Configure Wildcard SSL to Google Compute Engine with Google Cloud DNS + HAProxy + Docker

Photo by pixabay.com

Hi everyone! I'm back again to share some experience, thoughts and opinions about technology in the software engineering field. In previous stories, we learned how to configure a domain and subdomain for Google Compute Engine with Google Cloud DNS. Both stories can be found here: https://medium.com/@bismobaruno/4832900e353b and https://medium.com/@bismobaruno/1cb956c6a542

We also successfully configured Wildcard SSL with Amazon EC2 + NGINX + Docker: https://medium.com/@bismobaruno/a33e657d8149

Today, we will try to achieve the same result in the Google environment, using HAProxy as the load balancer, and of course, still using Docker!

What SSL is and why we use it was already explained in the Wildcard SSL story mentioned above. So in this part, we can jump directly into the technical side.

1. Setup Docker Compose

Follow the installation instructions from the official Docker website: https://docs.docker.com/compose/install/#install-compose

Download the current stable release of Docker Compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.25.5/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

Apply executable permissions to the binary:

sudo chmod +x /usr/local/bin/docker-compose

Test installation:

docker-compose --version

Picture 1 Check Docker Compose Version

2. Create SSL Certificate

We will use https://www.sslforfree.com/ to get the free SSL certificate. Visit the page and enter our domain, plus the wildcard for subdomains, into the form. Next, click the Create Free SSL Certificate button to continue the process.

Picture 2 Create SSL Certificate

Use Manually verify domain, since it is the only option available when we want to implement Wildcard SSL.

Picture 3 Manual Verify Domain

We will get TXT record information and need to enter the new record data on our DNS server.

Picture 4 TXT Record Value

Go to the GCP console https://console.cloud.google.com/ and choose the Cloud DNS submenu from the Network services menu.

Picture 5 Go to Cloud DNS Service

Choose the Zone to which we want to add the record.

Picture 6 Choose Zone

Click the Add record set button.

Picture 7 Add Record Set

Fill in the information based on https://www.sslforfree.com/, for example:

  • DNS Name: _acme-challenge
  • Resource Record Type: TXT with TTL 1 second
  • TXT data: the two values from sslforfree.com

Click the Create button to save the data.

Picture 8 Create Record

Go back to https://www.sslforfree.com/, where we can run a verification before downloading the certificate.

Picture 9 Verify TXT Record

Result of the verification (if there is no issue):

Picture 10 TXT Record Verification Result

Result of downloading the SSL certificate. Click Download All SSL Certificate Files, because we need these files to set up SSL on the server.

Picture 11 Download All SSL Certificate Files

3. Configure SSL Certificate

Now it's time to configure the certificate in HAProxy. We will set it up so that incoming requests can be served over HTTPS on port 443.

Extract the certificates downloaded in the previous step. We will have 3 files, as follows:

  • ca_bundle.crt
  • certificate.crt
  • private.key

Because HAProxy needs a .pem file for its SSL configuration, first we should bundle all the certificates and the key into a single .pem file.

We can do it manually; make sure the resulting file has the following structure (leaf certificate first, then the CA bundle, then the private key):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

Or using these commands:

echo "$(cat certificate.crt)" >> practice-gcp.site.pem
echo "$(cat ca_bundle.crt)" >> practice-gcp.site.pem
echo "$(cat private.key)" >> practice-gcp.site.pem
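Since the bundle contains the private key, it is worth building it in a way that keeps the file owner-only and checking the block layout before copying it to the server. The script below is an added example, not code from the original post: it reproduces the same concatenation order (leaf certificate, CA bundle, private key) but overwrites instead of appending, so re-running never duplicates blocks, creates the file with mode 600, and validates the result. The input file names follow the post; the sample inputs it writes are constructed placeholders, not real certificates.

```shell
# Added example (not from the original post): build and sanity-check the
# HAProxy .pem bundle. Input names follow the post: certificate.crt,
# ca_bundle.crt, private.key.

bundle_pem() {
    # usage: bundle_pem certificate.crt ca_bundle.crt private.key out.pem
    cert=$1; chain=$2; key=$3; out=$4
    for f in "$cert" "$chain" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable input: $f" >&2; return 1; }
    done
    # umask in a subshell: the bundle is created 0600 from the start (it holds the
    # private key) and the caller's umask is untouched. '>' rather than '>>' so
    # re-running the script never appends duplicate blocks.
    ( umask 077; cat "$cert" "$chain" "$key" > "$out" ) || return 1
    chmod 600 "$out"
}

pem_block_types() {
    # print the BEGIN markers in file order, space separated,
    # e.g. "CERTIFICATE CERTIFICATE PRIVATE KEY"
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' ' ' | sed 's/ $//'
}

check_bundle() {
    # 0 only if the layout is: leaf cert, at least one chain cert, then exactly one
    # private key (any "... PRIVATE KEY" header), and the file is mode 600
    [ -r "$1" ] || return 1
    types=$(pem_block_types "$1")
    case "$types" in
        "CERTIFICATE CERTIFICATE"*" PRIVATE KEY") ;;
        *) echo "unexpected block layout: '$types'" >&2; return 1 ;;
    esac
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$1")
    [ "$keys" -eq 1 ] || { echo "expected exactly 1 private key, found $keys" >&2; return 1; }
    perms=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$perms" = "600" ] || { echo "bundle must be mode 600, found $perms" >&2; return 1; }
}

make_sample_inputs() {
    # constructed placeholder files (NOT real certificates) so the example runs offline
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/certificate.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CHAIN-CERT-PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/ca_bundle.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'KEY-PLACEHOLDER' '-----END PRIVATE KEY-----' > "$dir/private.key"
}

demo() {
    # build a bundle from the sample inputs, validate it, and print the block layout
    tmp=$(mktemp -d)
    make_sample_inputs "$tmp"
    bundle_pem "$tmp/certificate.crt" "$tmp/ca_bundle.crt" "$tmp/private.key" "$tmp/practice-gcp.site.pem" || return 1
    check_bundle "$tmp/practice-gcp.site.pem" || return 1
    pem_block_types "$tmp/practice-gcp.site.pem"
}
```

With the real files in the current directory, `bundle_pem certificate.crt ca_bundle.crt private.key practice-gcp.site.pem && check_bundle practice-gcp.site.pem` produces the same file as the three echo commands above, and the check fails loudly if a block is missing, duplicated, out of order, or the file is readable by other users.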

Copy the certificate to the server. Let's say we will put it in the haproxy directory under the $HOME path.

gcloud compute scp practice-gcp.site.pem instance-1:/home/momo/haproxy

Modify the HAProxy config file. We added some lines, and the final config will look like this:

Create a docker-compose.yml file, because we will switch to docker compose for running the service:

We need to stop the currently running HAProxy service and re-run it using docker compose. First, find the container id using docker ps:

docker ps

Stop the container with the docker stop command:

docker stop [CONTAINER ID]

Run the service with the docker-compose command:

docker-compose up -d

4. Setup Firewall Rules

Go to the GCP console https://console.cloud.google.com/ and choose the Firewall rules submenu from the VPC network menu.

Picture 12 Go to Firewall Rules Service

Create a new rule by clicking the CREATE FIREWALL RULE button.

Picture 13 Create Firewall Rule

Fill in the information for the rule; we only modify Name, Target tags, Source IP ranges and tcp ports, and leave the rest at their defaults. Next, click the CREATE button to save the rule.

Picture 14 Fill Firewall Rule Information (1)
Picture 15 Fill Firewall Rule Information (2)

5. Testing

After we are done with all the steps, we can test that our SSL is working fine. Just open our domain and subdomain in a web browser over HTTPS.

Picture 16 Accessing Domain with HTTPS
Picture 17 Valid Domain Certificate
Picture 18 Accessing Subdomain with HTTPS
Picture 19 Valid Subdomain Certificate

Yeeaaay!! It works!! We have a valid certificate for both!

Hope you enjoyed it; I'm happy if this article is useful for you! Happy Pointing!

Thank you!
