I'm reviving some antique code of mine that uses google app engine. The SSL certificate was self-signed and long expired so this time around I tried to use letsencrypt.
If you search you'll likely come across this post from 2015 which is mostly correct but has a few gotchas. I'm taking a few notes for next time I need to renew. I was doing this on Windows for a change.
- Install certbot.exe via pip install certbot.
- Request a certificate from letsencrypt:
certbot.exe certonly --manual --preferred-challenges=dns --email <your email> --agree-tos --no-eff-email --key-type rsa -d <your hostname>
I prefer the DNS challenge; I find adding a TXT record easier than uploading some custom request handler.
Make sure to set --key-type rsa! This is the important bit: certbot has switched to ECDSA keys by default, and app engine only supports RSA.
- Convert the private key from "OpenSSH key" to "PEM encoded RSA key": make a copy of the private key that certbot downloaded (privkey2-rsa.pem below), since ssh-keygen rewrites the file in place, and convert it: ssh-keygen.exe -p -N "" -m pem -t rsa -f privkey2-rsa.pem. The converted file should begin with -----BEGIN RSA PRIVATE KEY----- rather than -----BEGIN PRIVATE KEY-----. See this SO post for more details.
- You can now upload the fullchain file and the key file to app engine. If you get errors such as "The private key you've selected does not appear to be valid." or "the certificate data is invalid", you either didn't configure certbot to use RSA or didn't convert the key correctly.
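As an added pre-upload check (my own example, not part of the original post or of certbot), the script below reads a PEM private key and reports which of the three cases above it is in: a PKCS#1 RSA key ready to upload, an RSA key still in certbot's PKCS#8 encoding that needs the ssh-keygen step, or an ECDSA key that needs re-issuing with --key-type rsa. The SAMPLE_* keys are constructed toy DER with tiny integers, not real keys; point classify_key at the text of your own privkey file to use it.

```python
import base64
import re

# DER-encoded OID values as they appear inside a PKCS#8 AlgorithmIdentifier
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
OID_P256 = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7 prime256v1

def pem_to_der(text):
    # (label, DER bytes) of the first PEM block in text
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_children(der):
    # one level of DER as (tag, value) pairs; single-byte tags, short or long lengths
    items, i = [], 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes that follow
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        items.append((tag, der[i:i + length]))
        i += length
    return items

def classify_key(text):
    # 'rsa-pkcs1' uploads as-is; 'rsa-pkcs8' still needs the ssh-keygen step; 'ec-pkcs8' needs --key-type rsa
    label, der = pem_to_der(text)
    fields = der_children(der_children(der)[0][1])  # contents of the outer SEQUENCE
    if label == "RSA PRIVATE KEY":  # PKCS#1: version, n, e, d, p, q, dP, dQ, qInv
        return "rsa-pkcs1" if len(fields) == 9 and all(t == 0x02 for t, _ in fields) else "invalid"
    if label == "PRIVATE KEY":  # PKCS#8: version, AlgorithmIdentifier { OID, params }, OCTET STRING
        oid = der_children(fields[1][1])[0][1]
        return {OID_RSA: "rsa-pkcs8", OID_EC: "ec-pkcs8"}.get(oid, "unknown-pkcs8")
    return "unsupported"

# --- constructed toy samples: minimal DER with tiny integers, NOT real keys ---
def der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_PKCS1 = pem("RSA PRIVATE KEY", der(0x30, b"".join(der(0x02, bytes([v])) for v in (0, 143, 7, 103, 11, 13, 1, 9, 3))))
SAMPLE_PKCS8_RSA = pem("PRIVATE KEY", der(0x30, der(0x02, b"\x00") + der(0x30, der(0x06, OID_RSA) + der(0x05, b"")) + der(0x04, bytes(8))))
SAMPLE_PKCS8_EC = pem("PRIVATE KEY", der(0x30, der(0x02, b"\x00") + der(0x30, der(0x06, OID_EC) + der(0x06, OID_P256)) + der(0x04, bytes(8))))
```

Only unencrypted keys are handled; an ssh-keygen output with Proc-Type/DEK-Info headers would be reported as invalid.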