Effortlessly add HTTPS to Dokku, with Let’s Encrypt
26 September 2016, by Tim Perry
You’ve written an application deployed using Dokku, and you’ve got it all up and running and great. You’ve heard a lot about why HTTPS is important nowadays, especially the SEO and performance benefits, and you’d like to add all that, with minimal cost and hassle. Let’s get right on that.
Let’s Encrypt is a new certificate authority (an organisation that issues the certificates you need to host an HTTPS site), which provides certificates to sites entirely for free, by totally automating the system, to help get 100% of the web onto HTTPS. Sounds great, right?
To set up this up, you’re going to need to prove you own the domain you’re asking for a certificate for, you need to get the certificates and start using them, and you’re going to want to have some system in place to automatically renew your certificates, so you never have to think about this again (Let’s Encrypt certificates expire every 90 days, to encourage automation). That means we’ve got a few key steps:
- Generate a key-pair to represent ourselves (you can think of this as our login details for Let’s Encrypt).
- Complete Let’s Encrypt’s Simple HTTP challenge, by signing and host a given JSON token at /.well-known/acme-challenge/<token> on port 80 for the given domain name, with our public key. This validates the key pair used to sign this token as authorized to issue certificates for this domain.
- Request a certificate for this domain, signing the request with our now-authorized key.
- Set up our server to use this key.
- Set up an automated job to re-request certificates and update the certificate we’re using at regular intervals.
(Interested in the full details of how the Let’s Encrypt process works? Check out their detailed intro: https://letsencrypt.org/how-it-works/)
Fortunately, you barely have to do any of this! In reality, with Dokku, this is pretty much a case of turning a plugin on, and walking away.
How do you actually do this with Dokku?
First up, we need to install dokku-letsencrypt, which will do most of the setup magically for us (see full instructions here). On your server, run the command below for your dokku version (run ‘dokku version’ to check):
# dokku 0.5+ dokku plugin:update letsencrypt # dokku 0.4 dokku plugin:update letsencrypt dokku-0.4
To configure it, set an email for your app:
dokku config:set --no-restart myapp [email protected]
(This email will receive the renewal warnings for your certificate)
Turn it on:
dokku letsencrypt myapp
For Dokku 0.5+, set up auto-renewal:
dokku letsencrypt:cron-job --add
For Dokku 0.4, you’ll have to manually add a cronjob scheduled every 60 days to kick off the auto-renewal process:
What just happened?
The magic is in the ‘dokku letsencrypt myapp’ command. When you run that, Dokku-LetsEncrypt:
- Starts a new service, in a Docker container, and temporarily delegates the top-level .well-known path on port 80 to it in Nginx (the server which sits in front of all your services in Dokku and routes your requests).
- Generates a key pair, and authorizes it for each of the domains you have configured for your app (see ‘dokku domains myapp’).
- Uses that key pair to get certificates for each of those domains.
- Configures Nginx to enable HTTPS with these certificates for each of those domains.
- Configures Nginx to 301 redirect any vanilla HTTP requests on to HTTPS for each of those domains.
The later auto-renewal steps just do the work to update these certificates later on.
Easy as pie. Don’t forget to check it actually worked though! It’s quite likely you’ll find mixed content warnings when you first turn on HTTPS. Most major CDNs or other services you might be embedding will have HTTPS options available nowadays, so this should just be a matter of find/replacing http: tohttps: throughout your codebase. With that done though, that shiny green padlock should be all yours.
This post originally appeared on Tim Perry’s personal blog.