I use google app engine trying to add ssl for custom domain. I use naked domain. After "PEM encoded X.509 public key certificate" and "Unencrypted PEM encoded RSA private key" uploaded. "The SSL certificate provided could not be inserted." is returned. I use https://www.sslchecker.com check private key/ssl match. It matches. What's wrong? I use key size "RSA 2048", nothing wrong ordering the concatenated certificates. Thank you.
I spent a long time working with this error and found a solution for my problem here:
http://qiita.com/yogurito/items/550b50b262418e93da22
If I understand correctly, the key file needed to be without a password, so running:
openssl rsa -in appengine.key -out appengine-nopass.key
provided a key that GAE liked.
Related
I think AddDeveloperSigningCredential() is not working for deployment.AddDeveloperSigningCredential() is only working for development environment. Therefore I use AddSigningCredential() for production environment, but getting certificate does not have a private key error in log file. How can I continue to resolve it? Please guide me. Thanks.
My code in IdentityServer Startup.cs
enter image description here
You are searching for the certificate in StoreName.CertificateAuthority. How did you put the certificate there? Is it imported there without the private key. You can try to create a self-signed certificate in the StoreName.My. And search for it there instead. But if you already have a certificate to use you have to be sure to first export it from the original store and including the private key and then import in the store where you search for it.
/Hans
I'm trying to configure SSL for Google Cloud's App Engine.
You can upload your own custom SSL certificate + private key in GCP (see screenshot).
I'm using Cloudflare for DNS, and would like to use the "Full (strict)" SSL policy in Cloudflare. This would mean I have to add a certificate and key, created by Cloudflare, in GCP (in same screenshot).
I've managed to convert the private key to a valid (PEM) format that GCP will accept. The only thing not working is the Certificate part.
When entering both certificate and key in GCP, upon clicking upload, the following error is returned:
The certificate data is invalid. Please ensure that the private key and public certificate match.
After some googling, I found the following resources on GCP's documentation, explaining I need a have the full certificate-chain uploaded in the certificate field. So next thing I tried, is to concat my certificate from cloudflare together with the root certificate of cloudflare itself, as explained in the GCP docs.
So I ran the following command to create this chain:
cat domain.crt cloudflare-root-ca.crt > concat.crt
... and uploaded that one in GCP in the certificate field.
That didn't work either, even while the checksums of both private key and the certificate-chain match as explained by GCP docs, by running:
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
...and comparing the md5 outputs.
So now I'm completely without Idea's. GCP's error messages are limited to the one above, and one other saying your PK is not a valid format.
Same problems when trying via CLI (gcloud)
When trying this process through the cli gcloud, we get the same errors.
Trying the following command:
gcloud app ssl-certificates create --display-name example.com --certificate ./cloudflare-concat.crt --private-key cloudflare-pk.key
...yields the following error:
ERROR: (gcloud.app.ssl-certificates.create)
INVALID_ARGUMENT: Invalid certificate.
`CertificateRawData` must contain a PEM encoded x.509 public key certificate, with header and footer included,
and an unencrypted PEM encoded RSA private key, with header and footer included and with size at most 2048 bits.
The requested private key and public certificate must match.
Any help on uploading a valid certificate (from Cloudflare) and private key in GCP is much appreciated.
Update 1
I found this (cached) paged describing all the root and intermediate certs of Cloudflare. I've tried a couple of them to concatenate agains my domain cert, but no luck so far. It's also not clear which one to use...
Update 2
I've beginning to think that this won't work, ever. Because I'm using an 'Origin Certificate' from Cloudflare, I believe this is a self-signed cert from Cloudflare itself, meaning that App Engine won't ever recognize this as valid.
The reason I think this is the case, is because I tried to use the cfssl tool from cloudflare to 'create a bundle-cert' automatically. The response I get from running
cfssl bundle -cert domain.crt
Returns the following result:
[INFO] bundling certificate for {Country:[] Organization:[CloudFlare, Inc.] OrganizationalUnit:[CloudFlare Origin CA] Locality:[] Province:[] StreetAddress:[] PostalCode:[] SerialNumber: CommonName:CloudFlare Origin Certificate Names:[{Type:2.5.4.10 Value:CloudFlare, Inc.} {Type:2.5.4.11 Value:CloudFlare Origin CA} {Type:2.5.4.3 Value:CloudFlare Origin Certificate}] ExtraNames:[]}
{"code":1220,"message":"x509: certificate signed by unknown authority"}
Extra info
I'm using a free Cloudflare subscription.
