Multiple apps on same domain #55

Closed
256dpi opened this issue Apr 26, 2016 · 3 comments
Comments

@256dpi
Contributor

256dpi commented Apr 26, 2016

Thanks for the great plugin!

It looks like the plugin does not support multiple apps that share the same domain but operate on different ports. In my setup I have an app that is available through nginx on port 80/443 and another on 8000/8080. While creating a certificate for the first app was easy, it didn't work for the second one:

=====> Let's Encrypt api
-----> Updating letsencrypt docker image...
latest: Pulling from dokkupaas/letsencrypt-simp_le
420890c9e918: Already exists 
e4a2ae244258: Already exists 
5c6ac6d1c950: Already exists 
Digest: sha256:18a19b34beceba79dd5be458abe7e132fc7486da1da19cc4d0395ad4578031ef
Status: Image is up to date for dokkupaas/letsencrypt-simp_le:latest
       done updating
-----> Enabling ACME proxy for api...
-----> Getting letsencrypt certificate for api...
        - Domain 'tunnel.connectingspaces.ch'
darkhttpd/1.11, copyright (c) 2003-2015 Emil Mikulic.
listening on: http://0.0.0.0:80/
2016-04-26 21:31:22,045:INFO:__main__:1211: Generating new account key
2016-04-26 21:31:22,805:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:23,132:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:23,353:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:24,187:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): letsencrypt.org
2016-04-26 21:31:24,892:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,132:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,392:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): tunnel.connectingspaces.ch
2016-04-26 21:31:25,395:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): tunnel.connectingspaces.ch
2016-04-26 21:31:25,444:WARNING:__main__:1303: tunnel.connectingspaces.ch was not successfully self-verified. CA is likely to fail as well!
2016-04-26 21:31:25,466:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:25,697:INFO:__main__:1313: Generating new certificate private key
2016-04-26 21:31:33,397:INFO:requests.packages.urllib3.connectionpool:758: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-04-26 21:31:33,600:ERROR:__main__:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/2p5I0c2PcYSCNtvBRLaNjRnKpmYX-cT7WYD4PidChiw
Challenge validation has failed, see error log.

Debugging tips: -v improves output verbosity. Help is available under --help.
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for api...
       done

I guess the different port configuration didn't allow the acme servers to reach the app... In that particular case it wouldn't actually be necessary to get a certificate as there is already one existing for that domain.

Maybe the plugin could store the certificates per domain and retrieve them if valid?

Now I ended up just symlinking the other app's certificate to the other, but that would break the autorenew process...

Any suggestions?

@sseemayer
Contributor

sseemayer commented Apr 27, 2016

Thanks for your interest in the plugin!

As you might have seen, the http-01 challenge used by dokku-letsencrypt to validate the domain doesn't allow verifying on anything other than port 80 because that might be a security risk for shared hosting (see e.g. this Let's Encrypt forum discussion).

On the other hand, dokku is designed in a way that there is always exactly one cert per app that should cover all of its domains. Detecting if two apps share the same set of domains would be possible but we'd have to reorganize how certificates are stored (currently, all let's encrypt data is stored on a per-app basis) making things much more complicated.

For your use case, symlinking should actually be the perfect solution since the auto-renew command will only consider an app to be secured by let's encrypt if its $APP_ROOT/tls/server.crt is a symlink pointing to $APP_ROOT/letsencrypt/certs/current/fullchain.pem. In your case, this check will succeed for your app listening on port 443 and consequently auto-renew the certificate when necessary, but will not detect your app with another port as being secured by dokku-letsencrypt because your symlink points to a certificate within another app. You can verify that this is the case by using dokku letsencrypt:ls. Your port 443 app should show up while the other one won't.
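The eligibility check sseemayer describes (server.crt must be a symlink to the app's own letsencrypt fullchain.pem) can be reproduced as a small audit script. The following is an added example, not code from dokku-letsencrypt; it assumes only the directory layout named in the comment ($APP_ROOT/tls/server.crt and $APP_ROOT/letsencrypt/certs/current/fullchain.pem) and builds a constructed two-app tree under a temporary directory, where app "api" carries the cross-app symlink workaround from the issue.

```shell
#!/bin/sh
# Added example (not part of dokku-letsencrypt). Reproduces the auto-renew
# eligibility rule: an app counts as Let's Encrypt managed only when its
# tls/server.crt is a symlink to its OWN letsencrypt/certs/current/fullchain.pem.
# Layout is an assumption taken from the maintainer's comment.

# Print a canonical form of a path, resolving symlinked parent directories
# (certs/current may itself be a link) so two spellings of one file compare
# equal. The file itself does not have to exist.
canonical_path() {
    dir="$(cd "$(dirname "$1")" 2>/dev/null && pwd -P)" || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# Return 0 if the app rooted at $1 is managed by the plugin, 1 otherwise.
is_letsencrypt_managed() {
    app_root="$1"
    crt="$app_root/tls/server.crt"
    expected="$app_root/letsencrypt/certs/current/fullchain.pem"
    [ -L "$crt" ] || return 1
    target="$(readlink "$crt")" || return 1
    # a relative link target is relative to the link's own directory
    case "$target" in
        /*) ;;
        *)  target="$app_root/tls/$target" ;;
    esac
    [ "$(canonical_path "$target")" = "$(canonical_path "$expected")" ]
}

# Like `dokku letsencrypt:ls`: print the managed apps under $1, one per line.
letsencrypt_ls() {
    for dir in "$1"/*/; do
        app="$(basename "$dir")"
        is_letsencrypt_managed "$1/$app" && echo "$app"
    done
    return 0
}

# Print apps whose server.crt IS a symlink but does not qualify: these are the
# hand-made cross-app links that auto-renew will silently skip.
unmanaged_symlinks() {
    for dir in "$1"/*/; do
        app="$(basename "$dir")"
        if [ -L "$1/$app/tls/server.crt" ] && ! is_letsencrypt_managed "$1/$app"; then
            echo "$app"
        fi
    done
    return 0
}

# Constructed fixture: "web" as the plugin would create it, "api" with the
# symlink-into-another-app workaround from the issue.
build_fixture() {
    root="$1"
    for app in web api; do
        mkdir -p "$root/$app/tls" "$root/$app/letsencrypt/certs/current"
        printf 'CONSTRUCTED CERT FOR %s\n' "$app" \
            > "$root/$app/letsencrypt/certs/current/fullchain.pem"
    done
    ln -s "$root/web/letsencrypt/certs/current/fullchain.pem" "$root/web/tls/server.crt"
    ln -s "$root/web/letsencrypt/certs/current/fullchain.pem" "$root/api/tls/server.crt"
}

main() {
    root="$(mktemp -d)"
    build_fixture "$root"
    echo "managed (will auto-renew):"; letsencrypt_ls "$root"
    echo "symlinked but NOT managed (will not auto-renew):"; unmanaged_symlinks "$root"
    rm -rf "$root"
}

# Run the demo only when asked, so the functions can also be sourced.
case "${1:-}" in --demo) main ;; esac
```

Run with `sh audit.sh --demo`; on the constructed tree it lists `web` as managed and `api` as a symlinked but unmanaged app, which is exactly the split the maintainer predicts for `dokku letsencrypt:ls`. Pointing the functions at a real `/home/dokku` directory turns this into a quick check that no app is relying on a certificate another app is responsible for renewing.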

@256dpi
Contributor Author

256dpi commented Apr 28, 2016

Thanks for the clarification. Even if the symlinking might work, I decided to put the second app on a subdomain to make things easy and smooth. ;)

Another question: Is there a reason that the plugin does not have a command that automatically adds the autorenew to root's crontab?

@sseemayer
Contributor

Having subdomains for every app is definitely the cleaner solution. I'm glad that things are working for you now! Closing since the original issue is solved and opening #57 to discuss the crontab things.
