Let’s Encrypt with App Engine
Update, 10th March 2016: Please use letsencrypt-nosudo with the --file-based option, and 2048 bit certs (not 4096 — App Engine can’t handle them).
I use Google App Engine often, even for my personal site. https is now cheap, we have SNI, and it should exist everywhere. My personal site is hosted on a custom domain: if you’re hosting only at bipin.appspot.com , you already have https. Google is vouching for you.
So, Let’s Encrypt is here now. Instead of paying $xx/month for your SSL cert, you now have a free service, backed by the ISRG and other official-sounding organisations. Great! My site mostly contains trivial stuff anyway, but I want to practice what I preach. The main downside: Let’s Encrypt only offers certs for 3 months at a time. Be warned.

However, for some reason, Let’s Encrypt have opted for one of the most confusing setup flows ever. It’s somewhat easy, if you’re requesting a cert on the same machine you host on. But many folks aren’t, and really would just like to get the right files. This is how you do it.
Getting the cert
First, check out the client, and presume that you trust Let’s Encrypt to run sudo on your machine:

git clone https://github.com/letsencrypt/letsencrypt
letsencrypt/letsencrypt-auto certonly --manual
Answer some questions, and you’ll be prompted to make sure your web server ‘displays the following content’. In a separate terminal, head to the directory containing your app.yaml file and add, under handlers:

- url: /.well-known
  static_dir: .well-known
Next, run the command suggested by the Let’s Encrypt tool.
printf "%s" long-secret-code-thing > .well-known/acme-challenge/secret-file-name-thing
Deploy your App Engine instance. Head back to the Let’s Encrypt client, hit enter, and you’ll be given a .pem and other files. Hooray!
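The manual steps above (check the app.yaml handler, then write the challenge file with exactly the bytes the client asked for) as a small script. This is an added example, not code from the post or from the Let’s Encrypt client; the token and key authorization in demo() are constructed placeholders, and the token check is an assumption about ACME tokens being plain base64url.

```python
"""Stage a Let's Encrypt HTTP-01 challenge file in an App Engine app directory."""
import os
import re
import tempfile

# ACME tokens are base64url characters only (assumption); rejecting anything
# else means a malformed token can never escape the acme-challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

HANDLER_SNIPPET = "- url: /.well-known\n  static_dir: .well-known\n"


def has_well_known_handler(app_yaml_text):
    """True if app.yaml maps /.well-known to a static_dir, as the post requires."""
    lines = [l.strip() for l in app_yaml_text.splitlines()]
    for i, line in enumerate(lines):
        if line == "- url: /.well-known":
            return any(l == "static_dir: .well-known" for l in lines[i + 1:i + 3])
    return False


def stage_challenge(app_dir, token, key_authorization):
    """Write .well-known/acme-challenge/<token> under app_dir and return its path.

    Raises ValueError when the token looks wrong or app.yaml lacks the handler
    (without it the deployed app returns 404 and the challenge fails).
    """
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url: %r" % token)
    with open(os.path.join(app_dir, "app.yaml")) as f:
        if not has_well_known_handler(f.read()):
            raise ValueError("app.yaml does not serve /.well-known; add:\n" + HANDLER_SNIPPET)
    challenge_dir = os.path.join(app_dir, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(key_authorization)  # like printf "%s": no trailing newline
    return path


def demo():
    """Run against a constructed app.yaml; returns (file content, bad token rejected)."""
    app_dir = tempfile.mkdtemp()
    with open(os.path.join(app_dir, "app.yaml"), "w") as f:
        f.write("runtime: python27\nhandlers:\n" + HANDLER_SNIPPET + "- url: /.*\n  script: main.app\n")
    path = stage_challenge(app_dir, "abc_XYZ-123", "abc_XYZ-123.constructed-key-authorization")
    with open(path) as f:
        content = f.read()
    try:
        stage_challenge(app_dir, "../evil", "x")
        rejected = False
    except ValueError:
        rejected = True
    return content, rejected


if __name__ == "__main__":
    print(demo())
```

After deploying, the file should be reachable at http://yourdomain/.well-known/acme-challenge/<token> before you press enter in the client.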
Note that this guide is only for a single domain — I don’t serve sites on www, so this doesn’t bother me. You might need to repeat for more.
… what now?
Interacting with Google
You probably want to follow at least some of these steps. Google allows you to have App Engine configured on a custom domain in one of two ways:
- via the Google Cloud Platform / Developer Console
- via Google Domains
I use 2, but the steps are pretty similar for both. Open up the App Engine configuration page of Cloud Console for your project ID. Click Settings, and SSL Certificates. If you’re using approach 2, you can probably ignore any message about “verify ownership”. If you’re using 1, you might need to take a diversion now and follow the steps required.
Under the SSL Certificates page, choose to upload a new cert. The name doesn’t matter.
Let’s Encrypt has given you four files, so head over to that directory. If you’re on *nix, you may need to sudo for this bit — the files are by default owned by root. We need to upload one, and modify another.
Public Key
Your public key can be uploaded immediately: choose fullchain.pem and you’re done.
Private Key
You’ll need to modify your private key, found in privkey.pem. I’m not an SSL guru, so I’m not entirely clear why.
openssl rsa -in privkey.pem > privkey-rsa.pem
Now, choose privkey-rsa.pem. Upload and you’re done.
Done
That’s it. Try loading up your custom domain now over https. And, in what’s possibly the most important step of this whole excursion, be sure to now actually get your users to load your site securely!
You can do this either by redirecting them in code, or by sending an HSTS header. Unfortunately, if you’re actually a serious target for cyber-whatever, nefarious MITM attacks could still strip whatever approach you try from ever getting to your users. Have fun!