Setup LetsEncrypt on a .app domain with Dokku

I want to set up a LetsEncrypt certificate on my delega.app domain. I am hosting using Dokku. However, when I try to use the Dokku plugin it fails and does not offer me any way to verify without hosting an http:// file on that domain, which is not possible since .app domains do not support unencrypted HTTP. I tried to self-certify with certbot, which it also does not allow.

For now I’ve set it up with a GoDaddy cert but that is failing in the chain, so I’m looking to set up a Let’s Encrypt cert, but I'm not sure how that’s possible if I can’t use DNS or some other method to confirm ownership of the domain.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: delega.app

My web server is (include version): nginx on dokku

The operating system my web server runs on is (include version): Ubuntu 19.04

My hosting provider, if applicable, is: vultr with Dokku

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Unencrypted HTTP works. Web browsers will always force HTTPS, but the Let's Encrypt validation servers won't.

I just tried it again and it worked… it failed the first time. Thanks!

Hi @negcx,

that's a misunderstanding. App domains are preloaded. But that's only relevant if a browser connects to your domain. Tools, bots and the Let's Encrypt validator can connect to your domain via http / port 80.

And checking your domain, port 80 answers:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://delega.app/ 207.148.3.147 | 301 | https://delega.app:443/ | 0.277 | A |
| http://www.delega.app/ 207.148.3.147 | 301 | https://www.delega.app:443/ | 0.277 | A |
| https://delega.app/ 207.148.3.147 | 200 | | 4.126 | B |

The redirect isn't good, remove the port at the end.

If you have root access: Why isn't it possible to use Certbot, acme.sh or another client?

Remove the redirect if the subdirectory starts with /.well-known/acme-challenge or use Certbot with --nginx, then a location definition is added to skip your redirect.

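The two changes suggested in the reply above, written as a plain nginx port-80 server block. This is an added example, not configuration from the thread or from Dokku (which generates its own nginx config); the webroot path `/var/www/letsencrypt` and the "before" redirect line are assumptions constructed to match the `:443` redirect shown in the check output.

```nginx
# Port 80 stays open even on a preloaded .app domain: browsers never use it,
# but the Let's Encrypt HTTP-01 validator connects here first.
server {
    listen 80;
    listen [::]:80;
    server_name delega.app www.delega.app;

    # 1) Exempt the ACME challenge path from the HTTPS redirect.
    #    "^~" stops nginx from evaluating regex locations for this prefix,
    #    so no other rule can redirect or rewrite the challenge request.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # assumed webroot, must be readable by nginx
        default_type text/plain;
        try_files $uri =404;            # unknown tokens fail cleanly, no redirect
    }

    # 2) Redirect everything else to HTTPS without an explicit port.
    #    Before (constructed, produces https://delega.app:443/ as in the check):
    #        return 301 https://$host:443$request_uri;
    #    After:
    location / {
        return 301 https://$host$request_uri;
    }
}

# With the block above active, a webroot-based issuance would be:
#   certbot certonly --webroot -w /var/www/letsencrypt \
#       -d delega.app -d www.delega.app
```

Run `nginx -t` before reloading so a syntax error does not take down the existing HTTPS site.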
