d2iq-archive/marathon-lb

SSL certificates per app

Opened this issue · 1 comment

Hello There,

Thank you for building this great tool. I am using marathon-lb with DCOS, and the lack of good or clear documentation has kept me stuck for 2 days.

I think I read the documentation more than 10 times and it is still not clear how I pre-load the SSL certificates into marathon-lb. I am launching marathon-lb from the DCOS catalog and I am having problems passing the certificates. I also tried creating my own image of marathon-lb and it is not working either.

My question is: how do I pre-load more than one SSL certificate into marathon-lb, to be able to use the label HAPROXY_0_SSL_CERT?

@ntk860 not sure if this is what you're asking for, but here's how I am doing it for multiple domains and their certs:

  1. Firstly, you need to mount your SSL certs into the Docker image as volumes at a specific mount point for each domain, e.g. -v /path/to/ssl/cert/on/host:/target/in/docker/{DOMAIN_NAME}.
  2. Then, pass the --ssl-certs CLI argument to the Docker entrypoint, using the target mount points you specified above, separated by commas, e.g. --ssl-certs /target/in/docker/domain1.com,/target/in/docker/domain2.com,...
  3. Lastly, configure each app to use its appropriate domain name using the HAPROXY_0_VHOST label, e.g. HAPROXY_0_VHOST=domain1.com.

With this all set, Marathon-LB should automatically pick the right SSL cert for the incoming traffic (I believe using SNI), and will decrypt the traffic and forward it on to your configured backends appropriately.

There may be a more direct way to do exactly one cert per app, but I haven't seen it yet.

Also, FWIW, I only found this out by searching through their "Longhelp" and the source code itself.
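Steps 1 and 2 of the reply above, as an added example that is not part of this thread or of the marathon-lb project: a POSIX shell script that builds the per-domain volume mounts and the comma-separated --ssl-certs value from a directory of host PEM files, after checking each file is what HAProxy's crt option (which --ssl-certs feeds) actually needs: one PEM holding the certificate chain and an unencrypted private key. The host directory, the /etc/ssl/marathon-lb mount target, the domain names, the Marathon URL and the group name are all assumptions for the demo; the PEM files it creates are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not marathon-lb project code. Builds the "-v" mounts and the
# --ssl-certs list from <domain>.pem files on the host, rejecting files that
# HAProxy would refuse (no key, encrypted key) before the container is started.
# Assumed: certs are mounted under /etc/ssl/marathon-lb inside the container.

CONTAINER_CERT_DIR="/etc/ssl/marathon-lb"   # assumed mount target

# check_pem FILE: succeed only if FILE is a usable combined cert+key PEM.
check_pem() {
  f="$1"
  if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
    echo "$f: private key is passphrase-protected; HAProxy cannot load it unattended" >&2
    return 1
  fi
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
    echo "$f: no CERTIFICATE block" >&2
    return 1
  fi
  if ! grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
    echo "$f: no PRIVATE KEY block; the key must be in the same file as the cert" >&2
    return 1
  fi
  # A single certificate usually means the intermediate chain was left out.
  if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ]; then
    echo "$f: only one certificate; append the intermediate CA(s) unless it is self-signed" >&2
  fi
  return 0
}

# mount_flags DIR: one "-v host:container:ro" flag per <domain>.pem in DIR.
mount_flags() {
  for f in "$1"/*.pem; do
    [ -e "$f" ] || { echo "$1: no .pem files" >&2; return 1; }
    printf '%s %s:%s/%s:ro\n' '-v' "$f" "$CONTAINER_CERT_DIR" "$(basename "$f")"
  done
}

# ssl_certs_arg DIR: the comma-separated container paths for --ssl-certs;
# the whole set is rejected if any file fails check_pem.
ssl_certs_arg() {
  list=""
  for f in "$1"/*.pem; do
    [ -e "$f" ] || { echo "$1: no .pem files" >&2; return 1; }
    check_pem "$f" || return 1
    list="${list:+$list,}$CONTAINER_CERT_DIR/$(basename "$f")"
  done
  printf '%s\n' "$list"
}

# Constructed sample input: placeholder PEM blocks, not real certificates or keys.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/good" "$SAMPLE_DIR/bad"
fake_cert="-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----"
fake_key="-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----"
printf '%s\n%s\n%s\n' "$fake_cert" "$fake_cert" "$fake_key" > "$SAMPLE_DIR/good/domain1.com.pem"  # leaf + intermediate + key
printf '%s\n%s\n' "$fake_cert" "$fake_key" > "$SAMPLE_DIR/good/domain2.com.pem"               # leaf + key
printf '%s\n' "$fake_cert" > "$SAMPLE_DIR/bad/domain3.com.pem"                                # cert only: the common mistake

# Print the docker run line the reply describes (Marathon URL and group assumed).
SSL_CERTS="$(ssl_certs_arg "$SAMPLE_DIR/good")"
echo "docker run -d --net=host \\"
mount_flags "$SAMPLE_DIR/good" | sed 's/^/  /; s/$/ \\/'
echo "  mesosphere/marathon-lb sse --marathon http://marathon.mesos:8080 --group external \\"
echo "    --ssl-certs $SSL_CERTS"
# domain3.com.pem is rejected because the private key is missing:
ssl_certs_arg "$SAMPLE_DIR/bad" || echo "bad set rejected, as intended"
```

The checks are worth running on the host before launching: HAProxy rejects its whole configuration when a crt file has no private key or a key it cannot decrypt, so one bad file takes every domain down rather than just that one. Step 3 stays on the application side: the app that should answer for domain1.com carries HAPROXY_0_VHOST=domain1.com (together with HAPROXY_GROUP=external so this marathon-lb instance picks it up), and HAProxy then selects the matching file from the --ssl-certs list by SNI.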