Error when adding SSL certificate


Simon Brown

May 6, 2016, 4:07:45 PM
to Google App Engine
I use CloudFlare with App Engine and I'm trying to take advantage of their new CA, but I get an error when I try to import the cert into App Engine. I have also tried creating a self-signed cert, and no dice (except once in which it was imported, but didn't seem to work, so I tried again after which it stopped).

Here is my process:

1. I run this command to generate a CSR:

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr


2. I paste the CSR into CloudFlare's utility and get back a PEM certificate.


3. I run the following command to convert my private key to a PEM key, as per the docs:


openssl rsa -in myserver.key -out myserver.key.pem


4. I go to certificates in App Engine and select the certificate from CloudFlare for the public key certificate and myserver.key.pem for the RSA private key. I get the following error message:


The SSL certificate provided could not be inserted.


Any suggestions on what I might be doing wrong?


Thanks

Nick (Cloud Platform Support)

May 9, 2016, 2:48:47 PM
to Google App Engine
Hey Simon,

While this forum is meant for more high-level discussion of the platform and services, a specific issue like this being somewhat off topic, I'll be happy to assist in narrowing down the scope of the issue before advising that you post to either Stack Overflow or the Cloud Platform Public Issue Tracker.

Did you concatenate the certificates to create a PEM encoded X.509 public key certificate?

Regards,

Nick
Cloud Platform Community Support

Simon Brown

May 10, 2016, 12:04:03 PM
to google-a...@googlegroups.com
Thanks
 
I only have one crt file, I believe that's how the CloudFlare CA works, so there's nothing to concatenate. Just in case, I just tried running the command from the docs on the one crt file and importing it, and I still get the same error.

Nick (Cloud Platform Support)

May 10, 2016, 4:55:39 PM
to Google App Engine
Thanks for checking that. Another set of sanity-checks: you've run the verification commands, to ensure the cert and your private key match?

From the doc:

openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5

You should also be sure to verify the crt file itself:

openssl verify -verbose -CAfile concat.crt  concat.crt

Also, are you sure that the certificate matches the requirements of the platform?

Cheers,


Nick
Cloud Platform Community Support


Simon Brown

May 10, 2016, 5:28:08 PM
to google-a...@googlegroups.com
The first test passes.
 
The second test gives the following error:

concat.crt: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate

error 20 at 0 depth lookup:unable to get local issuer certificate

However, as I understand it this is only relevant to the client and part of how the CloudFlare CA works. Is AppEngine still able to handle certs like this?
 
As far as I can tell, the certificate matches the requirements.
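
Added example, not part of either poster's messages or the App Engine docs: a shell script that runs the two checks discussed above against a throwaway CA and a leaf certificate it issues. It shows the modulus comparison passing for the matching key, `openssl verify` failing when the leaf is passed as its own `-CAfile`, and succeeding once the issuing CA is supplied. The CA name, subject names and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added demo. The CA, subjects and file names are constructed, not CloudFlare's.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throwaway private keys are removed on exit

make_demo_pki() {
  # Self-signed CA standing in for an origin CA (hypothetical name)
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Demo Origin CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Key and CSR, same form as step 1 in the thread
  openssl req -nodes -newkey rsa:2048 -subj "/CN=example.test" \
    -keyout "$WORK/myserver.key" -out "$WORK/server.csr" 2>/dev/null
  # The CA signs the CSR, producing a single leaf certificate
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
  # An unrelated key, to show what a mismatch looks like
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Succeeds when the certificate's public modulus equals the key's modulus.
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
  cert_md5=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  key_md5=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  [ -n "$cert_md5" ] && [ "$cert_md5" = "$key_md5" ]
}

# Succeeds when CERT chains to a self-signed trust anchor found in CAFILE.
# Usage: chain_verifies CAFILE CERT
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_demo_pki
key_matches_cert "$WORK/leaf.crt" "$WORK/myserver.key" && echo "key/cert: match"
key_matches_cert "$WORK/leaf.crt" "$WORK/other.key"    || echo "other key: mismatch"
# The leaf is not self-signed, so it cannot act as its own trust anchor
chain_verifies "$WORK/leaf.crt" "$WORK/leaf.crt" || echo "leaf as own CAfile: fails"
chain_verifies "$WORK/ca.crt"   "$WORK/leaf.crt" && echo "issuing CA as CAfile: OK"
```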

Nick (Cloud Platform Support)

May 13, 2016, 4:42:52 PM
to Google App Engine
Hey Simon, 

I'm unsure what might be causing that error, even when doing some extensive reading. It might be simply that your openssl system doesn't have knowledge of the root CA, or it might be something related to the .crt file itself. One thing I can ask is whether you've tried the issue within the past few hours? We had an issue with SSL certificates which has recently resolved, perhaps you were affected here.

Sincerely,


Nick
Cloud Platform Community Support
