renewed & installed SSL cert... but GAE still serving old one?

Adam Sah

unread,

Sep 13, 2017, 12:14:23 PM9/13/17

to Google App Engine

Has anyone else seen this? I'm nervous that I'll have an emergency outage in 30 days...

I've installed new SSL certs and ran the tests.

installation

from https://console.cloud.google.com/appengine/settings/certificates

	Name	Expiration date	Mapped domains
	Certificate for *.<domain>.com, <domain>.com	October 9, 2017	(none) <== the old certificate
	my-cert-1	November 8, 2018	<domain>.com, *.<domain>.com, www.<domain>.com <== new certificate

seen from outside google

from https://www.ssllabs.com/ssltest/analyze.html (I waited 48 hours -- still showing the old cert, ditto other SSL cert checking services...)

Valid from	Tue, 11 Aug 2015 00:00:00 UTC
Valid until	Mon, 09 Oct 2017 23:59:59 UTC (expires in 26 days, 7 hours)

Google's instructions to verify certs

seen in https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl#app_engine_support_for_ssl_certificates

Verify your SSL certificate and private key:

To verify that the private key and certificate match, you can use the openssl x509 and openssl rsacommands. Examples:
```
openssl x509 -noout -modulus -in concat.crt | openssl md5
openssl rsa -noout -modulus -in myserver.key.pem | openssl md5
```
Both the openssl x509 and openssl rsa commands should return the same output.

$ openssl x509 -noout -modulus -in mycert.crt | openssl md5; openssl rsa -noout -modulus -in mycert.key.pem | openssl md5

315a794cca913774a0e8f8...hidden...

To verify that a certificate and its CA chain are valid, you can use the openssl verify command. For example:
```
openssl verify -verbose -CAfile concat.crt concat.crt
```

$ cat STAR_mycert.crt AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > concat.crt

$ openssl verify -verbose -CAfile concat.crt concat.crt

concat.crt: OK

thanks!

adam

Shivam(Google Cloud Support)

unread,

Sep 13, 2017, 1:39:43 PM9/13/17

to Google App Engine

Could you check again using www.ssllabs.com I can notice that correct certificate has taken effect.

Adam Sah

unread,

Sep 13, 2017, 2:11:33 PM9/13/17

to Google App Engine

Ssllabs.com is still reporting

Valid from Tue, 11 Aug 2015 00:00:00 UTC

Valid until Mon, 09 Oct 2017 23:59:59 UTC (expires in 26 days, 5 hours)

Where are you seeing the new certificate?

Shivam(Google Cloud Support)

unread,

Sep 13, 2017, 3:21:02 PM9/13/17

to Google App Engine

At the same place i.e. https://www.ssllabs.com/ssltest/analyze.html

Enter your domain name i.e. bbfdirect.com and you can see the following:

Valid from Sat, 09 Sep 2017 00:00:00 UTC

Valid until Thu, 08 Nov 2018 23:59:59 UTC (expires in 1 year and 1 month)

Try to use a different browser or incognito window.

Reply all

Reply to author

Forward