ernesto

Reputation: 135

Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

I'm trying to install SSL certificates created using the ZeroSSL.com page for Let's Encrypt into the Google Cloud Platform. I followed the FREE SSL Certificate Wizard to do so. The ZeroSSL page generates four files in the process:

  • domain-crt.txt
  • domain-key.txt
  • account-key.txt
  • domain-csr.txt

The Google Cloud Platform asks for two files:

  • PEM encoded X.509 public key certificate
  • Unencrypted PEM encoded RSA private key

I've tried all the combinations and followed all the suggestions I could find on the web, but I had no success.

Upvotes: 5

Views: 2316

Answers (2)

GAEfan

Reputation: 11360

You can do this from the command line for free:

Install Certbot client:

$ sudo brew install wget
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help

Then, to generate cert:

$ cd certbot    # if not already there
$ sudo ./certbot-auto certonly --debug -a manual -d www.yoursite.com -d yoursite.com    # the second -d is only needed if you want the naked domain too

You should get to a screen telling you the challenge URL and the response needed to verify the domain. Add each and deploy. Leave each URL working (they will be needed for renewing). If you do both naked and www, you will need to do the challenge URLs twice, once for each subdomain. Finally, you should get this message:

  • Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.yoursite.com/fullchain.pem. Your cert will expire on 2016-xx-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew all of your certificates, run "certbot-auto renew"

Change directory to where pem files are placed:

$ cd /private/etc/letsencrypt/live/www.yoursite.com

Create the unencrypted key (this is the one you upload to GAE; if that fails, use the original privkey.pem):

$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem

Go to: https://console.cloud.google.com/appengine/settings/certificates?project=yoursite and click on "Upload a new SSL certificate".

Open these PEM files in a text editor and copy/paste the contents into the fields (fullchain.pem is the public key certificate; unencrypted_key.pem is the unencrypted private key).

NOTE: Make sure you delete any trailing spaces or line feeds!

That should do it.

Debugging:

If, when you paste the certs into the GAE Settings page, you get an "invalid" error:

  • Make sure you delete any trailing line feeds or spaces!

  • If it still won't accept your PEM files, replace the contents of unencrypted_key.pem with the contents of the original privkey.pem.

If you get a Homebrew error:

$ cd /usr/local/Library
$ sudo git pull origin master

If you get an augeas error:

$ brew install augeas

If you get "Warning: augeas-1.4.0 already installed, it's just not linked":

$ sudo brew link augeas

If you get ExecutableNotFound:

$ brew install dialog

If you get "Warning: dialog-1.2-20150920 already installed, it's just not linked":

$ sudo brew link dialog

Renewing:

$ cd certbot
$ ./certbot-auto certonly --debug --force-renew -a manual -d www.yoursite.com -d yoursite.com

(You may get an "unable to reach..." error, but the certs are still created.) Change directory to where the PEM files are placed:

$ cd /private/etc/letsencrypt/live/www.yoursite.com

Create the unencrypted key (this is the one you upload to GAE; if that fails, use the original privkey.pem):

$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem

fullchain.pem is the public key certificate.
unencrypted_key.pem is the unencrypted private key.

Go to GAE Settings and install as outlined above.

Upvotes: 2

ernesto

Reputation: 135

I asked the ZeroSSL people about this, and Alexander answered me with the solution.

The SSL Certificate Wizard generates a longer, more secure 4096-bit key by default, but Google only accepts 2048-bit keys. So you should generate the new CSR separately first by using the CSR Generator at https://zerossl.com/free-ssl/#csr and making sure you select 2048 bits. Then download the produced key and CSR (please note that this is the domain key, not the LE key), and then use the same LE key you used originally and this new CSR with the SSL Certificate Wizard. At the last Wizard step, you might need to split the domain-crt.txt file in two. The first part, between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, goes into the "Public key certificate" field. Finally, the contents of domain-key.txt should be pasted into the "Private key" field.

Upvotes: 5
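Both answers above come down to the same preparation work: rewrite the private key as an unencrypted "RSA PRIVATE KEY" PEM, make sure it is 2048 bits, paste only the leaf certificate, and strip trailing whitespace. The script below is an added example and is not code from either answer or from ZeroSSL; it checks each of those points with the openssl CLI before anything is pasted into the console. It assumes openssl is on PATH; the temporary work directory and the self-signed sample key/certificate it generates are constructed stand-ins for /etc/letsencrypt/live/<domain>/privkey.pem and fullchain.pem (or ZeroSSL's domain-key.txt and domain-crt.txt).

```shell
#!/bin/sh
# Added example (not from either answer): prepare a Let's Encrypt key and
# certificate for the App Engine upload form and sanity-check them first.
# Assumes the openssl CLI is on PATH. File names and the work directory are
# assumptions for illustration only.
set -eu

# Print the RSA modulus length in bits of a PEM private key (e.g. 2048).
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p'
}

# Return 0 only for the key size the ZeroSSL answer says Google accepts.
key_is_2048() {
  [ "$(key_bits "$1")" -eq 2048 ]
}

# Rewrite a private key (certbot writes PKCS#8 "BEGIN PRIVATE KEY") as an
# unencrypted PKCS#1 "BEGIN RSA PRIVATE KEY" file. OpenSSL 3 needs
# -traditional to emit that header; older releases reject the flag, so fall
# back to the plain command, which already writes PKCS#1 there.
# umask 077 keeps the unencrypted key readable by the current user only.
to_rsa_key() {
  ( umask 077
    openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
      || openssl rsa -in "$1" -out "$2" 2>/dev/null )
}

# Print only the first (leaf) certificate of a chain file, which is the part
# the ZeroSSL answer says goes into the "Public key certificate" field.
leaf_cert() {
  openssl x509 -in "$1"
}

# Return 0 if the certificate's public key and the private key share the same
# modulus, i.e. the two files being pasted really belong together.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Print a PEM file with trailing spaces removed from every line and without
# a final newline (the form rejects trailing whitespace). Command
# substitution drops the trailing newlines for us.
strip_trailing() {
  printf '%s' "$(sed 's/[[:space:]]*$//' "$1")"
}

# Constructed sample input: a throwaway 2048-bit key and self-signed cert
# standing in for privkey.pem / fullchain.pem.
demo() {
  work=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=www.example.com \
    -keyout "$work/privkey.pem" -out "$work/fullchain.pem" 2>/dev/null
  to_rsa_key "$work/privkey.pem" "$work/unencrypted_key.pem"
  key_is_2048 "$work/unencrypted_key.pem"
  cert_matches_key "$work/fullchain.pem" "$work/unencrypted_key.pem"
  echo "key: $(head -1 "$work/unencrypted_key.pem"), $(key_bits "$work/unencrypted_key.pem") bits"
  echo "cert: $(leaf_cert "$work/fullchain.pem" | head -1)"
  rm -rf "$work"
}

demo
```

Run the checks against the real files before opening the console: `to_rsa_key` and `strip_trailing` produce what gets pasted, `key_is_2048` catches the 4096-bit default that the ZeroSSL answer describes, and `cert_matches_key` catches the most common reason for an "invalid" error that whitespace trimming does not fix, a certificate pasted next to the wrong key.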
