Bipin Sasi, Techie, author of the book Leadership Puzzles. You can follow me on X (formerly Twitter): @BipinSasi

Let’s Encrypt with App Engine





Update, 10th March 2016: Please use letsencrypt-nosudo with the --file-based option, and 2048-bit certs (not 4096: App Engine can’t handle them).


I use Google App Engine often, even for my personal site. https is now cheap, we have SNI, and it should exist everywhere. My personal site is hosted on a custom domain: if you’re hosting only at bipin.appspot.com, you already have https. Google is vouching for you.
So, Let’s Encrypt is here now. Instead of paying $xx/month for your SSL cert, you now have a free service, backed by the ISRG and other official-sounding organisations. Great! My site mostly contains trivial stuff anyway, but I want to practice what I preach. The main downside: Let’s Encrypt only offers certs for 3 months at a time. Be warned.
However, for some reason, Let’s Encrypt have opted for one of the most confusing setup flows ever. It’s somewhat easy, if you’re requesting a cert on the same machine you host on. But many folks aren’t, and really would just like to get the right files. This is how you do it.

Getting the cert

First, check out the client, and presume that you trust Let’s Encrypt to run sudo on your machine:

git clone https://github.com/letsencrypt/letsencrypt
letsencrypt/letsencrypt-auto certonly --manual
 
Answer some questions, and you’ll be prompted to make sure your web server ‘displays the following content’. In a separate terminal, head to the directory containing your app.yaml file and add, under handlers:

- url: /.well-known
  static_dir: .well-known
 
Next, run the command suggested by the Let’s Encrypt tool.

printf "%s" long-secret-code-thing > .well-known/acme-challenge/secret-file-name-thing

Deploy your App Engine instance. Head back to the Let’s Encrypt client, hit enter, and you’ll be given a .pem and other files. Hooray!
Note that this guide is only for a single domain — I don’t serve sites on www, so this doesn’t bother me. You might need to repeat for more.
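Before hitting enter in the Let’s Encrypt client, it is worth confirming that what you are about to deploy is exactly what the CA will look for. The following is an added example, not code from the original post or from Let’s Encrypt: a stdlib-only Python check of the layout used above (the app.yaml handler plus the .well-known/acme-challenge/<token> file), where the token and key authorization are the values the client printed, and the domain, token and content in the comments are constructed placeholders.

```python
"""Pre-deploy check for the manual HTTP-01 step described above.

Added example (not from the post). Assumes the post's layout: app.yaml in
the app directory, and the challenge file at .well-known/acme-challenge/<token>
holding the exact "long-secret-code-thing" the Let's Encrypt client printed.
"""
import os
import re
import urllib.request


def check_challenge(app_dir, token, key_authz):
    """Return a list of problems; an empty list means the challenge is ready to deploy."""
    problems = []
    # Without the static_dir handler App Engine will 404 the challenge URL.
    try:
        with open(os.path.join(app_dir, "app.yaml")) as f:
            app_yaml = f.read()
    except OSError:
        return ["app.yaml not found in %s" % app_dir]
    if not re.search(r"^\s*-\s+url:\s+/\.well-known\s*$", app_yaml, re.M) or \
       not re.search(r"^\s+static_dir:\s+\.well-known\s*$", app_yaml, re.M):
        problems.append("app.yaml lacks the /.well-known static_dir handler")
    path = os.path.join(app_dir, ".well-known", "acme-challenge", token)
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return problems + ["challenge file missing: %s" % path]
    # The CA compares bytes. `echo` would append "\n", which is why the post
    # uses printf "%s"; report that case separately so the cause is obvious.
    if data != key_authz.encode():
        if data.rstrip(b"\r\n") == key_authz.encode():
            problems.append('challenge file has a trailing newline (use printf "%s")')
        else:
            problems.append("challenge file content does not match key authorization")
    return problems


def check_deployed(domain, token, key_authz, timeout=10):
    """After deploying, confirm the live site serves the exact bytes over plain http.

    HTTP-01 is validated over port 80, so this deliberately does not use https.
    Example call (constructed values): check_deployed("example.com", "tok", "tok.thumb")
    """
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read() == key_authz.encode()
```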
… what now?

Interacting with Google

You probably want to follow at least some of these steps. Google allows you to have App Engine configured on a custom domain in one of two ways:
  1. via the Google Cloud Platform / Developer Console
  2. via Google Domains
I use 2, but the steps are pretty similar for both. Open up the App Engine configuration page of Cloud Console for your project ID. Click Settings, and SSL Certificates. If you’re using approach 2, you can probably ignore any message about “verify ownership”. If you’re using 1, you might need to take a diversion now and follow the steps required.
Under the SSL Certificates page, choose to upload a new cert. The name doesn’t matter.
Let’s Encrypt has given you four files, so head over to that directory. If you’re on *nix, you may need to sudo for this bit — the files are by default owned by root. We need to upload one, and modify another.

Public Key

Your public key can be uploaded immediately: choose fullchain.pem and you’re done.

Private Key

You’ll need to modify your private key, found in privkey.pem. I’m not an SSL guru, so I’m not entirely clear why.
openssl rsa -in privkey.pem > privkey-rsa.pem
Now, choose privkey-rsa.pem. Upload and you’re done.

Done

That’s it. Try loading up your custom domain now over https. And, in what’s possibly the most important step of this whole excursion, be sure to now actually get your users to load your site securely!
You can do this either by redirecting them in code, or by sending an HSTS header. Unfortunately, if you’re actually a serious target for cyber-whatever, nefarious MITM attacks could still strip whatever approach you try from ever getting to your users. Have fun!
