Let’s Encrypt on Google App Engine

Let’s Encrypt is a pretty awesome initiative to provide free SSL certificates to make creating a secure website easy. It comes with support for automatic installation on Apache and nginx, but requires some extra work for other servers.

Here’s how to use it with App Engine. I used Google Cloud Shell to run these commands.

Download the client:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Generate the certificate:

sudo ./letsencrypt-auto -a manual certonly

Part of the process is a challenge and response verification that you own the domain. You’ll see something like this:

Make sure your web server displays the following content at
http://www.example.com/.well-known/acme-challenge/[challenge] before continuing:
[response]
Content-Type header MUST be set to text/plain.
...
Press ENTER to continue

You’ll get a message like this for each domain. Don’t press enter until you create a handler for each request. I did this with a handler that looked like this:

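# Assumes webapp2, the framework whose RequestHandler and WSGIApplication are used below.
from webapp2 import RequestHandler, WSGIApplication


class LetsEncryptHandler(RequestHandler):

    def get(self, challenge):
        # The client's prompt requires the response to be served as text/plain.
        self.response.headers['Content-Type'] = 'text/plain'
        # Map each challenge token from the prompt to its response.
        responses = {
            '[challenge 1]': '[response 1]',
            '[challenge 2]': '[response 2]',
        }
        self.response.write(responses.get(challenge, ''))

# Raw string so the \w in the route pattern is not read as a string escape.
application = WSGIApplication([
    (r'/.well-known/acme-challenge/([\w-]+)', LetsEncryptHandler),
])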
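
Before pressing ENTER it is worth confirming that every challenge path returns exactly what the prompt asked for. The following is an added example, not code from the original post: a plain-WSGI stand-in for the handler above plus a pre-flight check that runs in-process. The names `challenge_app`, `fetch_local` and `preflight` and the token values are hypothetical, and unlike the handler above the stand-in answers unknown tokens with a 404 rather than an empty 200.

```python
import re
from wsgiref.util import setup_testing_defaults

PREFIX = '/.well-known/acme-challenge/'
TOKEN_RE = re.compile(r'[\w-]+')  # same token pattern as the route on the page

# Constructed sample values; the real ones come from the client's prompt.
RESPONSES = {'tok-1': 'tok-1.thumbprint', 'tok-2': 'tok-2.thumbprint'}


def challenge_app(environ, start_response):
    """Plain-WSGI stand-in for the deployed handler (hypothetical)."""
    path = environ.get('PATH_INFO', '')
    token = path[len(PREFIX):] if path.startswith(PREFIX) else ''
    body = RESPONSES.get(token) if TOKEN_RE.fullmatch(token) else None
    if body is None:
        # Unknown or malformed token: say so instead of serving an empty 200.
        start_response('404 Not Found', [('Content-Type', 'text/plain')])
        return [b'']
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [body.encode('ascii')]


def fetch_local(app, path):
    """Call a WSGI app in-process; return (status_code, content_type, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ['PATH_INFO'] = path
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen['status'] = int(status.split()[0])
        seen['ctype'] = {k.lower(): v for k, v in headers}.get('content-type', '')

    body = b''.join(app(environ, start_response)).decode('ascii')
    return seen['status'], seen['ctype'], body


def preflight(app, expected):
    """Return a list of problems; an empty list means every challenge is served correctly."""
    problems = []
    for token, want in expected.items():
        status, ctype, body = fetch_local(app, PREFIX + token)
        if status != 200:
            problems.append('%s: HTTP %d' % (token, status))
        elif ctype.split(';')[0].strip() != 'text/plain':
            problems.append('%s: Content-Type %r' % (token, ctype))
        elif body.strip() != want:
            problems.append('%s: body mismatch' % token)
    return problems
```

An empty list from `preflight(challenge_app, RESPONSES)` means each token is served with a 200, a `text/plain` Content-Type and the expected body.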

After deploying your site and pressing enter, you should hopefully end up with some certificates. Unfortunately, to use the private key with App Engine you need to convert it to RSA PEM format using OpenSSL.

You’ll need to copy and paste the output from the next two commands into the SSL certificate upload form at App Engine > Settings > SSL Certificates. It’s easiest to open a new tab since the upload dialog covers the console.

Get your private key.

sudo openssl rsa -inform pem -in /etc/letsencrypt/live/www.example.com/privkey.pem -outform pem | less

Get your public key certificate.

sudo less /etc/letsencrypt/live/www.example.com/fullchain.pem

After uploading, you can associate the new certificate with a custom domain.

Note that /etc/letsencrypt is not persisted through Cloud Shell restarts, so if you need to keep your private key, you can copy it to your home directory or save it.

 