Setup Let’s Encrypt SSL on Google Appengine

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

“Let’s Encrypt” is a really great initiative (and a tool) that, I hope, will improve security of the modern web. It have very nice client, that will do all work automatically (unfortunately it’s not yet supported by Google Appengine). It’s supposed to run on target server, where it can validate domain and configure your Apache/Nginx/etc. But in of Appengine we don’t have such server, so have to generate and upload SSL certificate manually. I’ll show you how.

First of all, we need to download and setup Let’s Encrypt client app. This app will require bunch of external dependencies also. As you probably will use a dev machine for this, it will be quite complicated (and it didn’t work on my Mac, actually). So I suggest to run it as a Docker app, that will be much simpler:

That will pull official client (see also Notice that you’ll get your result keys in ./ssl-keys dir. And -a manual certonly will run client in manual mode.

Or, if you decided to install Lets Encrypt client into your system, you can call it directly:

App will ask few standard questions, like your email and domain name. Use domain name already mapped and used by Appengine app, I mean if it’s with `www.` then enter with `www`.


And finally you’ll get a “challenge“:


Do not press ENTER for now. You need to setup your Appengine server to reply to this challenge. Basically it’s a “code” that your domain should answer with when Let’s Encrypt server for domain validation.

Now you have to configure your server play this game. For Java you could use following servlet:

and add to web.xml:

(for Python version you can use this:

Now deploy your app, and press “ENTER” in your letsencrypt app. That’s it. You got your keys in ./ssl-keys dir.

Now you have to upload certificate to Appengine itself (yes, manually too). You also need to convert private key to compatible format (replace with your actual domain):

Upload both cert.pem and privkey_fixed.pem at Appengine Setting page


… setup your domain:

You got it! Now open your app with using SSL. But don’t forget to renew certificate in 90 days.

Let’s Encrypt expects that this process going to be automated, including server challenge config, and deployment of final SSL certificate. I hope Google will improve this process, maybe they will integrate it into gcloud client. At least there are a Issue ticket for this


Igor Artamonov

Professional software developer since 2001, have been writing code since 1995. Data processing for Cloud, Ethereum & Blockchain