GAE - new SSL certificate has different CNAME from expired one


Col Wilson

Aug 19, 2016, 9:33:15 AM
to Google App Engine
We last renewed my SSL certificate two years ago - GAE was rather different then and we were using SNI+VIP.

This time I ordered the cert and when I went to install I needed to fiddle with my DNS settings to prove that I owned the domain name. This took a while, but I got there.

Finally I installed the new certificate using the developers console. That worked.

Next I associated the domain name with the new certificate. No obvious problems.

However, when I checked my site at https://sub.mysite.com, the old certificate was still showing. I waited six hours, but it did not update.

What I do notice, however, is that the CNAME on the new certificate has changed. On the console the old certificate had:


While the new one has:

 
and 

my DNS looks like:

;QUESTION
;ANSWER

So on the face of it, it looks like a good idea to change that to point at ghs.googlehosted.com, but I'm worried because at the moment I (and paying customers) can still see sub.mysite.com, albeit without SSL, and surely fiddling with the DNS will break that too?

If you can offer any advice on this I'd be very thankful.

Col




Adam (Cloud Platform Support)

Aug 22, 2016, 7:28:41 PM
to Google App Engine
To clarify, you have 'ghs.googlehosted.com' specified as the Subject Alternate Name on the new certificate?

Col Wilson

Aug 23, 2016, 3:00:08 AM
to Google App Engine
No. This is a single domain certificate not an MDC cert.

Should this be an MDC? That's not what I got from the help pages.

If you'd like the account details I can PM you?

Col

Adam (Cloud Platform Support)

Aug 26, 2016, 4:08:41 PM
to Google App Engine
No, a single domain certificate is ok. It was unclear when you mentioned 'the CNAME on the new certificate has changed' which sounded like you had a SAN for 'ghs.googlehosted.com' on the new cert, which is unnecessary.

It sounds like what you mean is that the CNAME entry displayed in the console under 'Configure resource records' has changed to 'ghs.googlehosted.com'. This is because only SNI is supported for new configurations (which use 'ghs.googlehosted.com'); however, the old CNAME used for VIPs will continue to function until VIPs are migrated to SNI at some point in the future.

For now, you should continue to use your existing CNAME mapping.