The first test passes. The second test gives the following error: *concat.crt: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate** * *error 20 at 0 depth lookup:unable to get local issuer certificate* However, as I understand it this is only relevant to the client and part of how the CloudFlare CA works. Is AppEngine still able to handle certs like this? As far as I can tell, the certificate matches the requirements. On Tue, May 10, 2016, at 09:55 PM, 'Nick (Cloud Platform Support)' via Google App Engine wrote: > Thanks for checking that. Another set of sanity-checks: you've run the > verification commands, to ensure the cert and your private key match? > > From the doc: > > openssl x509 -noout -modulus -in concat.crt | openssl md5 openssl rsa > -noout -modulus -in myserver.key.pem | openssl md5 > You should also be sure to verify the crt file itself > openssl verify -verbose -CAfile concat.crt concat.crt > > Also, are you sure that the certificate matches the requirements of > the platform[1]? > > Cheers, > > Nick > Cloud Platform Community Support > > On Tuesday, May 10, 2016 at 12:04:03 PM UTC-4, Simon Brown wrote: >> Thanks >> >> I only have one crt file, I believe that's how the CloudFlare CA >> works, so there's nothing to concatenate. Just in case, I just tried >> running the command from the docs on the one crt file and importing >> it, and I still get the same error. >> >> On Mon, May 9, 2016, at 07:48 PM, 'Nick (Cloud Platform Support)' via >> Google App Engine wrote: >>> Hey Simon, >>> >>> While this forum is meant for more high level discussion of the >>> platform and services, a specific issue like this being somewhat off >>> topic, I'll be happy to assist in narrowing down the scope of the >>> issue before advising that you post to either Stack Overflow[2] or >>> the Cloud Platform Public Issue Tracker[3]. >>> >>> Did you concatenate the certificates to create a *PEM encoded X.509 >>> public key certificate*? >>> >>> Regards, >>> >>> Nick >>> Cloud Platform Community Support >>> >>> On Friday, May 6, 2016 at 4:07:45 PM UTC-4, Simon Brown wrote: >>>> I use CloudFlare with App Engine and I'm trying to take advantage >>>> of their new CA[4], but I get an error when I try to import the >>>> cert into App Engine. I have also tried creating a self-signed >>>> cert, and no dice (except once in which it was imported, but didn't >>>> seem to work, so I tried again after which it stopped). >>>> >>>> Here is my process: >>>> >>>> 1. I run this command to generate a CSR: >>>> >>>> openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out >>>> server.csr >>>> >>>> 2. I paste the CSR into CloudFlare's utility and get back a PEM >>>> certificate. >>>> >>>> 3. I run the following command to convert my private key to a PEM >>>> key, as per the docs[5]: >>>> >>>> openssl rsa -in myserver.key -out myserver.key.pem >>>> >>>> 4. I go to certificates in App Engine and select the certificate >>>> from CloudFlare for the public key certificate and >>>> myserver.key.pem for the RSA private key. I get the following >>>> error message: >>>> >>>> The SSL certificate provided could not be inserted. >>>> >>>> Any suggestions on what I might be doing wrong? >>>> >>>> Thanks >>> >>> -- >>> You received this message because you are subscribed to a topic in >>> the Google Groups "Google App Engine" group. >>> To unsubscribe from this topic, visit >>> https://groups.google.com/d/topic/google-appengine/btN3G0qLbEg/unsubscribe. >>> To unsubscribe from this group and all its topics, send an email to >>> [email protected]. >>> To post to this group, send email to google- >>> [email protected]. >>> Visit this group at >>> https://groups.google.com/group/google-appengine. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/google-appengine/57598d6c-cee1-4fc6-86c2-ec2997bcc680%40googlegroups.com[6]. >>> For more options, visit https://groups.google.com/d/optout. >> > > -- > You received this message because you are subscribed to a topic in > the Google Groups "Google App Engine" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/google-appengine/btN3G0qLbEg/unsubscribe. > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To post to this group, send email to google- > [email protected]. > Visit this group at https://groups.google.com/group/google-appengine. > To view this discussion on the web visit > > https://groups.google.com/d/msgid/google-appengine/50d190c8-8e13-4b85-be7f-f3d1621fa247%40googlegroups.com[7]. > For more options, visit https://groups.google.com/d/optout.
Links: 1. https://cloud.google.com/appengine/docs/python/console/using-custom-domains-and-ssl#app_engine_support_for_ssl_certificates 2. http://stackoverflow.com 3. http://code.google.com/p/google-cloud-platform/issues/list 4. https://blog.cloudflare.com/cloudflare-ca-encryption-origin/ 5. https://cloud.google.com/appengine/docs/python/console/using-custom-domains-and-ssl#more_about_app_engine_support_for_ssl_certificates 6. https://groups.google.com/d/msgid/google-appengine/57598d6c-cee1-4fc6-86c2-ec2997bcc680%40googlegroups.com?utm_medium=email&utm_source=footer 7. https://groups.google.com/d/msgid/google-appengine/50d190c8-8e13-4b85-be7f-f3d1621fa247%40googlegroups.com?utm_medium=email&utm_source=footer -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/1462915665.2099215.604026809.5E21DDDE%40webmail.messagingengine.com. For more options, visit https://groups.google.com/d/optout.
