Skip to content

Instantly share code, notes, and snippets.

@phongthanfz

phongthanfz/install-cf-gae-ssl.md

Forked from patmigliaccio/install-cf-gae-ssl.md
Created February 17, 2022 10:51
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save phongthanfz/880fa686a328616c083922bb206acff3 to your computer and use it in GitHub Desktop.
Save phongthanfz/880fa686a328616c083922bb206acff3 to your computer and use it in GitHub Desktop.
Download ZIP
Configuring Cloudflare SSL/TLS certificates on Google App Engine
Raw
install-cf-gae-ssl.md

Configuring Cloudflare SSL/TLS on Google App Engine

Implementing end-to-end HTTPS encryption with CloudFlare for Google App Engine applications.

Google App Engine - Custom Domains

Add Domains

Register the root domain with Google Cloud Platform at the following:

https://console.cloud.google.com/appengine/settings/domains?project=<Project_Id>

Cloudfare DNS

Configure DNS Records for Google App Engine

Add a record for the root (@) or subdomain (sub.domain.com) pointing to Google Cloud Platform.

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    DNS-only

Cloudfare SSL/TLS

Encryption in Full mode

Ensure your SSL/TLS encryption mode is set to Full and not Full (strict).

Origin Certificates and Private Keys

Issue an Origin Certificate for the root and wildcard (*) hostnames.

Navigate to SSL/TLS -> Origin Server -> Create Certificate and use the following configuration:

Private key type    Hostnames                  Certificate Validity
RSA                 domain.com,*.domain.com    15 years

Using the PEM (Default) Key format;

  • Copy the Origin Certificate into a domain.com-YYYY-MM-dd.pem file
  • Copy the Private key into a domain.com-YYYY-MM-dd.key file

Edit the domain.com-YYYY-MM-dd.pem file and append the following Cloudflare Origin CA root certificate after the newly created certificate:

...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...

Converting to RSA

Open a terminal with OpenSSL or install using the following (Mac OSX):

brew install openssl

Convert the private key to RSA with the following shell command:

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key

Google App Engine - SSL Certificates

Uploading the Certificate

Navigate to the following URL in Google Cloud Platform to Upload a new certificate:

https://console.cloud.google.com/appengine/settings/certificates?project=<Project_Id>

Provide a Name for the certificate (e.g. CF-YYYY-MM-DD) and upload the certificate and key.

  • PEM encoded X.509 public key certificate: domain.com-YYYY-MM-dd.pem
  • Unencrypted PEM encoded RSA private key: domain.com-RSA-YYYY-MM-dd.key

Assigning the Mapped Domains

After uploading, select the name of the newly added certificate (e.g. CF-YYYY-MM-DD)

Under Enable SSL for the following custom domains, select all domains that will use the corresponding certificate.

     Domain name
✓    *.domain.com
✓    sub.domain.com

Cloudfare DNS - Enable Proxy

Set Status to Proxied

Update the CNAME record to now be proxied through CloudFlare:

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    Proxied
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment