Google Appengine SSL certificates - "The SSL certificate provided could not be inserted", tried everything!


Garth Bannister

May 30, 2017, 5:19:15 PM5/30/17
to Google App Engine
I have the following setup (addresses are made up obv):
* A top domain purchased via Namecheap - mygame.xyz
* A Cloudflare account.

My wish is to have all traffic go through Cloudflare so that I can have DDoS protection and SSL.

Cloudflare offers free SSL certificates but despite following instructions from both Google App Engine:
and Cloudflare:
I cannot get it to work.

I have tried multiple combinations but always get the same error message from App Engine:
"""
Error  
The SSL certificate provided could not be inserted.  
Send feedback
"""

Why can't App Engine say what is actually wrong? That would make it easy to fix it, now I have to guess.

How I have generated the certificate and key:
1. Let Cloudflare generate a CSR, cert and key.
a. Cloudflare generates a cert and key for mygame.xyz and *.mygame.xyz.
b. I convert the key with "openssl rsa -in private.key -out private.key.pem". The result private.key.pem looks like:
-----BEGIN RSA PRIVATE KEY-----  
MksWFdks...  
...dwdFFEjwdh  
-----END RSA PRIVATE KEY-----
c. I convert the cert with "openssl x509 -inform PEM -in cf_cert.crt > cf_x509.pem", nothing changes,
cf_x509.pem is exactly the same.
d. I concat the certs: "cat cf_x509.pem root_x509.pem > concat_x509.pem" and the resulting file looks like:
-----BEGIN CERTIFICATE-----  
SJdj...  
...djdfheUSj  
-----END CERTIFICATE-----  
-----BEGIN CERTIFICATE-----  
UUhhfhejd...  
...kLkdIIWJj  
-----END CERTIFICATE----- 

2. Generate a CSR with Google's instructions:
a. openssl req -nodes -newkey rsa:2048 -keyout [MY_PRIVATE_KEY].key -out [MY_CSR].csr
b. Use the CSR to generate a cert at Cloudflare.
c. Same procedure as in (1).

I have verified that the key is 2048 bits, that the key and cert match and that the cert is valid with:
* openssl rsa -in private.key.pem -text -noout
* openssl x509 -noout -modulus -in concat.pem | openssl md5
* openssl rsa -noout -modulus -in private.key.pem | openssl md5
* openssl verify -verbose -CAfile concat.pem concat.pem
I have tried various combos with subdomains (only mygame.xyz, mygame.xyz and *.mygame.xyz, etc).
I have tried converting both the generated cert and the root cert to pem but nothing happens for any of them.
I have also tried with just the generated cert and no root CA.

* It seems like an easy fix on Google's side - just say what the problem is when you don't accept the cert. Why don't you?
* What could it still be that I am doing wrong?
    * I have verified ownership of the domain and put the A and AAAA and CNAMEs at Namecheap and I use the nameservers of Cloudflare.
* What subdomains should I use in the cert? I only really need mygame.xyz and www.mygame.xyz.
* Is there a known problem with Cloudflare generated certs and App Engine?

George (Cloud Platform Support)

May 31, 2017, 4:04:37 PM5/31/17
to Google App Engine
Hello Garth, 

The stated purpose of your attempt to connect via Cloudflare is: "I can have DDoS protection and SSL". It may be the moment to stress the fact that these features are offered by the App Engine already.

Cloudflare's Flexible SSL mode encrypts traffic from browsers to CloudFlare, but no traffic from CloudFlare to a site's origin server. Quoting from Cloudflare's SSL FAQ

"What does flex and full SSL mean?
  • Flexible SSL:
    • SSL is terminated at the Cloudflare edge servers. Everything between your client and Cloudflare is encrypted, but between Cloudflare and your origin server is not encrypted."

More detail from "Using Custom Domains and SSL": 

"App Engine supports the following certificate types:

Single Domain/Hostname
Self-signed
Wildcard
Subject Alternative Name (SAN) / Multi Domain
It requires some things of your certificates and keys:

Private Key and Certificate should be uploaded in PEM format.
Private Keys must not be encrypted.
A certificate file can contain at most five certificates; this number includes chained and intermediate certificates.
All subject names on the host certificate should match or be subdomains of the user's verified domains.
Private keys must use RSA encryption.
Maximum allowed key modulus: 2048 bits
If the host certificate requires an intermediate or chained certificate (as many Certificate Authorities (CAs) issue), you will need to append the intermediate or chained certificates to the end of the public certificate file.

Some App Engine features use special subdomains. For example, an application can use subdomains to address application services, or to address different versions of your application. To use these with SSL, it makes sense to set up a SAN or wildcard certificate. Wildcard certificates only support one level of subdomain."

In your SAN or wildcard certificate you should take care of the mygame.xyz and www.mygame.xyz

Garth Bannister

May 31, 2017, 4:30:18 PM5/31/17
to Google App Engine
Hi

Thanks for your reply! I know about the various options of SSL at Cloudflare. I will use full (strict) which means SSL all the way to my server and back to the user. I will not use flexible. Google's DDoS protection is just blacklisting while Cloudflare offers real protection.

For the cert, I did take care of mygame.xyz and www.mygame.xyz (one of the many combos I tried) but still no luck. What else could it be?

George (Cloud Platform Support)

Jun 1, 2017, 5:00:52 PM6/1/17
to Google App Engine
As long as your certificate covers all the domain names and sub-domains you need, they should work. The issue above was linked to the flexible Cloudflare certificates, not the way your custom domain is covered.

Garth Bannister

Jun 1, 2017, 7:06:47 PM6/1/17
to Google App Engine
They do cover all. I tried both mydomain.xyz and www.mydomain.xyz in one cert as well as mydomain.xyz and *.mydomain.xyz.

It says (under Upload certificates):
"The custom domain feature has been migrated here from Google Apps. To get started, verify ownership of the domain in step 1."
That is done though, I got the A and AAAA and CNAME from that and http is working so it must be verified.
Why does it still say that then?

Also, what about the expiration time for the certificate, does it matter if it is 1 year or 15 years or something else?

pdknsk

Jun 2, 2017, 11:41:22 AM6/2/17
to Google App Engine
I assume you upload the certificate and key as files. You should try pasting, which does some client-side checks in JavaScript. If that yields no different results, you could try to use the API directly, which may provide more verbose error messages.


Works in the browser ("Try this API"). If that goes through, the other steps like domain-mapping can still be done from the regular App Engine settings page.

pdknsk

Jun 2, 2017, 11:52:44 AM6/2/17
to Google App Engine
Or you could try gcloud, which also uses the API.

Garth Bannister

Jun 4, 2017, 6:11:37 PM6/4/17
to Google App Engine
gcloud beta app ssl-certificates create --certificate=C:/.../public.pem --display-name=mycert --private-key=C:/.../private.pem
ERROR: (gcloud.beta.app.ssl-certificates.create) Error Response: [400] Invalid certificate. `CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included, and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits. The requested private key and public certificate must match.

Still does not say the exact error. That makes it really hard for me to find the error because I do things as the instructions say and I have also tried a lot of combinations.
The last I tried with the above method had the Common name=www.mydomain.xyz which covers both www.mydomain.xyz and mydomain.xyz right?

The header and footers are the ----- BEGIN... ------ and ----- END ... ----- right?
There should not be anything before or after that (unless it is another certificate)?
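
The requirements George quoted from the docs and the gcloud error above can all be checked locally before uploading. The script below is an added example, not code from the thread or from Google; it uses only the openssl CLI (1.1.1 or newer for the `-addext` used in the constructed demo material) and assumes the hostnames mygame.xyz and www.mygame.xyz from the original post.

```shell
#!/bin/sh
# Added example, not from the thread. Local pre-flight checks mirroring the
# requirements George quoted and the gcloud error: PEM header/footer present,
# unencrypted RSA key of at most 2048 bits, at most five certificates, key
# matching the FIRST certificate, and the hostnames you need present as SANs.

# check_bundle CERT_FILE KEY_FILE HOST... -> prints findings, returns 0 only if all pass
check_bundle() {
  cert="$1"; key="$2"; shift 2; fail=0
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "missing certificate PEM header"; fail=1; }
  grep -q -- '-----END CERTIFICATE-----' "$cert" || { echo "missing certificate PEM footer"; fail=1; }
  grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$key" || { echo "missing private key PEM header"; fail=1; }
  # Encrypted keys say ENCRYPTED in the PKCS#8 header or in a PKCS#1 Proc-Type line.
  if grep -q ENCRYPTED "$key"; then echo "private key is encrypted"; fail=1; fi
  # openssl rsa refuses non-RSA keys, so this doubles as the "must be RSA" check.
  openssl rsa -in "$key" -noout -check >/dev/null 2>&1 || { echo "key is not a valid RSA key"; fail=1; }
  # "Private-Key: (2048 bit)" or "(2048 bit, 2 primes)" depending on the OpenSSL version.
  bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  { [ -n "$bits" ] && [ "$bits" -le 2048 ]; } || { echo "key size ${bits:-?} exceeds 2048 bits"; fail=1; }
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  [ "$n" -le 5 ] || { echo "bundle has $n certificates, maximum is 5"; fail=1; }
  # openssl x509 reads only the first certificate, so a mismatch here also
  # catches a chain concatenated root-first instead of leaf-first.
  cm=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
  km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  { [ -n "$cm" ] && [ "$cm" = "$km" ]; } || { echo "first certificate does not match private key"; fail=1; }
  # Exact SAN entries only; a wildcard SAN is not expanded here.
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
  for h in "$@"; do
    case "$text" in *"DNS:$h"*) ;; *) echo "certificate has no SAN for $h"; fail=1 ;; esac
  done
  return $fail
}

# make_demo DIR: constructed, throwaway self-signed material for mygame.xyz (not a real cert).
make_demo() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=mygame.xyz" \
    -addext "subjectAltName=DNS:mygame.xyz,DNS:www.mygame.xyz" \
    -keyout "$1/private.key.pem" -out "$1/cf_x509.pem" >/dev/null 2>&1
}

# Stand-alone usage: ./check_bundle.sh demo   (or call check_bundle on your own files)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_demo "$d"
  check_bundle "$d/cf_x509.pem" "$d/private.key.pem" mygame.xyz www.mygame.xyz && echo "all checks passed"
fi
```

Every failed check prints one line, so unlike the upload form you see which requirement was violated.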

Garth Bannister

Jun 4, 2017, 6:40:42 PM6/4/17
to Google App Engine
I can't figure out how to use that API. I copy paste the raw certificate and key data but that does not work. Or is it the local path I should put there? Anyhow, the EXECUTE button is always grey so I cannot click it.

George (Cloud Platform Support)

Jun 5, 2017, 9:42:32 AM6/5/17
to Google App Engine
In such a situation, you may add value to the investigation by double-checking your certificate with validity and exactitude of details. Once the certificate itself is proven OK, we would be more confident investigating further. 

pdknsk

Jun 6, 2017, 3:53:13 PM6/6/17
to Google App Engine
You don't need to try the API now, as it would only return the exact same error. Anyway, it's a known issue apparently.

Garth Bannister

Jun 7, 2017, 2:50:24 PM6/7/17
to Google App Engine
Thanks pdknsk! At least now I know that it does not work. I can do without, in worst case I have to buy one from Digicert or somewhere else.

This issue can be closed then!