• Stars
    star
    1,048
  • Rank 43,968 (Top 0.9 %)
  • Language
    Shell
  • License
    MIT License
  • Created almost 9 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Automatic Let's Encrypt TLS Certificate installation for dokku

dokku-letsencrypt

dokku-letsencrypt is the official plugin for dokku that gives the ability to automatically retrieve and install TLS certificates from letsencrypt.org. During ACME validation, your app will stay available at any time.

By running this plugin, you agree to the Let's Encrypt Subscriber Agreement automatically (because prompting you whether you agree might break running the plugin as part of a cronjob).

If you like Let's Encrypt, please consider donating to Let's Encrypt.

Installation

sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git

Upgrading from previous versions

sudo dokku plugin:update letsencrypt

Commands

$ dokku letsencrypt:help
    letsencrypt:active <app>                Verify if letsencrypt is active for an app
    letsencrypt:auto-renew                  Auto-renew all apps secured by letsencrypt if renewal is necessary
    letsencrypt:auto-renew <app>            Auto-renew app if renewal is necessary
    letsencrypt:cleanup <app>               Cleanup stale certificates and configurations
    letsencrypt:cron-job <--add|--remove>   Add or remove an auto-renewal cronjob
    letsencrypt:disable <app>               Disable letsencrypt for an app
    letsencrypt:enable <app>                Enable or renew letsencrypt for an app
    letsencrypt:list                        List letsencrypt-secured apps with certificate expiry
    letsencrypt:revoke <app>                Revoke letsencrypt certificate for app

Usage

If using this plugin with Cloudflare:

  • The domain dns should be setup in "Proxied" mode
  • SSL/TLS mode must be in "Full" mode
    • Using letsencrypt in "Flexible" mode will cause Cloudflare to detect your server as down
    • Using "Full" mode will require disabling SSL/TLS in cloudflare in order to renew the certificate.

If using "Flexible" SSL/TLS mode, avoid using this plugin.

See these two links for more details:

The app which is obtaining a letsencrypt certificate must already be deployed and accessible over the internet (i.e. in the browser) in order to add letsencrypt to your app. This plugin will fail to apply for an app that has otherwise only been created.

Obtain a Let's encrypt TLS certificate for app myapp (you can also run this command to renew the certificate):

$ dokku letsencrypt:set myapp email [email protected]
-----> Setting email to [email protected]
$ dokku letsencrypt:enable myapp
=====> Let's Encrypt myapp...
-----> Updating letsencrypt docker image...
latest: Pulling from dokku/letsencrypt

Digest: sha256:20f2a619795c1a3252db6508f77d6d3648ad5b336e67caaf801126367dbdfa22
Status: Image is up to date for dokku/letsencrypt:latest
       done
-----> Enabling letsencrypt proxy for myapp...
-----> Getting letsencrypt certificate for myapp...
        - Domain 'myapp.mydomain.com'

[ removed various log messages for brevity ]

-----> Certificate retrieved successfully.
-----> Symlinking let's encrypt certificates
-----> Configuring SSL for myapp.mydomain.com...(using /var/lib/dokku/plugins/available/nginx-vhosts/templates/nginx.ssl.conf.template)
-----> Creating https nginx.conf
-----> Running nginx-pre-reload
       Reloading nginx
-----> Disabling letsencrypt proxy for myapp...
       done

Once the certificate is installed, you can use the certs:* built-in commands to edit and query your certificate.

You could also use the following command to set an email address for global. So you don't need to type the email address for different application.

dokku letsencrypt:set --global email [email protected]

Automatic certificate renewal

To enable the automatic renewal of certificates, a cronjob needs to be defined for the dokku user which will run daily and renew any certificates that are due to be renewed.

This can be done using the following command:

dokku letsencrypt:cron-job --add

Configuration

dokku-letsencrypt uses the Dokku environment variable manager for all configuration. The important environment variables are:

Variable Default Description
dns-provider (none) The name of a valid lego dns-provider
email (none) REQUIRED: E-mail address to use for registering with Let's Encrypt.
graceperiod 2592000 (30 days) Time in seconds left on a certificate before it should get renewed
lego-docker-args (none) Extra arguments to pass via docker run. See the lego CLI documentation for available options.
server default Which ACME server to use. Can be 'default', 'staging' or a URL

You can set a setting using dokku letsencrypt:set $APP $SETTING_NAME $SETTING_VALUE. When looking for a setting, the plugin will first look if it was defined for the current app and fall back to settings defined by --global.

Note: See "DNS-01 Challenge" for more information on configuration a dns-provider for DNS-01 based challenges and wildcard support.

Redirecting from HTTP to HTTPS

Dokku's default nginx template will automatically redirect HTTP requests to HTTPS when a certificate is present.

You can customize the nginx template if you want different behaviour.

Design

dokku-letsencrypt gets around having to disable your web server using the following workflow:

  1. Temporarily add a reverse proxy for the /.well-known/ path of your app to https://127.0.0.1:$ACMEPORT
  2. Run the acme/lego Let's Encrypt client in a Docker container binding to $ACMEPORT to complete the ACME challenge and retrieve the TLS certificates
  3. Install the TLS certificates
  4. Remove the reverse proxy and reload nginx

For a more in-depth explanation, see this blog post

Dockerfile and Image-based Deploys

When securing Dockerfile and Image-based deploys with dokku-letsencrypt, be aware of the proxy mechanism for dokku 0.6+.

