yeah, but I wanted SSL for the complete trip, free SSL would terminate at Cloudflare leaving the connection from Cloudflare to Heroku not-protected (which would be questionable from a PCI perspective). And then for some reason, I couldn't get the connection from Cloudflare to Heroku to work under the *.herokuapp.com ssl cert.