@patmigliaccio
Last active July 10, 2024 20:56
Configuring Cloudflare SSL/TLS certificates on Google App Engine

Configuring Cloudflare SSL/TLS on Google App Engine

Implementing end-to-end HTTPS encryption with Cloudflare for Google App Engine applications: the visitor-to-Cloudflare hop uses a Cloudflare edge certificate, and the Cloudflare-to-App Engine hop uses a Cloudflare Origin CA certificate uploaded to App Engine.

Google App Engine - Custom Domains

Add Domains

Register the root domain with Google Cloud Platform at the following:

https://console.cloud.google.com/appengine/settings/domains?project=<Project_Id>

Cloudflare DNS

Configure DNS Records for Google App Engine

Add a record for the root (@) or subdomain (sub.domain.com) pointing to Google Cloud Platform. Leave the record DNS-only (grey cloud) for now: until the certificate below has been uploaded and enabled on the mapped domain, a proxied record would have Cloudflare connecting to an origin that cannot yet present the expected certificate. The record is switched to Proxied in the last step. For the root domain, App Engine's custom-domain settings list A and AAAA records for the naked domain instead of a CNAME; use the records shown there.

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    DNS-only

Cloudflare SSL/TLS

Encryption in Full mode

Set the SSL/TLS encryption mode to Full, not Full (strict). Do not use Flexible: it terminates TLS at Cloudflare and sends plain HTTP to the origin, so it is not end-to-end encryption. Note the trade-off: Full encrypts the Cloudflare-to-origin hop but does not validate the origin certificate, whereas Full (strict) does. Cloudflare Origin CA certificates are issued precisely so that strict validation passes, so if the App Engine origin handshakes cleanly under Full (strict) for all mapped hostnames, prefer it, and fall back to Full only if strict mode returns Cloudflare 526 (invalid SSL certificate) errors.

Origin Certificates and Private Keys

Issue an Origin Certificate for the root and wildcard (*) hostnames. The private key type must be RSA, because the App Engine upload form only accepts an RSA private key.

Navigate to SSL/TLS -> Origin Server -> Create Certificate and use the following configuration:

Private key type    Hostnames                  Certificate Validity
RSA                 domain.com,*.domain.com    15 years 

Using the PEM (default) key format:

  • Copy the Origin Certificate into a domain.com-YYYY-MM-dd.pem file
  • Copy the Private key into a domain.com-YYYY-MM-dd.key file

The private key is shown only once, at creation time, and cannot be retrieved from Cloudflare afterwards. Keep the .key file out of version control, restrict its file permissions to the owner, and store a copy in a secrets manager; if it is lost or exposed, revoke the certificate in the Cloudflare dashboard and issue a new one.

Edit the domain.com-YYYY-MM-dd.pem file and append the Cloudflare Origin CA root certificate after the newly created certificate, so that the file contains the Origin Certificate first and the root second. Use the root that matches the private key type chosen above (the RSA root for an RSA key); Cloudflare publishes both the RSA and the ECC root on its Origin CA documentation page. The resulting file looks like this:

...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...

Converting the private key to the RSA (PKCS#1) PEM format

Open a terminal with OpenSSL available, or install it with the following (macOS):

brew install openssl

Cloudflare hands out the private key in PKCS#8 form (first line -----BEGIN PRIVATE KEY-----), while the App Engine console only accepts the PKCS#1 "traditional" RSA form (first line -----BEGIN RSA PRIVATE KEY-----). Convert it with the following shell command; on OpenSSL 3, whose default output is itself PKCS#8, add -traditional:

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key
openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key -traditional   # OpenSSL 3

Check the first line of the output file before uploading: if it still reads BEGIN PRIVATE KEY, the console will reject it.
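As an added example (not part of the gist, and not Cloudflare's or Google's code), the following stdlib-only Python script does the same unwrapping as `openssl rsa -traditional` and checks both files before they go into the console: it turns a PKCS#8 `BEGIN PRIVATE KEY` file into the PKCS#1 `BEGIN RSA PRIVATE KEY` form, refuses encrypted or non-RSA keys, extracts the modulus so it can be compared with the certificate's, and verifies that the .pem bundle holds two certificates and no private key. All function names are mine. The embedded key is a constructed textbook-sized RSA key (p = 61, q = 53) used only so the script runs offline; it is not a usable key.

```python
"""Check and convert the Cloudflare Origin CA key/cert files for the App Engine upload form.
Stdlib only: PEM handling plus just enough DER to unwrap PKCS#8 -> PKCS#1."""
import base64
import re

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in _PEM_BLOCK.finditer(text)]


def to_pem(label, der):
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def _der(tag, content):
    """DER TLV encoder (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _der_int(value):
    """DER INTEGER for a non-negative int (leading 0x00 if the top bit is set)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der(0x02, raw)


def _read_tlv(buf, pos):
    """DER TLV reader: returns (tag, content, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def pkcs8_to_pkcs1(der):
    """Unwrap a PKCS#8 PrivateKeyInfo and return the inner PKCS#1 RSAPrivateKey DER.
    For an RSA key this is exactly what `openssl rsa -traditional` writes out."""
    tag, info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, version, pos = _read_tlv(info, 0)           # version INTEGER (0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PKCS#8 version")
    tag, alg, pos = _read_tlv(info, pos)             # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key; the App Engine form wants an RSA key")
    tag, key, _ = _read_tlv(info, pos)               # privateKey OCTET STRING
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return key


def rsa_public_numbers(pkcs1_der):
    """(n, e) from a PKCS#1 RSAPrivateKey. Compare n with the certificate's modulus
    (openssl x509 -noout -modulus) to confirm key and certificate belong together."""
    tag, seq, _ = _read_tlv(pkcs1_der, 0)
    if tag != 0x30:
        raise ValueError("RSAPrivateKey must be a SEQUENCE")
    ints, pos = [], 0
    while len(ints) < 3:                             # version, modulus, publicExponent
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(content, "big"))
    return ints[1], ints[2]


def classify_key(text):
    """Label of the single PEM block in a key file ('PRIVATE KEY', 'RSA PRIVATE KEY', ...)."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM block in the key file")
    return blocks[0][0]


def convert_key_pem(text):
    """Return the key in the form the App Engine upload form accepts, or raise."""
    label = classify_key(text)
    der = pem_blocks(text)[0][1]
    if label == "RSA PRIVATE KEY":                   # already PKCS#1, nothing to do
        return text
    if label == "ENCRYPTED PRIVATE KEY":             # the form needs an unencrypted key
        raise ValueError("decrypt the key first; encrypted PKCS#8 is not accepted")
    if label == "PRIVATE KEY":                       # what Cloudflare hands out
        return to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    raise ValueError("unexpected PEM label: " + label)


def check_cert_bundle(text):
    """The .pem upload must hold two CERTIFICATE blocks (Origin Certificate, then Origin CA
    root) and nothing else; a pasted-in private key is the classic mistake. Returns 2."""
    labels = [label for label, _ in pem_blocks(text)]
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("a private key is inside the certificate file; remove it")
    if labels != ["CERTIFICATE", "CERTIFICATE"]:
        raise ValueError("bundle must be exactly two CERTIFICATE blocks, got %r" % labels)
    return len(labels)


def toy_pkcs8_pem():
    """Constructed sample: a textbook RSA key (p=61, q=53, e=17) wrapped the way Cloudflare's
    download is (PKCS#8, rsaEncryption). Real keys are 2048-bit; this one is for the demo only."""
    p, q, e = 61, 53, 17
    n, d = p * q, 2753                               # d = e^-1 mod (p-1)(q-1)
    pkcs1 = _der(0x30, b"".join(_der_int(v) for v in
                 (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))))
    alg = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption with NULL parameters
    pkcs8 = _der(0x30, _der_int(0) + alg + _der(0x04, pkcs1))
    return to_pem("PRIVATE KEY", pkcs8)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else toy_pkcs8_pem()
    converted = convert_key_pem(text)
    n, e = rsa_public_numbers(pem_blocks(converted)[0][1])
    sys.stdout.write(converted)
    sys.stderr.write("Modulus=%X e=%d\n" % (n, e))
```

Run it as `python3 convert_key.py domain.com-YYYY-MM-dd.key > domain.com-RSA-YYYY-MM-dd.key`; with no argument it converts the embedded toy key. The modulus printed on stderr is in the same uppercase-hex form as `openssl x509 -noout -modulus -in domain.com-YYYY-MM-dd.pem`, so the two can be compared directly before the upload. OpenSSL's `-traditional` output and this script's output are byte-for-byte the same DER inside the PEM armor, because PKCS#8 simply wraps the PKCS#1 structure in an OCTET STRING.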

Google App Engine - SSL Certificates

Uploading the Certificate

Navigate to the following URL in Google Cloud Platform to Upload a new certificate:

https://console.cloud.google.com/appengine/settings/certificates?project=<Project_Id>

Provide a Name for the certificate (e.g. CF-YYYY-MM-DD) and upload the certificate and key.

  • PEM encoded X.509 public key certificate: domain.com-YYYY-MM-dd.pem
  • Unencrypted PEM encoded RSA private key: domain.com-RSA-YYYY-MM-dd.key

Assigning the Mapped Domains

After uploading, select the name of the newly added certificate (e.g. CF-YYYY-MM-DD)

Under Enable SSL for the following custom domains, select all domains that will use the corresponding certificate.

     Domain name
✓    *.domain.com
✓    sub.domain.com

Cloudflare DNS - Enable Proxy

Set Status to Proxied

Update the CNAME record so that it is now proxied through Cloudflare (orange cloud). Do this only once the certificate is enabled on the mapped domains; otherwise Cloudflare cannot complete a TLS connection to the origin and visitors see Cloudflare 5xx errors (526 under Full (strict)). Afterwards a browser should see a Cloudflare edge certificate for sub.domain.com, while a direct connection to ghs.googlehosted.com with the SNI name set to sub.domain.com should still present the Origin CA certificate:

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    Proxied

beheh commented Jan 2, 2023

With modern OpenSSL v3 you will need to specify -traditional to get the desired format. You can tell the difference because OpenSSL v3 will default to --BEGIN PRIVATE KEY-- instead of --BEGIN RSA PRIVATE KEY-- (which the Google Cloud Console will reject).

So instead of:

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key

use

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key -traditional

@supermacro

Awesome. Thank you 🙏


odmro commented Dec 15, 2023

Cloudflare Origin CA root certificate

https://developers.cloudflare.com/ssl/static/origin_ca_ecc_root.pem


vicb commented May 23, 2024

Thank you so much!
