-web-site built with Polymer and just HTML5 (no Python, no PHP, no Java,… and I didn’t want any of them)
-I wanted to use the Google Cloud Shell to generate the certificate, just because.
-I wanted to create a certificate valid both with and without www.
The first certificate I used 3 months ago was from Comodo, free and only valid for 3 months. After reading about Let’s Encrypt and learning that Comodo was not very nice to the little guy, I decided to move my certificate.
Docker on Google Cloud Shell
The first step is to activate a Shell Console from your Cloud console. Once logged in, you can use docker to pull and run an image which contains everything you need. The client runs in manual mode, and the ./ssl-keys folder of your Cloud Shell is mounted as /etc/letsencrypt inside the container, so the certificate and key end up there:
docker run -it -p 443:443 -p 8080:8080 -v "$(pwd)/ssl-keys:/etc/letsencrypt" quay.io/letsencrypt/letsencrypt:latest -a manual certonly
Next, you go through the interactive prompts, which ask you for the following:
-domain name(s): I realised after I did mine that I could have entered both the non-www and the www name here rather than repeating the process and ending up with 2 certificates in Google App Engine.
-confirmation about sharing the IP address of the machine (I guessed it was OK).
Once this is done, you are asked to serve a specific string (the challenge’s key authorization) from a specific file in a specific folder (/.well-known/acme-challenge/) on your web-site. You must have this in place before continuing (press Enter).
Make the challenge visible
This part of the process looks more complicated than it is; just follow these few steps:
1- create a folder in your web-site directory called “letsencrypt” (it could be something different)
2- in this folder, create a file whose filename is the first part of the challenge key (the token)
3- insert in this file the first part of the challenge key, a dot (.), and the 2nd part, with no trailing newline; the validation compares the response byte for byte, which is why the Let’s Encrypt tool suggests printf rather than echo:
printf "%s" [challenge part1].[challenge part2] > letsencrypt/[challenge part1]
4- edit your app.yaml to make sure this file will be visible on the web. You need a handler like the following at the top of “handlers:”, with static_files and upload pointing at the folder created in step 1 (the token is fetched over plain http, so do not put a “secure” setting on this handler):
- url: /\.well-known/acme-challenge/(.+)
  static_files: letsencrypt/\1
  upload: letsencrypt/(.+)
5- deploy your app to Google App Engine, either from the command line or the Launcher.
6- once the deployment is successful, it is a good idea to test the URL given during the process yourself before Let’s Encrypt tries to access it: if Let’s Encrypt fails to fetch the file, the challenge fails and you will need to start the process from the beginning. The URL is displayed in the instructions (2nd line) and starts with http://… (the validation is done over plain http; check that the response body is exactly the string from step 3, with nothing added).
7- Once all of the above is done, you can press Enter to continue the process and get your certificate.
Notes: if you have asked for multiple domains, you need to complete a challenge for each, which means repeating steps 2 – 7 for every name. The good news is that at the end you have just one certificate covering all of them. Also, make sure to include the letsencrypt folder in your build process, if you have one (gulp, grunt,…), otherwise the challenge file will not be deployed.
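As an added example (not part of the original post, and not the Let’s Encrypt client’s own code), here is how steps 2, 3 and 6 above look as small shell functions you can run in Cloud Shell. The folder, token and thumbprint values are placeholders you substitute with what the tool prints; the functions assume only POSIX sh, printf, wc and curl.

```shell
#!/bin/sh
# Added example, not from the original post: create the HTTP-01 challenge
# file the way the ACME client expects it (steps 2 and 3) and check it
# before pressing Enter (step 6). Token and thumbprint are the two parts
# the Let's Encrypt tool prints; the values used in the usage note are
# constructed placeholders.

# write_challenge DIR TOKEN THUMBPRINT
# Creates DIR/TOKEN containing "TOKEN.THUMBPRINT" with no trailing newline.
# DIR is the folder served at /.well-known/acme-challenge/ (e.g. letsencrypt).
write_challenge() {
    mkdir -p "$1" || return 1
    # printf "%s" rather than echo: echo appends a newline, and the validator
    # compares the response body byte for byte, so the challenge would fail.
    printf "%s" "$2.$3" > "$1/$2"
}

# check_challenge DIR TOKEN THUMBPRINT
# Returns 0 only if DIR/TOKEN exists and holds exactly "TOKEN.THUMBPRINT".
check_challenge() {
    _file="$1/$2"
    _expected="$2.$3"
    [ -f "$_file" ] || { echo "missing: $_file" >&2; return 1; }
    # Compare byte counts first: $(cat ...) strips trailing newlines, so a
    # file written with echo would otherwise look correct.
    _size=$(wc -c < "$_file" | tr -d ' ')
    [ "$_size" -eq "${#_expected}" ] \
        || { echo "wrong size (trailing newline?): $_file" >&2; return 1; }
    [ "$(cat "$_file")" = "$_expected" ] \
        || { echo "wrong content: $_file" >&2; return 1; }
}

# fetch_challenge HOST TOKEN THUMBPRINT
# After deploying, fetches the URL the tool printed (plain http, exactly as
# the validator will) and checks the body. Needs network access and the
# deployed app, so it is only for use after step 5.
fetch_challenge() {
    _body=$(curl -fsS "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$_body" = "$2.$3" ]
}
```

Usage: `write_challenge letsencrypt TOKEN THUMBPRINT`, then `check_challenge letsencrypt TOKEN THUMBPRINT` before deploying, and `fetch_challenge www.example.com TOKEN THUMBPRINT` once the deployment is live; a non-zero exit from either check means Let’s Encrypt would fail too, so fix it before pressing Enter.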
Upload your new certificate
At the end of the verification, Let’s Encrypt will generate a few folders and files, but you need just 2 of them for Google App Engine. In ./ssl-keys/live/[first domain]/ (the folder mounted into the container above) you will find:
–fullchain.pem: this is your certificate. It contains 2 certificates, your own followed by the Let’s Encrypt intermediate, and both need to be copied into the 1st text area of the Add a new SSL certificate page in Google App Engine.
–privkey.pem: this is your private key, but it is written in PKCS#8 format (“BEGIN PRIVATE KEY”) and needs to be converted to the traditional RSA format (“BEGIN RSA PRIVATE KEY”) that App Engine accepts, with the following command:
openssl rsa -in privkey.pem -out rsa.pem
openssl is one of the tools included in Cloud Shell, so there is no need to install it. The command generates rsa.pem, your RSA private key, to be copied into the 2nd text area. Two caveats: with OpenSSL 3 this command writes PKCS#8 again by default, so add -traditional to get the RSA header; and rsa.pem is an unencrypted private key, so keep it out of your web-site directory and delete it once the upload succeeds.
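As an added example (not from the original post), the conversion above as a shell function, followed by the two checks worth doing before pasting anything into the console: that the converted key really belongs to the certificate in fullchain.pem, and that the certificate carries both names you asked for. It assumes the openssl command line tool (present in Cloud Shell) and an RSA key, which is what the client above generates.

```shell
#!/bin/sh
# Added example, not from the original post: convert privkey.pem to the
# traditional RSA PEM format the App Engine upload form accepts, then verify
# that the key belongs to the certificate and that the certificate covers
# the requested names. Assumes the openssl CLI and an RSA key.

# convert_key PRIVKEY OUT
# Writes OUT as "-----BEGIN RSA PRIVATE KEY-----" (PKCS#1). OpenSSL 3 writes
# PKCS#8 by default, so -traditional is passed when the build supports it.
convert_key() {
    (
        umask 077   # the output is an unencrypted private key
        if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
            openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null
        else
            openssl rsa -in "$1" -out "$2" 2>/dev/null
        fi
    )
}

# key_matches_cert KEY FULLCHAIN
# Returns 0 if the RSA modulus of KEY equals the modulus of the first (leaf)
# certificate in FULLCHAIN; openssl x509 only reads the first PEM block,
# which is your own certificate, not the intermediate.
key_matches_cert() {
    _k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    _c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# cert_names FULLCHAIN
# Prints the DNS names from the leaf certificate's subjectAltName, one per
# line, so you can confirm both the bare and the www name are present.
cert_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}
```

Usage in Cloud Shell: `convert_key ssl-keys/live/[first domain]/privkey.pem rsa.pem`, then `key_matches_cert rsa.pem ssl-keys/live/[first domain]/fullchain.pem && cert_names ssl-keys/live/[first domain]/fullchain.pem`. A mismatch means you are about to paste the wrong pair (typically the key from a previous run), which App Engine rejects; a missing name means the certificate will not be offered for that host.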
The easiest way to access these files is to use:
and then copy and paste the text. You could also copy them to a Cloud Storage bucket and download the .pem files from there; if you do, use a private bucket and remove the private key from it afterwards.
You can then click upload to add this certificate. If it goes well, you are asked to confirm for which domain(s) the certificate is enabled.
The last step is to test and see if your web-site is indeed served over https and that the certificate presented is the one you just generated (check the issuer and the expiry date in the browser’s certificate viewer).
You might want to add:
in your app.yaml, to force every visit over https.
As the certificate is only valid for 3 months, the next step could be to have this process automated on a server; there are many how-tos detailing the process but, if like me you have only a few web-sites, a calendar reminder and a visit to this page will be just as efficient.
You might be wondering why this page is not served as https; well, the blog is not (yet!) on Google App Engine, only savina.net is.