For Dockerfile deploys - as well as those via git:from-image - Dokku will determine which ports a container exposes and proxies all those exposed ports in the Docker container by listening on the same port numbers on the host. This means that **both the proxies for HTTP port 80 and HTTPS port 443 to the app's container need to be manually configured** using the dokku proxy:ports-*` commands in order for certificate validation and browsing to the app via HTTPS to work.

A full workflow for creating a new Dockerfile/Image-based deployment (where the app is listening on port 5555) with dokku-letsencrypt would be:

  1. Create a new app myapp in dokku and push to the [email protected] remote. This guide assumes that the Docker container will be listening for connections on port 5555 so replace container port numbers accordingly if necessary.
  2. On the dokku host, use dokku proxy:ports-add myapp http:80:5555 to proxy HTTP port 80 to port 5555 on the Docker image
  3. On the dokku host, use dokku letsencrypt:enable myapp to retrieve HTTPS certificates.
  4. On the dokku host, use dokku proxy:ports-add myapp https:443:5555 to proxy HTTPS port 443 to port 5555 on the Docker image
  5. (optional) On the dokku host, use dokku proxy:ports-remove myapp http:5555:5555 to remove a potential leftover proxy that was automatically configured on first deploy.

After these steps, the output of dokku proxy:ports myapp should look like this:

-----> Port mappings for myapp
-----> scheme             host port                 container port
http                      80                        5555
https                     443                       5555

Replace the container port (5555 in the above example) with the port your app is listening on.

Note: Step 2 and step 4 cannot be joined together since a configured HTTPS proxy will include a ssl_certificate line in the app's nginx config that will cause nginx config validation to fail because no valid HTTPS certificate is available until step 3 is completed.

Dealing with rate limit

Be aware that Let's Encrypt is subject to rate limiting. The limit about the number of certificates you can add on a domain per week is a concern for dokku because of the default domain added to your new applications, named like <app>.<dokku-domain>: using dokku-letsencrypt on all your applications would create a certificate for each application subdomain on <dokku-domain>.

As a workaround, if you want to encrypt many applications, make sure to add a proper domain for each one and remove their default domain before running dokku-letsencrypt. For example, if your dokku domain is dokku.example.com and you want to encrypt your foo app:

dokku domains:add foo foo.com
dokku domains:remove foo foo.dokku.example.com
dokku letsencrypt:enable foo

While playing around with this plugin, you might want to switch to the let's encrypt staging server by running dokku letsencrypt:set myapp server staging to enjoy much higher rate limits and switching back to the real server by running dokku letsencrypt:set myapp server once you are ready.

Generating a Cert for multiple domains

Your default dokku app is accessible under the root domain too. So if you have an application 00-default that is running under 00-default.mydomain.com it is accessible under mydomain.com too. Now if you enable letsencrypt for your 00-default application, it is not accessible anymore on mydomain.com. You can add the root domain to your dokku domains by typing:

dokku domains:add 00-default mydomain.com
dokku letsencrypt:enable 00-default

DNS-01 Challenge

Functionality sponsored by Orca Scan Ltd.

In order to provide a Letsencrypt certificate for a wildcard domain, a DNS-01 challenge must be used. To configure, the dns-provider property must be set to a supported Lego provider. Additionally, the environment variables used by the DNS provider must be set as letsencrypt properties with the prefix dns-provider-. Both global and app-specific properties are supported.

Warning: Before using a DNS-based challenge, ensure all DNS records - including wildcard records - are pointing at your server.

# set the provider to namecheap
dokku letsencrypt:set --global dns-provider namecheap

# set the properties necessary for namecheap usage
dokku letsencrypt:set --global dns-provider-NAMECHEAP_API_USER user
dokku letsencrypt:set --global dns-provider-NAMECHEAP_API_KEY key

Due to limitations in how certain DNS providers work, environment variables must not use the _FILE based method for referring to values in files.

Please see the Lego documentation for your DNS provider for more information on what configuration is necessary to utilize DNS-01 challenges.

Conditional enabling

dokku letsencrypt:enable <app> enables letsencrypt for an application or renews the certificate. This may lead to hitting rate limits with letsencrypt.

To avoid renewals, for example in a continuous deployment scenario, you could first check if letsencrypt has already been enabled for the app:

dokku letsencrypt:active <app> || dokku letsencrypt:enable <app>

License

This plugin is released under the MIT license. See the file LICENSE.

