Reputation: 16882
Cloudflare recently released origin certs. I can generate one for my domain but am not able to upload it to App Engine. After getting the cert and key from Cloudflare, I have to run openssl rsa -in old -out new on the key to convert it to an RSA key. Using this key and the cert, App Engine shows the following error:
The SSL certificate provided could not be inserted.
With no additional information it's difficult to know what's going on here.
Upvotes: 3
Views: 1911
Reputation: 81
For anyone reading this, a small issue you might face is that CloudFlare will generate private keys for Origin CA certificates with a -----BEGIN PRIVATE KEY----- line and this fails AppEngine's validation and that might imply some kind of conversion is necessary.
To get past this, change it to -----BEGIN RSA PRIVATE KEY----- instead. The same applies for the end comment.
Upvotes: 7
Reputation: 198
05/DEC/2019 UPDATE: App Engine now supports Cloudflare Origin CA certificates.
One must convert the private key to RSA format:
$ openssl rsa -in {key-name}.key -out {key-name-rsa}.key
and enable Cloudflare proxying (make sure cloud icon is orange in DNS settings).
Same here, seems like CloudFlare Origin certificates are not publicly trusted, this may be the issue.
CF support encourages contacting Google.
Update:
Bundling, i.e. "appending the appropriate root to your certificate and re-uploading" (Patrick) CloudFlare CA root Cert and Public certificates together does not help.
Same error message from Google App Engine: "The SSL certificate provided could not be inserted."
Upvotes: 1
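The key conversion discussed in this thread, as an added example (not code from any of the posts, from Cloudflare or from Google): a BEGIN PRIVATE KEY file is a PKCS#8 container whose OCTET STRING field holds the same PKCS#1 RSAPrivateKey structure that a BEGIN RSA PRIVATE KEY file stores directly, and the sketch below performs that unwrapping by reading the DER structure rather than trusting the PEM label. The function names and the toy key are constructed for illustration.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def tlv(tag, value):
    """Encode one DER element (short-form length only; enough for the toy key)."""
    return bytes([tag, len(value)]) + value

def read_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"]) + "\n"

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.+?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def to_pkcs1(pem):
    """Return (format_found, PKCS#1 PEM), judged by DER structure, not the label."""
    _, der = pem_decode(pem)
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, pos = read_tlv(body)              # version INTEGER, present in both formats
    kind, field, pos = read_tlv(body, pos)  # PKCS#1: modulus; PKCS#8: AlgorithmIdentifier
    if kind == 0x02:
        return "PKCS#1", pem_encode("RSA PRIVATE KEY", der)
    if kind != 0x30 or read_tlv(field)[1] != RSA_OID:
        raise ValueError("not an RSA private key")
    octet_tag, inner, _ = read_tlv(body, pos)  # OCTET STRING wrapping RSAPrivateKey
    if octet_tag != 0x04:
        raise ValueError("missing privateKey OCTET STRING")
    return "PKCS#8", pem_encode("RSA PRIVATE KEY", inner)

# Constructed toy key (p=61, q=53; far too small for real use), built inline for the demo.
TOY_INTS = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]
TOY_PKCS1 = tlv(0x30, b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in TOY_INTS))
TOY_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, TOY_PKCS1))
```

On OpenSSL 3.x, openssl rsa writes PKCS#8 output unless -traditional is given, so check the first line of the converted file before uploading it.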
Reputation: 367
At the present time, Google App Engine only allows the uploading of certificates that are either self-signed or are signed by a publicly trusted certificate authority (CA).
CloudFlare's CA for origin certificates is not publicly trusted, so Google App Engine currently returns an error when an Origin CA certificate is uploaded: "The SSL certificate provided could not be inserted."
We've reached out to Google regarding this policy decision and will update this article if the behavior changes.
Upvotes: 3
Reputation: 1474
CloudFlare PM here for Origin CA. A few comments/questions:
Upvotes: 2