letsencrypt for dcos
Let's Encrypt DCOS!

This is a sample Marathon app for encrypting your Marathon-lb HAProxy endpoints using Let's Encrypt. With this, you can automatically generate and renew valid SSL certs with Marathon-lb.

Getting started

Clone (or manually copy) this repo, and modify the letsencrypt-dcos.json file to include:

  • The list of hostnames (must be FQDNs) for which you want to generate SSL certs (in HAPROXY_0_VHOST)
  • An admin email address for your certificate (in LETSENCRYPT_EMAIL)
  • The Marathon API endpoint (in MARATHON_URL)
  • The Marathon-lb app ID (in MARATHON_LB_ID)

Now launch the letsencrypt-dcos Marathon app:

$ dcos marathon app add letsencrypt-dcos.json

There are 2 test apps included, based on openresty, which you can use to test everything. Have a look in the test/ directory within the repo.

How does it work?

The app includes 2 scripts: and The first script ( will generate the initial SSL cert and POST the cert to Marathon for Marathon-lb. It will then attempt to renew & update the cert every 24 hours. The script will compare the current cert in Marathon to the current live cert, and update it as necessary. is called after the initial cert is generated, and again every 24 hours after a renewal attempt.
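The compare-then-update step described above, as an added example that is not one of the project's own scripts: it reads the issued cert from the certbot layout under /etc/letsencrypt, compares it with the cert stored in the Marathon-lb app definition, and only PUTs a new definition (which triggers the redeploy) when they differ. It assumes Marathon-lb takes the combined cert+key PEM from the HAPROXY_SSL_CERT environment variable, and the MARATHON_URL / MARATHON_LB_ID values are constructed placeholders.

```python
import json
import urllib.request

MARATHON_URL = "http://marathon.mesos:8080"   # placeholder, as set in letsencrypt-dcos.json
MARATHON_LB_ID = "/marathon-lb"               # placeholder Marathon-lb app ID
CERT_ENV = "HAPROXY_SSL_CERT"                 # assumption: env var Marathon-lb reads the PEM from


def read_live_pem(domain, base="/etc/letsencrypt/live"):
    """Combine certbot's fullchain.pem and privkey.pem into the single PEM HAProxy expects."""
    with open(f"{base}/{domain}/fullchain.pem") as chain, open(f"{base}/{domain}/privkey.pem") as key:
        return chain.read() + key.read()


def normalize_pem(pem):
    """Ignore trailing whitespace per line so a formatting difference alone never forces a redeploy."""
    return "\n".join(line.strip() for line in pem.strip().splitlines())


def needs_update(app, new_pem):
    """True when the cert stored in the Marathon app definition differs from the freshly issued one."""
    current = app.get("env", {}).get(CERT_ENV, "")
    return normalize_pem(current) != normalize_pem(new_pem)


def build_update(app, new_pem):
    """Partial app definition for PUT /v2/apps/{id}: only the cert env var changes, other env keys are kept."""
    env = dict(app.get("env", {}))
    env[CERT_ENV] = new_pem
    return {"id": app["id"], "env": env}


def update_if_changed(live_pem, base_url=MARATHON_URL, app_id=MARATHON_LB_ID):
    """Fetch the current Marathon-lb app, compare, and PUT the new cert only when it differs.
    Returns True when a deployment was triggered."""
    with urllib.request.urlopen(f"{base_url}/v2/apps{app_id}") as resp:
        app = json.load(resp)["app"]
    if not needs_update(app, live_pem):
        return False
    body = json.dumps(build_update(app, live_pem)).encode()
    req = urllib.request.Request(f"{base_url}/v2/apps{app_id}", data=body, method="PUT",
                                 headers={"Content-Type": "application/json"})
    urllib.request.urlopen(req).close()
    return True


# Constructed sample data: a minimal Marathon-lb app definition and two PEM stand-ins.
OLD_PEM = "-----BEGIN CERTIFICATE-----\nOLDCERT\n-----END CERTIFICATE-----\n"
NEW_PEM = "-----BEGIN CERTIFICATE-----\nNEWCERT\n-----END CERTIFICATE-----\n"
SAMPLE_APP = {"id": MARATHON_LB_ID, "env": {CERT_ENV: OLD_PEM, "HAPROXY_SYSCTL_PARAMS": ""}}

if __name__ == "__main__":
    print("update needed:", needs_update(SAMPLE_APP, NEW_PEM))
```

Because the PUT replaces the whole env map, carrying over the existing keys (as build_update does) matters: dropping them would silently strip other Marathon-lb settings on every renewal.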
  • You may only have up to 100 domains per cert.
  • Let's Encrypt currently has rate limits, such as issuing a maximum
  • Currently, when the cert is updated, it requires a full redeploy of Marathon-lb. This means there may be a few seconds of downtime as the deployment occurs. This can be mitigated by placing another LB (such as an ELB or F5) in front of HAProxy.
  • The certs are kept inside the container at /etc/letsencrypt. You might want to mount the directory as an external volume to preserve the data.