Setting up Let's Encrypt on Dokku

TL;DR - Free SSL/TLS certs anyone?

Today, the Googol GLaDOS Simulator and projects•hakobyte are running on the awesome Heroku platform.[1] Ever since I’ve been on Heroku, they have provided free SSL only on the *.herokuapp.com wildcard domain, which is fine, since my web apps are small. But Heroku is offering SSL at $20/mo for one web application. In my situation, this is pretty expensive for a small web app like projects•hakobyte, especially if I decide to create more apps on Heroku that require SSL.

Luckily, there’s an initiative to push forward HTTPS as the default for the web. Last year, Cloudflare introduced Universal SSL to all Cloudflare-enabled sites (even this very one!), and there is a newcomer called Let’s Encrypt.

For those who are unaware of Let’s Encrypt:

"Let’s Encrypt is a free, automated, and open certificate authority brought to you by the Internet Security Research Group (ISRG)." (Source: Let’s Encrypt)

This means you can set up SSL/TLS on your domain and get that free of charge!

You can see an example of a Let’s Encrypt enabled site here.

Dokku is a mini platform as a service (PaaS) powered by Docker. It’s like Heroku except that you own it.

This guide assumes you have Dokku installed on your VPS, and you have an app up and running. If you are on Dokku 0.4 you can check out dokku-letsencrypt or dokku-letsencrypt (Zero downtime). If you prefer the manual approach, you can install Let’s Encrypt with the following bash commands:

Note: nginx needs to be stopped before you execute ./letsencrypt-auto. This will most likely be redundant once the public beta is out.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
service nginx stop
./letsencrypt-auto certonly -d www.yourdomain.com auth

You should be asked to enter your recovery email, and your certificates should be successfully generated at:

/etc/letsencrypt/live/www.yourdomain.com/

Next, bundle up the certificate and private key in a tar file and send it to Dokku.

I had trouble with the *.pem certificates because they were still symlinked in the tar archive. This caused Dokku to not load the certificates properly, so I did this:

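# work in the directory that holds the generated certificates
cd /etc/letsencrypt/live/www.yourdomain.com/
# cat reads through the symlinks, so server.crt and server.key are regular files
cat fullchain.pem > server.crt
cat privkey.pem > server.key
tar cvf certs.tar server.crt server.key
dokku certs:add yourapp < certs.tar
# check if certificates are installed.
dokku certs:info yourapp
service nginx restart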

Now your app should be running a Let’s Encrypt signed certificate!

wesley.hakobaito.co.uk is running with a Let’s Encrypt certificate installed.

Note that your cert expires in 90 days, so just automate renewal with a cron job. Let’s Encrypt recommends renewing certificates at day 60 just to be on the safe side.
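
The renewal described above, as an added example that is not part of the original post: a script for cron that renews only once the certificate is within 30 days of expiry (day 60 of 90), reuses the copy-then-tar step so the archive holds no symlinks, and restarts nginx even when renewal fails. DOMAIN, APP, LE_DIR and the script path are assumptions, and the --standalone and --renew-by-default flags are those of the beta-era client rather than the command shown earlier.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): renew at day 60 and reload Dokku.
# DOMAIN, APP and LE_DIR are placeholders/assumptions; run as root from cron.
DOMAIN="${DOMAIN:-www.yourdomain.com}"
APP="${APP:-yourapp}"
LE_DIR="${LE_DIR:-/opt/letsencrypt}"   # assumed location of the git clone
LIVE="/etc/letsencrypt/live/$DOMAIN"
RENEW_BEFORE_DAYS=30                   # 90-day lifetime, so this is day 60

# Succeeds when the cert in $1 expires within $2 days or cannot be read.
needs_renewal() {
  [ -r "$1" ] || return 0
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Writes server.crt/server.key from directory $1 into tar file $2.
# cat follows the symlinks in live/, so the archive holds regular files.
bundle_certs() {
  local tmp rc
  tmp="$(mktemp -d)" || return 1
  ( umask 077                          # private key copy readable by owner only
    cat "$1/fullchain.pem" > "$tmp/server.crt" &&
    cat "$1/privkey.pem" > "$tmp/server.key" &&
    tar cf "$2" -C "$tmp" server.crt server.key )
  rc=$?
  rm -rf "$tmp"                        # do not leave key copies behind
  return "$rc"
}

renew() {
  needs_renewal "$LIVE/fullchain.pem" "$RENEW_BEFORE_DAYS" || return 0
  local tarball rc=0
  tarball="$(mktemp)" || return 1
  service nginx stop
  # Flags as documented for the beta-era client; newer clients may differ.
  if (cd "$LE_DIR" && ./letsencrypt-auto certonly --standalone \
        --renew-by-default -d "$DOMAIN") && bundle_certs "$LIVE" "$tarball"; then
    dokku certs:add "$APP" < "$tarball" || rc=1
  else
    rc=1
  fi
  rm -f "$tarball"
  service nginx restart                # always bring nginx back, even on failure
  return "$rc"
}

# Only act when called with --run, e.g. from cron (script path is an assumption):
#   0 3 * * * /usr/local/bin/renew-dokku-cert.sh --run
if [ "${1:-}" = "--run" ]; then renew; fi
```

Running it daily is safe because nginx is only stopped on days when the expiry check says a renewal is due.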



1. Since this post was made, projects•hakobyte has now moved to Dokku hosted on DigitalOcean.
