domain to an app built on Heroku. Can someone confirm that I actually need to buy a certificate and in addition buy the SSL addon on Heroku?
D
If you are already using paid dynos (e.g. Hobby dynos) then you can save some costs by using Heroku SSL for free in your app, instead of paying for the SSL Endpoint add on. This is assuming your app doesn't need to support really old browsers (see Minimum supported browser versions.
These add ons basically provide the protocol support your app needs for SSL with your private domain.
However, regardless of which of the above 2 you choose, you will still need to acquire in addition an SSL certificate. There are all kinds of different offerings for the actual certificate, including free certificates e.g. from Let's Encrypt.
See here for instructions on using a free Let's Encrypt certificate on Heroku with Heroku SSL.
Bottom line: If you are already using paid dynos, it should be possible for you to add full SSL support for your custom Heroku domain for free.
If however you find the above too bewildering, you might want to pay a few bucks for a service such as Expedited SSL, which gives you a certificate (for a monthly fee) and takes care of the whole issue of installing it and keeping it updated on Heroku.
Heroku has made it even easier to use SSL for custom domains now assuming you're not on the free tier plan (if you pay for at least one dyno you're good to go).
https://blog.heroku.com/announcing-automated-certificate-management
Basically, once you have a paid plan for your app., Heroku will generate the certs for you and any custom domains you have added. Then you need to check that you have the right forwarding setup by your domain provider etc.
To add ssl to an existing app you can run:
$ heroku certs:auto:enable -a <app name>
Then run the following command and make sure your custom domains are returned:
$heroku domains