unable to set up for Google App Engine #1480

Closed
arkarkark opened this Issue Nov 12, 2015 · 12 comments

@arkarkark

I'm trying to generate an SSL cert to add to Google App Engine. I'll admit to not having a clue about what I'm doing.

I'm following instructions from here which send me to this console

when I run ./letsencrypt-auto certonly and enter wtwf.com for the domain I get back

Failed authorization procedure. wtwf.com (tls-sni-01): connection :: The server could not connect to the client for DV :: Failed to connect to host for DVSNI challenge

From what I gather from letsencrypt/acme-spec#19 it's trying to connect on port 443 to verify the domain (but I doubt that'll work until I have it set up, catch-22?)

I also tried ./letsencrypt-auto -d wtwf.com certonly and even added in a -d www.wtwf.com too

Running ./letsencrypt-auto certonly and typing www.wtwf.com gets me an Error creating new authz

I'm running all this on an El Capitan Mac; I've run ./bootstrap/mac.sh

in /etc/letsencrypt I have lots of .pem files under csr/ and keys/

dgrilli commented Nov 15, 2015

I think the only way you can obtain a certificate for the app engine is with the manual plugin in this way:

./letsencrypt-auto -t -a manual -d yourdomain.com auth

It will use the "file" challenge, so it will show you a text string to put in a file.
Before pressing Enter you have to create this file and upload it to your App Engine app, and you have to be sure that App Engine knows this is a static file with the text/plain MIME type.

An easy way could be to add this to your app.yaml file:

- url: /.well-known/acme-challenge/(.+)
  static_files: /.well-known/acme-challenge/\1
  mime_type: text/plain
  upload: /.well-known/acme-challenge/.*
  application_readable: true

(The entry starts with a dash and a space in front of "url"; the editor stripped the dash from my original post.)

Then you can press Enter and letsencrypt should be able to check the challenge.
When it finishes you should have your certificate on your PC: on Linux it is in the /etc/letsencrypt/live/ folder. I am not sure where it is on Mac OS X.

Before you can upload it to the Google Cloud console you also need to convert the private key to RSA format. I did that with this command:

openssl rsa -in privkey.pem -out privkeyRSA.pem

Now you are ready to upload the cert and private key and enable HTTPS in your App Engine app.

I am not sure about renewal: I have not tried it yet.
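A pre-upload check for the key-conversion step above, added here as an example (it is not code from this thread or from the letsencrypt client): it reads the PEM header to tell a traditional PKCS#1 "RSA PRIVATE KEY" file, which the App Engine form labelled "Unencrypted PEM encoded RSA private key" takes as-is, from the PKCS#8 "PRIVATE KEY" container that needs the openssl rsa conversion, and flags passphrase-protected or non-RSA keys. The PEM bodies used in testing are constructed placeholders, not real keys.

```python
import re

# One PEM block: the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def classify_private_key(pem_text: str) -> dict:
    """Say what kind of private-key file this is and whether App Engine's
    "Unencrypted PEM encoded RSA private key" field will take it unchanged."""
    m = PEM_BLOCK.search(pem_text)
    if not m:
        return {"label": None, "upload_as_is": False,
                "advice": "no PEM block found (is this really the key file?)"}
    label, body = m.group(1), m.group(2)
    if label == "RSA PRIVATE KEY":
        if "Proc-Type: 4,ENCRYPTED" in body:  # legacy OpenSSL passphrase protection
            return {"label": label, "upload_as_is": False,
                    "advice": "PKCS#1 key is passphrase-protected; strip it: "
                              "openssl rsa -in key.pem -out key-plain.pem"}
        return {"label": label, "upload_as_is": True,
                "advice": "traditional PKCS#1 RSA key, upload as-is"}
    if label == "PRIVATE KEY":
        return {"label": label, "upload_as_is": False,
                "advice": "PKCS#8 container (what the client writes to privkey.pem); "
                          "convert: openssl rsa -in privkey.pem -out privkeyRSA.pem"}
    if label == "ENCRYPTED PRIVATE KEY":
        return {"label": label, "upload_as_is": False,
                "advice": "encrypted PKCS#8 container; decrypt and convert: "
                          "openssl rsa -in key.pem -out key-plain.pem"}
    return {"label": label, "upload_as_is": False,
            "advice": "not an RSA private key (%s); the form expects an RSA key" % label}
```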

dgrilli commented Nov 15, 2015

Ah, I forgot:

When you upload the certificate in the Google Cloud console you have to import fullchain.pem.

SebastianBoyd commented Nov 19, 2015

It would be nice if this could be somehow integrated into the App Engine console, but Google would have to do that.

@pde pde added this to the Wishlist milestone Nov 19, 2015

pde (Member) commented Nov 19, 2015

Really it should be Google that does this work, but in the meantime the most realistic option is a whole separate ACME client that's designed to pass HTTP-01 challenges on App Engine for you.

pde (Member) commented Nov 19, 2015

Though maybe it could actually make sense to make this an authenticator and installer plugin for the Python client...

ping commented Nov 20, 2015

I was able to generate and install the LE cert for GAE via the manual plugin (OS X Mavericks).

  1. Generate private key and csr

    $ openssl req -newkey rsa:2048 -keyout example.com.private.key -nodes -sha512 -subj "/CN=example.com" -reqexts SAN -out example.com.csr.der -outform der -config <(cat /System/Library/OpenSSL/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
    
  2. Two files should be generated: example.com.private.key and example.com.csr.der

  3. Run ./letsencrypt-auto

    ./letsencrypt-auto certonly -a manual --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview --csr example.com.csr.der
    
  4. Depending on your app, you will need to make changes to generate the verification text response as prompted. If you're generating the cert for both www. and the naked domain, you will be challenged twice with 2 different texts.

  5. When the certificate and chain files are successfully generated, go to https://console.developers.google.com/project/_/appengine/settings/certificates and choose "Upload a new certificate".

  6. For "Unencrypted PEM encoded RSA private key", upload example.com.private.key
    For "PEM encoded X.509 public key certificate", upload 0001_chain.pem

  7. Proceed as the app engine console instructs. If all goes well, you will be given the choice to enable the uploaded SSL cert for your domain.

jscissr commented Dec 4, 2015

The App Engine issue is here: https://code.google.com/p/googleappengine/issues/detail?id=12535. It looks like Google will work on it 😄 👍

duanev commented Dec 22, 2015

I'm just serving simple static pages in Google Cloud with no launched "app" or software packages but setting up the app.yaml was a royal PITA. With the help from above (thanks dgrilli!), here's what I finally got to work. (ps. I'm on Arch Linux and there is a package for letsencrypt so pacman -S letsencrypt installs the tools and letsencrypt-auto is not needed)

  1. (you must be root) # letsencrypt certonly --manual -d <your_domain>
  2. Accept "log my IP"
  3. A challenge URL and text will be printed. Open a different terminal and leave this one waiting. Add a file in your Google Cloud project's root directory (where the app.yaml file is found) like acme.txt and place the challenge text inside followed by a newline.
  4. Add an entry in your app.yaml at the top of handlers: like the one described below.
  5. (assuming you have done gcloud auth login) git add app.yaml acme.txt; git commit -m cert; git push -u origin master
  6. cd ..; gcloud preview app deploy default/app.yaml
  7. Test the challenge URL in a browser; the challenge text should appear in the main browser window.
  8. Press Enter in the terminal running the letsencrypt command; it should complete and generate the fullchain.pem file.
  9. Change a terminal's current directory to a place where your browser can upload files and run # openssl rsa -in /etc/letsencrypt/keys/XXXX_key-letsencrypt.pem -out privkey-rsa.pem where XXXX is the latest version. (pacman -S openssl will install this tool)
  10. Copy /etc/letsencrypt/live/<your_domain>/fullchain.pem to the current directory.
  11. Using the Google Cloud Console go to: Menu -> App Engine -> Settings -> SSL Certificates -> Upload, and fill in the form, uploading the two files you just moved to the above directory.
  12. Delete the .pem files in the current directory to mitigate unexpected propagation ...

(and here is the app.yaml insert - markdown won't let me inline this)

 - url: /.well-known/acme-challenge/IdJh2tPenuHk5NUns2uaS9AXooLuTl_fHzSbxxxXXXxx
   static_files: acme.txt
   mime_type: text/plain
   upload: acme.txt

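The HTTP-01 exchange that dgrilli's file challenge and duanev's steps 3 and 7 rely on, as an added example that is not code from this thread or from the letsencrypt client: it builds the key authorization the CA expects to read back from the challenge URL (the token, a dot, and the RFC 7638 thumbprint of the ACME account key), writes the file under a static directory of the kind a static_dir handler on /.well-known/acme-challenge serves, and judges a fetched response the way the CA does, so you can catch a wrong body or a missing handler before pressing Enter. The account JWK and the responses in the test are constructed placeholders, not a real key or real server output.

```python
import base64
import hashlib
import json
import os
import re

# ACME tokens are base64url, so a real token never contains "/" or "..": anything else is not a file name.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME/JOSE use for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What the challenge file must contain: <token>.<thumbprint of the account public key>."""
    return token + "." + jwk_thumbprint(account_jwk)


def write_challenge_file(static_dir: str, token: str, keyauth: str) -> str:
    """Create <static_dir>/<token> for a static_dir handler mapped to /.well-known/acme-challenge."""
    if not TOKEN_RE.match(token):  # refuse path traversal through a forged token
        raise ValueError("token is not a safe file name: %r" % token)
    os.makedirs(static_dir, exist_ok=True)
    path = os.path.join(static_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth + "\n")  # a trailing newline is fine; the CA ignores trailing whitespace
    return path


def check_challenge_response(keyauth: str, status: int, content_type: str, body: str) -> list:
    """Judge a fetched challenge URL the way the CA does; an empty list means it should validate."""
    problems = []
    if status != 200:
        problems.append("HTTP status %d, not 200 (handler missing or listed after a catch-all?)" % status)
    if not content_type.lower().startswith("text/plain"):
        problems.append("content type %r; the thread recommends text/plain" % content_type)
    got = body.rstrip()
    if got != keyauth:
        if got == keyauth.split(".", 1)[0]:
            problems.append("body holds only the token; the '.<thumbprint>' suffix is missing")
        elif got.lstrip().startswith("<"):
            problems.append("body looks like an HTML page, not the challenge file")
        else:
            problems.append("body does not match the key authorization")
    return problems
```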
walkr commented Jan 31, 2016

@duanev Thank you! It worked for me. 👍🏽

GeekLad commented May 16, 2016

I was able to configure the app.yaml by just creating a static directory:

- url: /.well-known/acme-challenge
  static_dir: acme-challenge
  mime_type: text/plain

I just created files in a directory called acme-challenge, with the appropriate filenames and contents.

When I ran the letsencrypt command, I wanted to verify the root domain as well as the www subdomain. Using a static_dir made it easier to deal with the multiple files since I only needed to edit the app.yaml once.

bmw (Contributor) commented Jun 2, 2016

While not trivial, it appears that users have figured out how to use Certbot with Google App Engine, so I'm closing this issue. Post a comment yelling at me if you'd like me to reconsider.

arkarkark commented Nov 30, 2016

All the replies here really helped thanks. I ended up forking letsencrypt-nosudo and writing a teeny handler that would accept well known facts (password protected) and managed to automate almost all the process.

You can see the results here
https://github.com/arkarkark/letsencrypt-nosudo

When the cert signer needs well known facts to be served, it posts them to your app engine (no need to keep deploying for each hostname to serve from). Right now I'm putting the result in pbcopy so I can just paste it into the google cloud ssl cert page. Hopefully sometime there'll be an api (or gcloud command) for that or even just full gcloud/appengine integration.
