Cloudflare certificates + Dokku

How to create and install Cloudflare SSL/TLS certificates for your Dokku app (instead of Let's Encrypt).

I'll show you how I did it with the blog you are currently reading: okhlopkov.com.

Why you might want to do it

  1. Let's Encrypt is cool, but you need to renew its certificates every 3 months. Yes, you can create a crontab task to do it automatically, but I always forget to. Cloudflare origin certificates are valid for 15+ years. 😎
  2. Cloudflare is not only a DNS provider but also a CDN. If your Dokku apps serve a frontend, you can benefit from its free worldwide CDN to speed things up and reduce the load on your servers.

Step 1: Attach your domain to Cloudflare

You need to change the nameservers at your current DNS provider (probably the registrar where you bought the domain). Create a Cloudflare account and it will walk you through this step by step (great onboarding, by the way).

Step 2: Create certificates for your backend

Now we are going to create our own origin certificate to encrypt the traffic between Cloudflare and the backend. Note that this certificate is issued by Cloudflare's own origin CA and is trusted only by Cloudflare, not by browsers, so it is only useful with the Cloudflare proxy in front of your server.

Open the SSL/TLS -> Origin Server menu and press Create Certificate.

Ow, boy! 15 years

If you also want to cover subdomains like super.secret.okhlopkov.com, you need to list them manually in the List of hostnames field (a wildcard entry only matches a single label). Otherwise, just press Create.

Congrats! Now you have your own shiny HTTPS certificate and private key!

Try to guess the other part of my keys!

Step 3: Upload certs to the server

Now you need to create two files on your server and paste the certificate and the private key into them. Open a new SSH connection, create a folder for the certs and create the files. I like to use vim to copy-paste the keys. Keep the private key readable only by your own user: it is the secret half of the pair, and anyone who can read it can present your certificate to Cloudflare.

mkdir certs
vim certs/okhlopkov.com.crt
# paste the first block shown by Cloudflare: the Origin Certificate

vim certs/okhlopkov.com.key
# paste the second block shown by Cloudflare: the Private Key

Step 4: Attach certs to Dokku app

You will need to pack these files into a .tar archive and feed it to Dokku. Suppose your Dokku app is called ghost:

# pack the certificate and the key into one archive
tar -cvf certs/okhlopkov.com.tar certs/okhlopkov.com.crt certs/okhlopkov.com.key

# hand the archive to the certs plugin, then regenerate the app's proxy (nginx) config
dokku certs:add ghost < certs/okhlopkov.com.tar
dokku proxy:build-config ghost
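Before running certs:add it is worth checking that the two pasted blocks really belong together, that the certificate is not about to expire, and that it lists every hostname you typed into the List of hostnames field in Step 2. The helper functions below are an added example, not part of the original post; they assume openssl is installed on the server and use the file names from above.

```bash
#!/bin/sh
# Added example, not from the original post: sanity-check the origin certificate
# and private key before handing them to `dokku certs:add`.
# Assumes openssl is installed on the server; file names follow the post.

# Print subject, issuer and validity window, then the SAN hostnames the
# certificate actually covers (compare with your "List of hostnames").
cert_info() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Return 0 when the certificate's public key equals the one derived from the
# private key, i.e. the two pasted blocks really belong together.
cert_key_match() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$crt_pub" = "$key_pub" ]
}

# Return 0 when the certificate stays valid for at least N more days (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Return 0 when the hostname is covered by a SAN entry. A wildcard matches
# exactly one label: *.okhlopkov.com covers super.okhlopkov.com but not
# super.secret.okhlopkov.com, which is why nested names must be listed by hand.
cert_covers_host() {
  sans=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2)
  printf '%s\n' "$sans" | grep -qxF "$2" && return 0
  case "$2" in
    *.*) printf '%s\n' "$sans" | grep -qxF "*.${2#*.}" ;;
    *)   return 1 ;;
  esac
}

# Typical use before `dokku certs:add ghost < certs/okhlopkov.com.tar`:
#   cert_key_match certs/okhlopkov.com.crt certs/okhlopkov.com.key || echo "key does not match cert"
#   cert_not_expiring certs/okhlopkov.com.crt 30 || echo "certificate expires soon"
#   cert_covers_host certs/okhlopkov.com.crt super.secret.okhlopkov.com || echo "hostname not covered"
```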

Step 5: Enable CF Proxy and Full encryption

Now you can do it: switch the DNS record for your domain to Proxied (the orange cloud) and set the encryption mode under SSL/TLS to Full. Prefer Full (strict) where it is offered: plain Full encrypts the Cloudflare-to-origin leg but accepts any certificate, while Full (strict) also verifies it, and the origin certificate you installed in Step 4 passes that check.

OW YEAH, Let's do it, CDN!

That's it! Thanks for reading. I basically just did the SSL/TLS encryption for my blog and simultaneously wrote down this step-by-step guide. Good luck with your stuff, dudes! Share this article somewhere, please.