pbinggeser

Reputation: 35

Google App Engine SSL with Let's Encrypt "could not be inserted"

Trying to "Add a new SSL certificate" (generated with Let's Encrypt via Google App Engine's console) using App Engine's Settings tab results in a dialog error and a 400 response to the POST request.

Error: "The SSL certificate provided could not be inserted."

A previously generated (about 2 months ago - not yet expired, of course) SSL key/certificate produced via the exact same method is inserted just fine - but any newly generated one is not. I attempted both traditional Let's Encrypt and the relatively new Certbot method. I also tried multiple subdomains, naked domains and single domains, and each results in the same error.

I've seen several people specify that --rsa-key-size 2048 solved the same issue, but I've tried specifying that as well (even though it is the default for Certbot as is). Other answers have been "waited 2 hours and now it's working" - I'm looking for a real solution, as unreliable inserts and expired certs can become a real pain.

Upvotes: 3

Views: 1781

Answers (4)

David Valdivieso

Reputation: 483

I generated the wildcard certificate for my domain using Certbot. The important part here is the --key-type argument; otherwise GAE will reject the certificate:

sudo certbot certonly --manual --preferred-challenges=dns --key-type rsa

This command generated 4 files. The ones that I used are the fullchain.pem and the privkey.pem. For the privkey I also changed the header and footer from this:

-----BEGIN PRIVATE KEY-----
           <key>
-----END PRIVATE KEY-----

to this:

-----BEGIN RSA PRIVATE KEY-----
           <key>
-----END RSA PRIVATE KEY-----

And for some reason the input for importing the private key did not work properly. I had to copy/paste directly.

Upvotes: 0

Aaron Lifshin

Reputation: 225

I had this problem. I had generated the certificates in the Google Cloud Shell.

I was first trying to use the fullchain.pem, but this did not work. What worked was:

/etc/letsencrypt/live/mydomain.com/cert.pem

I issued sudo less /etc/letsencrypt/live/whysaurus.com/cert.pem in the Google Cloud Shell, uploaded that as the pem 509 cert in App Engine, and then it was accepted.

Upvotes: 0

Dan Cornilescu

Reputation: 39824

I ran into similar problems as well a few weeks ago when trying to upload my new certificate using the same recipe I successfully used before.

What worked for me in the end was:

  • copy-pasting the entire content of the certificate file into the box marked Or paste the public key certificate in the box below:

and,

  • copy-pasting just the full key at the end of my private key .pem file into the box marked Or paste the RSA private key in the box below: (though I don't exactly recall whether I included the leading -----BEGIN RSA PRIVATE KEY----- and trailing -----END RSA PRIVATE KEY----- lines or not).

I (kinda blindly) made several attempts for each of the 2 copy-paste operations with whatever crossed my mind - the success/failure feedback is immediate.

Side note - you may want to also double-check your certificate. In my case the 1st certificate file I managed to upload successfully was an incomplete one (missing intermediate entities), which appeared to be working fine from my desktop but was failing when browsing from Android, so I had to re-generate another one. I used DigiCert to confirm the problem and verify the 2nd certificate (following suggestions from an SO answer, of course ;)

Upvotes: 1

intotecho

Reputation: 5684

If you use certbot with Apache it defaults to 4096, so force the key length to 2048:

certbot-auto --rsa-key-size 2048

From the docs: https://certbot.eff.org/docs/using.html

This creates PEM certificates in /etc/letsencrypt/live/example.net

Convert to RSA (change the path in the command to your site):

sudo openssl rsa -inform pem -in /etc/letsencrypt/live/example.net/privkey.pem -outform pem > rsaprivatekey.pem

The above command is from this blog post: http://blog.seafuj.com/lets-encrypt-on-google-app-engine. It also explains how to set up your webapp2 webserver.

Go to App Engine > Settings > SSL Certificates

Upload fullchain.pem
Upload rsaprivatekey.pem

The file upload button works fine - no need to paste unless it's more secure.

Upvotes: 4
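The header rewrite in David Valdivieso's answer and the openssl rsa command in this answer do the same job: they take the PKCS#8 "PRIVATE KEY" container that certbot writes and expose the inner PKCS#1 "RSA PRIVATE KEY" structure that App Engine accepts. The following is an added example, not code from the question, any answer or any project: a minimal DER walker in standard-library Python that performs that unwrapping, reports the modulus size (the 2048 vs 4096 point above), and builds a constructed sample key (SAMPLE_PKCS8, placeholder integers, not a real key pair); all function names are my own.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
def der_read(buf, pos=0):  # read one DER TLV at pos -> (tag, value, end); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n
def der_children(seq_body):  # split a SEQUENCE body into a list of (tag, value)
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = der_read(seq_body, pos)
        out.append((tag, val))
    return out
def der_write(tag, val):  # encode one DER TLV; used only to build the constructed sample key
    if len(val) < 0x80:
        return bytes([tag, len(val)]) + val
    lb = len(val).to_bytes((len(val).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + val
def der_int(v):  # DER INTEGER, with a leading 0x00 when the top bit is set
    return der_write(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def pem_split(pem):  # (label, DER bytes) of the first PEM block in the text
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))
def rsa_private_key_der(pem):  # (container, RSAPrivateKey DER): unwrap PKCS#8, pass PKCS#1 through
    label, der = pem_split(pem)
    if label == "RSA PRIVATE KEY":
        return "PKCS#1", der
    if label != "PRIVATE KEY":
        raise ValueError("unsupported PEM label: " + label)
    fields = der_children(der_read(der)[1])  # version, AlgorithmIdentifier, OCTET STRING privateKey
    if der_children(fields[1][1])[0][1] != RSA_OID:
        raise ValueError("PKCS#8 key is not rsaEncryption")
    return "PKCS#8", fields[2][1]
def modulus_bits(pem):  # RSA key size = bit length of the modulus (2nd field of RSAPrivateKey)
    fields = der_children(der_read(rsa_private_key_der(pem)[1])[1])
    return int.from_bytes(fields[1][1], "big").bit_length()
def to_pkcs1_pem(pem):  # rewrap a PKCS#8 RSA key as PKCS#1, as `openssl rsa -in privkey.pem` does
    container, der = rsa_private_key_der(pem)
    if container == "PKCS#1":
        return pem
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n"
# Constructed sample: structurally valid PKCS#8 with a 2048-bit modulus; the integers are placeholders, not a real key.
_rsa = der_write(0x30, der_int(0) + der_int((1 << 2047) | 1) + der_int(65537) + der_int(1) * 6)
_p8 = der_write(0x30, der_int(0) + der_write(0x30, der_write(0x06, RSA_OID) + b"\x05\x00") + der_write(0x04, _rsa))
SAMPLE_PKCS8 = f"-----BEGIN PRIVATE KEY-----\n{base64.b64encode(_p8).decode()}\n-----END PRIVATE KEY-----\n"
```

Only unencrypted keys are handled, which is what certbot writes; an "ENCRYPTED PRIVATE KEY" block fails the label check rather than being silently mis-converted.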