Everything works fine when using the 'flexible' setting from Cloudflare,
But I would like to use the 'full (strict)' setting
I discovered a recent blogpost, describing how to solve this.
After following the steps described, the certificate was accepted in Google Cloud, and everything worked for the 'full (strict) ssl' option in cloudflare!
In short: it involved a bit of tweaking the keys, by manually adding 'RSA' to it, as described in the blogpost.
See this link:
https://blog.woohoosvcs.com/2019/11/running-google-app-engine-behind-cloudflare/
EDIT:
This is probably the same end-result as using the shell commands as described by #Andrei
Can you please verify you are using free Cloudflare or paid Cloudflare account.
Because if you are free using than I think SSL strict is not going to work make it flexible and redirect all HTTP request to https request.
When trying to "Add a new SSL certificate" using App Engine's Settings tab that was generated with Let's Encrypt via Google App Engine's console results in a dialog error and a 400 response to the POST request.
Error
"The SSL certificate provided could not be inserted."
A previously generated (about 2 months ago - not yet expired of course) SSL key/certificate via the exact same method is inserted just fine - but any newly generated one does not. I attempted both traditional Let's Encrypt and the relatively new Certbot method. Also tried multiple subdomains, naked domains, singular domains and each results in the same error.
I've seen several people spec that --rsa-key-size 2048 solved the same issue, but I've tried specifying that as well (even though it is the default for Certbot as is). Other answers have been "waiting 2 hours and now its working" - looking for a real solution as unreliable inserts and expired certs can become a real pain.
If you use certbot in Apache it defaults to 4096. So force key length to 2048.
certbot-auto --rsa-key-size 2048
From docs [https://certbot.eff.org/docs/using.html]
This creates PEM certificates in /etc/letsencrypt/live/example.net
Convert to RSA (change the url in cmd to your site).
sudo openssl rsa -inform pem -in /etc/letsencrypt/live/example.net/privkey.pem -outform pem > rsaprivatekey.pem
Above command is from this blog post http://blog.seafuj.com/lets-encrypt-on-google-app-engine. This also explains how to setup your webapp2 webserver.
Go to App Engine > Settings > SSL Certificates
Upload fullchain.pem
Upload rsaprivatekey.pem
The file upload button works fine - no need to paste unless its more secure.
I ran into similar problems as well a few weeks ago when trying to upload my new certificate using the same recipe I successfully used before.
What worked for me in the end was:
copy-pasting the entire content of the certificate file into the box marked Or paste the public key certificate in the box below:
and,
copy-pasting just the full key at the end of my private key .pem file into the box marked Or paste the RSA private key in the box below: (though I don't exactly recall if I included the leading -----BEGIN RSA PRIVATE KEY----- and tailing -----END RSA PRIVATE KEY----- lines or not).
I (kinda blindly) made several attempts for each of the 2 copy-paste operations with whatever crossed my mind - the success/failure feedback is immediate.
Side note - you may want to also double-check your certificate, in my case the 1st certificate file I managed to upload successfully was an incomplete one (missing intermediate entities), which appeared to be working fine from my desktop, but was failing when browsing from Android, I had to re-generate another one. I used digicert to confirm the problem and verify the 2nd certificate (following suggestions from an SO answer, of course ;)
I had this problem. I had generated the certificates in the Google Cloud Shell.
I was first trying to use the fullchain.pem, but this did not work.
/etc/letsencrypt/live/mydomain.com/cert.pem
I issued
sudo less /etc/letsencrypt/live/whysaurus.com/cert.pem
in the google cloud shell, and uploaded that as the pem 509 cert in appengine, and then it was accepted.
I have a problem with keypair and certificate generate in token using csp or pkcs, and i must to distict this then i want to know
"How to check certificate and key pair created by CSP or PKCS ??".
You should check their respective API as the first step.
For PKCS, you should read PKCS11 standard as mentioned on: http://www.rsa.com/rsalabs/node.asp?id=2133
This API interface will contains the method to check on the certificate.
Take note that in general, CSP is used by only Microsoft Product, while PKCS is used by the other software vendors.
Can anyone tell me how to verify the Password-based P12 file using openssl? Logic or sample code will be much helpful.
You can find a code sample that :
- opens a pkcs#12 file with password
- extracts the private key and certificates
in the openssl source code at :
./demos/pkcs12/pkread.c