I have the following setup (addresses are made up, obv):
* A top domain purchased via Namecheap - mygame.xyz
* An App Engine app - https://mygame-123456.appspot.com/
* A Cloudflare account.

My wish is to have all traffic go through Cloudflare so that I can have 
DDoS protection and SSL.

Cloudflare offers free SSL certificates but despite following instructions 
from both Google App Engine:
https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl#adding_ssl_to_your_custom_domain
and Cloudflare:
https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
I cannot get it to work.

I have tried multiple combinations but always get the same error message 
from App Engine:
"""
Error  
The SSL certificate provided could not be inserted.  
Send feedback
"""

Why can't App Engine say what is actually wrong? That would make it easy to 
fix; now I have to guess.

How I have generated the certificate and key:
1. Let Cloudflare generate a CSR, cert and key.
   a. Cloudflare generates a cert and key for mygame.xyz and *.mygame.xyz.
   b. I convert the key with "openssl rsa -in private.key -out 
      private.key.pem". The result, private.key.pem, looks like:
      -----BEGIN RSA PRIVATE KEY-----
      MksWFdks...
      ...dwdFFEjwdh
      -----END RSA PRIVATE KEY-----
   c. I convert the cert with "openssl x509 -inform PEM -in cf_cert.crt > 
      cf_x509.pem"; nothing changes, cf_x509.pem is exactly the same.
   d. I concat the certs: "cat cf_x509.pem root_x509.pem > concat_x509.pem" 
      and the resulting file looks like:
      -----BEGIN CERTIFICATE-----
      SJdj...
      ...djdfheUSj
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      UUhhfhejd...
      ...kLkdIIWJj
      -----END CERTIFICATE-----

2. Generate a CSR with Google's instructions:
   a. openssl req -nodes -newkey rsa:2048 -keyout [MY_PRIVATE_KEY].key -out 
      [MY_CSR].csr
   b. Use the CSR to generate a cert at Cloudflare.
   c. Same procedure as in (1).

I have verified that the key is 2048 bits, that the key and cert match and 
that the cert is valid with:
* openssl rsa -in private.key.pem -text -noout
* openssl x509 -noout -modulus -in concat.pem | openssl md5
* openssl rsa -noout -modulus -in private.key.pem | openssl md5
* openssl verify -verbose -CAfile concat.pem concat.pem
I have tried various combos with subdomains (only mygame.xyz, mygame.xyz 
and *.mygame.xyz, etc.).
I have tried converting both the generated cert and the root cert to PEM, 
but nothing happens for either of them.
I have also tried with just the generated cert and no root CA.

* It seems like an easy fix on Google's side - just say what the problem is 
when you don't accept the cert. Why don't you?
* What could it still be that I am doing wrong?
    * I have verified ownership of the domain, put the A, AAAA and CNAME 
      records at Namecheap, and I use the nameservers of Cloudflare.
* What subdomains should I use in the cert? I only really need mygame.xyz 
and www.mygame.xyz.
* Is there a known problem with Cloudflare generated certs and App Engine?

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at https://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/4b791fc9-9e20-4a1c-81de-a523c7569cd5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
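The checks the poster ran, gathered into one script as an added example (mine, not code from the poster, Google or Cloudflare), plus the two things that "openssl verify -CAfile concat.pem concat.pem" does not tell you: whether the key matches the first certificate in the bundle specifically, and whether the certificates are in leaf-then-issuer order. It needs the openssl CLI. The file names and the constructed test root and leaf for mygame.xyz / *.mygame.xyz are assumptions made for the demonstration.

```shell
#!/bin/sh
# Pre-flight checks for a PEM private key plus certificate bundle before
# uploading it to a hosting provider. Added example, not from the original
# post; it requires the openssl CLI. All file paths are caller-supplied.

# key_format KEY: report the PEM container and flag encrypted keys.
key_format() {
  case "$(head -n 1 "$1")" in
    *ENCRYPTED*) echo encrypted ;;
    '-----BEGIN RSA PRIVATE KEY-----')
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; else echo rsa-pkcs1; fi ;;
    '-----BEGIN PRIVATE KEY-----') echo pkcs8 ;;
    *) echo unknown ;;
  esac
}

# key_bits KEY: modulus size in bits (the post's requirement is 2048).
# The sed pattern accepts the 1.0, 1.1 and 3.x variants of the header line.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# key_matches_leaf KEY BUNDLE: the key must belong to the FIRST certificate
# in the bundle. "openssl x509" reads only that one, so this also catches a
# bundle that has the root on top.
key_matches_leaf() {
  if [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
  then echo ok; else echo mismatch; fi
}

# chain_order_ok BUNDLE: the issuer of certificate N must be the subject of
# certificate N+1 (leaf first, then intermediates, root last).
chain_order_ok() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/c" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  result=ok; i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$tmp/c$i.pem")
    subject=$(openssl x509 -noout -subject -in "$tmp/c$((i + 1)).pem")
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || result=bad
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$result"
}

# leaf_covers BUNDLE NAME: does the first certificate cover NAME?
# -checkhost applies the wildcard rules, so *.mygame.xyz covers www.mygame.xyz.
leaf_covers() {
  case "$(openssl x509 -noout -in "$1" -checkhost "$2")" in
    *'does match'*) echo yes ;;
    *) echo no ;;
  esac
}

# make_test_material DIR: constructed root CA + leaf for mygame.xyz and
# *.mygame.xyz so the checks can run offline. Not the poster's files.
make_test_material() {
  d=$1
  openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=Constructed Test Root' \
    -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj '/CN=mygame.xyz' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:mygame.xyz,DNS:*.mygame.xyz\n' > "$d/ext.cnf"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/ext.cnf" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"      # correct order
  cat "$d/root.pem" "$d/leaf.pem" > "$d/reversed.pem"   # the mistake to catch
}

# run_checks KEY BUNDLE NAME...: one line per check, for a human to read.
run_checks() {
  key=$1; bundle=$2; shift 2
  echo "key format:  $(key_format "$key")"
  echo "key bits:    $(key_bits "$key")"
  echo "key vs leaf: $(key_matches_leaf "$key" "$bundle")"
  echo "chain order: $(chain_order_ok "$bundle")"
  for name in "$@"; do echo "covers $name: $(leaf_covers "$bundle" "$name")"; done
}
```

Two points worth knowing when reading the results against the poster's commands: "openssl verify -CAfile concat.pem concat.pem" trusts every certificate in the bundle, so it passes whenever the file is self-consistent and says nothing about order or about the key; and "openssl x509 -modulus -in concat.pem" only inspects the first certificate, so a bundle with the root on top produces a mismatch even when the key is right. On OpenSSL 3.x, "openssl rsa -out" writes a PKCS#8 "PRIVATE KEY" block by default; add -traditional to get the "RSA PRIVATE KEY" form shown in the post.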