More Repositories

1

dokku

A docker-powered PaaS that helps you build and manage the lifecycle of applications
Shell
24,965
star
2

dokku-postgres

a postgres plugin for dokku
Shell
444
star
3

sshcommand

Turn SSH into a thin client specifically for your app
Shell
361
star
4

dokku-redis

a redis plugin for dokku
Shell
240
star
5

dokku-mongo

a mongo plugin for dokku
Shell
171
star
6

ansible-dokku

Ansible modules for installing and configuring Dokku
Python
142
star
7

dokku-scheduler-kubernetes

Scheduler plugin for deploying applications to kubernetes
Shell
134
star
8

github-action

Shell
130
star
9

dokku-maintenance

dokku plugin that gives the ability to manage application maintenance mode
Shell
106
star
10

heroku-buildpack-nginx

Buildpack for static websites on Dokku (nginx)
Shell
103
star
11

dokku-redirect

A plugin for dokku that gives the ability to set simple redirects for an application
Shell
98
star
12

dokku-mysql

a mysql plugin for dokku
Shell
92
star
13

dokku-elasticsearch

an elasticsearch plugin for dokku
Shell
88
star
14

dokku-http-auth

dokku plugin that gives the ability to manage HTTP basic auth for an application
Shell
78
star
15

plugn

Hook system that lets users extend your application with plugins
Shell
75
star
16

dokku-mariadb

a mariadb plugin for dokku
Shell
65
star
17

dokku-api

Unmaintained: HTTP API on top of Dokku Daemon
Ruby
59
star
18

dokku-graphite

a graphite, grafana, statsd, carbon plugin for dokku
Shell
55
star
19

dokku-rabbitmq

a rabbitmq plugin for dokku
Shell
45
star
20

dokku-rethinkdb

a rethinkdb plugin for dokku
Shell
42
star
21

dokku-scheduler-nomad

Scheduler plugin for deploying applications to nomad
Shell
32
star
22

dokku-daemon

A daemon wrapper around dokku
Shell
31
star
23

ci-docker-image

A Docker Image meant for use with CI/CD pipelines
Shell
27
star
24

dokku-memcached

a memcached plugin for dokku
Shell
25
star
25

dokku-couchdb

a couchdb plugin for dokku
Shell
25
star
26

gitlab-ci

A collection of gitlab-ci examples
Shell
24
star
27

docker-wait

Shell
23
star
28

dokku-nats

a nats plugin for dokku
Shell
23
star
29

dokku-meilisearch

a meillisearch plugin for dokku
Shell
22
star
30

dokku-clickhouse

a clickhouse plugin for dokku
Shell
18
star
31

dokku-copy-files-to-image

copies files from the host onto the container
Makefile
14
star
32

dokku-update

Shell
12
star
33

dokku-solr

a solr plugin for dokku
Shell
11
star
34

dokku-event-listener

Service that listens to docker events and runs dokku commands
Makefile
10
star
35

lambda-builder

A tool for building lambda function images or zips via Docker
Go
10
star
36

dokku-registry

Deprecated in favor of the official Registry plugin introduced in 0.25.x
Shell
9
star
37

compose-transpiler

Simple docker-compose.yml to dokku commands web utility
Vue
7
star
38

docker-grafana-graphite

Docker image with StatsD, Graphite, Grafana 6
JavaScript
6
star
39

docker-letsencrypt

Docker container for the "simp_le" Let's encrypt implementation running on Alpine Linux
Dockerfile
6
star
40

docker-ambassador

A maintained version of the ambassador linking pattern
Shell
6
star
41

procfile-util

A tool for interacting with Procfiles
Go
5
star
42

omakase

Go
5
star
43

dokku-pushpin

a pushpin plugin for dokku
Shell
5
star
44

docker-image-labeler

Adds and removes labels from docker images
Makefile
5
star
45

netrc

Utility that allows users to manage netrc files
Makefile
5
star
46

dokku-arch

Shell
5
star
47

docker-container-healthchecker

Runs healthchecks against local docker containers
Go
5
star
48

dokku-typesense

a typesense plugin for dokku
Shell
5
star
49

service-proxy

An app that can be used to proxy to a datastore service's web ui
Shell
3
star
50

dokku.github.io

A blog for dokku
SCSS
3
star
51

dokku-orb

Python
3
star
52

docker-run-export

exports the flags passed to a `docker run` call to a variety of formats
Go
2
star
53

websocket-example

Go
2
star
54

.github

Organization Repository
Shell
2
star
55

smoke-test-app

Smoke test app for dokku test suite
Python
2
star
56

dokku-cron-restart

Shell
2
star
57

dokku-omnisci

an omnisci plugin for dokku
Shell
2
star
58

heroku-buildpack-null

A buildpack that performs no actions, for testing purposes
Shell
1
star
59

docker-image-updater

A tool to manually or automatically manage updated docker images
1
star
60

smoke-test-plugin

Smoke test plugin for dokku test suite
Go
1
star
61

github-playground

a playground to test github functionality
1
star
62

smoke-test-gradle-app

Java
1
star
63

tutorials

An mkdocs-based tutorial site
Shell
1
star
64

arch-herokuish

Mirror of AUR git repo for https://github.com/gliderlabs/herokuish
Shell
1
star
65

prop

A golang-based cli interface for manipulating config backed by various datastores
Go
1
star
66

test-app-5065

Python
1
star
67

docs

Docs site in generated html form
HTML
1
star
68

dokku-ansible

an ansible plugin for dokku
Shell
1
star