Add wildcard support via DNS-01 challenge #189

Closed
nabati opened this issue Oct 14, 2019 · 14 comments · Fixed by #295
Comments

@nabati commented Oct 14, 2019

Note

As of 0.12.0, dokku-letsencrypt will be in a position to add dns-01 challenge support. That said, it'll still need work to enable the environment variable support needed. Until someone volunteers or sponsors the work, wildcard support is not officially supported by this plugin.

Original Post

Thanks to @dean1012 for handling the upgrade to ACMEv2 in #184. Judging by the closing of #147 I thought that wildcard certs would be working, but when I add a wildcard domain to my app and try to letsencrypt, I consistently get a TimeoutError. Could someone else confirm that they get the same behavior?

root@ubuntu-s-1vcpu-2gb-ams3-01:~# dokku letsencrypt nabatism.com
=====> Let's Encrypt nabatism.com
-----> Updating letsencrypt docker image...
0.1.0: Pulling from dokku/letsencrypt
Digest: sha256:af5f8529c407645e97821ad28eba328f4c59b83b2141334f899303c49fc07823
Status: Image is up to date for dokku/letsencrypt:0.1.0
docker.io/dokku/letsencrypt:0.1.0
       Done updating
-----> Enabling ACME proxy for nabatism.com...
-----> Getting letsencrypt certificate for nabatism.com...
        - Domain 'nabatism.com'
        - Domain '*.nabatism.com'
darkhttpd/1.12, copyright (c) 2003-2016 Emil Mikulic.
listening on: http://0.0.0.0:80/
2019-10-14 05:15:07,899:INFO:__main__:1317: Generating new account key
2019-10-14 05:15:10,497:INFO:__main__:1343: By using simp_le, you implicitly agree to the CA's terms of service: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2019-10-14 05:15:11,789:INFO:__main__:1406: Generating new certificate private key
Traceback (most recent call last):
  File "/simp_le/simp_le.py", line 1551, in main
    return main_with_exceptions(cli_args)
  File "/simp_le/simp_le.py", line 1535, in main_with_exceptions
    persist_new_data(args, existing_data)
  File "/simp_le/simp_le.py", line 1435, in persist_new_data
    order = finalize_order(client, order)
  File "/simp_le/simp_le.py", line 1362, in finalize_order
    finalized_order = client.poll_and_finalize(order)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 697, in poll_and_finalize
    orderr = self.poll_authorizations(orderr, deadline)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 713, in poll_authorizations
    raise errors.TimeoutError()
TimeoutError
@dean1012 (Contributor)

Actually, there may have been some confusion. My work did not enable wildcard certificates nor did I test that functionality.

Wildcard functionality would require that we use DNS-01 challenge:

Additionally, wildcard domains must be validated using the DNS-01 challenge type. This means that you’ll need to modify DNS TXT records in order to demonstrate control over a domain for the purpose of obtaining a wildcard certificate.

Source: https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579

Right now, we use a simple document root (HTTP) challenge.

Using a DNS-01 challenge would be difficult to implement in a user friendly way.

First, we'd have to require that users set up configuration (similar to email address) for what DNS provider to use and the credentials to that provider. We'd also need a configuration flag to be set to tell the plugin to use wildcard certificates. Without the flag set, the plugin would default to the current method.

Finally, if a user sets the wildcard flag but not the DNS provider configuration settings (for example, if their domain's DNS isn't a supported provider), we'll need to tell the user to set the DNS record manually and then prompt them to continue the process.

And also consider that certificates are still handled on a per app basis meaning you would be creating several different wildcard certs unless that is changed too.

I'm not at all sure it would be worth it.

It would be easier to create your own letsencrypt wildcard cert and then use the certs command to associate it with all your apps yourself.
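The DNS-01 requirement quoted above can be made concrete. The following is an added example written for this thread, not code from dokku-letsencrypt, simp_le or Let's Encrypt. It computes the TXT value a CA looks for under RFC 8555 section 8.4 (base64url of SHA-256 over token '.' account-key-thumbprint) and checks, against a zone view, whether every authorization in an order already has its record in place. The account JWK, tokens, domain and zone contents are constructed placeholders; a real client takes the tokens from the order's authorization objects and queries DNS instead of a dict. It also shows the detail any plan for this plugin has to handle: `*.example.com` and `example.com` validate at the same `_acme-challenge.example.com` name, so two distinct TXT records must coexist there.

```python
# Added example: DNS-01 arithmetic and a pre-flight check for wildcard orders.
# Not code from dokku-letsencrypt or simp_le; JWK, tokens and zone are constructed.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """ACME uses base64url with the '=' padding removed (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT RDATA is base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(identifier: str) -> str:
    """'*.example.com' and 'example.com' both validate at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + base.rstrip(".") + "."


def required_txt_records(authz_tokens: dict, thumbprint: str) -> dict:
    """Map each challenge name to the set of TXT values the CA will look for.

    authz_tokens: identifier -> the dns-01 token from that identifier's authorization.
    Several identifiers may share one name (wildcard + base), so values are a set.
    """
    needed: dict = {}
    for identifier, token in authz_tokens.items():
        needed.setdefault(challenge_name(identifier), set()).add(dns01_txt_value(token, thumbprint))
    return needed


def missing_txt_records(needed: dict, zone_txt: dict) -> dict:
    """Return the values not yet served, keyed by name.

    zone_txt maps an FQDN (trailing dot) to the list of TXT strings a resolver returns.
    An empty result is the only state in which every authorization can succeed; asking the
    CA to validate before then leaves some authorizations pending until the client's poll
    deadline expires.
    """
    missing = {}
    for name, values in needed.items():
        absent = values - set(zone_txt.get(name, []))
        if absent:
            missing[name] = absent
    return missing


# Constructed account JWK: the thumbprint only hashes the members, so no real key is needed.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus", "alg": "RS256"}


def demo() -> dict:
    """Order for example.com + *.example.com where only the base-domain record was published."""
    thumb = jwk_thumbprint(ACCOUNT_JWK)
    tokens = {"example.com": "tokenA-constructed", "*.example.com": "tokenB-constructed"}
    needed = required_txt_records(tokens, thumb)
    zone = {"_acme-challenge.example.com.": [dns01_txt_value("tokenA-constructed", thumb)]}
    return missing_txt_records(needed, zone)


if __name__ == "__main__":
    for name, values in demo().items():
        for value in sorted(values):
            print(f"still missing: {name} TXT \"{value}\"")
```

In the demo the wildcard authorization's value is reported as missing even though the name already has a TXT record, which is the case a naive "does `_acme-challenge` exist?" check gets wrong. A plugin automating DNS-01 would publish every value in `required_txt_records`, wait until `missing_txt_records` is empty from the resolver's point of view, and only then tell the CA to validate.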

@iplanwebsites

Wildcard certs aren't supported (freely) by Cloudflare, so I was hoping to set one up on Dokku directly but figured they don't seem to be supported.
It'd be especially helpful to have wildcard certs in Dokku IMHO ;)
As for the UX, it's always a horrible workflow to set up certs, so anything might be an improvement.
Otherwise, what would be a good alternative option to enable SSL on wildcard subdomains?

@josegonzalez (Member)

@iplanwebsites is this something you'd be interested in sponsoring? Otherwise, pull requests are always welcome!

@weyert commented Dec 14, 2019

There is another ACME solution which offers integration with multiple DNS providers to update the DNS records for wildcard domains. Only then we would need to switch; I am not sure if this is something we would like to do?

@archonic

👍 for wildcard support. Perhaps a bounty could be setup? I'd chip in.

@CyberMew

I’m using wildcard without issues..

@archonic

@CyberMew Do you know if support for wildcard from LetsEncrypt is a recent thing? Or know of a resource that specifies how to do that? My devops guy thinks it can't be done.

@josegonzalez (Member)

This should be more easily possible once #220 gets merged, but someone still needs to figure out env var support and configuration for the dns based solution.

josegonzalez changed the title from "Wildcard domains give TimeoutError" to "Add wildcard support via DNS-01 challenge" on Mar 23, 2021
@benatkin commented May 6, 2021

@archonic it's been around for a while now. March 2018. #189

However, Let's Encrypt started issuing certs in 2014, so for several years it did not support wildcard certificates.

LE definitely supports Wildcard certs now. Some tools that integrate with LE including this one, don't, however.

@benatkin commented May 6, 2021

What does environment variable support mean in this context?

@benatkin commented May 7, 2021

I looked through some blog posts. I'm probably going to follow this one, but with a list of apps rather than a single app. https://petr.codes/blog/dokku/wildcard-certificate/

@josegonzalez (Member)

We need a way to set arbitrary properties (basically the same as the Kubernetes scheduler) and then a way to set the DNS provider. That will then let us automate it via DNS.

@CyberMew commented May 8, 2021

@archonic sorry for the late reply. I was using this https://github.com/josegonzalez/dokku-global-cert

@louwers commented Mar 16, 2022

DNS-01 challenge is also very interesting for when running Dokku inside a VPN (but you still want to use HTTPS).
