Implementing end-to-end HTTPS encryption with CloudFlare for Google App Engine applications.
Register the root domain with Google Cloud Platform at the following:
https://console.cloud.google.com/appengine/settings/domains?project=<Project_Id>
Add a record for the root (`@`) or subdomain (`sub.domain.com`) pointing to Google Cloud Platform:

| Type | Name | Target | TTL | Proxy status |
| --- | --- | --- | --- | --- |
| CNAME | sub | ghs.googlehosted.com | Auto | DNS-only |
Ensure your SSL/TLS encryption mode is set to Full and not Full (strict).
Issue an Origin Certificate for the root and wildcard (`*`) hostnames. Navigate to SSL/TLS -> Origin Server -> Create Certificate and use the following configuration:

| Private key type | Hostnames | Certificate Validity |
| --- | --- | --- |
| RSA | domain.com,*.domain.com | 15 years |

Using the PEM (Default) key format:
- Copy the Origin Certificate into a `domain.com-YYYY-MM-dd.pem` file
- Copy the Private key into a `domain.com-YYYY-MM-dd.key` file
Edit the `domain.com-YYYY-MM-dd.pem` file and append the following Cloudflare Origin CA root certificate after the newly created certificate, so the file holds both:

```
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
```
Open a terminal with OpenSSL available, or install it with Homebrew (Mac OSX):

```
brew install openssl
```

Convert the private key to RSA format with the following shell command:

```
openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key
```
Navigate to the following URL in Google Cloud Platform to Upload a new certificate:
https://console.cloud.google.com/appengine/settings/certificates?project=<Project_Id>
Provide a Name for the certificate (e.g. `CF-YYYY-MM-DD`) and upload the certificate and key:
- PEM encoded X.509 public key certificate: `domain.com-YYYY-MM-dd.pem`
- Unencrypted PEM encoded RSA private key: `domain.com-RSA-YYYY-MM-dd.key`

After uploading, select the name of the newly added certificate (e.g. `CF-YYYY-MM-DD`).
Under Enable SSL for the following custom domains, select all domains that will use the corresponding certificate:

| Domain name |
| --- |
| ✓ *.domain.com |
| ✓ sub.domain.com |
Update the `CNAME` record to now be proxied through CloudFlare:

| Type | Name | Target | TTL | Proxy status |
| --- | --- | --- | --- | --- |
| CNAME | sub | ghs.googlehosted.com | Auto | Proxied |
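As an added example (not part of the original gist), a POSIX shell script that prepares the Origin Certificate bundle and key for the App Engine upload and sanity-checks them first: it writes the key in traditional RSA (PKCS#1) form (on OpenSSL 3.x the plain `openssl rsa` command emits PKCS#8 instead, so `-traditional` is passed where the version supports it), confirms the `.pem` holds the leaf plus the Origin CA root, confirms the key belongs to the certificate, and confirms the certificate covers the hostname you are about to enable. The file names and `sub.domain.com` are the gist's placeholders; the script name `check_gae_cert.sh` is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original gist. Inputs are the Cloudflare
# Origin Certificate bundle (.pem, with the Origin CA root appended) and the
# private key (.key) as named in the steps above; all paths are assumptions.
set -eu

# Write the key in traditional PKCS#1 form ("BEGIN RSA PRIVATE KEY"), which is
# what the "Unencrypted PEM encoded RSA private key" field asks for.
# OpenSSL 3.x needs -traditional for that; older versions reject the flag and
# already emit PKCS#1, hence the fallback.  $1 = input key, $2 = output key.
convert_key_to_rsa() {
  openssl rsa -in "$1" -out "$2" -traditional >/dev/null 2>&1 \
    || openssl rsa -in "$1" -out "$2" >/dev/null 2>&1
  grep -q 'BEGIN RSA PRIVATE KEY' "$2"
}

# Number of certificates in the PEM bundle: leaf + Origin CA root should be 2.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# True when the private key ($2) belongs to the first (leaf) certificate in
# the bundle ($1): compare digests of the public key derived from each side.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# True when the leaf certificate covers hostname $2 (wildcards included).
# The exit status of -checkhost does not reflect the result, so grep for the
# positive wording ("does match", as opposed to "does NOT match").
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Usage: ./check_gae_cert.sh domain.com-YYYY-MM-dd.pem domain.com-YYYY-MM-dd.key sub.domain.com
if [ "$#" -eq 3 ]; then
  pem=$1; key=$2; host=$3
  rsa_key="${key%.key}-RSA.key"
  convert_key_to_rsa "$key" "$rsa_key" || { echo "key conversion failed"; exit 1; }
  n=$(cert_count "$pem")
  [ "$n" -eq 2 ] || echo "warning: expected leaf + Origin CA root, found $n certificate(s)"
  key_matches_cert "$pem" "$rsa_key" || { echo "private key does not match $pem"; exit 1; }
  cert_covers_host "$pem" "$host" || { echo "$pem does not cover $host"; exit 1; }
  echo "OK: upload $pem and $rsa_key to App Engine"
fi
```

Run it once per certificate renewal before the upload step; a mismatch between key and certificate is the usual reason the App Engine upload is rejected.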
thank you @patmigliaccio, very useful :)