In response of all the great work you're doing for the new dokku 0.5 refactoring...

Just a quick question regarding the new dokku 0.5+ / dokku-letsencrypt compatibility matrix. Currently its not mentioned anywhere (neither your plugin nor dokku itself) on how to handle / check dokku compatibility with plugins... Without doing the ol' fingers-crossed-and-lets-see-what-it-does-in-production: dokku plugin:update Are you aware of any compatibility issues for dokku-letsencrypt with older dokku versions?

If not, it might be worthwhile to mention this in the upgrading-section of the readme

Thanks!

Hi!

First of, nice work on this plugin. Works beautifully!

As I understand it, the current solution is to create one certificate for all domains in an app. Are there any plans on supporting the creation of one certificate per domain in an app? This would be really helpful in some cases.

Thanks!

First, great job and great blog post, seems very useful.

I am trying to setup SSL with custom domain dokku running with vhost.
The app works, I can ping it at name.apps-my-domain.com.
I installed both the latest dokku-letsencrypt and tag 0.7.0 and for both got the following

root@dokku:~# dokku letsencrypt hello
=====> Let's Encrypt hello...
-----> Updating letsencrypt docker image...
latest: Pulling from m3adow/letsencrypt-simp_le
420890c9e918: Already exists 
acbaf1e6012f: Already exists 
5f71a1a2d3dc: Already exists 
Status: Image is up to date for m3adow/letsencrypt-simp_le:latest
       done
-----> Enabling ACME proxy for hello...
-----> Getting letsencrypt certificate for hello...
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
You must set at least one -d/--vhost

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for hello...
       done

Running dokku 0.4.14

Currently only the http-01 challenge is supported since we only forward port 80 of the standalone letsencrypt webserver. It would be nice to support the tls-01 challenge by additionally exposing port 443.

At the moment, to restrict the authenticator to http-01, we restrict the supported challenges to http-01

I have just updated dokku from 0.4 to 0.5.6 and updated the letsencrypt plugin. When I run letsencrypt on a new site I have pushed to my dokku box, it claims to finish successfully, but it cannot be accessed via https, I just get 502 Bad Gateway nginx.

I have looked at the nginx.conf file for the new site, and it has nothing in it regarding ssl certs. The other sites that I had already been running are working fine over SSL, and letsencrypt auto-renew worked fine for them (one of the sites was about to expire).

Here is the output from running dokku letsencrypt:

=====> Let's Encrypt www.example.com
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le

420890c9e918: Already exists
e4a2ae244258: Already exists
5c6ac6d1c950: Already exists
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for www.example.com...
-----> Getting letsencrypt certificate for www.example.com...
        - Domain 'www.example.com'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
2016-05-15 19:22:37,824:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:38,063:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:38,305:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:38,564:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:38,924:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): www.example.com
2016-05-15 19:22:38,975:INFO:__main__:1305: www.example.com was successfully self-verified
2016-05-15 19:22:38,992:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:39,251:INFO:__main__:1313: Generating new certificate private key
2016-05-15 19:22:40,083:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:40,345:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:40,652:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-05-15 19:22:40,911:INFO:__main__:391: Saving fullchain.pem
2016-05-15 19:22:40,912:INFO:__main__:391: Saving chain.pem
2016-05-15 19:22:40,913:INFO:__main__:391: Saving cert.pem
2016-05-15 19:22:40,913:INFO:__main__:391: Saving key.pem
-----> Certificate retrieved successfully.
-----> Symlinking let's encrypt certificates
-----> Configuring www.example.com...(using built-in template)
-----> Creating https nginx.conf
-----> Running nginx-pre-reload
       Reloading nginx
-----> Disabling ACME proxy for www.example.com...
       done

I gather from reading other issues here that there have been some problems recently with changes to dokku, but I haven't been able to find anything that would help me solve this problem. Is this a bug, or am I doing something wrong?

Edit: running dokku domains appname returns www.example.com, running dokku urls appname returns https://www.example.com.

Hey! First off, congratulations on becoming an official Dokku plugin. I think this plugin really is the 'killer app' for Dokku, nice work.

