New SSL doesn't work


Borislav Arapchev

Jul 29, 2017, 4:06:01 PM
to Google App Engine
Hello

I moved my WP site into Google Cloud Hosting.

It's all fine now and I wanted to use an SSL certificate as well.

Before moving to Google, the site had a Let's Encrypt free SSL (self-signed), and because Google warned me it's not OK, I have now bought a new SSL from Comodo (PositiveSSL).

I installed it successfully in the SSL section, but when loading the site in a browser it says the connection is not safe.

SSL checkers warn me that the SSL is self-signed, so... is it possible that the old SSL is still working instead of the new one from Comodo, and how do I fix it?


Thank you so much in advance!  



P.S.

The site is ... mvir-cleaning .co.uk, if you want to check.

Yunkai Zhou

Jul 29, 2017, 6:42:34 PM
to google-a...@googlegroups.com
Hi Borislav,

I just dealt with SSL for my site this week, so this topic is very fresh in my head...

First of all, you need to get a certificate that's at least DV level (Domain Validated). This normally involves DNS verification steps to verify you indeed own the domain. It looks like you have a self-signed certificate that didn't involve domain validation. If so, you might want to upgrade or get a new DV certificate.

After that, when you upload the certificate to AppEngine, you need to make sure to upload the full certificate chain, all the way to CA root. To verify this, you can check whether the .crt file includes multiple BEGIN CERTIFICATE / END CERTIFICATE sections.

I don't know specifically about Comodo, so I'll use my certificate from SSL.com as an example. For my domain, I get 4 crt files from SSL.com.
  • my_domain.crt
  • SSLcomDVCA_2.crt
  • USERTrustRSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt
I then manually concatenate them together in this specific order, by running the command of:
  • cat my_domain.crt SSLcomDVCA_2.crt USERTrustRSAAddTrustCA.crt AddTrustExternalCARoot.crt > my_domain_chained.crt
I then upload the following pair of files to AppEngine.
  • my_domain_chained.crt which has 4 BEGIN CERTIFICATE / END CERTIFICATE sections
  • my_domain.key which has only 1 BEGIN RSA PRIVATE KEY / END RSA PRIVATE KEY section
Comodo probably will have a different chain, but the idea should be the same. You need to upload the chained crt, with your single key to AppEngine.

Hope this helps. Good luck!
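
A pre-upload check for the two files described in the post above, as an added example that is not part of the original thread: it counts the CERTIFICATE sections in the chained file, confirms the key file holds exactly one private key section, and catches the fused `END`/`BEGIN` line that results from joining a file with no trailing newline. It inspects PEM framing only (it does not verify signatures, chain order, or that the key matches the certificate); the function names are hypothetical and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import re

# One PEM block whose BEGIN and END markers each sit on their own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$",
    re.S | re.M)

def lint_pem(text):
    """Return (labels, problems) for the PEM blocks found in text."""
    labels, problems = [], []
    # Joining a file that lacks a trailing newline fuses END and BEGIN.
    if re.search(r"-----END [A-Z0-9 ]+-{5,}BEGIN ", text):
        problems.append("END and BEGIN markers fused on one line")
    for m in PEM_BLOCK.finditer(text):
        labels.append(m.group(1))
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
        except ValueError:
            problems.append(f"block {len(labels)}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # DER objects here start with SEQUENCE
            problems.append(f"block {len(labels)}: body is not DER")
    if len(labels) != text.count("-----BEGIN "):
        problems.append("a BEGIN marker has no well-formed block")
    return labels, problems

def check_upload(chain_text, key_text):
    """Check the chained .crt and the .key file; return (cert_count, problems)."""
    chain_labels, problems = lint_pem(chain_text)
    key_labels, key_problems = lint_pem(key_text)
    problems += key_problems
    if any(l.endswith("PRIVATE KEY") for l in chain_labels):
        problems.append("chain file contains a private key")
    certs = chain_labels.count("CERTIFICATE")
    if certs < 2:
        problems.append(f"chain file has {certs} certificate section(s), no CA chain")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("key file must hold exactly one private key section")
    return certs, problems

def _fake(label, payload):
    """Constructed placeholder: valid PEM framing, not a real certificate or key."""
    body = base64.b64encode(b"\x30" + payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF, CA1, CA2 = (_fake("CERTIFICATE", n) for n in (b"leaf", b"ca-1", b"ca-2"))
KEY = _fake("RSA PRIVATE KEY", b"key")
GOOD_CHAIN = LEAF + CA1 + CA2                # what `cat` yields from clean files
FUSED_CHAIN = LEAF.rstrip("\n") + CA1 + CA2  # leaf file had no trailing newline
```

To check real files, read them as text and pass the contents to `check_upload`; an empty problem list means the framing is sound, not that the chain is trusted.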




Borislav Arapchev

Jul 30, 2017, 12:04:25 AM
to Google App Engine
Thank you so much, Yunkai!!

I'll check that, especially the concatenation part. :)

Blaine Garrett

Jul 30, 2017, 9:52:28 PM
to Google App Engine
This post might be helpful: http://www.blainegarrett.com/2017/06/26/how-to-get-appengine-godaddy-android-to-actually-work/
My issue was with Godaddy, but I suspect it is the same issue as yours.

Hope this helps.
~ Blaine

Borislav Arapchev

Jul 31, 2017, 5:38:18 AM
to Google App Engine


Thank you, Blaine!!!

I read this article carefully.

2 things:

1.
It's strange, Google said my SSL is OK - see the pic

But after that all the SSL checkers see only my old SSL certificate - the self-signed one (Let's Encrypt), not the new one from Comodo?!

Do I need to clear some cache or delete the old SSL certificate from somewhere...?

2.
I'm not familiar with these Linux commands, so I have to contact a sysadmin to do this.

Thank you to all the guys who help me :)

Yannick (Cloud Platform Support)

Jul 31, 2017, 9:59:01 AM
to google-a...@googlegroups.com
Hello Borislav, could you please confirm that you've followed the instructions on adding SSL to your custom domain with the new certificate and that you are indeed using this domain for App Engine and not another Google Cloud Platform product?

About the cat command, all it does in this example is concatenate the documents together. Any solid text editor (for instance Notepad++) will allow you to do the same manually, you simply have to be careful.

Borislav Arapchev

Jul 31, 2017, 10:43:13 AM
to Google App Engine
Hello, Yannick!

Yes, I can confirm I did it carefully, step by step.

All seems fine.
I received no errors.

Now the website is working fine, just showing the old (self-signed) SSL certificate :(

I'll try to do this operation; I work with code editors.

Thank you.

 


Borislav Arapchev

Jul 31, 2017, 4:07:37 PM
to Google App Engine
I have the certificate's

- public key
- private key
- bundle

Google needs only the public and private key - could that be the problem?



Borislav Arapchev

Jul 31, 2017, 4:24:09 PM
to Google App Engine
I don't see Notepad++ supporting PEM format files???

Yannick (Cloud Platform Support)

Aug 1, 2017, 12:11:00 PM
to google-a...@googlegroups.com
Hello Borislav, if you already have a pre-concatenated bundle of certificates that is what you should be using.

Ah and FYI a PEM file is a text file, so any proper text editor should work should you need to concatenate manually.

Borislav Arapchev

Aug 1, 2017, 3:12:29 PM
to Google App Engine
Yannick

Google Cloud Console doesn't accept the bundle

it says

Error

The SSL certificate provided could not be inserted.

Blaine Garrett

Aug 2, 2017, 9:45:51 AM
to google-appengine
> But after that all the SSL checkers see only my old SSL certificate

It is possible that it will take several hours to propagate the change, similar to dns changes. For me, it took up to 30 minutes for SSLLabs to reflect the change.

Also, if your old certificate is still listed in the GAE console, you will need to uncheck "Enable SSL for the following custom domains". Be sure it is checked for the new certificate.

Cheers,
~ Blaine

 


Yannick (Cloud Platform Support)

Aug 2, 2017, 3:12:59 PM
to Google App Engine
Then you cannot take this shortcut and must concatenate the relevant files. This is an important step of the process that cannot be skipped.

Borislav Arapchev

Aug 3, 2017, 9:07:46 AM
to Google App Engine
Guys, thank you so much for your answers!

But... I just can NOT make it :(

So... I'm going to pay you to concatenate the files, so I can upload them.

If you want to do this, give me your email or write to me, so I can send you the files.

I tried for over a week, with no result, so... I need your help.

I'll pay for that, it's important to me.

Boris

Anastasios Hatzis

Aug 3, 2017, 10:38:24 AM
to Google App Engine
Borislav,

one of my GAE projects also uses a COMODO Positive SSL. If you have a Mac (or Linux or BSD or ...) machine, you will have a "cat" command line tool installed. In that case, you can concatenate the certificate rather easily. I applied this in 2016, but I hope it works exactly the same way today (they sometimes change the way they deliver their certificates).

In a shell cd into the directory that contains your SSL certificate and the CA certificate bundle:
cat www_example_com.crt www_example_com.ca-bundle > www_example_com_BUNDLE.crt

(replace example_com by your actual domain)

However, if you have trouble, I'll try. Just email all the certificate files that COMODO has sent to you to my email address. Do not mail the private key or the CSR file you provided to COMODO when you purchased the certificate!

Ani

Yannick (Cloud Platform Support)

Aug 3, 2017, 11:02:50 AM
to google-a...@googlegroups.com
Hello Borislav,

Are you absolutely sure that your WordPress site is running on App Engine? It sounds much more likely that it is running on Compute Engine, in which case none of the instructions you've received here are of use to you. The right forum for Compute Engine would have been gce-discussion, not the App Engine forums.

If this is the case there are no instructions specific to the Google Cloud Platform for you to follow. You should be following the process for adding SSL to any WordPress installation/VM. A quick search brought up this guide and this video guide which should help put you on the right path.

Borislav Arapchev

Aug 3, 2017, 11:31:42 AM
to Google App Engine
Yannick, you are totally right.

I'm new to Google Cloud, so I made a mistake.

Thank you so much.

I'll check the resources you gave me.