Hi,

I'm not sure if this old post is of interest to anyone, but just in case, I 
recently worked on it:
I don't know if CloudFlare Full Strict is working with the cached version 
(proxy), but I got it to work with the non-cached CloudFlare DNS. Since the 
request goes directly to AppEngine and CloudFlare only works as a DNS server, 
the Let's Encrypt certificate can be generated automatically in GAE.
I'm worried that you may need to disable the cache every 4 months in order 
to get the new certificate (and I'm not sure if it works; we will see in 
4 months!)

As mentioned, if you re-enable the cache (proxy) when you have the Let's 
Encrypt certificate in your GAE, you will again have your CloudFlare SSL 
certificate for the proxy, and it will talk to a valid Full Strict SSL 
certificate in GAE for 4 months.

Cheers!
Zorion

On Friday, October 6, 2017 at 1:44:39 (UTC+2), Leonard Austin wrote:
>
> I'm also interested in this post. I'm not sure how creating a subdomain 
> of w3.example.com helps, as will it not just create a managed certificate 
> from LetsEncrypt for w3 (not naked or www)? I think LetsEncrypt uses DNS 
> verification, which I assume is something GAE is handling behind the 
> scenes. If CloudFlare is turned on and sits between the LetsEncrypt 
> verification method and App Engine, then I'm not sure GCP is able to create 
> a DNS record that LetsEncrypt can see? 
>
>
> On Tuesday, 3 October 2017 03:05:32 UTC+1, Kamran (Google Cloud Support) 
> wrote:
>>
>>
>> Managed security will need to check the existence of a canonical name (CNAME) 
>> record with the value of ghs.googlehosted.com for your domain/subdomain. 
>> If you're serving www.example.com on CloudFlare, you may map w3.example.com 
>> as a custom sub-domain on GAE and enable managed security for it. Please 
>> try it and let me know how it works.
>>
>>
>>
>>
>> On Monday, October 2, 2017 at 11:49:20 AM UTC-4, Leigh McCulloch wrote:
>>>
>>> While that works it's not completely secure, only Full SSL (strict) or 
>>> Full SSL (origin ca)* is, not plain Full SSL. In Full SSL mode Cloudflare 
>>> doesn't verify the common name on the certificate served by AppEngine which 
>>> is why it works as you described. If I enable Full SSL (strict) using the 
>>> setup you described it fails because the certificate AppEngine is serving 
>>> is for example.appspot.com and not example.com.
>>>
>>> What I had hoped to do was enable managed security on AppEngine so that 
>>> AppEngine served a certificate with the correct common name. But it seems 
>>> like AppEngine does DNS checks before allowing the certificate to work.
>>>
>>> Is there any way to make this work?
>>>
>>> Leigh
>>>
>>> * Note: Full SSL (origin ca) is also not supported by AppEngine, because 
>>> AppEngine doesn't allow the use of certificates that have been signed by a 
>>> CA that isn't a trusted CA.
>>>
>>>
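The two conditions the thread keeps circling are checkable. Kamran's reply says managed security looks for a CNAME pointing at ghs.googlehosted.com, and Leigh's describes exactly why Cloudflare "Full SSL (strict)" fails against a default App Engine origin: the origin serves a certificate for example.appspot.com, which does not cover example.com, and only strict mode verifies the name. The following is an added example, not code from the thread or from Google or Cloudflare; the CNAME target and the SAN lists are constructed sample data, and the optional live lookup at the bottom uses only the Python standard library and assumes the origin's chain verifies against the system root store.

```python
"""Added example: reproduce the CNAME and hostname-match checks discussed above.

The sample CNAME target and SAN lists below are constructed for illustration.
"""
import socket
import ssl
from typing import Dict, Iterable, List

# Target Kamran's reply says managed security checks for.
GOOGLE_CNAME_TARGET = "ghs.googlehosted.com"


def normalize_name(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS answers often carry."""
    return name.strip().rstrip(".").lower()


def cname_points_to_google(cname_target: str) -> bool:
    """True when a CNAME answer is the ghs.googlehosted.com target."""
    return normalize_name(cname_target) == GOOGLE_CNAME_TARGET


def name_matches_san(hostname: str, san: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    A wildcard covers exactly one left-most label: '*.example.com' matches
    'www.example.com' but neither the apex 'example.com' nor 'a.b.example.com'.
    """
    host = normalize_name(hostname)
    san = normalize_name(san)
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def hostname_matches_cert(hostname: str, san_names: Iterable[str]) -> bool:
    """True when any SAN entry covers the hostname.

    This is the name check a 'Full (strict)' origin connection performs and
    plain 'Full' skips, which is why Leigh's setup only worked in plain Full.
    """
    return any(name_matches_san(hostname, san) for san in san_names)


def origin_report(hostname: str, cname_target: str, san_names: List[str]) -> Dict[str, bool]:
    """Summarise both conditions for a hostname in one dict."""
    return {
        "cname_ok": cname_points_to_google(cname_target),
        "cert_ok": hostname_matches_cert(hostname, san_names),
    }


def fetch_origin_sans(hostname: str, port: int = 443) -> List[str]:
    """Network helper: return the dNSName SAN entries the origin serves.

    check_hostname is disabled so a name mismatch is reported rather than
    raised; the chain is still verified (CERT_REQUIRED), which is what makes
    getpeercert() return the parsed certificate instead of an empty dict.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed data mirroring Leigh's description: CNAME is right, but the
    # origin certificate is for example.appspot.com, so strict mode fails.
    print(origin_report("example.com", "ghs.googlehosted.com.", ["example.appspot.com"]))
    # A managed certificate that actually names the site passes both checks.
    print(origin_report("www.example.com", "ghs.googlehosted.com", ["www.example.com"]))
```

To run the live variant against a real origin, call `fetch_origin_sans("your.host")` and pass the result to `hostname_matches_cert`; a `False` there is the same mismatch Cloudflare reports in Full (strict) mode.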

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/5b7384d9-7d18-4742-a7a1-5b3b9684a0fdo%40googlegroups.com.