Add wildcard support via DNS-01 challenge
Note
As of 0.12.0, dokku-letsencrypt will be in a position to add dns-01 challenge support. That said, it'll still need work to enable the environment variable support needed. Until someone volunteers or sponsors the work, wildcard support is not officially supported by this plugin.
Original Post
Thanks to @dean1012 for handling the upgrade to ACMEv2 in #184. Judging by the closing of #147 I thought that wildcard certs would be working, but when I add a wildcard domain to my app and try to letsencrypt, I consistently get a TimeoutError. Could someone else confirm that they get the same behavior?
root@ubuntu-s-1vcpu-2gb-ams3-01:~# dokku letsencrypt nabatism.com
=====> Let's Encrypt nabatism.com
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
Done updating
-----> Enabling ACME proxy for nabatism.com...
-----> Getting letsencrypt certificate for nabatism.com...
- Domain 'nabatism.com'
- Domain '*.nabatism.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2019-10-14 05:15:07,899:INFO:__main__:1317: Generating new account key
2019-10-14 05:15:10,497:INFO:__main__:1343: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2019-10-14 05:15:11,789:INFO:__main__:1406: Generating new certificate private key
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1435, in persist_new_data
    order = finalize_order(client, order)
  File "/simp_le/simp_le.py", line 1362, in finalize_order
    finalized_order = client.poll_and_finalize(order)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 697, in poll_and_finalize
    orderr = self.poll_authorizations(orderr, deadline)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 713, in poll_authorizations
    raise errors.TimeoutError()
TimeoutError
Actually, there may have been some confusion. My work did not enable wildcard certificates nor did I test that functionality.
Wildcard functionality would require that we use DNS-01 challenge:
Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.
Source: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579
Right now, we use a simple document root (HTTP) challenge.
Using a DNS-01 challenge would be difficult to implement in a user friendly way.
First, we'd have to require that users set up configuration (similar to email address) for what DNS provider to use and the credentials to that provider. We'd also need a configuration flag to be set to tell the plugin to use wildcard certificates. Without the flag set, the plugin would default to the current method.
Finally, if a user sets the wildcard flag but not the DNS provider configuration settings (for example, if their domain's DNS isn't a supported provider), we'll need to tell the user to set the DNS record manually then prompt them to continue the process.
And also consider that certificates are still handled on a per-app basis, meaning you would be creating several different wildcard certs unless that is changed too.
I'm not at all sure it would be worth it.
It would be easier to create your own letsencrypt wildcard cert, then use the certs command to associate it with all your apps yourself.
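For anyone looking at what the DNS-01 path described above actually requires, the following is an added example (not code from dokku-letsencrypt or from any commenter) that computes the `_acme-challenge` TXT record name and value per RFC 8555 section 8.4 and RFC 7638, and pre-checks that the record is visible before a CA would be asked to validate. The account JWK and the resolver are constructed stand-ins; a real plugin would take the token from the ACME order and query real DNS.

```python
import base64
import hashlib
import json

ACME_LABEL = "_acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard '*.example.com' is validated at the base name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"{ACME_LABEL}.{base}"


def dns01_record_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(token '.' thumbprint)) of the key authorization."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dns01_record_present(identifier: str, token: str, account_jwk: dict, resolve_txt) -> bool:
    """Pre-flight: only tell the CA to validate once the expected TXT value is resolvable.
    resolve_txt(name) returns the list of TXT strings published at that name."""
    return dns01_record_value(token, account_jwk) in resolve_txt(dns01_record_name(identifier))


# Constructed sample account key (EC P-256 JWK with placeholder coordinates) and token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
SAMPLE_TOKEN = "constructed-token-from-acme-order"

if __name__ == "__main__":
    name = dns01_record_name("*.nabatism.com")
    value = dns01_record_value(SAMPLE_TOKEN, SAMPLE_JWK)
    fake_zone = {name: [value]}          # what the DNS provider API would have published
    print(f"publish TXT {name} = {value}")
    print("ready to validate:", dns01_record_present("*.nabatism.com", SAMPLE_TOKEN, SAMPLE_JWK,
                                                      lambda n: fake_zone.get(n, [])))
```

Note that both `nabatism.com` and `*.nabatism.com` map to the same `_acme-challenge.nabatism.com` name, so an order covering both needs two TXT records at that one name.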
Wildcard certs aren't supported (freely) by Cloudflare so I was hoping to set up one on Dokku directly but figured they don't seem to be supported. It'd be especially helpful to have wildcard certs in Dokku IMHO ;) As for the UX, it's always a horrible workflow to set up certs so anything might be an improvement. Otherwise, what would be a good alternative option to enable SSL on wildcard subdomains?
@iplanwebsites is this something you'd be interested in sponsoring? Otherwise, pull requests are always welcome!
There is another ACME solution which offers integration with multiple DNS providers to update the DNS records for wildcard domains. Only then we would need to switch; I am not sure if this is something we would like to do?
👍 for wildcard support. Perhaps a bounty could be set up? I'd chip in.
I’m using wildcard without issues..
@CyberMew Do you know if support for wildcard from LetsEncrypt is a recent thing? Or know of a resource that specifies how to do that? My devops guy thinks it can't be done.
This should be more easily possible once #220 gets merged, but someone still needs to figure out env var support and configuration for the dns based solution.
@archonic it's been around for a while now. March 2018. https://github.com/dokku/dokku-letsencrypt/issues/189
However, Let's Encrypt started issuing certs in 2014, so for several years it did not support wildcard certificates.
LE definitely supports Wildcard certs now. Some tools that integrate with LE including this one, don't, however.
What does environment variable support mean in this context?
I looked through some blog posts. I'm probably going to follow this one, but with a list of apps rather than a single app. https://petr.codes/blog/dokku/wildcard-certificate/
We need a way to set arbitrary properties - basically the same as the kubernetes scheduler - and then a way to set the dns provider. That will then let us automate it via dns.
@archonic sorry for the late reply. I was using this https://github.com/josegonzalez/dokku-global-cert
DNS-01 challenge is also very interesting for when running Dokku inside a VPN (but you still want to use HTTPS).