Last active July 10, 2024 20:56

Configuring Cloudflare SSL/TLS on Google App Engine

Implementing end-to-end HTTPS encryption with CloudFlare for Google App Engine applications.

Google App Engine - Custom Domains

Add Domains

Register the root domain with Google Cloud Platform at the following:<Project_Id>

Cloudflare DNS

Configure DNS Records for Google App Engine

Add a record for the root (@) or subdomain (sub) pointing to Google Cloud Platform.

Type    Name    Target    TTL     Proxy status
CNAME   sub               Auto    DNS-only

Cloudflare SSL/TLS

Encryption in Full mode

Ensure your SSL/TLS encryption mode is set to Full and not Full (strict). Full encrypts the Cloudflare-to-origin hop without validating the origin certificate, whereas Full (strict) also requires the origin to present a certificate that Cloudflare can validate.

Origin Certificates and Private Keys

Issue an Origin Certificate for the root and wildcard (*) hostnames.

Navigate to SSL/TLS -> Origin Server -> Create Certificate and use the following configuration:

Private key type    Hostnames                  Certificate Validity
RSA       ,*    15 years 

Using the PEM (Default) key format:

  • Copy the Origin Certificate into a file
  • Copy the Private key into a file

Edit the file and append the following Cloudflare Origin CA root certificate after the newly created certificate:



Converting to RSA

Open a terminal with OpenSSL available, or install it with Homebrew (macOS):

brew install openssl

Convert the private key to the traditional RSA PEM format with the following shell command:

openssl rsa -in <private_key.pem> -out <private_key_rsa.pem>

Google App Engine - SSL Certificates

Uploading the Certificate

Navigate to the following URL in Google Cloud Platform to upload a new certificate: <Project_Id>

Provide a Name for the certificate (e.g. CF-YYYY-MM-DD) and upload the certificate and key.

  • PEM encoded X.509 public key certificate:
  • Unencrypted PEM encoded RSA private key:

Assigning the Mapped Domains

After uploading, select the name of the newly added certificate (e.g. CF-YYYY-MM-DD).

Under Enable SSL for the following custom domains, select all domains that will use the corresponding certificate.

     Domain name
✓    *

Cloudflare DNS - Enable Proxy

Set Status to Proxied

Update the CNAME record so that it is now proxied through Cloudflare:

Type    Name    Target    TTL     Proxy status
CNAME   sub               Auto    Proxied

beheh commented Jan 2, 2023

With modern OpenSSL v3 you will need to specify -traditional to get the desired format. You can tell the difference because OpenSSL v3 will default to --BEGIN PRIVATE KEY-- instead of --BEGIN RSA PRIVATE KEY-- (which the Google Cloud Console will reject).

So instead of:

openssl rsa -in <private_key.pem> -out <private_key_rsa.pem>

openssl rsa -in <private_key.pem> -out <private_key_rsa.pem> -traditional
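As an added pre-upload check for the "Unencrypted PEM encoded RSA private key" field above and for the OpenSSL 3 header difference described in the comment (example code, not part of the gist or of Cloudflare's or Google's tooling): it flags a PKCS#8 key both by its PEM label and by its DER structure using only the Python standard library. The sample PEM blocks are constructed stand-ins with the right outer DER shape, not real keys.

```python
import base64
import re
# Added pre-upload check (not from the gist): inspects PEM framing and leading DER tags only.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block, skipping RFC 1421 headers."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        b64 = "".join(ln for ln in body.splitlines() if ln and ":" not in ln)
        blocks.append((label, base64.b64decode(b64)))
    return blocks

def _tlv(der, i):  # DER tag/length at offset i -> (tag, content_start, content_end)
    tag, first = der[i], der[i + 1]
    if first & 0x80:  # long form: low 7 bits count the length bytes that follow
        k = first & 0x7F
        return tag, i + 2 + k, i + 2 + k + int.from_bytes(der[i + 2:i + 2 + k], "big")
    return tag, i + 2, i + 2 + first

def is_pkcs8(der):
    # PKCS#8 PrivateKeyInfo: SEQUENCE { INTEGER version, SEQUENCE algorithm, ... };
    # PKCS#1 RSAPrivateKey: SEQUENCE { INTEGER version, INTEGER modulus, ... }.
    try:
        tag, start, _ = _tlv(der, 0)
        vtag, _, vend = _tlv(der, start)
        return tag == 0x30 and vtag == 0x02 and der[vend] == 0x30
    except IndexError:  # truncated or non-DER body (e.g. an encrypted PKCS#1 key)
        return False

def key_problems(key_pem):
    """Reasons the Console would reject an 'Unencrypted PEM encoded RSA private key'."""
    blocks = pem_blocks(key_pem)
    if len(blocks) != 1:
        return ["key file must contain exactly one PEM block"]
    label, der = blocks[0]
    problems = []
    if label == "PRIVATE KEY":
        problems.append("PKCS#8 header; re-run 'openssl rsa ... -traditional' on OpenSSL 3")
    elif label != "RSA PRIVATE KEY":
        problems.append(f"unexpected PEM label {label!r} (encrypted or non-RSA key?)")
    if is_pkcs8(der):
        problems.append("DER body is PKCS#8 PrivateKeyInfo, not PKCS#1 RSAPrivateKey")
    return problems

def pem(label, der):  # wrap DER bytes in a PEM block
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
# Constructed stand-ins with the right outer DER shape; not real keys.
PKCS1_KEY = pem("RSA PRIVATE KEY", bytes.fromhex("3006020100020103"))
PKCS8_KEY = pem("PRIVATE KEY", bytes.fromhex("30050201003000"))
```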


Awesome. Thank you 🙏


odmro commented Dec 15, 2023

Cloudflare Origin CA root certificate



vicb commented May 23, 2024

Thank you so much!
