ehazlett / interlock

Docker Event Driven Plugin System
Apache License 2.0

Support for multiple TLS certs? #251

Open dtenenba opened 2 years ago

dtenenba commented 2 years ago

Hello,

Does interlock support multiple sets of TLS certs/keys? In the documentation/examples I have seen, it appears not.

I want to use interlock on a docker swarm cluster to serve apps with hostnames e.g. *.example1.com and *.example2.com. I have two sets of wildcard SSL certs/keys, one for each TLD. Is it possible to tell interlock to use one key/cert for *.example1.com and a different one for *.example2.com?

mbentley commented 2 years ago

You should be able to set the certs on a per-service basis using the labels interlock.ssl_cert / interlock.ssl_cert_key https://github.com/ehazlett/interlock/blob/master/docs/interlock_data.md. Set those labels on your services with the appropriate location of the certs and it should set the certs for a given service. And just to be clear, these are not labels set on the interlock service, but your services you want to route traffic to using interlock.

dtenenba commented 2 years ago

Thanks. So when you say "location of the certs", what does that mean? That they should be in my service container, or the interlock container? Or in some directory on the host mounted by the interlock container? Should it be a full path? The example just gives a filename.

I also notice that the swarm example defines the certs as being in /var/lib/boot2docker which is mounted into the container with the same path. But that directory does not exist on my swarm hosts - does it matter what the name of that directory is on the host?

Actually, my swarm nodes don't share any filesystems (yet) so I will probably have to bake an image (stored in a private image registry) that contains my certs.

Sorry for all the questions, but my main one is: what should be the value of the interlock.ssl_cert label, the full path to a cert inside the interlock container?

mbentley commented 2 years ago

If I remember right, you want the volume to be mapped for the nginx container. You could use swarm secrets and give it the full path to the secret (been a while since I've used Swarm so the paths escape me where those get mounted to) or you could do a bind mount for the nginx container such as /certs and then your values of your labels on your services would be something like:

interlock.ssl_cert="/cert/host1_cert.pem"
interlock.ssl_cert_key="/cert/host1_key.pem"
interlock.ssl_cert="/cert/host2_cert.pem"
interlock.ssl_cert_key="/cert/host2_key.pem"

Unfortunately I don't have any older examples that use TLS.

ehazlett commented 2 years ago

Thx @mbentley for the help!

Here is an example run that I had from a demo config for SSL:

cat certs/demo-ssl.local.evanhazlett.com.cert | docker secret create demo-ssl.local.evanhazlett.com.cert -
cat certs/demo-ssl.local.evanhazlett.com.key | docker secret create demo-ssl.local.evanhazlett.com.key -
docker service create \
    --name demo-ssl \
    --network demo-ssl \
    --detach=false \
    --label com.docker.lb.hosts=demo-ssl.local.evanhazlett.com \
    --label com.docker.lb.port=8080 \
    --label com.docker.lb.ssl_cert=demo-ssl.local.evanhazlett.com.cert \
    --label com.docker.lb.ssl_key=demo-ssl.local.evanhazlett.com.key \
    --env METADATA="demo-ssl" \
    ehazlett/docker-demo
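The two answers above (per-service labels, and secrets named after the hostname) generalize directly to the original question of one cert/key pair per hostname. The script below is an added example, not code from the interlock project or from anyone in this thread: it wraps the maintainer's run in a function that is called once per hostname, derives the secret names from the hostname the way the demo does, and refuses to publish a key that does not belong to its certificate (a check done with openssl, which is my addition). It uses the `com.docker.lb.*` label names from the maintainer's run; if your interlock version reads the `interlock.*` names from the docs, change the two label lines. `DOCKER=echo` gives a dry run that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not part of the interlock project): one HTTPS service per
# hostname, each with its own cert/key pair stored as Docker swarm secrets.
# Assumptions: interlock reads the secrets named in the labels, as in the
# maintainer's demo run; label names follow that run (com.docker.lb.*).
DOCKER="${DOCKER:-docker}"   # set DOCKER=echo for a dry run

# Secret names derived from the hostname, mirroring the demo run.
cert_secret_name() { printf '%s.cert' "$1"; }
key_secret_name()  { printf '%s.key'  "$1"; }

# Return 0 only if the private key's public half equals the cert's public key.
# Publishing a mismatched pair fails at TLS handshake time, which is a poor
# place to discover it; check before creating the secrets.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# deploy_tls_service HOST CERT_FILE KEY_FILE PORT NETWORK IMAGE
# Creates the two secrets for HOST and one service labelled to use them.
deploy_tls_service() {
  host=$1; cert=$2; key=$3; port=$4; network=$5; image=$6
  [ -r "$cert" ] && [ -r "$key" ] || {
    echo "missing cert or key for $host" >&2; return 1; }
  # CHECK_KEYPAIR=0 skips the openssl check (e.g. files without openssl present).
  if [ "${CHECK_KEYPAIR:-1}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    cert_matches_key "$cert" "$key" || {
      echo "key does not match cert for $host" >&2; return 1; }
  fi
  cs=$(cert_secret_name "$host"); ks=$(key_secret_name "$host")
  svc=$(printf '%s' "$host" | tr '.' '-')   # service name without dots
  $DOCKER secret create "$cs" "$cert" || return 1
  $DOCKER secret create "$ks" "$key"  || return 1
  $DOCKER service create \
    --name "$svc" \
    --network "$network" \
    --detach=false \
    --label "com.docker.lb.hosts=$host" \
    --label "com.docker.lb.port=$port" \
    --label "com.docker.lb.ssl_cert=$cs" \
    --label "com.docker.lb.ssl_key=$ks" \
    --env "METADATA=$host" \
    "$image"
}

# Usage: two hostnames, two cert/key pairs, two services (paths are assumed).
if [ "${1:-}" = "run" ]; then
  deploy_tls_service app.example1.com certs/example1.pem certs/example1.key 8080 demo-ssl ehazlett/docker-demo
  deploy_tls_service app.example2.com certs/example2.pem certs/example2.key 8080 demo-ssl ehazlett/docker-demo
fi
```

Each hostname gets its own secret pair and its own service, so adding a third domain is one more call rather than a change to the interlock service itself, which matches what mbentley said about the labels living on the routed services.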