Cloudflare Origin Certificate with Google App Engine

不想你离开。 Submitted on 2020-01-23 12:29:08

Question


Cloudflare recently released origin certs. I can generate one for my domain but am not able to upload it to App Engine. After getting the cert and key from Cloudflare, I have to run openssl rsa -in old -out new on the key to convert it to an RSA key. Using this key and the cert, App Engine shows the following error:

The SSL certificate provided could not be inserted.

With no additional information it's difficult to know what's going on here.


Answer 1:


CloudFlare PM here for Origin CA. A few comments/questions:

  1. Are you specifying RSA upfront, i.e., during issuance? Strange that you'd have to convert from RSA to RSA if so. If you're specifying ECDSA, it may be that GAE doesn't support those key types.
  2. As another answer indicated, our Origin CA certificates are intended to be used behind CloudFlare. By default they are leaf-only and have been reduced to the absolute minimum size that will work with our edge. Please see this blog post that I wrote for more details: https://blog.cloudflare.com/cloudflare-ca-encryption-origin.
  3. We've noticed that some software, e.g., cPanel, that can't determine a path all the way to a trusted root can be placated by appending our Origin CA root certificate. You can find these certificates here, one for RSA and one for ECDSA: https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-. I would try appending the appropriate root to your certificate and re-uploading.



Answer 2:


As mentioned at https://support.cloudflare.com/hc/en-us/articles/221856168-How-to-install-an-Origin-CA-certificate-using-Google-App-Engine?flash_digest=c5309955213af4e33d15d0f9d2de9a4a186c10d2

At the present time, Google App Engine only allows the uploading of certificates that are either self-signed or are signed by a publicly trusted certificate authority (CA).

CloudFlare's CA for origin certificates is not publicly trusted, so Google App Engine currently returns an error when an Origin CA certificate is uploaded: "The SSL certificate provided could not be inserted."

We've reached out to Google regarding this policy decision and will update this article if the behavior changes.




Answer 3:


05/DEC/2019 UPDATE: App Engine now supports Cloudflare Origin CA certificates.

One must convert the private key to RSA format:

$ openssl rsa -in {key-name}.key -out {key-name-rsa}.key

and enable Cloudflare proxying (make sure the cloud icon is orange in DNS settings).


Same here, seems like CloudFlare Origin certificates are not publicly trusted, this may be the issue.

CF support encourages contacting Google.

Update:

Bundling the CloudFlare CA root cert and public certificates together, i.e. "appending the appropriate root to your certificate and re-uploading" (Patrick), does not help.

Same error message from Google App Engine: "The SSL certificate provided could not be inserted."
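
An added example, not part of the original thread or of Cloudflare's or Google's code: a standard-library Python check that tells whether a PEM private key is RSA or ECDSA and whether it is PKCS#8 (`BEGIN PRIVATE KEY`) or PKCS#1 (`BEGIN RSA PRIVATE KEY`), and performs the unwrap that the `openssl rsa` step in the answers stands for. It assumes an unencrypted key; `inspect_key`, `sample_pkcs8` and the sample bytes are constructed for illustration and contain no real key material.

```python
import base64, re

# DER-encoded OID contents found in a PKCS#8 AlgorithmIdentifier
OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def inspect_key(pem):
    """Classify a PEM private key; for PKCS#8 RSA also return the PKCS#1 PEM."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label == "RSA PRIVATE KEY":     # already in the traditional RSA format
        return "rsa-pkcs1", pem
    if label == "EC PRIVATE KEY":      # ECDSA key in SEC1 form, cannot become RSA
        return "ecdsa-sec1", None
    if label != "PRIVATE KEY":         # e.g. ENCRYPTED PRIVATE KEY
        return "unsupported:" + label, None
    _, body, _ = read_tlv(der, 0)      # PrivateKeyInfo SEQUENCE
    _, _, pos = read_tlv(body, 0)      # version INTEGER
    _, alg, pos = read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg, 0)       # algorithm OID
    _, inner, _ = read_tlv(body, pos)  # privateKey OCTET STRING (PKCS#1 DER for RSA)
    if oid != OID_RSA:
        return ("ecdsa-pkcs8" if oid == OID_EC else "unsupported-pkcs8"), None
    b64 = base64.b64encode(inner).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "rsa-pkcs8", f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"

def _tlv(tag, value):                  # short-form DER encoder for the sample only
    return bytes([tag, len(value)]) + value

# Constructed sample: PKCS#8 wrapper around placeholder bytes, not a real key
FAKE_PKCS1 = _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x02, b"\x01\x02\x03"))
def sample_pkcs8(oid):
    info = _tlv(0x02, b"\x00") + _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b"")) + _tlv(0x04, FAKE_PKCS1)
    b64 = base64.b64encode(_tlv(0x30, info)).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"
```

With OpenSSL 3.x, `openssl rsa` writes PKCS#8 unless `-traditional` is given, so check the header of the converted file before uploading it.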



Source: https://stackoverflow.com/questions/37079547/cloudflare-origin-certificate-with-google-app-engine
