Sectigo.com
Shop Enterprise Partners Resources

Using the connector

This page describes how to use the connector with the Google Cloud CLI and an HTTPS request.

If you’re getting a 200 status code response, but the connector isn’t performing the requested operation, it’s likely that there’s a YAML syntax error in your acme-account.yaml file. Make sure to validate your YAML file using a YAML validator, for example, Code Beautify.

Using the connector with the Google Cloud CLI

The following are example commands for enrolling and renewing certificates using the Google Cloud CLI.

By default, GCP allows enrolling or renewing of up to 10 certificates in a single call. If you need more than 10 certificates, contact GCP support. If an attempt is made to enroll a certificate for a domain that already has a certificate, the name of the existing certificate will be returned.

Enroll a single-domain certificate

  • Default region

  • Specific region

gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2"}' \
--format=json
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "ccmqa.com", "account": "demo2"}' \
--format=json \
--region=us-central1

Enroll a multi-domain (SAN) or wildcard certificate

  • Default region

  • Specific region

gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "*.ccmqa.com,d2.ccmqa.com,d3.ccmqa.com", \
"account": "demo2"}' \
--format=json
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "*.ccmqa.com,d2.ccmqa.com,d3.ccmqa.com", \
"account": "demo2"}' \
--format=json \
--region=us-central1

The following image shows a list of provisioned certificates on the Certificate tab of the Google Cloud Console.

Issued certificates in GCP

Renew revoked certificates for a specific alias

  • Default region

  • Specific region

gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "renew", "account": "d365_tuesday"}' \
--format=json
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "renew", "account": "d365_tuesday"}' \
--format=json \
--region=us-central1

Renew all revoked certificates (for all aliases)

  • Default region

  • Specific region

gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "renew"}' \
--format=json
gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "renew"}' \
--format=json \
--region=us-central1

Using the connector with HTTPS

The following are example commands for enrolling and renewing certificates using an HTTPS request.

By default, GCP allows enrolling or renewing of up to 10 certificates in a single call. If you need more than 10 certificates, please contact GCP support. If an attempt is made to enroll a certificate for a domain that already has a certificate, the name of the existing certificate will be returned.

Enroll a single-domain certificate

  • Default region

  • Specific region

curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"ccmqa.com"}'
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"ccmqa.com"}' \
--region=us-central1

Enroll a multi-domain (SAN) or wildcard certificate

  • Default region

  • Specific region

curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"d1.ccmqa.com,d2.ccmqa.com"}'
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"enroll","account":"demo2","domains":"d1.ccmqa.com,d2.ccmqa.com"}' \
--region=us-central1

The following image shows a list of provisioned certificates on the Certificate tab of the Google Cloud console.

Issued certificates in GCP

Renew revoked certificates for a specific alias

  • Default region

  • Specific region

curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew","account":"demo2"}'
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew","account":"demo2"}' \
--region=us-central1

Renew all revoked certificates (for all aliases)

  • Default region

  • Specific region

curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew"}'
curl -X POST -H "Authorization: Bearer $(gcloud auth print-identity-token)" \
'https://us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1' \
-H "Content-Type:application/json" \
--data '{"action":"renew"}' \
--region=us-central1

Notes

  • Duplicate certificates for a specific domain are not allowed for a specific ACME account alias.

  • Multiple aliases can be defined for the same ACME account.

  • If you need different key sizes, you can create two aliases with the needed key sizes.

  • Make sure the signature algorithm of the server certificate matches the CA certificate. For example, the RSA server certificate should have the RSA CA chain, and the ECDSA server certificate should have the ECDSA CA chain. Please contact Sectigo support for more details.

Enabling auto-renewal and logging using Cloud Scheduler

The Cloud Scheduler service allows you to create a cronjob that will invoke the Cloud Function on a schedule. You can integrate the Cloud Scheduler service with the connector to trigger the Cloud Function that will check whether the certificate is eligible for renewal.

There are three ways to enable auto-renewal and logging:

  • set up a cronjob in Cloud Scheduler automatically using Terraform

  • set up a cronjob in Cloud Scheduler manually in the web interface

  • set up a cronjob on your Linux machine

Create a cronjob with Terraform

You can set up a cronjob in Cloud Scheduler automatically using Terraform. For this, specify your own values for the google_cloud_schedulerjob resource block in the Terraform file and deploy it with the terraform init command.

resource "google_cloud_scheduler_job" "cloud_function_cronjob" {
    name         = var.scheduler_name
    description  = "CronJob for renew certificates"
    schedule     = "0 0 1 * *"
    http_target {
        http_method = "POST"
        uri = var.http_trigger
        body = base64encode("{\"action\":\"forcerenew\",\"account\":\"rsa_2048\"}")
        oidc_token {
            service_account_email = "${google_service_account.scheduler_sa.email}"
        }
        headers = {
            Content-Type = "application/json"
        }
    }
}

The following is a breakdown of this resource block:

  • name: The name of the Cloud Scheduler job

  • schedule: The interval at which certificates are renewed (the value in the sample file means the Cloud Function is triggered on the first day of every month at 12:00 AM)

  • uri: The trigger URL for invoking the Cloud Function with an HTTP request

  • body: The data that is sent in the body of an HTTP request to trigger the Cloud Function

  • service_account_email: The service account that provides permission for Cloud Scheduler to invoke the Cloud Function.

Create a cronjob in the web interface

To set up a cronjob manually in the Cloud Scheduler web interface:

  1. Log in to the Cloud Scheduler console.

  2. Click Create a job.

  3. Give a name to the job and select the Region.

  4. Define the schedule for the job in Frequency. For example, the string 0 0 1 * * will trigger the Cloud Function on the first day of every month at 12:00 AM.

  5. Select the timezone to be used for the job schedule.

    Define the schedule in Cloud Scheduler

  6. Click Continue.

  7. Select HTTP in the Target type.

  8. Specify the HTTP trigger URL.

  9. Select POST as the HTTP method.

  10. Specify Body for an HTTP request.

  11. Select Add OIDC token in Auth header.

  12. Select the Service account that has permission to invoke the function.

  13. Other tabs are optional and you may skip them.

  14. Click Create to confirm the settings and create the job.

    Configure the execution in Cloud Scheduler

Create a cronjob on your Linux machine

To set up a cronjob on your Linux machine which calls the Cloud Function on a schedule, using the gcloud command:

  1. Run crontab -e on the terminal.

  2. Select an editor.

  3. Add a cronjob that will trigger the function.

    The following example triggers the function every week.

    0 0 * * 7 * * gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action":"forcerenew","account":"rsa_2048"}'

  4. Save the crontab file.

Attaching certificates to load balancers

The SectigoGCPCM_https_lb_example and SectigoGCPCM_ssl_lb_example archives contain sample Terraform configuration for provisioning and attaching certificates to external HTTP(S) load balancers and SSL proxy load balancers.

Add the external data source configuration to your main Terraform module. The data source triggers the enroll.sh script that calls the Cloud Function to enroll a certificate and attach it to the target proxy for the load balancer. The README.md file in the archive provides instructions on using the external data source.

The following is a sample data source configuration.

// Data source for enrolling a certificate
data "external" "example" {
  program = ["/bin/bash","./enroll.sh","sectigohttpslb.ccmqa.com"]
}

output cert_name {
  value = "${data.external.example.result.result}"
}

// Target HTTPS proxy for the load balancer
resource "google_compute_target_https_proxy" "default" {
  depends_on = [
    data.external.example
  ]
  name             = "example-target-proxy"
  url_map          = google_compute_url_map.default.id
  ssl_certificates = ["${data.external.example.result.result}"]
}