Anyway, I came by to see how things are going since my last PR and I think the API could be cleaned up a little. These ideas will be breaking changes, but I hope to make the plugin easier to use and easier to add features later. Feel free to say 'no'. 😄

The first issue I noticed is user on-boarding got more complicated. Right now the minimum a new user has to do is:

sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
sudo dokku letsencrypt:email <app> <e-mail>
sudo dokku letsencrypt <app>

Ideally all a user should have to do is:

sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
sudo dokku letsencrypt <app>

This can be easily done because letsencrypt (and simp_le) lets you get new certs without an email address. See https://github.com/kuba/simp_le/blob/master/simp_le.py#L1233

Although it's recommended to add an email it raises the barrier for entry. I think the main appeal of this plugin is taking something that used to be massively complicated and turn it in to a one-liner.

Second issue I noticed is people are asking for more configuration options. This isn't a bad thing (shows popularity!), but the plugin will need a way to add more options in the future without increasing complexity.

I propose the API is reduced to:

$ dokku help
    letsencrypt <app>                 Enable or renew letsencrypt certificate for app
    letsencrypt:revoke <app>          Revoke letsencrypt certificate for app
    letsencrypt:info <app>            Print letsencrypt info about <app>

And use environment variables to add configuration options. The email setting workflow would go from:

sudo dokku letsencrypt:email <app> <e-mail>
sudo dokku letsencrypt <app>

To:

sudo LE_EMAIL=<e-mail> dokku letsencrypt <app>

On second run config can be read from the app so to renewing is just: letsencrypt <app>.

The main advantage is this will scale when more options are requested, like setting the ACME server:

sudo LE_EMAIL=<e-mail> LE_SERVER=staging dokku letsencrypt <app>

The list of commands wont need new set/get methods for every option. The letsencrypt:info command will be the universal get command.

The other advantage of this approach is people can set up their environment globally once for all apps.

Thoughts?

As requested in #19 - getting the following errors after having manually revoked my certificates:

6-04-11 09:04:12,559:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:13,007:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:13,339:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:13,607:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:13,957:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): my.app.url
2016-04-11 09:04:13,966:WARNING:__main__:1292: my.app.url was not successfully self-verified. CA is likely to fail as well!
2016-04-11 09:04:13,986:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:14,246:INFO:__main__:1302: Generating new certificate private key
2016-04-11 09:04:16,148:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-11 09:04:16,391:ERROR:__main__:1260: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/g6pR4I21X1sUOpBnIAmZotZdGpVTP5882BX-v_L3q7w
Challenge validation has failed, see error log.

Full dokku trace (URLs & email changed):
https://gist.github.com/haywirez/726f8f916cfd33beea42191fa8968aca

See dokku/dokku#1892

Greetings! First let me say thank you for this excellent plugin. It worked perfectly for me the first time I tried it, but I redeployed my dokku server with ansible and now I can't seem to letsencrypt anything at all.

Googling the error message shows some hits in the letsencrypt issues queue from back in October, but they're all closed and none of them seem to apply to me, because it doesn't seem to be writing any logs when invoked from within dokku.

Here's the error:
An unexpected error occurred:
PythonDialogBug
Please see the logfiles in /var/log/letsencrypt for more details.

Of course there is no letsencrypt log anywhere on the system (dokku doesn't write to the real /var/log, obviously, so I would expect there to be a var/log/ in the ~dokku/.letsencrypt directory, but it doesn't exist. I tried creating a 'log' directory in the 'var' directory that does exist, but that didn't work either. It's really hard to troubleshoot what is going on here exactly without being able to see any error logs.

Any suggestions? I wouldn't ever assume that a recent change to the plugin could have caused this, but it did work fine on Monday this week (with a different subdomain; when I re-deployed I also changed my subdomain from *.docker.example.com to *.apps.example.com (example.com as placeholder; I did actually use a working/resolving subdomain with appropriate wildcard dns.))

I tried changing my TERM to various things, thinking perhaps python was having issues opening a dialog as it did Monday the first time I ran it to prompt me for my email address. At first I thought it didn't like 'xterm' so I changed it to 'vt100' and then I remembered on Monday I was probably running in screen, so I ran screen and verified that my TERM was set to 'screen'. I think I've done as much troubleshooting as is possible without access to an actual verbose log file.

Thanks in advance for your time.

edit to include various random possibly-useful info:
system OS: Ubuntu 14.04.2 x64, fully updated
dokku version: 0.4.7
docker version: 1.9.1

I'm happy to provide any additional information, if needed!

further edit: I guess the logs end up in the docker container that gets created/destroyed, so I really don't have a good idea of what to do next.

