What's the advantage of running the API in google app engine as opposed to a google cloud VM instance that you can just SSH into? Setting up letsencrypt on a VM instance is 10x easier than this (and in my experience everything else you need to do is 10x easier).
> Done! Your site is now HTTPS protected! Don’t forget to renew your cert in 3 months
This is not how Let's Encrypt is designed to work. Manually registering and then deploying a certificate and saying "don't forget to renew" does not make for a particularly high quality post.
That's a big part of why this post is disappointing. It may as well be two separate posts titled "how to manually obtain an LE cert", and "how to manually install a cert on GAE".
I was excited and thought they'd come up with a way of installing certs into GAE in an automated manner, since that's been the biggest blocker of automated LE usage on GAE.
Thought about automating it with a sequence of API calls (get challenge, automatically create handler, deploy solution, get cert, modify it, upload it). However, Google is working on an automated solution, and I'm not sure deploying something for the intermediate is necessary https://issuetracker.google.com/issues/35900034 (but I still need certs in the intermediate).
SSL certificates can now be updated in GAE using the gcloud command[1].
You could combine that with lego[2] to renew a Let's Encrypt SSL certificate via DNS Challenge to automate the process until native automation is implemented in GAE.
Agreed! I also wish there was an automated way to renew! However currently there isn't, and I doubt building out the tooling is worth it given Google appears to be working on an integration themselves: https://issuetracker.google.com/issues/35900034 -- in the intermediate, I still need certificates though.
The fact that setting up SSL on Google's platform in 2017 requires reading a long article and repeating steps is really bad publicity - if this post is official it ought to be embarrassing. AWS, Heroku, Cloudflare have all moved on to automated certificate management for all their hosted services.
I recently moved my static site from app engine to S3 and cloudfront so I could take advantage of ACM certificates (as well as playing around with some more terraform).
"LetsEncrypt issues SSL certificates by automatically verifying that you have ownership of the domain you claim you have."
Let's Encrypt does not verify ownership of domains. We verify control.
This is a common mistake, but the difference between ownership and control is significant so I'm just pointing this out for general educational purposes.
For the Container Engine part of GCP (and any Kubernetes installation really), this project automates everything away : https://github.com/jetstack/kube-lego
+1 well worth checking this tool out. Saved me a lot of effort setting up a GCP Kubernetes deployment two months ago. So far it has been a matter of set it and forget it.
34 comments
[ 3.1 ms ] story [ 94.0 ms ] threadCurrently relies on a fix to the appengine go SDK though: https://github.com/golang/appengine/pull/82
wow fuck medium
This is not how Let's Encrypt is designed to work. Manually registering and then deploying a certificate and saying "don't forget to renew" does not make for a particularly high quality post.
I was excited and thought they'd come up with a way of installing certs into GAE in an automated manner, since that's been the biggest blocker of automated LE usage on GAE.
You could combine that with lego[2] to renew a Let's Encrypt SSL certificate via DNS Challenge to automate the process until native automation is implemented in GAE.
[1] https://cloud.google.com/appengine/docs/standard/python/usin... [2] https://thornelabs.net/2016/11/08/use-lego-gcloud-dns-and-dn...
I've been waiting on API access to manage certs for a while.
This being said, I appreciate the tutorial.
http://docs.aws.amazon.com/acm/latest/userguide/acm-overview...
https://devcenter.heroku.com/articles/automated-certificate-...
https://www.cloudflare.com/ssl/
I recently moved my static site from app engine to S3 and cloudfront so I could take advantage of ACM certificates (as well as playing around with some more terraform).
Let's Encrypt does not verify ownership of domains. We verify control.
This is a common mistake, but the difference between ownership and control is significant so I'm just pointing this out for general educational purposes.