Latest commit: Andreas Peters, 1fa8bc80f9, "increase wait until proceed", 3 weeks ago

Fork of Let’s Encrypt for Mesosphere Marathon!

We created this fork to get a fresh build of certbot. The image is now based on the official certbot image.

This is a sample Marathon app for encrypting your Marathon-lb HAProxy endpoints using Let’s Encrypt. With this, you can automatically generate and renew valid SSL certs with Marathon-lb.

Getting started

Clone (or manually copy) this repo, and modify the letsencrypt-dcos.json file to include:

  • The list of hostnames (must be FQDNs) for which you want to generate SSL certs (in HAPROXY_0_VHOST)
  • An admin email address for your certificate (in LETSENCRYPT_EMAIL)
  • The Marathon API endpoint (in MARATHON_URL)
  • The Marathon-lb app ID (in MARATHON_LB_ID)
  • Ensure you have at least 2 or more public agents in your DC/OS cluster, and that marathon-lb is scaled out to more than 1 public agent. Deploying this app requires this since it entails restarting marathon-lb.

Now launch the letsencrypt-dcos Marathon app:

$ dcos marathon app add letsencrypt-dcos.json

There are 2 test apps included, based on openresty, which you can use to test everything. Have a look in the test/ directory within the repo.

How does it work?

The app includes 2 scripts: and The first script ( will generate the initial SSL cert and POST the cert to Marathon for Marathon-lb. It will then attempt to renew & update the cert every 24 hours. The script will compare the current cert in Marathon to the current live cert, and update it as necessary. is called after the initial cert is generated, and again every 24 hours after a renewal attempt.

A persistent volume called data is mounted inside the container at /etc/letsencrypt which contains the certificates and other generated state.
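The following is an added example, not the project's own scripts: it shows the compare-and-update step described above (fingerprint the renewed cert, compare it with what Marathon has configured and with what HAProxy is actually serving, and PUT a new app definition to Marathon only when they differ), plus the "at least two marathon-lb instances" precondition from Getting started as an explicit check before the redeploy. It uses only the Python standard library. Two things are assumptions not stated on the page: that marathon-lb reads its certificate from the env var `HAPROXY_SSL_CERT` of its own app definition, and that the Marathon API at `MARATHON_URL` is reachable without authentication. The PEM values at the bottom are constructed stand-ins, not real certificates.

```python
"""Added example (not the project's run/update scripts): the check-and-update
logic described in "How does it work?", done against the Marathon API with the
standard library only. Assumptions: marathon-lb takes its certificate from the
env var HAPROXY_SSL_CERT of its own app definition, and the Marathon API needs
no auth."""
import base64
import hashlib
import json
import re
import ssl
import urllib.request

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CERT_VAR = "HAPROXY_SSL_CERT"  # assumption: env var marathon-lb reads the cert from


def leaf_fingerprint(pem: str) -> str:
    """SHA-256 over the DER of the first (leaf) cert in a PEM bundle.

    Comparing DER instead of raw PEM text makes the check immune to the
    line-wrapping and trailing-newline differences between the value stored
    in Marathon and the cert the server actually presents."""
    match = PEM_CERT.search(pem)
    if match is None:
        raise ValueError("input contains no CERTIFICATE block")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def fetch_live_cert(host: str, port: int = 443) -> str:
    """Leaf cert currently served by HAProxy for `host`, as PEM (network call)."""
    return ssl.get_server_certificate((host, port))


def get_app(marathon_url: str, app_id: str) -> dict:
    """Current marathon-lb app definition, e.g. app_id="/marathon-lb" (network call)."""
    url = f"{marathon_url.rstrip('/')}/v2/apps{app_id}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["app"]


def needs_update(app: dict, live_pem: str, new_pem: str) -> bool:
    """True when the freshly (re)issued cert differs from the one configured in
    Marathon or from the one HAProxy is actually serving."""
    want = leaf_fingerprint(new_pem)
    configured = app.get("env", {}).get(CERT_VAR)
    if configured is None or leaf_fingerprint(configured) != want:
        return True
    return leaf_fingerprint(live_pem) != want


def safe_to_redeploy(app: dict, min_instances: int = 2) -> bool:
    """Precondition from Getting started: pushing a new cert redeploys
    marathon-lb, so it must be running on at least two public agents."""
    return app.get("instances", 0) >= min_instances


def updated_app(app: dict, new_pem: str) -> dict:
    """Body for PUT /v2/apps/<id>. Only `env` is sent; Marathon merges it into
    the stored definition, and the changed value is what triggers the redeploy."""
    env = dict(app.get("env", {}))
    env[CERT_VAR] = new_pem
    return {"id": app["id"], "env": env}


def push_update(marathon_url: str, app: dict, new_pem: str) -> dict:
    """PUT the new cert to Marathon and return its deployment response (network call)."""
    if not safe_to_redeploy(app):
        raise RuntimeError(f"{app['id']} runs {app.get('instances', 0)} instance(s); refusing redeploy")
    body = json.dumps(updated_app(app, new_pem)).encode()
    req = urllib.request.Request(
        f"{marathon_url.rstrip('/')}/v2/apps{app['id']}",
        data=body, method="PUT", headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed stand-ins for PEM certificates so the comparison runs offline.
# They are not real X.509 certs: leaf_fingerprint only base64-decodes the body,
# it does not parse ASN.1, so any bytes serve to demonstrate the logic.
def _fake_pem(seed: bytes, width: int = 64) -> str:
    b64 = base64.b64encode(seed * 20).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_OLD = _fake_pem(b"old-cert")
SAMPLE_NEW = _fake_pem(b"new-cert")
SAMPLE_NEW_REWRAPPED = _fake_pem(b"new-cert", width=76)  # same DER, different wrapping
SAMPLE_LB_APP = {"id": "/marathon-lb", "instances": 2, "env": {CERT_VAR: SAMPLE_OLD}}

if __name__ == "__main__":
    print("update needed:", needs_update(SAMPLE_LB_APP, SAMPLE_OLD, SAMPLE_NEW))
    print("PUT body keys:", sorted(updated_app(SAMPLE_LB_APP, SAMPLE_NEW)))
```

Wired into the 24-hour loop the section describes, the sequence is `get_app`, `fetch_live_cert` for one of the VHOST names, then `push_update` only if `needs_update` is true; the `safe_to_redeploy` guard turns the "2 or more public agents" requirement into a failure before the redeploy rather than an outage during it.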


  • Let’s Encrypt allows at most 100 hostnames (SANs) per certificate, so HAPROXY_0_VHOST may list no more than 100 names.
  • Let’s Encrypt enforces rate limits; in particular, at most 5 duplicate certificates (certificates for the exact same set of hostnames) may be issued per week, which you can hit quickly if the app is redeployed repeatedly.
  • Currently, when the cert is updated, it requires a full redeploy of Marathon-lb. This means there may be a few seconds of downtime while the new marathon-lb instances come up. This can be mitigated by placing another LB (such as an ELB or F5) in front of HAProxy.