Using dokku-acl with dokku-letsencrypt breaks auto-renewal

[Shark]

We use dokku-acl together with the dokku-letsencrypt plugin. For auto-renewal of certificates, the plugin creates a cronjob for the dokku-User:

@daily /var/lib/dokku/plugins/available/letsencrypt/cron-job

which in turn executes

dokku letsencrypt:auto-renew &>> /var/log/dokku/letsencrypt.log

which fails on our hosts:

User default does not have permissions to run letsencrypt:auto-renew
Access denied

What would be the best way to fix this issue? I thought about some ways, but I didn't find one which works well...

1. We've set export DOKKU_SUPER_USER=dokku. So if the cronjob would export NAME it should work, right?
2. We could add letsencrypt:auto-renew to DOKKU_ACL_USER_COMMANDS. But since letsencrypt:auto-renew calls letsencrypt and certs:add, we would need to whitelist those functions for all apps as well, which is undesirable.

[josegonzalez]

Sorry for getting to this so late:

• Can you turn on events via dokku events:on, trigger the cronjob - don't run letsencrypt directly! - and show the output of /var/log/dokku/events.log? It should contain the user that the cronjob is running as. It's possible it is running as root or something.

[Shark]

Thanks for your reply!

I did the following:

• enabled dokku events
• edited dokku's crontab to run the letsencrypt cron-job in the next minute

/var/log/dokku/events.log:

Dec  7 11:01:01 app2 dokku[21011]: INVOKED: user-auth(  default letsencrypt:auto-renew ) NAME= FINGERPRINT=
Dec  7 11:01:02 app2 dokku[21647]: INVOKED: user-auth(  default letsencrypt zweitag-shoebox ) NAME= FINGERPRINT=

/var/log/dokku/letsencrypt.log:

=====> Auto-renewing all apps...
-----> test-app needs renewal
User default does not have permissions to run letsencrypt
Access denied

[josegonzalez]

Where is the crontab file specified?

[Shark]

I edited the crontab w ith sudo crontab -u dokku -l to look like this:

# @daily /var/lib/dokku/plugins/available/letsencrypt/cron-job
00 09 * * * /var/lib/dokku/plugins/available/letsencrypt/cron-job

[josegonzalez]

The default username for dokku is default. This will be used if the NAME environment variable isn't set. We don't default that to dokku but maybe we should?

If we did, that wouldn't break anything in dokku core, and the acl plugin would continue working as expected (the logged in dokku would work), just we would enable background jobs to work.

Anyone have any thoughts on this?

[Cellane]

I think that makes sense, I’d appreciate the rename of the default Dokku’s username to dokku.

I found this issue a few days ago when I was investigating the difficulties of allowing my friend to host his website on my server. I spent some time testing if the reported issue is still a problem nowadays, and came up to the conclusion that as long as your SSH key is called default, and your super-admin username is set to default, you’ll be able to renew LE certificates from cron, access all commands as expected when you have direct access to the server’s SSH and when interacting with Dokku remotely.

But definitely renaming the user from default to dokku would have felt cleaner.
(Alternatively – or in addition – it would’ve been nice to be able to specify multiple super-admin accounts – but perhaps that’s a different issue altogether)