I'm using dokku redirect plugin (https://github.com/dokku/dokku-redirect). Redirect domain names should be added to certificate for correct https redirects (for example, https://www.example.net to https://example.com). Plugin stores domains in the $APP/REDIRECTS file.

Workaround:

1. add redirect domains using "dokku domains:add"
2. issue certificate ("dokku letsencrypt")
3. remove redirect domains to fix nginx config ("dokku domains:clear")
4. add non-redirect domains using "dokku domains:add" (if you need more than 1)

Heya,

I'm trying to experiment with HTTP/2, and Dokku seems like a good path to work down, but I have a question about setting this up.

The nginx template that comes with this plugin looks to add in a custom location section, though from my tinkering around locally I have some further configurations in the server block like this:

server {
    listen                     443 ssl http2;
    server_name                localhost;

    ssl                        on;
    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate            cert.pem;
    ssl_certificate_key        cert.key;

    location / {
        proxy_pass          http://localhost:8080;
        proxy_set_header    Host      $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-HTTPS   'True';
    }
}

I feel like I don't really understand this is being set up in the end, so I could be overthinking this or underthinking it.... but any help with this would be really appreciated!

Thanks for the cool software.

After the dokku 0.5 upgrade debacle, It would be helpful to know what is currently working from a broad user base both for troubleshooting and for having a list of known-good configurations to make upgrading less scary/surprising. Please let me know the following:

• Your current dokku version and dokku-letsencrypt commit hash (go to /var/lib/dokku/plugins/available/letsencrypt and run git rev-parse HEAD)
• Your operating system + version (cat /etc/isue)
• What are you deploying?
• Is letsencrypt myapp working?
• Is letsencrypt:ls working?
• Is letsencrypt:auto-renew working?

Add hooks for the backup-export and backup-import triggers so that let's encrypt certificates and keys are backed up.

Could I somehow set this up so it will upload the new certs on Amazon CloudFront automatically each time they are renewed? I ask this because I'm running my dokku on an AWS EC2 instance, and would like to add CDN to supercharge my website speeds.

@sseemayer this plugin is super legit and I'd like to make it official, similar to how we handle the datastores etc.

Up to you, but would you be open to moving it into the dokku org? You obviously still get full admin access to the plugin :)

While dokku-http-auth or similar plugins are enabled on an app, the ACME validation will fail because the ACME server will not know how to authorize with the app.

Is there a way to bypass HTTP authentication for the /.well-known/ directory structure?

I was trying to revoke a certificate that I installed a few minutes earlier. The revoke process fails, app still redirects to https. When I try to revoke again, I get no existing certificate. Here is the full console log:

admin@host:~$ dokku letsencrypt:revoke ob-app-prod
=====> Revoke Let's Encrypt certificate from ob-app-prod...
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
420890c9e918: Already exists 
e4a2ae244258: Already exists 
5c6ac6d1c950: Already exists 
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Revoking letsencrypt certificate for ob-app-prod...
        - Domain 'app.mydomain.ch'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
No existing certificate

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate revocation failed (code 2)!
       done

After that, the letsencrypt:ls shows:

admin@host:~$ dokku letsencrypt:ls
-----> App name           Certificate Expiry        Time before expiry        Time before renewal      
ob-app-prod               2016-08-21 17:51:00       89d, 8h, 10s              59d, 8h, 10s        

Using dokku 0.5.5 and letsencrypt 0.8.2, Ubuntu 14.04.

When I install the plugin and try to encrypt an app on a digital ocean droplet running dokku 0.5.4 I get the following error.

root@dokku-messenger-512mb-sfo1-01:~# dokku letsencrypt isitsunny
=====> Let's Encrypt isitsunny
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
420890c9e918: Already exists 
e4a2ae244258: Already exists 
5c6ac6d1c950: Already exists 
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for isitsunny...
-----> Getting letsencrypt certificate for isitsunny...
        - Domain 'isitsunny.southfacingsoftware.com'
/var/lib/dokku/plugins/enabled/letsencrypt/subcommands/default: line 82: 60: command not found
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
simp_le.py: error: argument --valid_min: invalid int value: ''
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for isitsunny...
       done

Hi

I am hosting an application that uses websockets, and goes through CloudFlare.

Since CF does not support websockets, I have to route these seperately to a CNAME ws -> mydomain.com, and disable the CF for that specific record.

