Using the connector
This page describes how to use the connector with the Google Cloud CLI and an HTTPS request.
|
If you’re getting a 200 status code response, but the connector isn’t performing the requested operation, it’s likely that there’s a YAML syntax error in your acme-account.yaml file. Make sure to validate your YAML file using a YAML validator, for example, Code Beautify. |
Using the connector with the Google Cloud CLI
The following are example commands for enrolling and renewing certificates using the Google Cloud CLI.
| By default, GCP allows enrolling or renewing of up to 10 certificates in a single call. If you need more than 10 certificates, contact GCP support. If an attempt is made to enroll a certificate for a domain that already has a certificate, the name of the existing certificate will be returned. |
Enroll a single-domain certificate
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2"}' \
--format=jsongcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2"}' \
--format=json \
--region=us-central1Enroll a multi-domain (SAN) or wildcard certificate
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "*.ccmqa.com,d2.ccmqa.com,d3.ccmqa.com", \
"account": "demo2"}' \
--format=jsongcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "*.ccmqa.com,d2.ccmqa.com,d3.ccmqa.com", \
"account": "demo2"}' \
--format=json \
--region=us-central1Specify the upload account
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2"}' \
--format=jsongcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2", "gcp_creds": "ewogICJ0eXBlIjogI...cnNlX2RvbWFpbiI6ICJnb2NvbSIKfQoK"}' \
--format=json \The following image shows a list of provisioned certificates on the Certificate tab of the Google Cloud Console.
Using the connector with HTTPS
The following are example commands for enrolling and renewing certificates using an HTTPS request.
|
By default, GCP allows enrolling or renewing of up to 10 certificates in a single call. If you need more than 10 certificates, please contact GCP support. If an attempt is made to enroll a certificate for a domain that already has a certificate, the name of the existing certificate will be returned. |
Enroll a single-domain certificate
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"ccmqa.com"}'curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"ccmqa.com"}' \
--region=us-central1Enroll a multi-domain (SAN) or wildcard certificate
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"d1.ccmqa.com,d2.ccmqa.com"}'curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"d1.ccmqa.com,d2.ccmqa.com"}' \
--region=us-central1The following image shows a list of provisioned certificates on the Certificate tab of the Google Cloud console.
Renew revoked certificates for a specific alias
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew","account":"demo2"}'curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew","account":"demo2"}' \
--region=us-central1Renew all revoked certificates (for all aliases)
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew"}'curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew"}' \
--region=us-central1Notes
-
Duplicate certificates for a specific domain are not allowed for a specific ACME account alias.
-
Multiple aliases can be defined for the same ACME account.
-
If you need different key sizes, you can create two aliases with the needed key sizes.
-
Make sure the signature algorithm of the server certificate matches the CA certificate. For example, the RSA server certificate should have the RSA CA chain, and the ECDSA server certificate should have the ECDSA CA chain. Please contact Sectigo support for more details.
Enabling auto-renewal and logging using Cloud Scheduler
The Cloud Scheduler service allows you to create a cronjob that will invoke the Cloud Function on a schedule. You can integrate the Cloud Scheduler service with the connector to trigger the Cloud Function that will check whether the certificate is eligible for renewal.
There are three ways to enable auto-renewal and logging:
-
set up a cronjob in Cloud Scheduler automatically using Terraform
-
set up a cronjob in Cloud Scheduler manually in the web interface
-
set up a cronjob on your Linux machine
Create a cronjob with Terraform
You can set up a cronjob in Cloud Scheduler automatically using Terraform.
For this, specify your own values for the google_cloud_schedulerjob resource block in the Terraform file and deploy it with the terraform init command.
resource "google_cloud_scheduler_job" "cloud_function_cronjob" {
name = var.scheduler_name
description = "CronJob for renew certificates"
schedule = "0 0 1 * *"
http_target {
http_method = "POST"
uri = var.http_trigger
body = base64encode("{\"action\":\"forcerenew\",\"account\":\"rsa_2048\"}")
oidc_token {
service_account_email = "${google_service_account.scheduler_sa.email}"
}
headers = {
Content-Type = "application/json"
}
}
}The following is a breakdown of this resource block:
-
name: The name of the Cloud Scheduler job
-
schedule: The interval at which certificates are renewed (the value in the sample file means the Cloud Function is triggered on the first day of every month at 12:00 AM)
-
uri: The trigger URL for invoking the Cloud Function with an HTTP request
-
body: The data that is sent in the body of an HTTP request to trigger the Cloud Function
-
service_account_email: The service account that provides permission for Cloud Scheduler to invoke the Cloud Function.
Create a cronjob in the web interface
To set up a cronjob manually in the Cloud Scheduler web interface:
-
Log in to the Cloud Scheduler console.
-
Click Create a job.
-
Give a name to the job and select the Region.
-
Define the schedule for the job in Frequency. For example, the string
0 0 1 * *will trigger the Cloud Function on the first day of every month at 12:00 AM. -
Select the timezone to be used for the job schedule.
-
Click Continue.
-
Select HTTP in the Target type.
-
Specify the HTTP trigger URL.
-
Select POST as the HTTP method.
-
Specify Body for an HTTP request.
-
Select Add OIDC token in Auth header.
-
Select the Service account that has permission to invoke the function.
-
Other tabs are optional and you may skip them.
-
Click Create to confirm the settings and create the job.
Create a cronjob on your Linux machine
To set up a cronjob on your Linux machine which calls the Cloud Function on a schedule, using the gcloud command:
-
Run
crontab -eon the terminal. -
Select an editor.
-
Add a cronjob that will trigger the function.
The following example triggers the function every week.
0 0 * * 7 * * gcloud functions call SectigoGCPCM-us-central1 \ --data '{"action":"forcerenew","account":"rsa_2048"}' -
Save the crontab file.
Attaching certificates to load balancers
The SectigoGCPCM_https_lb_example and SectigoGCPCM_ssl_lb_example archives contain sample Terraform configuration for provisioning and attaching certificates to external HTTP(S) load balancers and SSL proxy load balancers.
Add the external data source configuration to your main Terraform module.
The data source triggers the enroll.sh script that calls the Cloud Function to enroll a certificate and attach it to the target proxy for the load balancer.
The README.md file in the archive provides instructions on using the external data source.
The following is a sample data source configuration.
// Data source for enrolling a certificate
data "external" "example" {
program = ["/bin/bash","./enroll.sh","sectigohttpslb.ccmqa.com"]
}
output cert_name {
value = "${data.external.example.result.result}"
}
// Target HTTPS proxy for the load balancer
resource "google_compute_target_https_proxy" "default" {
depends_on = [
data.external.example
]
name = "example-target-proxy"
url_map = google_compute_url_map.default.id
ssl_certificates = ["${data.external.example.result.result}"]
}