Set up LetsEncrypt on a .app domain with Dokku

I want to set up a LetsEncrypt certificate on my domain. I am hosting using Dokku. However, when I try to use the Dokku plugin it fails and does not offer me any ways to verify without hosting an http:// file on that domain, which is not possible since .app domains do not support unencrypted HTTP. I tried to self-certify with certbot, which it also does not allow.

For now I’ve set it up with a GoDaddy cert but that is failing in the chain, so I’m looking to set up a Let’s Encrypt cert, but I'm not sure how that’s possible if I can’t use DNS or some other method to confirm ownership of the domain.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

My web server is (include version): nginx on dokku

The operating system my web server runs on is (include version): Ubuntu 19.04

My hosting provider, if applicable, is: vultr with Dokku

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Unencrypted HTTP works. Web browsers will always force HTTPS, but the Let’s Encrypt validation servers won’t.

I just tried it again and it worked… it failed the first time. Thanks!

Hi @negcx

That’s a misunderstanding. .app domains are preloaded, but that only matters when a browser connects to your domain. Tools, bots and the Let’s Encrypt validator can connect to your domain via http / port 80.

And checking your domain, port 80 answers:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| | 301 | | 0.277 | A |
| | 301 | | 0.277 | A |
| | 200 | | 4.126 | B |

The redirect isn’t good; remove the port at the end.

If you have root access: why isn’t it possible to use Certbot, or another client?

Remove the redirect if the subdirectory starts with /.well-known/acme-challenge, or use Certbot with --nginx; then a location definition is added to skip your redirect.

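The redirect exemption suggested in the reply above, written out as a plain nginx server block. This is an added example, not configuration posted in the thread or generated by Dokku; `example.app`, the webroot `/var/www/acme` and the `:443` in the "before" block are constructed placeholders.

```nginx
# Added example. Assumptions: example.app is a placeholder domain and
# /var/www/acme is a hypothetical webroot that the ACME client writes to.

# Before: every port-80 request, including the validator's challenge
# request, is redirected, and the target URL carries an explicit port
# (the port value here is constructed for illustration).
# server {
#     listen 80;
#     server_name example.app;
#     return 301 https://$host:443$request_uri;
# }

# After: the challenge path is served over plain HTTP; all other
# requests are redirected to HTTPS with no port in the URL.
server {
    listen 80;
    listen [::]:80;
    server_name example.app;

    # HTTP-01 challenge files are answered directly on port 80.
    # ^~ stops nginx from letting a regex location override this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this block in place, Certbot's webroot mode (`certbot certonly --webroot -w /var/www/acme -d example.app`) can place the challenge file where nginx serves it.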
