From scratch

Set up a brand new app on the VPS

Everything needed to take a new app from "doesn't exist yet" to live with HTTPS and a working git push deploy.

1. DNS provider

1

Add a wildcard A record (one-time)

At your DNS provider

A wildcard record covers any subdomain you create now or later, so you never need to touch DNS again when adding a new app. Skip this if it's already in place. Propagation can take a few minutes up to a few hours depending on your provider's TTL.

DNS record

        
Verify before continuing Run dig +short <anything>.<your-domain> until it returns the VPS IP before requesting a Let's Encrypt certificate, otherwise the HTTP-01 challenge in step 2 will fail.
2

Add an apex/root A record (only for the no-subdomain app)

At your DNS provider

Only needed if one app should be reachable at the bare domain (no subdomain) — for example a main marketing site. Only one app can own the apex domain at a time. Skip this if every app will live on a subdomain.

DNS record

        

2. Dokku: nginx & HTTPS

3

Create the app and assign the domain

In VPS

These commands only touch the new app — existing apps and their domains are untouched. Use whichever fits this app.

With a subdomain

        
No subdomain (apex domain)

        
4

Map the app's ports

In VPS

Tell nginx which container port to forward public traffic to. Without this, Dokku won't know how to route incoming HTTP/HTTPS requests to your app's process.

Shell

        
http:80:3000 https:443:3000 Maps public port 80 (HTTP) and 443 (HTTPS) to internal container port 3000 — adjust the last number to match the port your app actually listens on.
5

Enable HTTPS for this app only

In VPS

Scope the Let's Encrypt commands to <app_name> instead of looping over dokku apps:list — that loop re-touches every app's nginx config and certificate, which is unnecessary risk when you're only adding one app.

Shell

        
Cron job is global dokku letsencrypt:cron-job --add only needs to be run once per server. Check first with dokku letsencrypt:cron-job — if it's already installed, skip re-adding it.
Don't run the all-apps loop Avoid for app in $(dokku apps:list); do dokku letsencrypt:enable $app; done here. It's only appropriate for renewing every existing certificate at once, not for onboarding a single new app.

3. Git push setup

6

Add the Dokku git remote

In local machine

Point the local repo at the app on the VPS.

With a subdomain

        
No subdomain (apex domain)

        
Existing remote If a dokku remote already exists locally, remove it first with git remote remove dokku.
7

Set the deploy branch

In VPS

Make sure Dokku deploys from master.

Shell

        
8

Set the build subfolder (optional)

In VPS

Only needed if the app to deploy isn't at the root of the repository — for example a monorepo where the deployable app lives under apps/web. Skip this if the build is at the project root.

Shell

        
9

Push to deploy

In local machine
Deploy

        

4. Extra steps

10

Env vars, storage, and cleanup

In VPS

Set config, mount persistent storage if the app needs it, then clean up build leftovers.

Shell

        
Set DATABASE_URL=/app/storage/db.sqlite as an env var so the app points to the mounted volume, if it uses SQLite.
11

Confirm it's live

In VPS
With a subdomain

        
No subdomain (apex domain)