Let's Encrypt

OwnStack stacks ship with the dokku-letsencrypt plugin pre-installed. It uses the ACME HTTP-01 challenge by default, runs renewals nightly, and reloads nginx automatically when certs roll.

HTTP-01 challenge: how it works

  1. You add a domain to an app and Let's Encrypt issuance is triggered (automatic on app domains:add).
  2. The plugin spins up a temporary web server that answers http://<domain>/.well-known/acme-challenge/<token> with a response value Let's Encrypt can verify.
  3. Let's Encrypt's prober fetches that URL — for this to work, your DNS must resolve and port 80 must be reachable from the internet.
  4. If the prober gets the right response, Let's Encrypt issues a cert.
  5. The plugin installs the cert and reloads nginx; traffic is now served over HTTPS.

Renewals

Certs are valid for 90 days; the plugin renews 30 days before expiry, and the renewal cron job runs nightly. Manual renewal:

$ ssh dokku@<stack-ip> letsencrypt:auto-renew <app>

Inspecting

$ ssh dokku@<stack-ip> certs:report <app>
       Ssl enabled:                   true
       Ssl hostnames:                 example.com www.example.com
       Ssl expires at:                Aug  1 02:14:27 2026 GMT
       Ssl issuer:                    C = US, O = Let's Encrypt, CN = R10

$ ssh dokku@<stack-ip> letsencrypt:list
App name           Certificate Expiry        Time before expiry
my-app             2026-08-01 02:14:27       2m 25d
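A small check that turns the certs:report output above into an alert, as an added example (not code from the plugin or from OwnStack): it parses the "Ssl ..." lines, works out how long the cert has left, and flags a cert that is still inside the 30-day renewal window as a failed renewal rather than waiting for it to lapse. The 7-day "critical" threshold and the sample report are assumptions for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `certs:report <app>` output, in the layout shown above.
SAMPLE_REPORT = """\
       Ssl enabled:                   true
       Ssl hostnames:                 example.com www.example.com
       Ssl expires at:                Aug  1 02:14:27 2026 GMT
       Ssl issuer:                    C = US, O = Let's Encrypt, CN = R10
"""

RENEW_WINDOW = timedelta(days=30)  # the plugin renews 30 days before expiry
CRITICAL = timedelta(days=7)       # assumed threshold for paging someone

def parse_report(text):
    """Map 'Ssl <key>: <value>' lines to {key: value} (key lower-cased, prefix dropped)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*Ssl ([^:]+):\s+(.*\S)", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def parse_expiry(value):
    """'Aug  1 02:14:27 2026 GMT' -> aware UTC datetime (strptime tolerates the double space)."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def classify(report_text, now_utc):
    """Return (status, days_left); now_utc is 'YYYY-MM-DD HH:MM:SS' in UTC.

    Statuses: disabled, ok, renewal-overdue, critical, expired.
    """
    fields = parse_report(report_text)
    if fields.get("enabled") != "true":
        return "disabled", None
    now = datetime.strptime(now_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    remaining = parse_expiry(fields["expires at"]) - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= CRITICAL:
        return "critical", remaining.days
    if remaining <= RENEW_WINDOW:
        # The nightly cron should already have rolled the cert by now; an unchanged
        # expiry means renewals are failing (DNS, port 80, rate limit) and needs a look.
        return "renewal-overdue", remaining.days
    return "ok", remaining.days

if __name__ == "__main__":
    now_str = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    status, days = classify(SAMPLE_REPORT, now_str)
    print(f"{status} ({days} days left)")
```

Run it from cron against `ssh dokku@<stack-ip> certs:report <app>` and alert on anything other than "ok".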

Account email

Let's Encrypt requires an account email for renewal notices. Set it once per app or per stack:

$ ssh dokku@<stack-ip> letsencrypt:set --global email you@example.com

Rate limits

Let's Encrypt rate-limits at:

  • 50 certs per registered domain per week. Includes renewals — enough for almost everyone.
  • 5 failed authorizations per hostname per hour. If you misconfigured DNS and tried five times, you're blocked for the rest of the hour.
  • 5 duplicate certs per week. If your hostnames don't change, no concern.

If you get rate-limited, fix the underlying issue (DNS, port 80) and wait. Don't keep retrying — it counts against you.

When HTTP-01 won't work

  • Wildcards — must use DNS-01. See Wildcard certs.
  • Port 80 closed — corporate firewall, weird CDN setup. Use DNS-01 or supply your own cert.
  • Internal-only domains — Let's Encrypt's prober has to reach your domain from the public internet.