Configuring Cloudflare SSL/TLS certificates on Google App Engine

install-cf-gae-ssl.md

Configuring Cloudflare SSL/TLS on Google App Engine

Implementing end-to-end HTTPS encryption with CloudFlare for Google App Engine applications.

Google App Engine - Custom Domains

Add Domains

Register the root domain with Google Cloud Platform at the following:

https://console.cloud.google.com/appengine/settings/domains?project=<Project_Id>

Cloudfare DNS

Configure DNS Records for Google App Engine

Add a record for the root (@) or subdomain (sub.domain.com) pointing to Google Cloud Platform.

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    DNS-only

Cloudfare SSL/TLS

Encryption in Full mode

Ensure your SSL/TLS encryption mode is set to Full and not Full (strict).

Origin Certificates and Private Keys

Issue an Origin Certificate for the root and wildcard (*) hostnames.

Navigate to SSL/TLS -> Origin Server -> Create Certificate and use the following configuration:

Private key type    Hostnames                  Certificate Validity
RSA                 domain.com,*.domain.com    15 years 

Using the PEM (Default) Key format;

• Copy the Origin Certificate into a domain.com-YYYY-MM-dd.pem file
• Copy the Private key into a domain.com-YYYY-MM-dd.key file

Edit the domain.com-YYYY-MM-dd.pem file and append the following Cloudflare Origin CA root certificate after the newly created certificate:

• cloudflare_origin_ecc.pem

...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...

Converting to RSA

Open a terminal with OpenSSL or install using the following (Mac OSX):

brew install openssl

Convert the private key to RSA with the following shell command:

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key

Google App Engine - SSL Certificates

Uploading the Certificate

Navigate to the following URL in Google Cloud Platform to Upload a new certificate:

https://console.cloud.google.com/appengine/settings/certificates?project=<Project_Id>

Provide a Name for the certificate (e.g. CF-YYYY-MM-DD) and upload the certificate and key.

• PEM encoded X.509 public key certificate: domain.com-YYYY-MM-dd.pem
• Unencrypted PEM encoded RSA private key: domain.com-RSA-YYYY-MM-dd.key

Assigning the Mapped Domains

After uploading, select the name of the newly added certificate (e.g. CF-YYYY-MM-DD)

Under Enable SSL for the following custom domains, select all domains that will use the corresponding certificate.

     Domain name
✓    *.domain.com
✓    sub.domain.com

Cloudfare DNS - Enable Proxy

Set Status to Proxied

Update the CNAME record to now be proxied through CloudFlare:

Type    Name    Target                  TTL     Proxy status
CNAME   sub     ghs.googlehosted.com    Auto    Proxied

Very useful and concise. We had this EXACT issue where secure session tokens were not being issued by a node.js app running in Google App Engine, because the connection from Cloudflare proxy to GAE was not https. This solution probably also applies to other container environments like AWS Elastic Beanstalk.

Thank you for taking the time to share this with the community!

With modern OpenSSL v3 you will need to specify -traditional to get the desired format. You can tell the difference because OpenSSL v3 will default to --BEGIN PRIVATE KEY-- instead of --BEGIN RSA PRIVATE KEY-- (which the Google Cloud Console will reject).

So instead of:

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key

use

openssl rsa -in domain.com-YYYY-MM-dd.key -out domain.com-RSA-YYYY-MM-dd.key -traditional

Awesome. Thank you 🙏

Cloudflare Origin CA root certificate

**https://developers.cloudflare.com/ssl/static/origin_ca_ecc_root.pem**

Thank you so much!