I get the following error:

WebSocket connection to 'wss://ws.mydomain.com/socket/websocket?vsn=1.0.0' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED

I'm guessing that's because the SSL is not properly setup on the subdomain

How can I fix this?

LetsEncrypt is unable to verify a domain behind http authentication. Since dokku-http-auth is an official plugin, it might be good to find a way to get these plugins to work together. If not, we can always add a note in the documentation that dokku-http-auth has to be disabled for this plugin to work correctly.

Here's the dokku output when trying to add letsencrypt to an app with http-auth turned on: https://gist.github.com/johnfraney/62b1dc5ccddd2c8a7358

Thanks for the great plugin!

It looks like the plugins does not support multiple apps that share the same domain but operate on different ports. In my setup I have an app that is available through nginx on port 80/443 and another on 8000/8080. While creating a certificate for the first app was easy, it didn't work for the second one:

=====> Let's Encrypt api
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
420890c9e918: Already exists 
e4a2ae244258: Already exists 
5c6ac6d1c950: Already exists 
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for api...
-----> Getting letsencrypt certificate for api...
        - Domain 'tunnel.connectingspaces.ch'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
2016-04-26 21:31:22,045:INFO:__main__:1211: Generating new account key
2016-04-26 21:31:22,805:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:23,132:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:23,353:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:24,187:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): letsencrypt.org
2016-04-26 21:31:24,892:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,132:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,392:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): tunnel.connectingspaces.ch
2016-04-26 21:31:25,395:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): tunnel.connectingspaces.ch
2016-04-26 21:31:25,444:WARNING:__main__:1303: tunnel.connectingspaces.ch was not successfully self-verified. CA is likely to fail as well!
2016-04-26 21:31:25,466:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,697:INFO:__main__:1313: Generating new certificate private key
2016-04-26 21:31:33,397:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:33,600:ERROR:__main__:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/2p5I0c2PcYSCNtvBRLaNjRnKpmYX-cT7WYD4PidChiw
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for api...
       done

I guess the different port configuration didn't allow the acme servers to reach the app... In that particular case it wouldn't actually be necessary to get a certificate as there is already one existing for that domain.

Maybe the plugin could store the certificates per domain and retrieve them if valid?

Now I ended up just symlinking the other apps certificate to the other, but that would break the autorenew process...

Any suggestions?

Any ideas here? Of course the cert expires today. Not even revoke works - I'd appreciate any tips on getting nginx to disable the cert in the meantime. Just updated to the latest plugin version too.

# dokku letsencrypt:auto-renew aqueousband.com
=====> Auto-renew aqueousband.com...
=====> Let's Encrypt aqueousband.com...
-----> Updating letsencrypt docker image...
latest: Pulling from m3adow/letsencrypt-simp_le
Digest: sha256:be1d7aca214d5277af18d7bf75a2bc78afa5a1eabf98aaa8a606c4ca2a7fdeb5
Status: Image is up to date for m3adow/letsencrypt-simp_le:latest
       done
-----> Enabling ACME proxy for aqueousband.com...
-----> Getting letsencrypt certificate for aqueousband.com...
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
You must set at least one -d/--vhost

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for aqueousband.com...
       done

Cert info:

# dokku certs:info aqueousband.com
-----> Fetching SSL Endpoint info for aqueousband.com...
-----> Certificate details:
=====> Common Name(s): 
=====>    aqueousband.com
=====>    aqueousband.com
=====> Expires At: Apr  5 04:28:00 2016 GMT
=====> Issuer: C=US, O=Lets Encrypt, CN=Lets Encrypt Authority X1
=====> Starts At: Jan  6 04:28:00 2016 GMT
=====> Subject: CN=aqueousband.com
=====> SSL certificate is self signed.

Add

ssl_trusted_certificate {{ .DOKKU_ROOT }}/{{ .APP }}/letsencrypt/certs/current/fullchain.pem;

in nginx config for apps with Lets Encrypt enabled.

This plugin should do this since it's not possible to handle effectively yourself because:

• You can't add stuff to you repo that end up in <dokku_app>/nginx.conf.d/
• <dokku_app>/nginx.conf cannot be extended. And creating a nginx.cong.sigil thats identical to the default with the only difference being the staplin', ain't a good solution.

Since https://github.com/kuba/simp_le is much easier to automate and there exists a much more compact docker container that is easy to use, move to use simp_le instead of the official client.

