how to enable wildcard ssl certificate for an app
Opened this issue · 2 comments
I have trouble using this plugin. I could install it and add my cert and key files.
But newly created apps are still not served via HTTPS. They are still only running using HTTP.
I use dockerfile deployments and my certificate is a wildcard certificate (*.mydomain.com) and dokku ist running at dokku.mydomain.com, so all services are served as <app_name>.dokku.mydomain.com
Do I have to somehow enable the global cert per app?
is this plugin still working with the latest dokku version? (v.0.10.3)
I also ran into this issue, it seems like the plugin uses an post-create hook to attach the cert to an app, so it won't attach the cert to any app that was already created. this can probably be fixed by adding an extra install step to add ssl to any existing app
the work around i used was to just delete my apps and push them again, but this can be time consuming/not acceptable for some environments.
I "fixed" the issue with wildcard certs configured at the pre-app Nginx level (using Let's Encrypt), which then gets proxied to HTTP (non-S). It's not an ideal solution, but in lieu of a better one it works pretty well.
Here's my config in case anyone would find it useful:
(Click to show)
$ cat /etc/nginx/conf.d/00-ssl.conf
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name .ctmartin.dev;
ssl_certificate /etc/letsencrypt/live/ctmartin.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ctmartin.dev/privkey.pem;
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://localhost;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name .ctmartin.me;
ssl_certificate /etc/letsencrypt/live/ctmartin.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ctmartin.me/privkey.pem;
location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
proxy_pass http://localhost;
}
}
Tip: if you only have one wildcard domain, you only need one of those blocks; if you need more you can add more.