Ssl for a saas on google app engine


I know there’s been quite a few posts on this in the forum and I’ve been reading through them trying to get what info I can but I still have a few questions.

Basically my SAAS currently runs on GAE (google app engine) which will automatically issue certs for me (for domains I have access to).

When users sign up to my app they get a url such as I could potentially give them a subdomain ie. if it makes the below easier.

I want to allow users to point custom domains to the app. For this I plan to get them to create a txt record so I can verify the domain, and then get them to use a cname record to point to my app.

I want to be able to issue certs on their behalf and so will use LetsEncrypt. I would use a HTTP based challenge after they’ve set-up the cname, except, as the app is on app engine, I can’t create the well-known file seeing as this is based on appengine standard - unless we can create a custom file (though then I wouldn’t know how to get the correct challenge out of the cli which would potentially live on a different server)?

As mentioned above, the certs may have to be issued from a different server to make this work based on how GAE works and then I use the GCloud apis to upload the certs to app engine.

Does anyone have any experience on this, or ideas on how I should approach this?


You have everything you need to respond to this request statelessly, without needing to coordinate anything between the GAE web frontends, or parsing CLI output.

The response you need to give is (rfc8555):

token || '.' || base64url(Thumbprint(accountKey))

token is the last part of the URL in /.well-known/acme-challenge/{token}. So that's easy.

The account thumbprint is predetermined and never changes for any single Let's Encrypt account. You just need to ensure that your code utilizes the same Let's Encrypt account key across any running instance of your webapp.

Stateless Mode · acmesh-official/ Wiki · GitHub is a demonstration of this type of stateless challenge response.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.