In the process, it will also be easy to deal with #13, #14 and #15.

As reported by @fruitl00p #18 , we currently get warning messages on non-SSL apps when running dokku letsencrypt:ls:

140668729374368:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/app1-without-tls/tls/server.crt','r')
140668729374368:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
Error opening Certificate /home/dokku/mediaweb/tls/server.crt
140609668568736:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/app2-without-tls/tls/server.crt','r')
140609668568736:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
Error opening Certificate /home/dokku/mediaweb2/tls/server.crt
140405065541280:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/app3-without-tls/tls/server.crt','r')
140405065541280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
Error opening Certificate /home/dokku/vraagsturing/tls/server.crt
139854962603680:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/app4-without-tls/tls/server.crt','r')
139854962603680:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate
Error opening Certificate /home/dokku/www-kerkenijmondnoord-nl/tls/server.crt
140535163012768:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/dokku/app4-without-tls/tls/server.crt','r')
140535163012768:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

Add a filter to only list and attempt to get certificate information for SSL-secured apps to fix warning messages.

Hi,

It seems command dokku letsencrypt:ls returns empty result.

Please have a look, thanks!

root@ubuntu:~/nginx/sites-enabled# dokku letsencrypt:auto-renew temp
       temp still has 59d, 22h, 55m, 36s days left before renewal
root@ubuntu:~/nginx/sites-enabled# dokku letsencrypt:ls
-----> App name           Certificate Expiry        Time before expiry        Time before renewal
root@ubuntu:~/nginx/sites-enabled# dokku letsencrypt:ls
-----> App name           Certificate Expiry        Time before expiry        Time before renewal

Since 68a53ca, account keys, private keys and certificates are stored in a subdirectory whose name is generated from the parameters that are passed to the simp_le client. Since every configuration change will thus result in a new folder being created, it would be nice to have a command to remove all old certificates that are not linked to by the $APP_ROOT/letsencrypt/certs/current symlink.

First, thanks for making this. The other plugin's approach is not nearly as good. 😄

Anyway, it appears you copied one of the bad practices from the other plugin. Namely owning /etc/letsencrypt with the user dokku: https://github.com/sseemayer/dokku-letsencrypt/blob/master/install#L7

The cert folder should only be readable/writable by root. This should be fine since they are only read when nginx starts up (as root to bind to port 80) and written to when created. You can use sudo for that. As far as I can tell just removing those two lines should let the plugin keep working, but I'm not 100% on that.

Cheers!

I've tried to add a cronjob with the
dokku letsencrypt:cron-job --add command, but neither dokku user nor admin or root have any crontab entries after that.

I'm using Dokku v0.5.5 with letsencrypt 0.8.2.

Currently the dockerized letsencrypt will always bind port 80 to port 8888 on the Docker host. Since this port may be already taken, it would be better to automatically determine a free port and set ACMEPORT accordingly here

When switching between staging and main let's encrypt servers, the let's encrypt client will not clobber pre-existing keys in ~dokku/.letsencrypt/etc/live but instead append a -0001 to a newly created folder. Make sure that the newly generated keys are symlinked after a successful run of the let's encrypt client.

Hello,

Today I tried to update one of my apps but it stopped at "Enabling ACME". I also tried updating the plugin and removing the TLS folder but without success.

Here is the log:
=====> Let's Encrypt youtrack...
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
420890c9e918: Already exists
e4a2ae244258: Pull complete
5c6ac6d1c950: Pull complete
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Downloaded newer image for dokkupaas/letsencrypt-simp_le:latest
done
-----> Enabling ACME proxy for youtrack...

An app might have multiple domains. dokku-letsencrypt should be able to obtain a certificate for all domains.

BTW, thanks for this plugin! This will definitely help a lot of people.

I've updated to dokku 0.5.3 and dokku-letsencrypt stopped working.

