How to get a free TLS Certificate from Google Cloud Platform with acme
Prepare the account application
First, open the Google sign-in page, log in to your Google account, then go to Google Cloud Platform and create a new Google Cloud Project (if required).
While still logged in, open the application form, fill it out and wait for Google to send you an email.
Get a Google Cloud Project ID
Open https://console.cloud.google.com/apis/dashboard, click on your project name in the top left corner, and you will see your Project ID in the pop-up list.
Get the Account Key
Enable the API
Open the following link to enable the API, where
Open the link and click “Enable”, then wait until “API is enabled” appears on the right side before closing the page.
Then open the “Google Cloud Shell” (click on the Cloud Shell icon in the top right corner to activate it).
Wait for the Cloud Shell session to finish provisioning and enter the following commands in the shell window:
gcloud config set project <Project ID>
gcloud beta publicca external-account-keys create
The “Provide authorization for Cloud Shell” pop-up will appear, so click Authorize.
After execution, the output will be similar to the following. Note that you should not run this command before receiving the email from Google; until then it fails with an error saying the command does not exist.
Created an external account key [b64MacKey: xxx keyId: xxx]
Request a certificate
Execute the following command to install acme.sh automatically, replacing <EMAIL> with your email address:
curl https://get.acme.sh | sh -s email=<EMAIL>
Register an account
acme.sh --register-account -m <EMAIL> --server google \
  --eab-kid xxxx \
  --eab-hmac-key xxxxxxxxxx
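What `--eab-kid` and `--eab-hmac-key` are used for: acme.sh binds the new ACME account to your Google Cloud project by sending an externalAccountBinding JWS (RFC 8555 §7.3.4) in the newAccount request, signed with HMAC-SHA256 under the `b64MacKey` that gcloud printed. The Python below is an added illustration of that binding, not code from acme.sh or Google; the gcloud output line, the key material, the account JWK and the newAccount URL are all constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample of the line printed by
# `gcloud beta publicca external-account-keys create` (not a real key).
GCLOUD_OUTPUT = ("Created an external account key "
                 "[b64MacKey: c2VjcmV0LWhtYWMta2V5LWV4YW1wbGU keyId: 1234567890abcdef]")
NEW_ACCOUNT_URL = "https://example.invalid/acme/new-account"  # placeholder, not Google's real URL


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_gcloud_eab(line: str) -> dict:
    """Extract the EAB key id and MAC key from the gcloud output line."""
    m = re.search(r"b64MacKey:\s*(\S+)\s+keyId:\s*(\S+)\]", line)
    if not m:
        raise ValueError("not an external-account-key line")
    return {"kid": m.group(2), "hmac_key": m.group(1)}


def build_eab(kid: str, hmac_key_b64: str, account_jwk: dict, url: str) -> dict:
    """Build the externalAccountBinding JWS: the payload is the ACME account's
    public JWK, the protected header carries the EAB kid, and the MAC key is
    the decoded b64MacKey. The CA can then tie the account to the project."""
    header = {"alg": "HS256", "kid": kid, "url": url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(hmac_key_b64), f"{protected}.{payload}".encode(),
                   hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(eab: dict, hmac_key_b64: str) -> bool:
    """What the CA does on receipt: recompute the MAC over protected.payload."""
    expected = hmac.new(b64url_decode(hmac_key_b64),
                        f"{eab['protected']}.{eab['payload']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def protected_header(eab: dict) -> dict:
    """Decode the protected header of an EAB JWS back into a dict."""
    return json.loads(b64url_decode(eab["protected"]))
```

A wrong or stale `--eab-hmac-key` makes `verify_eab` fail, which is the "externalAccountRequired" / bad-signature rejection you see from the CA when the key was mistyped.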
Then issue the certificate, here with HTTP (webroot) validation:
acme.sh -f --server google --issue \
  -d test.domain \
  -w "/home/root/web/certs/main" \
  --reloadcmd "/etc/init.d/nginx reload"
If you want an ECC certificate, specify the key type:
acme.sh -f --server google --issue \
  -d test.domain --keylength ec-256 \
  -w "/home/root/web/certs/main" \
  --reloadcmd "/etc/init.d/nginx reload"
The -w parameter specifies the location of the certificate output.
--reloadcmd specifies the reload command for your HTTP server; in this example it is /etc/init.d/nginx reload.
Certificate Trust Chain
Free certificates are issued by GTS CA 1P5. The trust chain is as follows:
Your certificate -> GTS CA 1P5 -> GTS Root R1.
Google Free TLS Certificate advantages and disadvantages (pros and cons) compared with Let’s Encrypt
- You can set the validity period of the issued certificate (maximum 90 days, minimum 1 day).
- Supports multiple domain names and wildcards (same as Let’s Encrypt).
- Supports DNS validation and file validation only, not email validation (same as Let’s Encrypt).
- Supports IP addresses, but only the owner of the IP address block is allowed to authenticate (not supported by Let’s Encrypt at this time).
- IDN (Internationalized Domain Names, encoded with Punycode, like xn-1.xn-2) is not supported (already supported by Let’s Encrypt).
- Currently, even if you choose the ECC key type, the intermediate certificate in the chain is RSA (Let’s Encrypt already supports a full ECC chain).
Requesting a wildcard certificate with HTTP validation fails with the following error:
The supported validation types are: dns-01 , but you specified: http-01
To apply for a wildcard certificate, use DNS validation instead of HTTP, e.g.: