Wildcard certs
Wildcards (*.example.com) require Let's Encrypt's DNS-01 challenge: the ACME client (lego, in this plugin) publishes a TXT record in your DNS zone, Let's Encrypt queries it, and then issues the certificate. Configure the DNS provider once; afterwards every first-level subdomain is covered by the one cert.
Pick a DNS plugin
The dokku-letsencrypt plugin uses lego under the hood, which supports many DNS providers. Common choices:
| Provider | Plugin name | Credentials |
|---|---|---|
| Route 53 | route53 | AWS access key + secret with route53:ChangeResourceRecordSets and route53:GetChange on your hosted zone. |
| Cloudflare | cloudflare | API token with Zone:DNS:Edit scoped to the zone. |
| DNSimple | dnsimple | OAuth token from DNSimple account settings. |
| DigitalOcean | digitalocean | Personal access token. |
| Google Cloud DNS | gcloud | Service account JSON key. |
Configure
$ ssh dokku@<stack-ip> letsencrypt:set <app> dns-provider route53
$ ssh dokku@<stack-ip> letsencrypt:set <app> AWS_ACCESS_KEY_ID '...'
$ ssh dokku@<stack-ip> letsencrypt:set <app> AWS_SECRET_ACCESS_KEY '...'
$ ssh dokku@<stack-ip> letsencrypt:set <app> AWS_REGION us-east-1
Each DNS plugin reads its own env vars; check the lego docs for the exact names.
Add the wildcard
$ ownstack app domains:add <app> '*.example.com'
$ ssh dokku@<stack-ip> letsencrypt:enable <app>
The first command registers the domain with nginx; letsencrypt:enable kicks off the issuance. The plugin will:
- Request a wildcard cert from Let's Encrypt.
- Receive a TXT record token to publish.
- Use your DNS provider credentials to publish the TXT record.
- Wait for DNS propagation, then signal Let's Encrypt to validate.
- Receive the cert, install it, reload nginx.
- Clean up the TXT record.
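The steps above are a standard ACME exchange, so you can check what the plugin publishes independently of it. The following added example (not code from dokku-letsencrypt or lego) computes the DNS-01 TXT value for a challenge token and account key as RFC 8555 and RFC 7638 define it, and compares it with what a resolver returns for `_acme-challenge.<base name>`. That comparison is the first thing to run when issuance hangs at the validation step. The account key, token and `dig` output below are constructed sample data, not real values.

```python
"""DNS-01 challenge value computation and a pre-flight DNS check.

Added example for this page, not part of dokku-letsencrypt or lego.
It implements RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint)
directly; the token, account key and resolver output are constructed.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only.
    Extra members such as 'alg' or 'use' must not change the result."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """A wildcard is validated at its base name: *.example.com -> _acme-challenge.example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def txt_answers_from_dig(name: str, dig_short_output: str) -> dict:
    """Turn `dig +short TXT <name>` output (one quoted string per line) into the
    mapping preflight() expects. dig wraps each string in double quotes."""
    values = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            line = line[1:-1]
        if line:
            values.append(line)
    return {name: values}


def preflight(domain: str, token: str, jwk: dict, txt_records: dict) -> bool:
    """True when the resolver's TXT answers for the challenge name contain the
    value the CA will look for. A stale or missing record returns False."""
    expected = dns01_txt_value(token, jwk)
    return expected in txt_records.get(challenge_name(domain), [])


# Constructed sample data (not a real key or token): an EC P-256 JWK whose
# coordinates are just 32 arbitrary bytes each, plus an arbitrary token.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "alg": "ES256",  # not part of the thumbprint input
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    name = challenge_name("*.example.com")
    print(f"expected TXT at {name}: {value}")
    # Constructed stand-in for `dig +short TXT _acme-challenge.example.com`
    dig_output = f'"{value}"\n'
    print("pre-flight ok:", preflight("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK,
                                      txt_answers_from_dig(name, dig_output)))
```

If the pre-flight returns False while the plugin is waiting, the usual causes are a resolver still serving the previous record (propagation) or credentials that can write a different zone than the one Let's Encrypt queries.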
Subdomains under the wildcard
Once the wildcard cert is in place, subdomains like app1.example.com and app2.example.com are covered by the same cert. You still need DNS A records for each (pointing at the stack IP) for traffic to reach the stack.
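One caveat worth checking before adding A records: a wildcard stands for exactly one DNS label, so *.example.com covers app1.example.com but not example.com itself or a.b.example.com. The following added example (not part of the page's tooling) implements that matching rule from RFC 6125 so a planned hostname can be checked against a cert's subject alternative names; the SAN list is a constructed sample.

```python
"""Which hostnames does a wildcard SAN cover?

Added example, not from dokku-letsencrypt. Implements the single-label
wildcard rule (RFC 6125 section 6.4.3): '*' matches one label, never zero
and never several, and matching is case-insensitive.
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.suffix') covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # Partial wildcards such as 'f*.example.com' are not issued by
        # Let's Encrypt; treat anything else as an exact name.
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for the '*'.
    return bool(leftmost) and "." not in leftmost


def covered_by(sans: list, hostname: str) -> bool:
    """True if any SAN on the certificate covers hostname."""
    return any(wildcard_matches(san, hostname) for san in sans)


# Constructed sample: a cert issued for the wildcard plus the bare apex.
SAMPLE_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["app1.example.com", "example.com", "a.b.example.com", "notexample.com"]:
        print(f"{host:20} covered: {covered_by(SAMPLE_SANS, host)}")
```

If you want the apex or a second-level name such as api.staging.example.com served by the same app, add them with domains:add as well; the wildcard alone will not cover them.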
Renewal
Same as HTTP-01 — automatic, every 60 days. The DNS-01 flow runs again under the hood.