I'll show you how I did it with the blog you are currently reading: okhlopkov.com.
Cloudflare is a free worldwide CDN which can also issue a TLS/HTTPS certificate for your domain or subdomain.
Dokku is a free open-source self-hosted Heroku alternative which I use in all my production environments.
Why you might want to do it
- Let's Encrypt is cool, but you need to renew its certificates every 3 months. Yes, you can create a crontab task to do it automatically, but I always forget to. CF certificates are valid for 15+ years. 😎
- Cloudflare is not only DNS but also a CDN. If your Dokku apps have a frontend, you might want to benefit from a free worldwide CDN to speed up your stuff and decrease the load on your servers.
Step 1: Attach your domain to Cloudflare
You need to change the nameservers at your DNS provider (probably wherever you bought your domain). Create an account on Cloudflare and it will show you a step-by-step guide on how to do that (great onboarding, by the way).
Step 2: Create certificates for your backend
Now we are going to create our own certificates to encrypt CF <> Backend communication.
Open SSL/TLS -> Origin Server menu and press Create Certificate.
If you want to also encrypt domains like super.secret.okhlopkov.com, you need to manually specify them in the List of hostnames field. Otherwise, just press create.
Congratz! Now you have your unique and shiny HTTPS encryption certificates!
Step 3: Upload certs to the server
Now you need to create two files on your server and paste the certificate and the private key into them. Open a new SSH connection, create a folder for the certs and create these files. I like to use vim to copy-paste the keys.

    mkdir certs
    vim certs/okhlopkov.com.crt  # copy-paste the first Certificate
    vim certs/okhlopkov.com.key  # copy-paste the second Private Key
Step 4: Attach certs to Dokku app
You will need to create a .tar archive with these files and then send it to Dokku. Imagine that the name of your Dokku app is

    tar -cvf certs/okhlopkov.com.tar certs/okhlopkov.com.crt certs/okhlopkov.com.key
    dokku certs:add ghost < certs/okhlopkov.com.tar
    dokku proxy:build-config ghost
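A pre-flight check for Steps 3 and 4, as an added example that is not part of the original post: it confirms that the pasted certificate and private key belong together and that the certificate has not expired, restricts the key and the archive to their owner, and packs the two files without a directory prefix. The function names and the DIR/NAME argument layout are assumptions; it needs only openssl, tar and chmod.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the
# DIR/NAME layout (DIR/NAME.crt, DIR/NAME.key) are illustrative assumptions.

# Exit 0 only when the certificate and the private key share a public key.
# A truncated or mixed-up paste makes openssl fail or the keys differ.
cert_matches_key() {
  local crt_pub key_pub
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Validate the pair, lock down the key, then write an owner-only archive
# that holds exactly the two files.
build_cert_tar() {
  local dir=$1 name=$2 out=$3
  local crt="$dir/$name.crt" key="$dir/$name.key"
  [ -s "$crt" ] && [ -s "$key" ] || { echo "missing or empty file" >&2; return 1; }
  cert_matches_key "$crt" "$key" || { echo "cert/key mismatch or bad paste" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired" >&2; return 1; }
  chmod 600 "$key" || return 1
  (
    umask 077   # the archive contains the private key: create it owner-only
    tar -cf - -C "$dir" "$name.crt" "$name.key" > "$out"
  ) || return 1
  chmod 600 "$out" || return 1   # also covers a pre-existing output file
  [ "$(tar -tf "$out" | wc -l)" -eq 2 ]
}

# Usage: ./preflight.sh certs okhlopkov.com certs/okhlopkov.com.tar
if [ "$#" -eq 3 ]; then
  build_cert_tar "$@" && echo "ok: $3 is ready for dokku certs:add"
fi
```

Once the certificate is attached to the app, the .tar and .key copies in the certs folder are no longer needed there and can be deleted.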
Step 5: Enable CF Proxy and Full encryption
Now you can do it!
That's it! Thanks for reading. I basically just did the SSL/TLS encryption for my blog and simultaneously wrote down this step-by-step guide. Good luck with your stuff, dudes! Share this article somewhere, please.