I have an app that’s already running on Fly with a certificate that is managed by Fly.
I would like to add an existing self-signed certificate to the same app (but on another subdomain).
I have existing clients in the wild that have pinned that exact certificate and will not connect using any other cert.
Can I solve this directly in Fly config or do I need to set up a proxy app myself?
It is bit of an involved setup.
You’ll have to terminate your own TLS (your’e not doing is called mTLS, yeah?), as Fly doesn’t yet support Bring-Your-Own-Certs.
The app config would look something like this:
# svc on public-ip:3443 forwarding tcp reqs to your-app:10443
[[services]]
internal_port = 10443 # or, where ever the app's listenting for tcp mtls reqs
protocol = "tcp"
[services.concurrency] # set as approp
hard_limit = 96
soft_limit = 84
type = "connections"
[[services.ports]]
# use proxy_proto iff info such as client-ip, server-name-id etc is required
# handlers = ["proxy_proto"]
# use either v1 (the default) or v2
# proxy_proto_options = { version = "v2" }
port = "3443" # public port, exposed to clients
You can distribute your TLS (key, cert) pair(s) to the VMs running your Fly app via flyctl secrets, ref this discussion How are you managing cert files with Fly?
Then, use the language / library / framework / reverse-proxy of your choice to do TLS termination using (key, cert) pair(s) from secrets. In golang, it is particularly straight-forward to terminate TLS (as it is in HAProxy, Nginx, Node, Deno et al): ref.