I've tracked first part of my problem and it turned out to be a problem with port in domain name, I fixed it with this patch:

diff --git a/functions b/functions
index f83e3e6..49c78f9 100755
--- a/functions
+++ b/functions
@@ -194,7 +194,7 @@ letsencrypt_configure_and_get_dir() {
   fi

   # construct domain arguments
-  DOMAINS=$(dokku urls "$APP" | sed "s,\\s,\n,g" | sed -re "s,https?://,," | sed -re "s,\\*\\.,," | uniq | xargs)
+  DOMAINS=$(dokku urls "$APP" | sed "s,\\s,\n,g" | sed -re "s,https?://,," | sed -re "s,\\*\\.,," | sed -re "s,:[0-9]+$,," | uniq | xargs)   DOMAIN_ARGS=''
   for DOMAIN in $DOMAINS; do
     dokku_log_verbose " - Domain '$DOMAIN'" >&2

After that .well-known is written in /var/www/html:

2016-04-03 15:35:48,444:DEBUG:__main__:978: Saving validation (u'e5qZ5J8e7jqE-5besOmhTGOnp9WeVzcBzoj0_ypyiZI.7FK3qYS8ifxcMDmTmvKh6yFmj1JAUKSQWVb64aEWnlM') at /var/www/html/.well-known/acme-challenge/e5qZ5J8e7jqE-5besOmhTGOnp9WeVzcBzoj0_ypyiZI

I've checked container filesystem (removed --rm and then commited a snapshot), and this file exists there. But:

2016-04-03 15:35:48,502:DEBUG:requests.packages.urllib3.connectionpool:387: "GET /.well-known/acme-challenge/e5qZ5J8e7jqE-5besOmhTGOnp9WeVzcBzoj0_ypyiZI HTTP/1.1" 404 None

Soo... Not really sure what to do now. Any pointers?

kuba/simp_le#29 says that simp_le creates private key as world readable.
dokku uses the files by root user. So I think they can set more secure permissions.

How about this patch?

diff --git a/functions b/functions
index 67e092a..7685bb3 100755
--- a/functions
+++ b/functions
@@ -68,6 +68,7 @@ letsencrypt_create_root () {
   # Set up folders
   if [ ! -d "$LETSENCRYPT_ROOT" ]; then
     mkdir -p "$LETSENCRYPT_ROOT"
+    chmod 600 "$LETSENCRYPT_ROOT"
   fi
 }

or this one?

diff --git a/functions b/functions
index 67e092a..a965ee4 100755
--- a/functions
+++ b/functions
@@ -69,6 +69,7 @@ letsencrypt_create_root () {
   if [ ! -d "$LETSENCRYPT_ROOT" ]; then
     mkdir -p "$LETSENCRYPT_ROOT"
   fi
+  chmod 600 "$LETSENCRYPT_ROOT"
 }

 letsencrypt_get() {

• dokku 0.5.4 with dokku-letsencrypt 5338510
• Ubuntu 14.04.4 LTS

letsencrypt app1 worked great for the first app, but on the second app, letsencrypt app2 fails at the verification stage:

2016-04-15 04:13:20,170:ERROR:acme.challenges:267: Unable to reach http://app2.apps.example.com/.well-known/acme-challenge/FdhXO8u3IWsE7VNqZZXphq-JeHWcFycEMy-uu4uveh4: hostname 'app2.apps.example.com' doesn't match 'app1.apps.example.com'
2016-04-15 04:13:20,170:WARNING:__main__:1292: app2.apps.example.com was not successfully self-verified. CA is likely to fail as well!

Any ideas? Is this related to dokku 0.5 compat?

Renewal doesn't work as cron job

Easy to reproduce by executing:

:| dokku letsencrypt APP

-----> Let's Encrypt APP...
-----> Updating letsencrypt docker image...
...
-----> Enabling ACME proxy for APP...
-----> Getting letsencrypt certificate for APP...
        - Domain 'APP.TLD'
cannot enable tty mode on non tty input

Hi

I am kinda new to all these server set up.
Does this play well with cloudflare?

My understanding is that if you are using the flexible SSL certificate and once you have implemented letsencrypt you may change flexible to full SSL but on a free account users will still see that the cert is provided by cloudflare. Is this correct?

If so is it really that easy to just follow your steps in the readme after you get the cert successfully (and nginx restarted auto configured) you go to your cloudflare domain panel and change to full ssl everything will work? Seems too easy for me lol ;) so i want make sure this is the case before i implement

thanks in advance for your help! would love to contribute some documentation regarding cloudflare and this excellent plugin

Hi there,

Thanks for dokku-letsencrypt, it's almost magical after being used to
non letsencrypt ssl configuration :)

One problem with it is that the rate limit for letsencrypt is very
easily hit:

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: <domain>
Please see the logfiles in /var/log/letsencrypt for more details.

The problem is that it will try to issue a certificate for every single
domain of the app, included the default <app>.<dokku_domain> one (so
making sure to use a domain per app wouldn't help).

Do you think it would be possible to either omit the default domain, or
maybe to specify which domains should have a ssl certificate?

I've successfully used this great plugin on few servers running dokku, but now one simply does nothing when running the following:

dokku letsencrypt <myapp>

It doesn't give any error messages whatsoever. Any suggestions what could be causing this?

Add a command to the plugin to facilitate certificate revocation.

Update to 0.5.0 applies wrong cert to some applications. The first application in alphabetical orders cert is applied to these apps.

It's not clear from the readme which domains this gets certificates for. If I've added multiple domains to an app before running this, will it get a certificate to cover all the domains. If not, is there a way to specify which domain I want to get a certificate for (I've looked through the source code, and this doesn't look possible).

When requesting certs for apps with more than one vhost, simp_le fails.

-----> Enabling ACME proxy for my-app...
-----> Getting letsencrypt certificate for my-app...
        - Domain 'sub1.myapp.tld
sub2.myapp.tld'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
simp_le.py: error: unrecognized arguments: sub2.myapp.tld
-----> Certificate retrieval failed!

A dokku trace confirms that it's due to a malformed call to simp_le.py: dokku-letsencrypt parses the domains as a single string with newlines, hence fails to split them into separate "-d" arguments.

yes = DOKKU_LE_EMAIL
no = LETSENCRYPT_EMAIL

See dokku/dokku#1579 and https://github.com/dokku/dokku/tree/refactor-commands

@256dpi asks in #55:

Another Question: Is there a reason that the plugin does not have a command that automatically adds the autorenew to the roots crontab?

The reason that there is no command yet is that doing it manually is fairly easy and educative while automating could be more complicated. If anyone is interested in providing a PR for adding and removing cron entries I'd be happy to add this to the plugin, though! 👍

The best way would be to add the entry to the dokku (not root) user's crontab since that should theoretically be the most secure.

Since it is important that the letsencrypt command can be run from cron (i.e. no TTY), it is important that we're able to run the letsencrypt docker container without a TTY attached.

On first run of the plugin, the container will currently ask for the user's e-mail address to register a new account. In some configurations (ref. #14), the current terminal detection methods fail and the docker container crashes with the PythonDialogBug error.

Add a letsencrypt:register command that can be performed once to create a user account with let's encrypt and to ensure that future interactions with the docker container can run fully automated.

First of all, I'm love with this plugins. It's AMAZING!

Could be interesting add a flag option or something similar to activate crontab auto-renew.

Or add in the documentation an example of how to do it for newbies :-)

Potentially related: alex/letsencrypt-aws#30

root@dokku:~# dokku letsencrypt visualcosita
=====> Let's Encrypt visualcosita...
-----> Updating letsencrypt docker image...
latest: Pulling from m3adow/letsencrypt-simp_le
420890c9e918: Already exists
acbaf1e6012f: Pull complete
5f71a1a2d3dc: Pull complete
Digest: sha256:be1d7aca214d5277af18d7bf75a2bc78afa5a1eabf98aaa8a606c4ca2a7fdeb5
Status: Downloaded newer image for m3adow/letsencrypt-simp_le:latest
       done
-----> Enabling ACME proxy for visualcosita...
-----> Getting letsencrypt certificate for visualcosita...
        - Domain 'visualcosita.dokku.josediazgonzalez.com'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
2016-04-16 20:18:11,149:INFO:__main__:1207: Generating new account key
2016-04-16 20:18:11,830:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-16 20:18:11,999:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-16 20:18:12,192:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-16 20:18:12,498:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): letsencrypt.org
2016-04-16 20:18:13,125:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Traceback (most recent call last):
  File "/simp_le-master/simp_le.py", line 1397, in main
    return main_with_exceptions(cli_args)
  File "/simp_le-master/simp_le.py", line 1382, in main_with_exceptions
    new_data(args, existing_data)
  File "/simp_le-master/simp_le.py", line 1283, in new_data
    for vhost in args.vhosts
  File "/simp_le-master/simp_le.py", line 1283, in <genexpr>
    for vhost in args.vhosts
TypeError: request_domain_challenges() got an unexpected keyword argument 'new_authzr_uri'

Unhandled error has happened, traceback is above

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for visualcosita...
       done

Thoughts?