Let's Encrypt Certbot for use in Google Cloud Shell for Google App Engine.

By default Certbot is not usable in Google Cloud Shell because the machine resets after some time. This project works around that.
- Open up Google Cloud Shell in Google Cloud Console.
- Clone the project somewhere in your home directory:

  ```
  git clone git@github.com:LowieHuyghe/certbot-gae.git
  ```

- Move into the new directory:

  ```
  cd certbot-gae
  ```

- `certbot-auto-gae` and `fix-privkey-gae` should be executable by default. If not, run:

  ```
  chmod a+x certbot-auto-gae fix-privkey-gae
  ```

- Run `certbot-auto-gae` like you would run `certbot-auto`.

Note: The directory should be located in the home directory. The machine resets after some time, leaving only the home directory intact. We need the intact directory so your config and accounts are not lost.
1. Start requesting an SSL certificate:

   ```
   certbot-auto-gae certonly --manual
   ```

   Answer the initial questions, supply your domains and stop at the moment you have to serve the acme-challenges on the web server. Don't press Enter until it does so.

2. In another terminal, add the following handler to the `app.yaml` of your application:

   ```yaml
   - url: /\.well-known/acme-challenge/([\w\d_-]+)$
     static_files: public/.well-known/acme-challenge/\1
     upload: public/\.well-known/acme-challenge/([\w\d_-]+)$
     secure: optional
   ```

   This will make the acme-challenges accessible.

3. Add the acme-challenges provided by certbot to your application:

   ```
   printf "%s" acme-challenge-content > public/.well-known/acme-challenge/acme-challenge-file
   ```

4. Deploy the app to Google App Engine and make sure that the acme-challenge is reachable and correct.
5. Go back to the certbot waiting for your approval to check, and press Enter.
6. If everything went well, the new certificate will be located in `config/live/yourdomain.com`.
7. In Google App Engine, you can serve the `fullchain.pem` file as the public key certificate and the `privkey-rsa.pem` file as the RSA private key for your new SSL certificate. Detailed instructions on how to do this can be found in the Official Documentation.
8. Browse secure!

Note: Google App Engine expects an RSA private key instead of the default private key given by Let's Encrypt. The default key should be converted to an RSA key by `fix-privkey-gae` in `certbot-auto-gae`. If not, run `fix-privkey-gae` to convert the existing private keys.
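As an added helper for steps 3 and 4 (this is not part of certbot-gae or its README): it writes the challenge file to the path the handler from step 2 serves, refusing any token that handler's regex would not route, and then fetches the deployed URL to confirm the content matches what certbot asked for before you press Enter. `DOMAIN`, `TOKEN` and `CONTENT` are placeholders for the values certbot prints.

```shell
#!/bin/sh
# Added helper for steps 3 and 4 of the README; it is not part of certbot-gae.
# Assumes the step-2 app.yaml handler and the public/ layout used above.

# Accept only tokens the handler regex ([\w\d_-]+) would route, so a
# malformed token is caught before the app is deployed.
token_ok() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# place_challenge PUBLIC_DIR TOKEN CONTENT
# Writes the key authorization certbot printed to the path the handler serves.
place_challenge() {
  token_ok "$2" || { echo "refusing token '$2': handler would not match it" >&2; return 1; }
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # printf rather than echo: no trailing newline and no escape processing
  printf '%s' "$3" > "$dir/$2"
}

# verify_challenge URL EXPECTED
# Fetches the deployed challenge with a plain GET and compares it with what
# certbot asked for; run this before pressing Enter in the certbot terminal.
verify_challenge() {
  got=$(curl -fsS --max-time 10 "$1") || { echo "fetch failed: $1" >&2; return 1; }
  if [ "$got" != "$2" ]; then
    echo "content mismatch at $1" >&2
    return 1
  fi
}

# Usage with the values certbot prints (placeholders, substitute your own):
#   place_challenge public "$TOKEN" "$CONTENT"
#   (deploy the app)
#   verify_challenge "http://$DOMAIN/.well-known/acme-challenge/$TOKEN" "$CONTENT"
```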