
Add support for wildcard domains via DNS-01 challenge #295

Merged
merged 9 commits into from
Jan 28, 2023

Conversation

josegonzalez
Member

This MR implements support for DNS-01 challenges via lego, which is necessary for wildcard domain support. My testing shows that everything works normally except for revoking certificates when you have multiple domains, at least one of which is a wildcard certificate. It's not clear to me that this ever worked, so I think that's an okay trade-off (the revoke command isn't even documented, and this seems like a lego bug from my investigation).

Closes #189
Refs #257
Refs #197
Refs #203
Refs #147
Refs #170
Refs #148
Refs #144
Refs #110
Refs #125
Refs #114
Refs #7

@josegonzalez josegonzalez merged commit 1904043 into master Jan 28, 2023
@josegonzalez josegonzalez deleted the dns-01-challenge branch January 28, 2023 10:26
@louwers

louwers commented Jan 28, 2023

Awesome!

@michaelyork

michaelyork commented Feb 1, 2023

Yes! 🫶🏼

@atwoodjw

atwoodjw commented Feb 2, 2023

I can't seem to request a wildcard cert and assign to an app. Based on the README updates in this PR, I tried the following.

sudo dokku plugin:install https://github.com/dokku/dokku-letsencrypt.git
dokku letsencrypt:set --global dns-provider route53
dokku letsencrypt:set --global dns-provider-AWS_ACCESS_KEY_ID XXX
dokku letsencrypt:set --global dns-provider-AWS_SECRET_ACCESS_KEY XXX
dokku letsencrypt:enable ruby-getting-started
user@dokku:~$ dokku letsencrypt:list
-----> App name           Certificate Expiry        Time before expiry        Time before renewal
ruby-getting-started      2023-05-02 17:05:49       89d, 17h, 22m, 39s        59d, 17h, 22m, 39s

But this generates a non-wildcard (ruby-getting-started.mydomain.com).

What am I missing?

@josegonzalez
Member Author

What is the output of dokku domains:report for that app?

@atwoodjw

atwoodjw commented Feb 2, 2023

user@dokku:~$ dokku domains:report
=====> ruby-getting-started domains information
       Domains app enabled:           true
       Domains app vhosts:            ruby-getting-started.mydomain.com
       Domains global enabled:        true
       Domains global vhosts:         mydomain.com

@josegonzalez
Member Author

If you want a wildcard cert on your domain, you need to attach the wildcard domain to your app. This plugin only fetches certificates for domains attached to the app.

@atwoodjw

atwoodjw commented Feb 2, 2023

Thanks for your help. Sorry for the noob questions.

I think I'm a bit confused by the terminology. Attaching the wildcard domain to the app leads me to believe *.mydomain.com will route to my app (ruby-getting-started). Wouldn't this prevent me from deploying additional apps (e.g. node-js-getting-started), since all other app domains would match the wildcard domain?

My goal is to have a global domain (mydomain.com) and a wildcard LE cert (mydomain.com, *.mydomain.com). And when I deploy an app to Dokku (like ruby-getting-started), have it be hosted at ruby-getting-started.mydomain.com and configured with the wildcard LE cert.

@josegonzalez
Member Author

If you add a specific domain to another app, that would take precedence over the app that has the wildcard domain associated, so no, it wouldn't prevent you from deploying additional apps.

@atwoodjw

atwoodjw commented Feb 3, 2023

I'm still not able to get this working.

I can add the wildcard domain, but then I get an error generating the cert, as the non-wildcard domain is redundant.

user@dokku:~$ dokku domains:add ruby-getting-started *.mydomain.com
-----> Added *.mydomain.com to ruby-getting-started
 !     Please run dokku letsencrypt:enable to add https support to the new domain
-----> Configuring *.mydomain.com...(using built-in template)
-----> Configuring ruby-getting-started.mydomain.com...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx

user@dokku:~$ dokku domains:report ruby-getting-started
=====> ruby-getting-started domains information
       Domains app enabled:           true
       Domains app vhosts:            ruby-getting-started.mydomain.com *.mydomain.com
       Domains global enabled:        true
       Domains global vhosts:         mydomain.com

user@dokku:~$ dokku letsencrypt:enable ruby-getting-started
=====> Enabling letsencrypt for ruby-getting-started
-----> Enabling ACME proxy for ruby-getting-started...
-----> Getting letsencrypt certificate for ruby-getting-started via DNS-01
        - Domain 'ruby-getting-started.mydomain.com'
        - Domain '*.mydomain.com'
2023/02/03 02:19:02 [INFO] [ruby-getting-started.mydomain.com, *.mydomain.com] acme: Obtaining bundled SAN certificate
2023/02/03 02:19:02 Could not obtain certificates:
	acme: error: 400 :: POST :: https://acme-staging-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Error creating new order :: Domain name "ruby-getting-started.mydomain.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for ruby-getting-started...
 !     Failed to setup letsencrypt
 !     Check log output for further information on failure

If I remove the non-wildcard domain, there's some issue with the generated crt file.

user@dokku:~$ dokku domains:remove ruby-getting-started ruby-getting-started.mydomain.com
-----> Removed ruby-getting-started.mydomain.com from ruby-getting-started
-----> No matching configured domains for ruby-getting-started found in SSL certificate. Your app will show as insecure in a browser if accessed via SSL
-----> Please add appropriate domains via the dokku domains command
-----> Configured domains for app:
=====> *.mydomain.com
-----> Domains found in SSL certificate:
=====> ruby-getting-started.mydomain.com
-----> Configuring *.mydomain.com...(using built-in template)
-----> Creating https nginx.conf
       Enabling HSTS
       Reloading nginx

user@dokku:~$ dokku domains:report ruby-getting-started
=====> ruby-getting-started domains information
       Domains app enabled:           true
       Domains app vhosts:            *.mydomain.com
       Domains global enabled:        true
       Domains global vhosts:         mydomain.com

user@dokku:~$ dokku letsencrypt:enable ruby-getting-started
=====> Enabling letsencrypt for ruby-getting-started
-----> Enabling ACME proxy for ruby-getting-started...
-----> Getting letsencrypt certificate for ruby-getting-started via DNS-01
        - Domain '*.mydomain.com'
2023/02/03 02:23:24 No key found for account [email protected]. Generating a P256 key.
2023/02/03 02:23:24 Saved key to /certs/accounts/acme-staging-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2023/02/03 02:23:24 [INFO] acme: Registering account for [email protected]
       !!!! HEADS UP !!!!

       Your account credentials have been saved in your Let's Encrypt
       configuration directory at "/certs/accounts".

       You should make a secure backup of this folder now. This
       configuration directory will also contain certificates and
       private keys obtained from Let's Encrypt so making regular
       backups of this folder is ideal.
2023/02/03 02:23:24 [INFO] [*.mydomain.com] acme: Obtaining bundled SAN certificate
2023/02/03 02:23:24 [INFO] [*.mydomain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/5213455833
2023/02/03 02:23:24 [INFO] [*.mydomain.com] acme: use dns-01 solver
2023/02/03 02:23:24 [INFO] [*.mydomain.com] acme: Preparing to solve DNS-01
2023/02/03 02:23:25 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2023/02/03 02:24:00 [INFO] [*.mydomain.com] acme: Trying to solve DNS-01
2023/02/03 02:24:00 [INFO] [*.mydomain.com] acme: Checking DNS record propagation using [192.168.1.1:53]
2023/02/03 02:24:04 [INFO] Wait for propagation [timeout: 2m0s, interval: 4s]
2023/02/03 02:24:11 [INFO] [*.mydomain.com] The server validated our request
2023/02/03 02:24:11 [INFO] [*.mydomain.com] acme: Cleaning DNS-01 challenge
2023/02/03 02:24:12 [INFO] Wait for route53 [timeout: 2m0s, interval: 4s]
2023/02/03 02:24:33 [INFO] [*.mydomain.com] acme: Validations succeeded; requesting certificates
2023/02/03 02:24:34 [INFO] [*.mydomain.com] Server responded with a certificate.
-----> Certificate retrieved successfully.
-----> Installing let's encrypt certificates
 !     CRT file specified not found, please check file paths
cp: cannot stat '/home/dokku/ruby-getting-started/letsencrypt/certs/5c0b57f16f858fe9b5d4f63accd5ac3dd75bfbe3/certificates/*.mydomain.com.crt': No such file or directory
cp: cannot stat '/home/dokku/ruby-getting-started/letsencrypt/certs/5c0b57f16f858fe9b5d4f63accd5ac3dd75bfbe3/certificates/*.mydomain.com.crt': No such file or directory
-----> Ensuring network configuration is in sync for ruby-getting-started
 !     Ignoring detected https port mapping without an accompanying ssl certificate (https:443:5000)
-----> Configuring *.mydomain.com...(using built-in template)
-----> Creating http nginx.conf
       Reloading nginx
-----> Disabling ACME proxy for ruby-getting-started...
-----> Done
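
The first failure in the comment above is the CA enforcing an ordering rule: a name that a wildcard in the same request already covers is "redundant", and the whole order is rejected as malformed. The following pre-flight check is an added example, not code from the dokku-letsencrypt plugin or from lego; the function names are mine. It assumes Let's Encrypt's wildcard semantics, where `*.mydomain.com` covers exactly one label (so it covers `ruby-getting-started.mydomain.com` but neither the apex `mydomain.com` nor `a.b.mydomain.com`), and it turns the app's vhost list into the `dokku domains:remove` command that would make the order acceptable, before a failed order is counted against the CA.

```python
"""Pre-flight check for an ACME order that mixes wildcard and specific names.

Added example (not code from dokku-letsencrypt or lego). It encodes the rule
behind the error quoted in this thread: Let's Encrypt rejects an order in
which a name is "redundant with a wildcard domain in the same request".

Assumption (matches Let's Encrypt behaviour): a wildcard covers exactly one
label, so '*.mydomain.com' covers 'app.mydomain.com' but not 'mydomain.com'
and not 'a.b.mydomain.com'.
"""


def wildcard_covers(wildcard: str, name: str) -> bool:
    """Return True if `wildcard` (e.g. '*.mydomain.com') covers `name`."""
    if not wildcard.startswith("*."):
        return False
    suffix = wildcard[1:].lower()          # '.mydomain.com'
    name = name.lower()
    if not name.endswith(suffix):
        return False
    head = name[: -len(suffix)]            # the part the '*' would stand for
    # Exactly one non-empty label, and not itself a wildcard.
    return head != "" and "." not in head and head != "*"


def redundant_names(domains):
    """Names in `domains` that a wildcard in the same list already covers."""
    wildcards = [d for d in domains if d.startswith("*.")]
    return [
        d for d in domains
        if not d.startswith("*.") and any(wildcard_covers(w, d) for w in wildcards)
    ]


def removal_commands(app: str, domains):
    """dokku commands that would make the app's vhost list orderable.

    Removing the specific name (rather than the wildcard) keeps the wildcard
    certificate the user is after; the vhost is still served by the wildcard.
    """
    return [f"dokku domains:remove {app} {d}" for d in redundant_names(domains)]


if __name__ == "__main__":
    # Constructed input: the vhost list shown by domains:report in this thread.
    app = "ruby-getting-started"
    vhosts = ["ruby-getting-started.mydomain.com", "*.mydomain.com"]
    for cmd in removal_commands(app, vhosts):
        print(cmd)
```

Because the apex is not covered by the one-label wildcard, a list of `mydomain.com` plus `*.mydomain.com` produces no removal commands: that pair is a valid single order, which is the combination the earlier comment asks for.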

@josegonzalez
Member Author

Mind creating a new ticket? Debugging in a GitHub PR is not a great experience ;)
