‘Out of the Box’ HTTPS on GCP with nginx and Let’s Encrypt

Sun Jul 07, 2019 · 408 words

Often, while experimenting with Compute Engine on GCP, we need to set up a webserver.

Ideally, we’d want to create a VM which starts “out of the box” with HTTPS pre-configured, as that’s how we’ll test most of our applications anyway. Spending time configuring HTTPS again and again doesn’t sound like fun, and also increases the chances of making a mistake.

The following is a script to set up nginx and Let’s Encrypt automatically. It can be used as a startup script. It’s designed for CentOS 7, but the script is easily adapted to Debian-based or other OSes.

If you use any other webserver, you’ll have to do some more work to configure Let’s Encrypt – here’s a Java example.

You can type the startup script inline, or put it in a file accessible to the gcloud command, or store the script in a Cloud Storage bucket. This page has more information, but the key options are:

  • --metadata startup-script=CONTENTS: Supply the startup script contents directly with this key.
  • --metadata startup-script-url=URL: Supply a Google Cloud Storage URL to the startup script file with this key.
  • --metadata-from-file startup-script=FILE: Supply a locally stored startup script file (you can keep small files in Cloud Shell, although obviously this doesn’t scale well).

Below, we’ve used --metadata-from-file for simplicity.

This is nginx-tls.sh, save it where your gcloud command can find it, e.g. on the Cloud Shell filesystem.

#!/bin/bash
sudo yum -y update
# epel-release has to be installed on its own first: nginx and certbot-nginx live in EPEL,
# so they cannot be resolved in the same yum transaction that adds the repository
sudo yum -y install epel-release
sudo yum -y install certbot-nginx nginx
sudo systemctl start nginx
# you must have a domain name you own and have access to DNS management for that domain
sudo sed -i 's/server_name  _/server_name  SUBDOMAIN.YOURDOMAIN.COM/g' /etc/nginx/nginx.conf
sudo systemctl reload nginx
sudo certbot register --email YOUR@EMAIL.COM --no-eff-email --agree-tos
# For https://yourdomain.com use -d YOURDOMAIN.COM
# --non-interactive because a startup script has no terminal on which to answer prompts
sudo certbot --nginx --non-interactive -d SUBDOMAIN.YOURDOMAIN.COM --redirect
sudo systemctl enable nginx
# the schedule below will run every month -- change as needed
# guarded so that re-running the script (it runs on every boot) doesn't add duplicate entries
sudo crontab -l 2>/dev/null | grep -q 'certbot renew' || \
  (sudo crontab -l 2>/dev/null; echo "14 3 5 */1 * /usr/bin/certbot renew --quiet") | sudo crontab -

…and create your Compute Engine VM thus:

gcloud compute --project=YOUR_PROJECT instances create \
    YOUR_MACHINE_NAME \
    --zone=YOUR_REGION --machine-type=YOUR_MACHINE_TYPE \
    --subnet=YOUR_VPC_NAME \
    --address=RESERVED_IP_ADDRESS \
    --network-tier=PREMIUM --maintenance-policy=MIGRATE \
    --service-account=... \
    --scopes=... \
    --tags=webserver --image=centos-7-v20190619 --image-project=centos-cloud \
    --boot-disk-size=30GB --boot-disk-type=pd-standard \
    --boot-disk-device-name=YOUR_MACHINE_NAME \
    --metadata-from-file startup-script=./nginx-tls.sh
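Because the domain and e-mail are spliced into a sed expression and a certbot command line inside the VM, it is worth rendering and validating the script before gcloud ever sees it. The pre-flight renderer below is an added example, not part of the original post: it fills the SUBDOMAIN.YOURDOMAIN.COM and YOUR@EMAIL.COM placeholders from its arguments, checks both values against simple hostname/e-mail patterns (the rules are this example's own assumption), and fails closed if any placeholder survives outside a comment.

```shell
#!/bin/sh
# Pre-flight renderer for nginx-tls.sh (added example). Reads the template on
# stdin, writes the rendered script on stdout, and exits non-zero on bad input.

# Hostname: dot-separated labels of [A-Za-z0-9-], no leading/trailing '-',
# at least one dot and an alphabetic TLD.
valid_hostname() {
  printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# E-mail: exactly one '@', a restricted local part, and a valid hostname.
valid_email() {
  case $1 in
    *@*@*|*@|@*) return 1 ;;   # more than one '@', or an empty side
    *@*) ;;
    *) return 1 ;;             # no '@' at all
  esac
  printf '%s\n' "${1%@*}" | grep -Eq '^[A-Za-z0-9._%+-]+$' && valid_hostname "${1#*@}"
}

# Replace the two placeholders. '|' is used as the sed delimiter and the
# validated values cannot contain '&' or '\', so nothing in them is sed-special.
render_startup_script() {
  host=$1
  email=$2
  valid_hostname "$host" || { echo "bad hostname: $host" >&2; return 1; }
  valid_email "$email"   || { echo "bad e-mail: $email" >&2; return 1; }
  out=$(sed -e "s|SUBDOMAIN\.YOURDOMAIN\.COM|$host|g" \
            -e "s|YOUR@EMAIL\.COM|$email|g")
  # Fail closed: a placeholder left in a non-comment line means the template
  # changed or the substitution missed, and the VM would run with it.
  if printf '%s\n' "$out" | grep -v '^[[:space:]]*#' | grep -Eq 'YOURDOMAIN\.COM|YOUR@EMAIL'; then
    echo "unrendered placeholder left in script" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Usage: ./render.sh www.example.com admin@example.com < nginx-tls.sh > rendered.sh
if [ "$#" -eq 2 ]; then
  render_startup_script "$1" "$2"
fi
```

Pass the rendered file to gcloud with --metadata-from-file startup-script=./rendered.sh instead of the raw template.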

Note that:

