search

josegonzalez / dokku-global-cert

allows setting a global certificate for applications
MIT License
20 stars 6 forks source link

how to enable wildcard ssl certificate for an app #2

Open Finkes opened 7 years ago

Finkes commented 7 years ago

I have trouble using this plugin. I could install it and add my cert and key files. But newly created apps are still not served via HTTPS. They are still only running using HTTP. I use dockerfile deployments and my certificate is a wildcard certificate (*.mydomain.com) and dokku ist running at dokku.mydomain.com, so all services are served as .dokku.mydomain.com

Do I have to somehow enable the global cert per app? is this plugin still working with the latest dokku version? (v.0.10.3)

mjrb commented 4 years ago

I also ran into this issue, it seems like the plugin uses an post-create hook to attach the cert to an app, so it won't attach the cert to any app that was already created. this can probably be fixed by adding an extra install step to add ssl to any existing app

the work around i used was to just delete my apps and push them again, but this can be time consuming/not acceptable for some environments.

ct-martin commented 4 years ago

I "fixed" the issue with wildcard certs configured at the pre-app Nginx level (using Let's Encrypt), which then gets proxied to HTTP (non-S). It's not an ideal solution, but in lieu of a better one it works pretty well.

Here's my config in case anyone would find it useful:

(Click to show) ``` $ cat /etc/nginx/conf.d/00-ssl.conf server { listen 443 ssl; listen [::]:443 ssl; server_name .ctmartin.dev; ssl_certificate /etc/letsencrypt/live/ctmartin.dev/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ctmartin.dev/privkey.pem; location / { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_http_version 1.1; proxy_pass http://localhost; } } server { listen 443 ssl; listen [::]:443 ssl; server_name .ctmartin.me; ssl_certificate /etc/letsencrypt/live/ctmartin.me/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/ctmartin.me/privkey.pem; location / { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $http_host; proxy_http_version 1.1; proxy_pass http://localhost; } } ```

Tip: if you only have one wildcard domain, you only need one of those blocks; if you need more you can add more.