2
votes

When using the LetsEncrypt certbot to generate an SSL certificate for my domain, I am prompted to make a file available at my domain to verify my control of the domain:

http://example.com/.well-known/acme-challenge/XXXXXX

However when I try to upload that file to my Google Cloud Storage bucket I get the following error:

$ gsutil rsync -R . gs://example.com
Building synchronization state...
Starting synchronization
Copying file://./.well-known/acme-challenge/XXXXXX [Content-Type=application/octet-stream]...
BadRequestException: 400 ACME HTTP challenges are not supported.

Does Google Cloud Storage expressly forbid URLs with "acme challenge" in the path? Is it possible to set up a LetsEncrypt certificate for a domain hosted at a Google Cloud Storage bucket?

1
LOL: "Object names cannot start with .well-known/acme-challenge." Turns out you can verify your domain control for LetsEncrypt/certbot by creating a TXT record instead of creating and uploading the file: certbot.eff.org/docs/using.html#manual - maxm
@maxm: The reason is that "my_bucket.storage.googleapis.com" is also a domain name, but it's not one for which you should be able to get a certificate. If you own the example.com domain and happen to use CNAME records to serve content from GCS, registering ownership of the domain is no problem, but for simplicity and consistency we simply ban that object name for all buckets. - Brandon Yarbrough
@BrandonYarbrough -- thanks, makes sense. I have found it quite difficult to set up SSL for a GCS bucket with a custom domain - maxm
@BrandonYarbrough Now that GCS verifies the domain ownership it would be great to remove the restriction as it would then be possible to use certbot with Google Loadbalancer and GCS buckets more easily - dflorey

1 Answer

3
votes

We worked around this by exposing /.well-known/acme-challenge as an endpoint and storing the challenge at a different directory that is allowed by Cloud Storage. When LE hits that endpoint we retrieve the generated challenge from its directory and serialize it in the response.
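The workaround described in this answer, as an added Go example (not code from the answer's author): an HTTP handler for /.well-known/acme-challenge/<token> that reads the challenge from a different, permitted prefix in the bucket and returns it verbatim, accepting only a bare token so the endpoint cannot read other objects. The bucket is replaced by an in-memory store, and the `acme-challenges/` prefix and the `tok123` token are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// ChallengeStore stands in for the bucket (in production the Cloud Storage client); the map is an example assumption.
type ChallengeStore interface{ Get(object string) (body string, ok bool) }

type mapStore map[string]string

func (m mapStore) Get(object string) (string, bool) { v, ok := m[object]; return v, ok }

// Hypothetical prefix the challenges are stored under; Cloud Storage accepts names there.
const challengePrefix = "acme-challenges/"

// Only a bare HTTP-01 token (unpadded base64url) is accepted after the prefix, so the
// endpoint cannot be turned into a generic object reader ("../", nested paths, dots).
var pathRe = regexp.MustCompile(`^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$`)

// ACMEHandler serves challengePrefix+<token> verbatim at the well-known URL, as the ACME validator expects.
func ACMEHandler(store ChallengeStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m := pathRe.FindStringSubmatch(r.URL.Path)
		if m == nil {
			http.NotFound(w, r)
			return
		}
		body, ok := store.Get(challengePrefix + m[1])
		if !ok {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, body)
	})
}

// Serve sends one GET through the handler and returns status code and body.
func Serve(store ChallengeStore, path string) (int, string) {
	rec := httptest.NewRecorder()
	ACMEHandler(store).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	store := mapStore{challengePrefix + "tok123": "tok123.keyauth"} // constructed sample
	fmt.Println(Serve(store, "/.well-known/acme-challenge/tok123"))
}
```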