user@webserver:~$ wget https://dl.eff.org/certbot-auto
user@webserver:~$ chmod a+x ./certbot-auto
user@webserver:~$ ./certbot-auto --help

runtime: php55
handlers:
  - url: /.well-known/acme-challenge/.*
    script: acme-challenge.php
env_variables:
  GS_BUCKET: [YOUR_BUCKET_ID]

<?php

$path = explode('/', $_SERVER['PATH_INFO']);
$verifyName = end($path);

if (file_exists('gs://' . getenv('GS_BUCKET') . '/ssl/' . $verifyName)) {
  $fileContents = file_get_contents('gs://' . getenv('GS_BUCKET') . '/ssl/' . $verifyName);
  echo $fileContents;
} else {
  http_response_code(404);
  die();
}

runtime: go
api_version: go1.8

handlers:
- url: /.*
  script: _go_app

package main

import (
	"net/http"
	"fmt"
	"github.com/gorilla/mux"
	"google.golang.org/appengine"
	"google.golang.org/appengine/log"
	"cloud.google.com/go/storage"
	"io/ioutil"
  "os"
	"context"
)

func init() {
	route := mux.NewRouter()
	route.HandleFunc("/", index)
	route.HandleFunc("/.well-known/acme-challenge/{encrypt}", acmeChallenge)
	http.Handle("/", route)
}

func index(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "Hello World")
}

func acmeChallenge(w http.ResponseWriter, r *http.Request) {
	vars := mux.Vars(r)
	encrypt := vars["encrypt"]
	var ctx context.Context
	ctx = appengine.NewContext(r)
	client, err := storage.NewClient(ctx)
	if err != nil {
		log.Errorf(ctx, "failed to create client: %v", err)
		w.WriteHeader(500)
		return
	}
	defer client.Close()
	bucketName := os.Getenv("GS_BUCKET")
	cBucket := client.Bucket(bucketName)
	rc, err := cBucket.Object(encrypt).NewReader(ctx)
	if err != nil {
		log.Errorf(ctx, "readFile: unable to open file from bucket %q, file %q: %v", bucketName, encrypt, err)
		w.WriteHeader(404)
		return
	}
	defer rc.Close()
	slurp, err := ioutil.ReadAll(rc)
	if err != nil {
		log.Errorf(ctx, "readFile: unable to open file from bucket %q, file %q: %v", bucketName, encrypt, err)
		w.WriteHeader(404)
		return
	}
	fmt.Fprint(w, string(slurp))
}

#!/bin/bash
# for debugging purpose only
set -x

echo $CERTBOT_VALIDATION | gsutil cp -a project-private - gs://my-bucket/ssl/$CERTBOT_TOKEN

set +x

#!/bin/bash
set -x

PROJECT_NAME=your-project-id

#gcloud config set project $PROJECT_NAME

NOW=$(date +"%y/%m/%d")

openssl rsa -in $RENEWED_LINEAGE/privkey.pem -out $RENEWED_LINEAGE/privkeyrsa.pem

CERTID=$(gcloud beta app ssl-certificates create \
  --display-name $PROJECT_NAME-$NOW \
  --certificate $RENEWED_LINEAGE/fullchain.pem \
  --private-key $RENEWED_LINEAGE/privkeyrsa.pem \
  --project $PROJECT_NAME --format='value(id)')

for domain in $RENEWED_DOMAINS; do
  gcloud beta app domain-mappings update $domain --certificate-id $CERTID --project $PROJECT_NAME
done

set +x

certbot-auto certonly --manual --manual-public-ip-logging-ok \
--preferred-challenges http --manual-auth-hook /[FULLPATH]/auth-hook.sh \
--renew-hook /[FULLPATH]/renew-hook.sh -d your-domain.com -d www.your-domain.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/asdf.jhbae.in/fullchain.pem. Your cert will
   expire on 2017-11-19. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

# m h  dom mon dow   command
7 3 * * * /FULL/PATH/TO/certbot-auto renew --quiet