
I have to renew my certificate on Google App Engine but when I enter my new public certificate and private key, I have got an error "cannot parse certificate"

I have tried with RapidSSL and Letsencrypt and both fail

Here is my process to get the keys (with Letsencrypt):

  1. sudo ./certbot-auto certonly --manual -d www.mysite.fr -m my-mail@o.fr --agree-tos
  2. I get the result after successful challenge: "Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.mysite.fr/fullchain.pem"
  3. sudo cat /etc/letsencrypt/live/www.mysite.fr/fullchain.pem and then copy/paste in the "PEM encoded X.509 public key certificate" textarea of the Google cloud SSL config
  4. sudo openssl rsa -in /etc/letsencrypt/live/www.mysite.fr/privkey.pem -out rsa.pem
  5. cat rsa.pem and then copy/paste in the "Unencrypted PEM encoded RSA private key" textarea of the Google cloud SSL config

When I press the Google cloud SSL config button "Upload" I get the error "could not parse certificate". Any clue?

I have the message at the top of SSL certificate page: "The SSL feature has been migrated here from Google Apps. To get started, verify ownership of your domains by completing step 1 here." Could this cause the cryptic error message "could not parse certificate"?

When I click on the "here" link in the message, I go through all steps but I do not want to configure my DNS A and AAAA as CNAME seems enough to make it run today and I have mail and other subdomains handled by my DNS config of today. I don't want to break it all. Does anyone from Google know how it works behind the scenes?

EDIT: Finally not a DNS problem or partially unverified ownership. Worked well with Let's Encrypt. It was a copy/paste side effect inserting invisible chars that make Google's parsing fail. Would be nice to improve the service by stripping invisible chars before parsing. A quick win? I would recommend never using copy/paste for keys and certificates! The Google Cloud Console has a way to download files to your own computer and then you can upload them to App Engine without them being corrupted.

frank
  • After pasting in each box click on the side - the box will get immediately red and a msg will indicate if something's wrong - this way you know which of the pasted info GAE doesn't like. Other than that I just successfully uploaded my certificate again w/ the copy-paste method, see http://stackoverflow.com/a/38319855/4495081. Maybe also check your certificate(s)? – Dan Cornilescu Jan 13 '17 at 01:00

2 Answers

First: Make sure there is no trailing line feed in either field. Delete any trailing spaces or line feeds. That is a common error, and one that App Engine engineers should fix.

If that isn't the issue, try using /etc/letsencrypt/live/www.mysite.fr/privkey.pem as the "Unencrypted PEM encoded RSA private key". Again, with no trailing spaces or line feeds.

GAEfan
  • It was indeed an invisible char problem. It is quite tricky and long to fix it. But I finally found a way to download the key & certificate files from the Google Cloud Console, so no more need to copy/paste. NB: the second paragraph is a bad idea, privkey.pem does not work at all as it is not unencrypted. – frank Jan 15 '17 at 18:26
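The EDIT in the question (invisible characters inserted by copy/paste) and the first answer (trailing line feeds) describe the same defect: characters a strict PEM parser rejects. The script below is an added example, not code from either poster; it reports every such character with its position, normalizes the PEM text, checks that each block decodes to DER, and tells whether a key block is the PKCS#8 privkey.pem or the PKCS#1 "RSA PRIVATE KEY" produced by the openssl step 4. The sample PEM text is constructed with a dummy DER body, not a real certificate.

```python
import base64
import re
import unicodedata
# Characters that survive copy/paste invisibly but make a strict PEM parser fail.
INVISIBLE = {"\u00a0", "\u200b", "\u200c", "\u200d", "\u2028", "\u2029", "\ufeff"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

def find_stray_chars(text):
    """Report (line, column, name) for every character outside printable ASCII."""
    hits = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if not 0x20 <= ord(ch) <= 0x7E:
                hits.append((lineno, col, unicodedata.name(ch, None) or "U+%04X" % ord(ch)))
    return hits

def clean_pem(text):
    """Normalize line endings, drop invisible chars and padding, leave no trailing line feed."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    return "\n".join(ln.strip() for ln in text.split("\n") if ln.strip())

def check_pem(text):
    """Verify the cleaned text is only PEM blocks whose bodies decode to DER (0x30 SEQUENCE tag)."""
    cleaned = clean_pem(text)
    blocks = PEM_BLOCK.findall(cleaned)
    rebuilt = "\n".join("-----BEGIN %s-----\n%s\n-----END %s-----" % (l, b, l) for l, b in blocks)
    if not blocks or rebuilt != cleaned:
        raise ValueError("text outside PEM blocks or mismatched BEGIN/END lines")
    for label, body in blocks:
        der = base64.b64decode(body.replace("\n", ""), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("%s block does not decode to DER" % label)
    return [label for label, _ in blocks]

def key_format_hint(labels):
    """'PRIVATE KEY' is PKCS#8; step 4 of the question rewrites it as PKCS#1 with openssl rsa."""
    if "RSA PRIVATE KEY" in labels:
        return "PKCS#1 RSA key: ready for the RSA private key field"
    if "PRIVATE KEY" in labels:
        return "PKCS#8 key: run openssl rsa -in privkey.pem -out rsa.pem first"
    return "no private key block found"

# Constructed sample: a minimal DER SEQUENCE stands in for a real certificate body.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
# Constructed paste: CRLF endings, a zero-width space, a no-break space and a trailing LF.
PASTED_CHAIN = ("-----BEGIN CERTIFICATE-----\r\n" + FAKE_DER + "\u200b\r\n-----END CERTIFICATE-----\r\n"
                "-----BEGIN CERTIFICATE-----\r\n" + FAKE_DER + "\r\n-----END CERTIFICATE-----\u00a0\r\n\n")
PASTED_KEY = "-----BEGIN PRIVATE KEY-----\n" + FAKE_DER + "\n-----END PRIVATE KEY-----\n"
```

Run `find_stray_chars` on the text you are about to paste; an empty result and a successful `check_pem` mean the console's parser is seeing exactly the bytes the file contains.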

The best way to include your certificate into GCC, is to upload the pem files directly.

Public Cert <- Cert.pem
Chain <- Full Chain.pem
Private Key <- Private.pem

Don't use copy/paste as it will often fail.

Alan Runo