How to enable Managed SSL on App Engine when using CloudFlare CDN


Leigh McCulloch

Sep 30, 2017, 1:02:54 AM
to Google App Engine

Hi!

I've attempted to enable the new Managed Security (SSL/TLS) with AppEngine on one of my domains, but it's been unable to activate because of DNS issues. I've got the domain setup with CloudFlare and this means that requests go to AppEngine via Cloudflare. Cloudflare serves SSL for my domain to visitors, but I'm wanting to activate the Managed SSL so that the connection between AppEngine and CloudFlare is via TLS on a trusted certificate.

How do I enable Managed TLS on my domain without disabling Cloudflare?

Thanks,
Leigh

Kamran (Google Cloud Support)

Sep 30, 2017, 8:02:34 PM
to Google App Engine

Hello Leigh,

I think creating a CNAME record on CloudFlare pointing to <your_app_id>.appspot.com should address full SSL configuration. Let me know if this helps.

Leigh McCulloch

Oct 2, 2017, 11:49:20 AM
to Google App Engine

While that works, it's not completely secure: only Full SSL (strict) or Full SSL (origin CA)* is, not plain Full SSL. In Full SSL mode Cloudflare doesn't verify the common name on the certificate served by AppEngine, which is why it works as you described. If I enable Full SSL (strict) using the setup you described, it fails because the certificate AppEngine is serving is for example.appspot.com and not example.com.

What I had hoped to do was enable managed security on AppEngine so that AppEngine served a certificate with the correct common name. But it seems like AppEngine does DNS checks before allowing the certificate to work.

Is there any way to make this work?

Leigh

* Note: Full SSL (origin CA) is also not supported by AppEngine, because AppEngine doesn't allow the use of certificates that have been signed by a CA that isn't a trusted CA.
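An added example, not code from any participant in this thread, that models the distinction made above: it reads the names an origin certificate covers (the way `ssl.getpeercert()` reports them) and reports whether Cloudflare's Full mode (no name check) or Full (strict) (name must match, CA must be trusted) would accept that origin. The constructed certificate dicts and the `fetch_origin_cert` helper are assumptions for illustration.

```python
import socket
import ssl


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is only allowed as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.example.com" matches "www.example.com", not "example.com" or "a.b.example.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """dNSName SANs from an ssl.getpeercert() dict; subject CN only if no SAN exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def origin_name_matches(cert: dict, hostname: str) -> bool:
    """The strict-mode check: is the presented certificate valid for `hostname`?"""
    return any(_label_matches(n, hostname) for n in cert_names(cert))


def accepted_by(cert: dict, hostname: str) -> list:
    """Cloudflare modes, as described in the thread, that accept this origin certificate,
    assuming it already chains to a trusted CA. Full skips the name check; strict does not."""
    modes = ["Full"]
    if origin_name_matches(cert, hostname):
        modes.append("Full (strict)")
    return modes


def fetch_origin_cert(hostname: str, origin: str, port: int = 443) -> dict:
    """Connect to `origin` with SNI=hostname, require a trusted CA chain (as strict mode
    does) but leave the name check to origin_name_matches(), and return the parsed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name mismatch is exactly what we want to see
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted chains are rejected here, as in strict
    with socket.create_connection((origin, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host, origin = sys.argv[1], sys.argv[2]  # e.g. example.com example.appspot.com
    cert = fetch_origin_cert(host, origin)
    print("origin presents:", cert_names(cert), "accepted by:", accepted_by(cert, host))
```

Run it against the origin hostname that the proxy forwards to; if the output lists only "Full", the origin is serving a certificate for a different name than your domain, which is the failure the thread describes.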

Kamran (Google Cloud Support)

Oct 2, 2017, 10:05:32 PM
to google-a...@googlegroups.com

Managed security will need to check for the existence of a canonical name (CNAME) record with the value ghs.googlehosted.com for your domain/subdomain. If you're serving www.example.com on CloudFlare, you may map w3.example.com as a custom subdomain on GAE and enable managed security for it. Please try it and let me know how it works.

Leonard Austin

Oct 5, 2017, 7:44:39 PM
to Google App Engine

I'm also interested in this post. I'm not sure how creating a subdomain of w3.example.com helps, as will it not just create a managed certificate from LetsEncrypt for w3 (not naked or www)? I think LetsEncrypt uses DNS verification, which I assume is something GAE is handling behind the scenes. If Cloudflare is turned on and sits between the LetsEncrypt verification method and App Engine, then I'm not sure GCP is able to create a DNS record that LetsEncrypt can see?

Zorion Arrizabalaga

Jul 27, 2020, 8:22:24 AM
to Google App Engine

Hi,

I'm not sure if this old post is of interest to anyone, but just in case, I recently worked on it:
I don't know if Cloudflare Full (strict) is working with the cached version (proxy), but I got it to work with the non-cached Cloudflare DNS. Since the request goes directly to AppEngine and CloudFlare only works as the DNS server, the Let's Encrypt certificate can be generated automatically in GAE.
I'm worried that you may need to disable the cache every 4 months in order to get the new certificate (and I'm not sure if it works; we will see in 4 months!)

As mentioned, if you re-enable the cache (proxy) when you have the Let's Encrypt certificate in your GAE, you will again have your CloudFlare SSL certificate for the proxy, and it will talk to a valid Full (strict) SSL certificate in GAE for 4 months.

Cheers!
Zorion