the global cert should be a symlink to the actual global cert?
AubreyHewes opened this issue · 8 comments
If you use global-cert, apps have a physical copy of the cert. If you update the global cert, dependent apps still have physical copies of the previous global cert.
i.e. Global cert is a wildcard *.my.dokku
which should be applied to all apps on that subdomain.
If you update the global-cert then only future new apps get the new cert... Should the cert not be a symlink to the actual global cert and not a physical copy?
possible PR
Pull requests are always welcome.
@josegonzalez I know a PR is always welcome... but do you agree? Else there is no point in a PR... I seem to be the only user having this issue?
I do not know the impact the change could have
I may be the only user.. in that case... 👯
@josegonzalez I noticed this due to using a LE wildcard for an "app" domain.. LE wildcard was installed via lego (*.app.dokku) then I noticed that each app actually copies the global cert and does not link to it... you could say that it is a proper problem... as if I update the global cert... any app that already uses the global cert will never be updated
anyway.. I have fixed it via own plugin.. but was interested to know if this was a bigger problem.. (which it does not seem to be).. As it is not (yet) a problem I will not PR this
@AubreyHewes Thanks for the PR - I definitely agree that the upgrade path for wildcard certificates needs to be addressed.
Indeed it would be nice to know whether @josegonzalez agrees that symlinking the global certificate is the way to go.
Seems like a good idea, but the PR def needs upstream work.
Yeah I have not had much time to look at this again for a while. Sorry about this!
I currently fix it by:
- script that checks all tls/server.crt if they are the same as the global and if so replace them with a symlink.. as a plugin
This works fine.. until you give an app its own cert (via cert:add, which dokku-letsencrypt also uses). Then the global cert will be overwritten (as it is a symlink). As described in the draft PR.
The upstream problem of dokku cert:add needs to be addressed. i.e. first remove then copy. I will try to give it a shot for a PR!
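An added example (not dokku's code, nor the plugin mentioned in this thread) that reproduces the two points made above in a throwaway directory: replacing per-app copies that are byte-identical to the global cert with symlinks, and the way a plain `cp` onto such a symlink writes through to the global cert, versus removing the destination first. The directory layout is an assumption for the demo (global cert at `$ROOT/tls/server.crt`, per-app certs at `$ROOT/<app>/tls/server.crt`); the cert contents are constructed placeholder strings, not real certificates.

```shell
#!/bin/sh
# Added example, not dokku's own code. Layout assumed: global cert at
# $ROOT/tls/server.crt and per-app certs at $ROOT/<app>/tls/server.crt.
set -eu

# Build a constructed fixture: a global cert, one app that still has a physical
# copy of it (app1), and one app that has since received its own cert (app2).
setup_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/tls" "$root/app1/tls" "$root/app2/tls"
  printf 'GLOBAL-CERT-v1\n' > "$root/tls/server.crt"
  cp "$root/tls/server.crt" "$root/app1/tls/server.crt"
  cp "$root/tls/server.crt" "$root/app2/tls/server.crt"
  printf 'APP2-OWN-CERT\n' > "$root/app2/tls/server.crt"
  echo "$root"
}

# Replace every per-app server.crt that is byte-identical to the global cert
# with a symlink to it, so later updates of the global cert reach those apps.
# Apps whose cert differs (their own cert) are left untouched.
link_identical_copies() {
  root=$1
  global="$root/tls/server.crt"
  for crt in "$root"/*/tls/server.crt; do
    [ -e "$crt" ] || continue
    if [ -L "$crt" ]; then continue; fi      # already linked
    if cmp -s "$crt" "$global"; then
      ln -sf "$global" "$crt"
    fi
  done
}

# Unsafe install: if the destination is a symlink, cp opens it for writing and
# the data lands in the link target, i.e. the global cert gets overwritten.
install_cert_unsafe() {
  src=$1; dst=$2
  cp "$src" "$dst"
}

# Safe install: unlink the destination first (removing a symlink, not its
# target), then copy, so the app gets a real file and the global cert survives.
install_cert_safe() {
  src=$1; dst=$2
  rm -f "$dst"
  cp "$src" "$dst"
}

# Walk through the scenario from the thread and print what each step did.
demo() {
  r=$(setup_fixture)
  link_identical_copies "$r"
  ls -l "$r"/*/tls/server.crt
  printf 'GLOBAL-CERT-v2\n' > "$r/tls/server.crt"
  echo "app1 after global update: $(cat "$r/app1/tls/server.crt")"
  printf 'APP1-OWN-CERT\n' > "$r/new.crt"
  install_cert_safe "$r/new.crt" "$r/app1/tls/server.crt"
  echo "global after safe install: $(cat "$r/tls/server.crt")"
  rm -rf "$r"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh script.sh demo`. The `rm -f` before `cp` in `install_cert_safe` is the "first remove then copy" ordering the comment above asks for upstream; the same effect can be had with GNU `cp --remove-destination`, but `rm -f` is portable to any POSIX shell.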
added PR to upstream dokku/dokku#4084