Using own SSL certificates for endpoints

I am new to Fly. I have deployed apps on Fly and used its built-in SSL certificate mechanism. But Fly does not allow us to download the private key and certificate. For a new project I have to deploy apps that use SSL provided by the customer. How do I do it while using fly deploy? There have been similar questions in the past, but the answers are either outdated or not descriptive enough.

Progress I have made: included an nginx.conf, updated the Dockerfile to set up nginx, and modified the fly.toml to handle TLS.

Now how do I add the certificates to my deploy config? Some comments suggested using fly secrets, but the secrets are not available until the app is deployed. Can someone please help?

I have seen this - Customer provided SSL cert - but as I've not done this before, I could understand the concept but am stuck on how to modify my setup.


You seem to be almost there. If you are using nginx, then yes, you simply need to set the paths to the certificate and key.

You could include them as part of your image. So your Dockerfile would need to include them (copying them to where the nginx conf expects them to be and making sure they have the correct permissions). Your .dockerignore file would of course need to not exclude them, which by default it may be doing.

(You could use secrets instead, in your app’s code, since secrets can be staged prior to deployment. You would set the secret and then not deploy - if asked - and then they would be ready for the next deploy. Using files is perhaps simpler though)

So at this point your nginx is ready to terminate the TLS however Fly won’t know you want to handle it. Most people let its proxy handle that. You can tell it you don’t want it to handle TLS by removing the “tls” from the handlers in the fly.toml.

That should mean the TCP goes directly to your app, letting it handle the SSL certificate.

Not sure if you would need to allocate a dedicated IPv4 to the app for that to work. In theory no, since it's still HTTP and so Fly still has a domain to work with. Worth a try using a shared IPv4 (the default), and if it doesn't work, that may be why.

Thank you, Greg. I'm going to try storing the files in cloud storage. I may end up using the secrets to auth keys for cloud access. I will write back here if I get it to work.

This works, although the trick is in setting up two apps: one nginx, which will reverse proxy for the other one.

