No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Simon Lackerbauer 8db5b614b6 Create LICENSE 1 year ago
LICENSE Create LICENSE 1 year ago
README.md clarification 2 years ago
app.yaml initial howto + files 2 years ago
letsencrypt.py initial howto + files 2 years ago

README.md

gcloud-letsencrypt-flask

Aim and assumptions

This quick HOWTO is aimed at gcloud users who are just playing around/getting into the Google App Engine. I’m assuming you completed the tutorial which left you with an initial small flask app that’s currently deployed and you now want to secure your connection via custom domain with a free letsencrypt certificate. The custom domain is already added and serving via an unsecured connection.

You’ve set up gcloud on your local machine and cloned the repo with the example flask app.

Acknowledgements

This howto is based almost entirely on Sean Fujiwara’s blog post from November 2015, when, I assume, the Google App Engine did not yet use flask (at least not as the preferred python App Engine tutorial framework).

Actual HOWTO

Step 1

Set up certbot on your local system, either by getting the self-updating script from the EFF

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

or by installing certbot with your distribution’s package manager. With Archlinux use pacman -S certbot. The advantage of setting up certbot locally is that the /etc/letsencrypt directory will be persistent, allowing for easier updating.

Step 2

Download the letsencrypt.py from this repo (clone and cp, copy&paste, whatever floats your goat) and add it to your app’s main directory.

Add a new handler above the .* handler in your app.yaml:

- url: /\.well-known/acme-challenge/.*
  script: letsencrypt.app
  secure: never

If you’ve changed nothing else from the Google tutorial yet, you can probably also just download the app.yaml from this repo and overwrite yours.

Step 3

Generate the challenge-response credentials with certbot.

If you’ve downloaded the file, you’ll have to do

./certbot-auto -a manual certonly

and let it install some stuff, if you’ve used your distribution’s package manager, you should be able to do

sudo certbot -a manual certonly

The script will then ask for an email address and for all the domains you want to secure. Put in the domains you’ve previously entered via custom domains in your app’s settings.

Step 4

The script will ask you to set up the challenge-response pairs for each domain individually like so:

Make sure your web server displays the following content at
http://www.example.com/.well-known/acme-challenge/[challenge] before continuing:
[response]
Content-Type header MUST be set to text/plain.
...
Press ENTER to continue

Copy the various challenges and responses into the credentials dict in letsencrypt.py. Don’t press enter yet when you’ve reached the final CN entry you want in your certificate! That immediately starts the auth process and you need to deploy the app first.

Step 5

Deploy the app. If you’re working locally and have set up gcloud, check if you’re in the correct project, otherwise change with

gcloud config set project <project-name>

and then use

gcloud app deploy

in the app directory to deploy your app. If you want, you can check the URL in the output above and look if it serves and matches the expected response. If everything’s deployed alright, you can now press enter in the terminal where certbot is running.

Step 6

The certbot script should now tell you congratulations and inform you where your certificate is (it should be /etc/letsencrypt/live/). Follow the instructions in Sean Fujiwara’s blog post and convert your private key with

sudo openssl rsa -inform pem -in /etc/letsencrypt/live/www.example.com/privkey.pem -outform pem | less

Then get your public certificate with

sudo less /etc/letsencrypt/live/www.example.com/fullchain.pem

and upload your key and certificate to app engine (App Engine -> Settings -> SSL Certificates -> Upload a new certificate).

Step 7

Call up your custom domain with https in front (if you used my app.yaml, the app should serve securely by default - that means it will automatically forward to a secure connection no matter what) and see if everything’s running smoothly.

Updating your certificates

To update your certificates, just follow the above howto again from Step 3. Be sure to keep your system updated.