sudo nano /etc/hosts
127.0.0.1 trustkey.so
127.0.0.1 captionflex-staging.trustkey.so
server {
    listen 80;
    server_name *.trustkey.so;
    return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
    listen 443 ssl;
    server_name *.trustkey.so;
    ssl_certificate /path/to/trustkey.so.crt;
    ssl_certificate_key /path/to/trustkey.so.key;
    # Optional: restrict TLS versions and ciphers (for better security)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:3700;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Host $host; # Ensure the original host is passed
        proxy_set_header X-Real-IP $remote_addr; # Pass the real IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Forward original IPs
        proxy_set_header X-Forwarded-Proto $scheme; # Forward protocol (http or https)
    }
}
yarn dev -H 127.0.0.1 -p 3700
A <domain> <ip>
A * <ip>
CNAME www <domain>
dokku domains:add dokku domains:add *.
Automatic Renew: https://petr.codes/blog/dokku/wildcard-certificate/
certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d '*.<domain>' -d <domain>
Create the TXT record that certbot prints in the DNS panel:
TXT _acme-challenge.<domain>. <content>
Then:
cp <path_to_certs>/privkey.pem server.key
cp <path_to_certs>/fullchain.pem server.crt   # fullchain.pem already contains cert.pem plus the chain
tar cvf certs.tar server.crt server.key
dokku certs:add <app_name> < certs.tar
rm -rf certs.tar server.key server.crt
Create a CNAME record and update the domain field in the trustkey.tenants collection:
CNAME <subdomain> <tenant_identifier>.<domain>
Wildcard certificates are handy, and this was the first time I needed to use them with Dokku. It was a little harder than I expected, but luckily it is doable, even with automatic renewal.
Right now, there is no wildcard support from the dokku-letsencrypt plugin. Luckily, Dokku itself can use certificates from other sources.
For a wildcard certificate, you need to use a different challenge with Let’s Encrypt called DNS-01, where you need to change DNS to prove you are the owner of the domain.
Follow a tutorial (e.g., from Jamie Scaife) to install all needed components to set up Certbot to use acme-dns. When you finish, you should have the wildcard certificate created.
Now, we need to tell Dokku to use our new wildcard certificate within our app.
To add a certificate to Dokku for a certain app, we will use the dokku certs:add command.
It is easier to use a tar file with all related files, so we need to create one.
Create a new file, e.g., /home/dokku/.ssl-certs/app/install, where app should be the name of your application. We will use example.com as an example domain. Open it in your favorite editor and add this content:
#!/bin/sh
rm -rf server.crt
rm -rf server.key
rm -rf certs.tar
cp /etc/letsencrypt/live/example.com/fullchain.pem server.crt
cp /etc/letsencrypt/live/example.com/privkey.pem server.key
tar cvf certs.tar server.key server.crt
dokku certs:add app < certs.tar
- The three rm lines ensure we use only fresh files.
- The two cp lines copy the needed files from the letsencrypt folder, where Certbot creates the certificates. Update the paths with the correct ones.
- The tar line creates a tar file that is then imported to Dokku using the last command. Replace app with your own Dokku app.
If you need to load the certificate to all Dokku apps on the server, replace the last line with:
APPS=`dokku --quiet apps:list`
for app in $APPS
do
dokku certs:add "$app" < certs.tar
done
Mark the script as executable:
chmod +x /home/dokku/.ssl-certs/app/install
Now, run the script and verify that everything works as expected:
/home/dokku/.ssl-certs/app/install
You should see output like this:
server.key
server.crt
-----> Unsetting DOKKU_PROXY_PORT
-----> Unsetting DOKKU_PROXY_SSL_PORT
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000
-----> Setting config vars
DOKKU_PROXY_PORT_MAP: http:80:5000 https:443:5000
-----> Configuring *.example.com...(using built-in template)
-----> Creating https nginx.conf
Enabling HSTS
Reloading nginx
We will use Certbot’s --renew-hook within crontab for automatic renewal.
Open the crontab using the crontab -e command and add this line:
0 0 */10 * * certbot renew --renew-hook "/home/dokku/.ssl-certs/app/install" > /var/log/letsencrypt/renew-errors.log
This will call the certbot renew command with our script in the renew-hook. When a renewal occurs, it will trigger the hook and call our script, which will copy the new certificate into the Dokku app.
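The manual cp/tar/certs:add sequence earlier in these notes and the install hook above both ship the same two files to Dokku; this added example (not the page's or Dokku's own code) does the same job as one hardened hook script. It assumes certbot's live directory layout (LIVE_DIR) and a dokku command in PATH (DOKKU), both overridable, and unlike the script above it stages the files in a private temporary directory, checks that the private key really belongs to the certificate, and leaves no key material behind.

```shell
#!/bin/sh
# Added example, not the page's or Dokku's own script: a hardened "install" hook.
# Assumptions: certbot's live directory layout (LIVE_DIR) and a dokku CLI in PATH
# (both overridable via environment). Nothing is staged in a shared directory.
set -eu
umask 077                                   # files we create are 0600, dirs 0700

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"   # assumed path
DOKKU="${DOKKU:-dokku}"                                     # assumed command name

# check_pair CERT KEY: fail unless the private key matches the certificate's
# public key. Silently passes when openssl is not installed.
check_pair() {
    command -v openssl >/dev/null 2>&1 || return 0
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# build_bundle CERT KEY OUT_TAR: stage server.crt/server.key in a private temp
# dir, verify them, and tar them in the layout dokku certs:add expects.
build_bundle() {
    [ -r "$1" ] && [ -r "$2" ] || return 1  # refuse to run with missing inputs
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT             # never leave key material behind
    cp "$1" "$stage/server.crt"             # fullchain.pem already holds the leaf
    cp "$2" "$stage/server.key"
    check_pair "$stage/server.crt" "$stage/server.key" || return 2
    tar cf "$3" -C "$stage" server.crt server.key
    rm -rf "$stage"
}

# install_certs TAR APP...: import the bundle into each app, then remove the tar.
install_certs() {
    tar_file=$1; shift
    for app in "$@"; do
        "$DOKKU" certs:add "$app" < "$tar_file"
    done
    rm -f "$tar_file"
}

# Usage: install [APP...]  (no arguments = every app on the host)
main() {
    bundle=$(mktemp)
    build_bundle "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$bundle"
    if [ "$#" -eq 0 ]; then set -- $("$DOKKU" --quiet apps:list); fi
    install_certs "$bundle" "$@"
}
```

Append main "$@" as the last line when installing it as the renew hook; it is left out here so the functions can be sourced and exercised separately.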
If you are using Dokku for review apps (e.g., a copy of the stage app for each PR/MR), you can use this command to add the certificate to the review app with your Dokku deploy user:
ssh $GIT_REMOTE_URL -- "certs:add ${APP_NAME} /home/dokku/.ssl-certs/app/server.crt /home/dokku/.ssl-certs/app/server.key"
I hope there is an easier way to do this, but the script above works well.
If anything goes wrong, you will receive an email about the domain expiration from the Let’s Encrypt bot. Ensure you add a working email when creating certificates with Let’s Encrypt.