
Marathon - SSL and Basic Access Authentication

I'm following the SSL basic access authentication doc:

Step 3: Combine the key and certificate files into a PKCS12 format file, the format used by the Java keystore. If the certificate you received is not in the .pem format, see the Jetty SSL configuration docs to learn how to convert it.

  • Read key password from env variable MARATHON_KEY_PASSWORD
  • Set PKCS password to env variable MARATHON_PKCS_PASSWORD

     $ openssl pkcs12 -inkey marathon.key -passin "env:MARATHON_KEY_PASSWORD" -name marathon -in trusted.pem -password "env:MARATHON_PKCS_PASSWORD" -chain -CAfile "trustedCA.crt" -export -out marathon.pkcs12 

I have marathon.key from step 1. I have trusted.pem from step 2. But I don't have trustedCA.crt. Is this a cert from my server? I created a cert on my server and used it, but I get an error:

Error self signed certificate getting chain.

If you don't have a signed chain (self-signed doesn't count) there is no point in using this option. Use the code below to generate a self-signed cert and use it with Marathon.

I generate self-signed certs as follows, without a chain.

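# Directory that will hold the keystore
mkdir -p /etc/marathon/ssl
cd /etc/marathon/ssl
# Keystore password (jks_pass is an example value)
export MARATHON_SSL_KEYSTORE_PASSWORD=jks_pass
# Generate a self-signed RSA key pair in a new keystore; keytool prompts for the certificate's name fields
keytool -keystore marathon.jks -deststorepass "$MARATHON_SSL_KEYSTORE_PASSWORD" -alias marathon -genkey -keyalg RSA
# Point Marathon at the keystore (this overwrites /etc/default/marathon)
cat << EOF > /etc/default/marathon
MARATHON_SSL_KEYSTORE_PATH=/etc/marathon/ssl/marathon.jks
MARATHON_SSL_KEYSTORE_PASSWORD=$MARATHON_SSL_KEYSTORE_PASSWORD
EOF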

Related to marathon#4783
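
The choice described in the answer, as an added example that is not part of the original posts: a POSIX shell helper that checks whether the certificate is self-signed and, if so, exports the PKCS12 file without `-chain`/`-CAfile`; for a CA-issued certificate it requires the CA bundle. The function names `is_self_signed` and `export_pkcs12` are hypothetical; the password variables and `openssl pkcs12` options are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the Marathon docs): choose the right
# `openssl pkcs12 -export` form depending on whether a CA chain exists.
# Function names are hypothetical; passwords come from the exported
# MARATHON_KEY_PASSWORD / MARATHON_PKCS_PASSWORD variables, as in the doc step.

# Succeeds when subject and issuer are the same name, i.e. the certificate
# is self-signed and there is no CA chain for -chain to collect.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ]
}

# export_pkcs12 KEY CERT OUT [CAFILE]
export_pkcs12() {
    key=$1 cert=$2 out=$3 cafile=${4:-}
    if [ -z "${MARATHON_KEY_PASSWORD:-}" ] || [ -z "${MARATHON_PKCS_PASSWORD:-}" ]; then
        echo "export MARATHON_KEY_PASSWORD and MARATHON_PKCS_PASSWORD first" >&2
        return 2
    fi
    if is_self_signed "$cert"; then
        # Self-signed: nothing to chain, so omit -chain and -CAfile.
        # umask 077 in a subshell keeps the key-bearing file owner-only.
        ( umask 077; openssl pkcs12 -export -inkey "$key" \
            -passin env:MARATHON_KEY_PASSWORD -name marathon -in "$cert" \
            -password env:MARATHON_PKCS_PASSWORD -out "$out" )
    elif [ -n "$cafile" ] && [ -r "$cafile" ]; then
        # CA-issued: bundle the issuing chain found in the CA file.
        ( umask 077; openssl pkcs12 -export -inkey "$key" \
            -passin env:MARATHON_KEY_PASSWORD -name marathon -in "$cert" \
            -password env:MARATHON_PKCS_PASSWORD \
            -chain -CAfile "$cafile" -out "$out" )
    else
        echo "$cert is CA-issued: pass the CA bundle as the 4th argument" >&2
        return 2
    fi
}

# Run directly: sh script.sh marathon.key trusted.pem marathon.pkcs12 [trustedCA.crt]
if [ "$#" -ge 3 ]; then
    export_pkcs12 "$@"
fi
```
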
