Using letsencrypt with Dokku

Has anyone tried using letsencrypt with Dokku?

I have an app running on Dokku and I want to learn if there are gotchas I should know about before I try using letsencrypt on apps that use Dokku.

Any input would be great. Thanks

I was able to successfully install the certificates with some manual intervention:

  1. Stop the nginx server to make port 80 available for domain validation
  2. Use letsencrypt-auto with the certonly subcommand to download the certificate and key to /etc/letsencrypt/live/mydomain.com/{fullchain,privkey}.pem
  3. Create a tarball holding the files in the expected naming scheme:
    tar --transform 's/fullchain\.pem/server.crt/' --transform 's/privkey\.pem/server.key/' -cf mydomain.com.tar {fullchain,privkey}.pem
  4. Use dokku certs:add myapp < mydomain.com.tar to import the certificates to dokku
  5. Restart nginx

Steps 1 and 5 will hopefully become obsolete once the nginx plugin has matured.

1 Like
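Step 3 of the manual procedure above, written as a script. This is an added example, not code from the thread or from the dokku project. It assumes GNU tar and the usual layout in which the files under /etc/letsencrypt/live/ are symlinks into ../../archive/, so it passes -h to store file contents instead of links, and it creates the tarball under a 077 umask because the archive holds the private key. The function name make_dokku_cert_tar is hypothetical.

```shell
#!/bin/sh
# Added example: package a Let's Encrypt certificate pair for `dokku certs:add`.
# make_dokku_cert_tar is a hypothetical helper, not part of dokku or letsencrypt.
# Usage: make_dokku_cert_tar <live-dir> <absolute-path-to-output.tar>
make_dokku_cert_tar() {
    live_dir=$1
    out=$2

    # Refuse to build an archive from missing or empty files.
    # (test -s follows symlinks, so a dangling link in live/ is caught here.)
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live_dir/$f" ]; then
            echo "missing or empty: $live_dir/$f" >&2
            return 1
        fi
    done

    # Subshell keeps the umask change local. 077 makes the tarball mode 600,
    # since it contains the private key.
    (
        umask 077
        rm -f "$out"
        # -h dereferences the live/ symlinks so real file contents are stored.
        tar -cf "$out" -h \
            --transform 's/^fullchain\.pem$/server.crt/' \
            --transform 's/^privkey\.pem$/server.key/' \
            -C "$live_dir" fullchain.pem privkey.pem
    ) || return 1

    # Confirm the archive holds exactly the two names dokku expects.
    names=$(tar -tf "$out" | sort | tr '\n' ' ')
    if [ "$names" != "server.crt server.key " ]; then
        echo "unexpected archive contents: $names" >&2
        rm -f "$out"
        return 1
    fi
}

# Example call, using the names from the post above:
#   make_dokku_cert_tar /etc/letsencrypt/live/mydomain.com /root/mydomain.com.tar \
#       && dokku certs:add myapp < /root/mydomain.com.tar
```

Delete the tarball once the import has succeeded, since it is a second copy of the private key.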

I’ve implemented a dokku plugin to automatically install letsencrypt certificates on a running Dokku server by temporarily adding a reverse proxy for the ACME paths to the nginx configuration and can now automatically download and install certificates for my Dokku apps:

I would be happy to get some feedback whether this is working for others!

2 Likes

Just to follow up, some things have changed since this thread’s last activity:

@sseemayer’s plugin has become official and moved to https://github.com/dokku/dokku-letsencrypt, and it’s wonderful. I’m using it with great success currently. It’s so nice to just type dokku letsencrypt my-app and it’s done.

Also Dokku moved to its own github org.

I found this thread searching “dokku” here to see if anyone had renewal via cron working with the dokku plugin, but I’ll ask about that in a separate thread. Just wanted to stop and say thanks for the plugin and help others find it. Using Let’s Encrypt with Dokku is now a dream.

1 Like

Thanks so much for the warm words! I’ve recently added an automatic renewal procedure to the plugin that will only renew certificates when entering a configurable grace period. I’ve done a short writeup on my blog about how I’m using it on my server. So far it’s working very well for me. Hopefully this will be useful to you.

1 Like

I just noticed this today when debugging my renewal cron job. Since that’s the case I’ve changed my script to run weekly instead of monthly. I saw jcjones on twitter recommend daily renewal because 1) why not, and 2) the first of the month can be busy and it might fail so it’s best to try more often. I think I like weekly plus your age check.

Also I did get it working. Turns out I had just failed to set the PATH variable properly in the crontab and so the dokku command couldn’t find plugn. It’s all great now 🙂

Okay, so it turns out that I had not seen your improvements or the new letsencrypt:auto-renew command. This is just perfect. Also the new letsencrypt:ls that lists all the secured apps and expiry times is wonderful. Really amazing work on this. Thanks! 🍻

1 Like

Thank you @sseemayer for such an easy, clean way of handling ssl with Dokku!

Thank you very, very much @sseemayer, your plugin helped me a lot.

First, I tried setting up a letsencrypt certificate for my linode-dokku by hand, and couldn’t figure out how to validate it.
Then I installed your plugin but at first it didn’t work. (I suppose it tried to get a new certificate which created a conflict.)
Finally I revoked both the certificate I had manually created with certbot and the one your plugin created and then started over, and then it worked instantly.

Thank you!