Announcing SSL for GAE Custom Domains in the Developers Console


Lorne Kligerman

Sep 15, 2015, 8:10:30 PM
to Google App Engine

At long last, we are happy to announce that your App Engine custom domains and SSL security can now be configured within the Google Developers Console.  


For many historical reasons, this functionality was split between the Developers Console and the Google Apps Admin console. With this change, the Apps Admin console is no longer needed, which will make your setup much more simple and straightforward.


Rest assured that all existing domains and certificates will continue to serve as normal.


If you have an existing App Engine application serving over a custom domain and SSL certificate, you will have to verify ownership of your domain in the Developers Console here.  Once verified, you will see all of your existing certificates and the domain to which they belong.


For those just getting started, simply follow the instructions on the Custom Domains and SSL Certificates tabs.  For more details you can check out the full documentation here.



This is just the beginning of a larger project that is under way to help you quickly get your app online, brand it properly with your own domain, make it as secure as possible, and manage the setup with ease among your organization, however large or small.


Cheers and thanks for your patience,

The Cloud Custom Domains SSL Team.

husayt

Sep 15, 2015, 8:30:32 PM
to Google App Engine
Lorne this is great. Thanks.

One other thing missing on the SSL front is SSL support for GCS hosted static websites. We use them a lot for our clients and find them extremely useful.
But we can't do https websites yet and that is proving a problem.

Do you know if there is a ticket on it we can star? Or maybe you have some news on that front.

Thanks.
Huseyn

Nick

Sep 15, 2015, 8:47:48 PM
to Google App Engine
It's great to finally see this change.

PK

Sep 15, 2015, 9:20:21 PM
to google-a...@googlegroups.com
Hi Lorne,

this is great news. 

Should we anticipate any downtime because of DNS sync or other issues while moving the SSL custom domain from Google Apps to the new way?

Since I already have a Google Apps SSL domain, I clicked on the link and it got me to a page that states: “SSL support for custom domains is currently only supported via Google Apps”. Is this just an out-of-date UI?




Darshan-Josiah Barber

Sep 15, 2015, 9:23:29 PM
to Google App Engine
Awesome!  However, I've run into two problems -- one of which I solved, and probably calls for updated documentation (or smarter upload script), the other of which I'm stuck on.  I believe I followed the instructions correctly.

1. For the last step, when we upload myserver.key.pem, the console was not accepting my file.  After verifying that I copied and pasted the two openssl commands correctly (didn't leave something out), I had the idea of only using the parts from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----.  (The second openssl command had generated a bunch of stuff above this.)

Once I did that, the console happily accepted the files, so now both the Custom Domains and SSL Certificates tabs show that I'm up and running.  However, my browsers won't connect over HTTPS.  To figure out what's wrong, I did this:

openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com

I get this output:

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.mydomain.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
 [ the cert]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.mydomain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1880 bytes and written 472 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: CC113DA3B12B60C564E7E273900C9E874D2D2CC236E2F5DD2BABDFEE86FF00B5
    Session-ID-ctx:
    Master-Key: D316B81F54D126A53DF1BA6B75E22F0C0DD616C3105106DCBB366011B0F8FFFDDBA9D4E545B47690D56D1F036DABD96B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1442365904
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Googling hasn't helped me understand the issue, and I'm new to this.  I'd be happy to ask on StackOverflow, but I thought I'd start by posting here, since this is a minutes-old feature and the problem may well be on your end.  (And I thought others should be aware of the first issue, which I solved.)

Thanks!
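
A way to read the "Certificate chain" section of the output quoted above, as an added example that is not part of the original post: it parses `openssl s_client` output and reports how many certificates the server presented, the verify code, and whether the chain stops at the leaf. The function names are hypothetical; the sample is an excerpt of the post's own output.

```python
import re

# Excerpt of the `openssl s_client` output quoted in the post above.
SAMPLE = """\
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.mydomain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.mydomain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(output):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    section = re.search(r"^Certificate chain\n(.*?)^---", output, re.S | re.M)
    if not section:
        return []
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", section.group(1), re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def diagnose(output):
    """Summarise what the server sent and where the chain stops linking."""
    chain = parse_chain(output)
    code = re.search(r"Verify return code: (\d+)", output)
    findings = {"sent": len(chain), "verify_code": int(code.group(1)) if code else None,
                "broken_links": [], "missing_issuer": None}
    for (d, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:  # certificates out of order or unrelated
            findings["broken_links"].append(d)
    if chain and chain[-1][1] != chain[-1][2]:
        # The last certificate sent is not self-signed, so its issuer has to
        # come from the client's own store. When only the leaf was sent, that
        # issuer is an intermediate the client usually does not have.
        findings["missing_issuer"] = chain[-1][2]
    findings["leaf_only"] = len(chain) == 1 and findings["missing_issuer"] is not None
    return findings
```

For the quoted output, `diagnose` reports one certificate sent, verify code 21, and the COMODO intermediate as the issuer the client had to find on its own.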

Jeff Schnitzer

Sep 15, 2015, 9:31:28 PM
to Google App Engine
Hurray!

Is this rollout expected to address the issue that each administrator login sees a completely different set of domains when they look at this page? Or is that an unrelated issue?

Thanks,
Jeff


Darshan-Josiah Barber

Sep 15, 2015, 9:59:19 PM
to Google App Engine
I may have figured out what my issue is.  Rereading the documentation more slowly and carefully, I noticed this tidbit:

If the host certificate requires an intermediate or chained certificate (as many Certificate Authorities (CAs) issue), you will need to append the intermediate or chained certificates to the end of the public certificate file.

That sounds like it's probably my issue.  I'll try to figure out how to do what it says now!
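
The two file-preparation steps that came up in the posts above (keeping only the BEGIN/END block of the private key file, and appending the intermediate certificates to the end of the public certificate file), as an added example that is not part of the original thread or of the App Engine documentation. Function names are hypothetical, and the sample blocks are constructed filler, not real keys or certificates.

```python
import base64
import re

# One PEM block; the BEGIN and END labels must match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, pem)] for each well-formed block, re-wrapped at 64 columns."""
    found = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        # validate=True rejects anything that is not base64 inside the block
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        found.append((label, f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"))
    return found

def clean_private_key(text):
    """Keep only the private-key block, dropping any text printed around it."""
    keys = [pem for label, pem in pem_blocks(text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected one private key block, found {len(keys)}")
    return keys[0]

def build_cert_file(host_text, chain_text):
    """Host certificate first, intermediate/chained certificates appended after it."""
    host = [p for label, p in pem_blocks(host_text) if label == "CERTIFICATE"]
    chain = [p for label, p in pem_blocks(chain_text) if label == "CERTIFICATE"]
    if len(host) != 1 or not chain:
        raise ValueError("need exactly one host certificate and at least one intermediate")
    return "".join(host + chain)

def _sample(label, fill):
    """Constructed placeholder block: filler bytes, not a real key or certificate."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(fill * 60).decode()}\n-----END {label}-----\n"

KEY_WITH_PREAMBLE = "extra text printed above the key\n" + _sample("RSA PRIVATE KEY", b"k")
HOST_CERT = _sample("CERTIFICATE", b"h")
INTERMEDIATES = _sample("CERTIFICATE", b"i") + _sample("CERTIFICATE", b"j")
```

The result of `build_cert_file` goes in the certificate upload field and the result of `clean_private_key` in the key field; the private key never belongs in the certificate file.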

Majid Manzarpour

Sep 15, 2015, 10:13:55 PM
to Google App Engine
Great!

Is it possible to redirect a naked domain over SSL if the domain is already being used by Google Apps? It seems like it wants to take over the A record for the naked domain to work?

Darshan-Josiah Barber

Sep 15, 2015, 10:19:06 PM
to Google App Engine
Nope, that wasn't the issue; it was already taken care of in step 7.  However, for whatever reason, everything is working now!

Panayiotis Lipiridis

Sep 16, 2015, 4:31:01 AM
to Google App Engine
I didn't find out how I could redirect from the naked SSL domain to www, for example.

Panayiotis Lipiridis

Sep 16, 2015, 5:36:09 AM
to Google App Engine
oki.. that worked, I just had to add it to the list. But is it possible to redirect automatically to www as it does with the http (no SSL works)?

We used to have that setting under Google Apps for Work console.. but now I cannot find it in the new one. Where do we set up the automatic redirects for naked domains?

Lorne Kligerman

Sep 16, 2015, 1:33:54 PM
to Google App Engine
Thanks for all the quick feedback!  No downtime was expected or took place during this migration and launch.  The work involved here didn't touch the basics of how the applications are being served, but just the configuration.

@PK, good catch on the reference to the old UI, we'll get that cleaned up right away.

@Jeff, the set of domains each administrator can view are those that they have personally verified.

We're looking into solutions for the naked domain issue, stay tuned for more details.

Cheers,
Lorne.

tom saffell

Sep 16, 2015, 5:49:55 PM
to Google App Engine
Thank you for making the change - it's much appreciated!

I tried to add our naked domain. It instructed me to add some type A DNS records, with host "@".
I tried adding the records on name.com (our registrar and DNS provider) and got an error "The Record Host field is invalid."

Anyone have this working with name.com?

thanks

tom

husayt

Sep 16, 2015, 7:07:14 PM
to Google App Engine
Hi Lorne,

Naked domains have been mentioned here, which is a big problem. We really need to get that resolved. Also naked domains for GCS hosted static websites (Non ssl, since ssl is not available there) is a huge issue.

Would be great if Google would support SSL and naked domains on the whole range of different hosting options provided. This is just necessary.

Thanks

Andrew Greene

Sep 18, 2015, 4:04:51 PM
to Google App Engine
SSL on naked domains works. Add the A and AAAA records.

Then go to the dev console. Click on SSL Certs, then click the box next to your naked domain. It works!

Daniel Florey

Nov 20, 2015, 7:49:41 AM
to Google App Engine
Is there still a way that companies can add app engine apps to their domain without the need to change the configuration of the app?
I've been using this feature for a long time, but I cannot find a way to enable companies to map their own domains to our app anymore without manual interaction from our side :-(