
How to use Let's Encrypt with Google Cloud Platform - tomasreimers
https://medium.com/google-cloud/lets-encrypt-and-google-app-engine-in-2017-7cfe0928768e
======
RKearney
> Done! Your site is now HTTPS protected! Don’t forget to renew your cert in 3
> months

This is not how Let's Encrypt is designed to work. Manually registering and
then deploying a certificate and saying "don't forget to renew" does not make
for a particularly high quality post.

~~~
charlieegan3
It's hard to auto renew on GAE; in fact, I don't know how to config auto
renew.

~~~
aliasnexus0
SSL certificates can now be updated in GAE using the gcloud command[1].

You could combine that with lego[2] to renew a Let's Encrypt SSL certificate
via DNS Challenge to automate the process until native automation is
implemented in GAE.

[1]
[https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl#transferring_mappings_from_a_serving_certificate_to_a_new_certificate](https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl#transferring_mappings_from_a_serving_certificate_to_a_new_certificate)

[2]
[https://thornelabs.net/2016/11/08/use-lego-gcloud-dns-and-dns-challenge-to-generate-lets-encrypt-ssl-certificates.html](https://thornelabs.net/2016/11/08/use-lego-gcloud-dns-and-dns-challenge-to-generate-lets-encrypt-ssl-certificates.html)
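
Added example (not part of the comment above or of the linked projects): a renewal script along the lines described, using lego's `gcloud` DNS provider for the DNS challenge and `gcloud app ssl-certificates update` to swap the served certificate. The domain, e-mail, certificate ID and paths are placeholders; it assumes a certificate was already issued once with lego, GNU `date`, and that `GCE_PROJECT` and Google credentials are set in the environment.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: DOMAIN, EMAIL, CERT_ID.
DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-admin@example.com}"
CERT_ID="${CERT_ID:-CERT_ID_PLACEHOLDER}"  # ID shown by: gcloud app ssl-certificates list
LEGO_PATH="${LEGO_PATH:-$HOME/.lego}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# renewal_due NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS
# Succeeds when the whole days left are at or below the threshold (expired counts).
renewal_due() {
  [ $(( ($1 - $2) / 86400 )) -le "$3" ]
}

# Expiry of a PEM certificate as a Unix timestamp (assumes GNU date).
not_after_epoch() {
  date -d "$(openssl x509 -enddate -noout -in "$1" | cut -d= -f2)" +%s
}

main() {
  set -eu
  crt="$LEGO_PATH/certificates/$DOMAIN.crt"
  key="$LEGO_PATH/certificates/$DOMAIN.key"
  exp=$(not_after_epoch "$crt")
  if ! renewal_due "$exp" "$(date +%s)" "$RENEW_DAYS"; then
    echo "more than $RENEW_DAYS days left, nothing to do"
    return 0
  fi
  umask 077  # keep the new private key unreadable by other users
  # DNS challenge through Cloud DNS; lego reads GCE_PROJECT and Google credentials
  # from the environment. RSA key requested: App Engine custom certificates
  # need an RSA private key.
  lego --path "$LEGO_PATH" --email "$EMAIL" --domains "$DOMAIN" \
       --dns gcloud --key-type rsa2048 renew --days "$RENEW_DAYS"
  # Upload only if lego really produced a fresher certificate.
  exp=$(not_after_epoch "$crt")
  if renewal_due "$exp" "$(date +%s)" "$RENEW_DAYS"; then
    echo "renewal did not produce a fresh certificate, not uploading" >&2
    return 1
  fi
  gcloud app ssl-certificates update "$CERT_ID" \
    --certificate "$crt" --private-key "$key"
}

# Run only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron or a scheduled job as `./renew.sh --run` (file name is an assumption), under a service account limited to the Cloud DNS zone and the App Engine certificate.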

~~~
subway
Oh hot damn!

I've been waiting on API access to manage certs for a while.

------
jaas
"LetsEncrypt issues SSL certificates by automatically verifying that you have
ownership of the domain you claim you have."

Let's Encrypt does not verify ownership of domains. We verify control.

This is a common mistake, but the difference between ownership and control is
significant so I'm just pointing this out for general educational purposes.

~~~
tomasreimers
Thank you! Good point.

------
sudhirj
The fact that setting up SSL on Google's platform in 2017 requires reading a
long article and repeating steps is really bad publicity - if this post is
official it ought to be embarrassing. AWS, Heroku, Cloudflare have all moved
on to automated certificate management for all their hosted services.

[http://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](http://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html)

[https://devcenter.heroku.com/articles/automated-certificate-management](https://devcenter.heroku.com/articles/automated-certificate-management)

[https://www.cloudflare.com/ssl/](https://www.cloudflare.com/ssl/)

~~~
tomasreimers
Yup! I even link to the Amazon one in the tutorial, Google's is coming soon
([https://issuetracker.google.com/issues/35900034](https://issuetracker.google.com/issues/35900034)),
and in the meanwhile this helps you get a cert.

~~~
sudhirj
Is this App Engine specific? Or will this also apply to
[https://cloud.google.com/load-balancing/](https://cloud.google.com/load-balancing/)?

------
renaudg
For the Container Engine part of GCP (and any Kubernetes installation really),
this project automates everything away:
[https://github.com/jetstack/kube-lego](https://github.com/jetstack/kube-lego)

~~~
basetensucks
+1 well worth checking this tool out. Saved me a lot of effort setting up a
GCP Kubernetes deployment two months ago. So far it has been a matter of set
it and forget it.

------
charlieegan3
I wrote up a gist for my own memory:
[https://gist.github.com/charlieegan3/37c854f50198711a1b5e216b8dd57e99](https://gist.github.com/charlieegan3/37c854f50198711a1b5e216b8dd57e99)
- it runs certbot in a container rather than installing it.

I recently moved my static site from app engine to S3 and cloudfront so I
could take advantage of ACM certificates (as well as playing around with some
more terraform).

------
mikecb
Click of a button certs with automated renewal is coming.

~~~
emddudley
Do you have any links with more information on this?

~~~
advisedwang
[https://issuetracker.google.com/issues/35900034](https://issuetracker.google.com/issues/35900034)

------
advisedwang
Google is going to be providing automatic SSL Certs soon:
[https://issuetracker.google.com/issues/35900034](https://issuetracker.google.com/issues/35900034)

------
bg0
Renewing/replacing certificates, especially with App Engine, is the bane of my
existence. I couldn't possibly imagine doing this every 3 months.

This being said, I appreciate the tutorial.

------
superasn
Isn't it possible to call a DNS API and Google's API to set the TXT record in
DNS and cleanup hook to set the certificates in Google respectively?

~~~
tomasreimers
People have different DNSs. I'm using Namecheap and GAE for example.

------
danielecook
I'm looking for a way to automate the process. Has anyone got any ideas?

~~~
hatstand
Work in progress but:
[https://github.com/hatstand/gacertsbot/blob/master/appengine...](https://github.com/hatstand/gacertsbot/blob/master/appengine/README.md)

Currently relies on a fix to the appengine go SDK though:
[https://github.com/golang/appengine/pull/82](https://github.com/golang/appengine/pull/82)

~~~
bg0
Wait so does this work?

~~~
hatstand
Should do if you manually patch your local SDK.

------
finnn
>Sign up to enjoy the full Medium experience.

wow fuck medium

------
43224gg252
What's the advantage of running the API in google app engine as opposed to a
google cloud VM instance that you can just SSH into? Setting up letsencrypt on
a VM instance is 10x easier than this (and in my experience everything else
you need to do is 10x easier).

~~~
bg0
For a lot of smaller projects, running Google App Engine is 10x easier (and
cheaper) than worrying about a VM.

