Cloudflare Origin Certificate with Google App Engine


Andrei via StackOverflow

Oct 22, 2016, 9:44:04 AM
to google-appengin...@googlegroups.com

Same here. It seems like CloudFlare Origin certificates are not publicly trusted; this may be the issue.

CF support encourages contacting Google.

Update:

Bundling the CloudFlare CA root cert and public certificates together, i.e. "appending the appropriate root to your certificate and re-uploading" (Patrick), does not help.

Same error message from Google App Engine: "The SSL certificate provided could not be inserted."



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/37079547/cloudflare-origin-certificate-with-google-app-engine/37087010#37087010

Patrick via StackOverflow

Oct 22, 2016, 9:44:06 AM
to google-appengin...@googlegroups.com

CloudFlare PM here for Origin CA. A few comments/questions:

  1. Are you specifying RSA upfront, i.e., during issuance? Strange that you'd have to convert from RSA to RSA if so. If you're specifying ECDSA, it may be that GAE doesn't support those key types.
  2. As another answer indicated, our Origin CA certificates are intended to be used behind CloudFlare. By default they are leaf-only and have been reduced to the absolute minimum size that will work with our edge. Please see this blog post that I wrote for more details: https://blog.cloudflare.com/cloudflare-ca-encryption-origin.
  3. We've noticed that some software, e.g., cPanel, that can't determine a path all the way to a trusted root can be placated by appending our Origin CA root certificate. You can find these certificates here, one for RSA and one for ECDSA: https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-. I would try appending the appropriate root to your certificate and re-uploading.


Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/37079547/cloudflare-origin-certificate-with-google-app-engine/37106942#37106942

Rohit Manglik via StackOverflow

Oct 22, 2016, 9:44:10 AM
to google-appengin...@googlegroups.com

As mentioned at https://support.cloudflare.com/hc/en-us/articles/221856168-How-to-install-an-Origin-CA-certificate-using-Google-App-Engine?flash_digest=c5309955213af4e33d15d0f9d2de9a4a186c10d2

At the present time, Google App Engine only allows the uploading of certificates that are either self-signed or are signed by a publicly trusted certificate authority (CA).

CloudFlare's CA for origin certificates is not publicly trusted, so Google App Engine currently returns an error when an Origin CA certificate is uploaded: "The SSL certificate provided could not be inserted."

We've reached out to Google regarding this policy decision and will update this article if the behavior changes.



Please DO NOT REPLY directly to this email but go to StackOverflow:
http://stackoverflow.com/questions/37079547/cloudflare-origin-certificate-with-google-app-engine/40192817#40192817
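
An added example (not from the thread, Cloudflare or Google): a shell check that sorts a PEM certificate into the three categories the quoted support article distinguishes (self-signed, publicly trusted CA, private CA) and shows that appending the root does not move the leaf out of the private-CA category. The certificates are constructed stand-ins generated locally, the function names are hypothetical, and the local OpenSSL trust store is assumed to approximate "publicly trusted".

```shell
#!/bin/sh
# Added example. All key material below is constructed locally for the demo;
# none of it is real Origin CA material.

# Key algorithm of the first certificate in a PEM file: RSA, ECDSA or other.
key_type() {
    alg=$(openssl x509 -in "$1" -noout -text | grep 'Public Key Algorithm')
    case "$alg" in
        *rsaEncryption*)  echo RSA ;;
        *id-ecPublicKey*) echo ECDSA ;;
        *)                echo other ;;
    esac
}

# Prints self-signed | public-ca | private-ca for the first cert in the file.
# Assumption: the local OpenSSL trust store stands in for "publicly trusted".
classify() {
    if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
         "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
        echo self-signed            # subject and issuer names match
    elif openssl verify "$1" >/dev/null 2>&1; then
        echo public-ca
    else
        echo private-ca
    fi
}

# Succeeds when the leaf ($1) verifies against the root you plan to append ($2).
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed sample: an RSA root, an RSA leaf it signs, and leaf+root bundle.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=origin.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/root.pem" > "$1/bundle.pem"   # leaf first, root appended
}

d=$(mktemp -d) && make_sample "$d"
echo "leaf key type: $(key_type "$d/leaf.pem")"
echo "leaf alone:    $(classify "$d/leaf.pem")"
echo "leaf + root:   $(classify "$d/bundle.pem")"
echo "root:          $(classify "$d/root.pem")"
chains_to "$d/leaf.pem" "$d/root.pem" && echo "leaf chains to the appended root"
```

The bundle gives path-building software a complete chain to the supplied root, but the leaf is still issued by a CA outside the public trust store, which is consistent with the upload error reported in the thread.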