Set up Let’s Encrypt SSL on Google Appengine

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open.

“Let’s Encrypt” is a really great initiative (and a tool) that, I hope, will improve the security of the modern web. It has a very nice client that does all the work automatically (unfortunately it’s not yet supported by Google Appengine). It’s supposed to run on the target server, where it can validate the domain and configure your Apache/Nginx/etc. But in the case of Appengine we don’t have such a server, so we have to generate and upload the SSL certificate manually. I’ll show you how.

First of all, we need to download and set up the Let’s Encrypt client app. This app also requires a bunch of external dependencies. As you will probably use a dev machine for this, it can get quite complicated (and it didn’t work on my Mac, actually). So I suggest running it as a Docker app, which is much simpler:

That will pull the official client (see also https://quay.io/repository/letsencrypt/letsencrypt). Notice that you’ll get your resulting keys in the ./ssl-keys dir, and -a manual certonly will run the client in manual mode.

Or, if you decided to install the Let’s Encrypt client into your system, you can call it directly:

The app will ask a few standard questions, like your email and domain name. Use the domain name already mapped to and used by your Appengine app; I mean, if it’s with `www.` then enter it with `www`.

[Screenshot: client screen]

And finally you’ll get a “challenge“:

[Screenshot: client challenge]

Do not press ENTER for now. You need to set up your Appengine server to reply to this challenge. Basically it’s a “code” that your domain should answer with when the Let’s Encrypt server requests it for domain validation.

Now you have to configure your server to play this game. For Java you could use the following servlet:

and add to web.xml:

(for Python version you can use this: http://blog.seafuj.com/lets-encrypt-on-google-app-engine)
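As an added illustration (this is not the post’s own servlet, which is not reproduced here), a minimal Java servlet that answers the challenge only for tokens you have explicitly configured, assuming it is mapped in web.xml to the url-pattern `/.well-known/acme-challenge/*`; the token and response values are placeholders to be replaced with what the client shows you:

```java
// Added example, not the original post's code: answers the Let's Encrypt
// HTTP challenge on App Engine. Map it in web.xml with
//   <url-pattern>/.well-known/acme-challenge/*</url-pattern>
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AcmeChallengeServlet extends HttpServlet {
    // Challenge token -> expected response body, both copied from the
    // letsencrypt client prompt. Placeholder values; paste your own.
    private static final Map<String, String> CHALLENGES;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("CHALLENGECODE", "RESPONSECODE");
        CHALLENGES = Collections.unmodifiableMap(m);
    }

    // Tokens are URL-safe base64 characters only; reject anything else
    // before the map lookup so odd paths never reach the response.
    private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]{1,128}");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // With the mapping above, getPathInfo() is "/<token>".
        String path = req.getPathInfo();
        String token = (path == null || path.length() < 2) ? "" : path.substring(1);

        if (!TOKEN.matcher(token).matches() || !CHALLENGES.containsKey(token)) {
            // Unknown token: plain 404, and never echo the request back.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().print(CHALLENGES.get(token));
    }
}
```

Because the servlet only knows the tokens you put in the map, it can be left deployed between renewals without turning the challenge path into an open echo endpoint.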

Now deploy your app, and press “ENTER” in your letsencrypt app. That’s it. You’ve got your keys in the ./ssl-keys dir.

Now you have to upload the certificate to Appengine itself (yes, manually too). You also need to convert the private key to a compatible format (replace www.example.com with your actual domain):

Upload both cert.pem and privkey_fixed.pem on the Appengine Settings page https://console.developers.google.com/appengine/settings/certificates?project=&moduleId=default

[Screenshot: upload certificate]

… and set up your domain:

[Screenshot: domain setup]

You got it! Now open your app using SSL. But don’t forget to renew the certificate in 90 days.

Let’s Encrypt expects this process to be automated, including the server challenge config and the deployment of the final SSL certificate. I hope Google will improve this process; maybe they will integrate it into the gcloud client. At least there is an issue ticket for this: https://code.google.com/p/googleappengine/issues/detail?id=12535

Igor Artamonov

Professional software developer since 2001, have been writing code since 1995. Data processing for Cloud, Ethereum & Blockchain

  • larryfreeman

    Thanks very much! That worked beautifully! :-)

  • Christiaan Hees

    Thanks, I got it working based on this tutorial for my small Go app :)
    One thing to watch out for is that you have to add the certificate of Let’s Encrypt (https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt) to your cert.pem to make the chain complete. Without this I got errors on iOS and Android devices.

  • Paul Ceccato

    Thanks for that, but the stingy 90-day expiry and the fact that you have to manually upload the certificate to App Engine every 90 days make Let’s Encrypt not very compelling for Google App Engine.

  • joantune

    +1 Thanks for this!

  • bennypowers

    Thanks for the steps, this was helpful. Here’s a sample challenge response I used in my Node app:

    app.get('/.well-known/acme-challenge/CHALLENGECODE', (req, res) => {
      res.send('RESPONSECODE');
    });

    Any word on automatic renewal?

  • Dan

    I found it was better to use fullchain1.pem than cert1.pem for the top public key certificate. With cert1.pem I was getting NET:ERR_CERT_AUTHORITY_INVALID on Android and a B grade on SSL checkers. With fullchain1.pem everything works and SSL checkers give an A.