
non-www domain causing issues with SSL and heroku


I have a site with SSL. Everything works fine with www (the subdomain the SSL is registered under) but if I try to go to the non-www version it says:

You attempted to reach mywebsite.com, but instead you actually reached a server identifying itself as *.heroku.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of mywebsite.com.

How do I make the non-www work with SSL OR make sure that the non-www redirects to the proper www before attempting to use SSL?


Solution

  • Despite some of the older Heroku documentation, it is possible to use the naked (non-www) domain with a matching SSL certificate. However, you'll have to have a way to redirect www traffic to the naked domain and this can be problematic with some DNS providers. It is possible with DNS Made Easy's new ANAME records.

    Having just been in the exact situation you describe, I used the www subdomain for SSL and put a lightweight Sinatra app together to handle redirections from the naked domain to the www subdomain:

    https://github.com/kjohnston/naked_redirect

    This Sinatra app deploys very easily to Heroku and of course you can run it there for free. There are third-party services that provide this same type of redirection, but I didn't want to be pointing my client's domain at some random service in hopes that they always redirect properly when I could put a solution like this up and be in full control.
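
The following is an added example, not part of the answer above and not the code of naked_redirect. It shows the certificate name check behind the browser warning in the question and a Rack-style redirect from the naked domain to www. `mywebsite.com` is the question's placeholder; `CANONICAL_HOST`, `NAKED_HOSTS`, `cert_covers?` and `REDIRECT_APP` are assumed names.

```ruby
# Added example. Host names are placeholders taken from the question.
CANONICAL_HOST = "www.mywebsite.com"
NAKED_HOSTS    = ["mywebsite.com"].freeze

# Simplified RFC 6125-style name check: labels must match one for one, and
# "*" may stand in only for the whole leftmost label. This is why neither
# *.heroku.com nor a www-only certificate satisfies a request for the naked
# domain. (Partial wildcards such as "w*.example.com" are not handled.)
def cert_covers?(cert_name, host)
  c = cert_name.downcase.split(".")
  h = host.downcase.split(".")
  return false unless c.length == h.length
  c.each_with_index.all? { |label, i| label == h[i] || (i.zero? && label == "*") }
end

# Rack-compatible app (a lambda taking env, so no gem is needed to run it).
# The redirect target is a constant and is never built from the Host header,
# so a forged Host cannot turn the app into an open redirect.
# Note: for an https:// request the TLS handshake, including the name check
# above, completes before this 301 is ever sent.
REDIRECT_APP = lambda do |env|
  host = env["HTTP_HOST"].to_s.downcase.sub(/:\d+\z/, "")
  unless NAKED_HOSTS.include?(host)
    return [404, { "content-type" => "text/plain" }, ["unknown host\n"]]
  end
  target = "https://#{CANONICAL_HOST}#{env["PATH_INFO"]}"
  qs = env["QUERY_STRING"].to_s
  target += "?#{qs}" unless qs.empty?
  [301, { "location" => target, "content-type" => "text/plain" }, ["moved\n"]]
end
```
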