Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

Question

I'm trying to install ssl certificates created using the ZeroSSL.com page for Let's Encrypt, into the Google Cloud Platform. I followed the FREE SSL Certificate Wizard to do so. The ZeroSSL page generates four files in the process: domain-crt.txt domain-key.txt account-key.txt domain-csr.txt

The google Cloud Platform asks for two files: PEM encoded X.509 public key certificate Unencrypted PEM encoded RSA private key

I've made all the combinations, and followed all suggestion I could find in the web, but I had no success.

score 5 · Answer 1 · answered Sep 22 '16 at 19:48

I asked this to the zeroSSL people, and Alexander answers me with the solution.

SSL Certificate Wizard generates a longer more secure 4096 bits key by default, but Google only accepts 2048 bits key. So you should generate the new CSR separately first by using CSR Generator at https://zerossl.com/free-ssl/#csr and making sure you select 2048 bits. Then download the produced key and CSR (please note that this is the domain key, not the LE key) and then use the same LE key as you used originally and this new CSR with the SSL Certificate Wizard. At the last Wizard step, you might need to split the domain-crt.txt file in two. The first part between ---BEGIN CERTIFICATE----- and ---END CERTIFICATE----- will go into "Public key certificate" field. Finally, the content of domain-key.txt should be pasted into "Private key" field.

I m not clear can you please give this step by step. I got csr and after that I m not clear what you mentioned — Thusila Bandara, Jan 15 '19 at 05:15

GAEfan · Answer 2 · 2016-09-22T20:50:24.970

You can do this from the command line for free:

Install Certbot client:

$ sudo brew install wget
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x ./certbot-auto
$ ./certbot-auto --help

Then, to generate cert:

$ cd certbot (if not already there)
$ sudo ./certbot-auto certonly --debug -a manual -d www.yoursite.com -d yoursite.com (<--if you want naked too.)

You should get to a screen telling you the challenge url and response needed to verify domain. Add each & deploy. Leave each url working. (They will be needed for renewing.) If you do both naked and www, you will need to do the challenge urls twice, once for each subdomain. Finally, you should get this message:

Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.yoursite.com/fullchain.pem. Your cert will expire on 2016-xx-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew all of your certificates, run "certbot-auto renew"

Change directory to where pem files are placed:

$ cd /private/etc/letsencrypt/live/www.yoursite.com

Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):

$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem

Go to: https://console.cloud.google.com/appengine/settings/certificates?project=yoursite. Click on Upload a new SSL certificate

Open these PEM files in a text editor, and copy/paste the contents in the fields. (fullchain.pem is the public key. unencrypted_key.pem is the unencrypted private key.)

NOTE: Make sure you delete any trailing spaces or line feeds!

That should do it.

Debugging:

If, when you paste the certs into the GAE Settings page, you get an invalid error:

Make sure you delete any trailing line feeds or spaces!
If it still won't accept your PEM files, replace the code from unencrypted_key.pem with the code from the original privkey.pem

If you get homebrew error:

$ cd /usr/local/Library
$ sudo git pull origin master

if get augeas error:

$ brew install augeas

if get Warning: augeas-1.4.0 already installed, it's just not linked

$ sudo brew link augeas

if ExecutableNotFound:

$ brew install dialog

if get Warning: dialog-1.2-20150920 already installed, it's just not linked

$ sudo brew link dialog

Renewing:

$ cd certbot
$ ./certbot-auto certonly --debug --force-renew -a manual -d www.yoursite.com -d yoursite.com

( You may get an "unable to reach..." error, but the certs still created.) Change directory to where pem files are placed:

$ cd /private/etc/letsencrypt/live/www.yoursite.com

Create unencrypted key (this is the one you upload to GAE. If fails, use the original privkey.pem):

$ sudo openssl rsa -in privkey.pem -out unencrypted_key.pem

fullchain.pem is the public key.
unencrypted_key.pem is the unencrypted private key

Go to GAE Settings and install as outlined above.

Creating SSL Certs For google app engine Using ZeroSSL And Let's Encrypt

2 Answers2

Debugging:

Renewing: