Hosting: Reprovisioning SSL certs without A records (as per 'connect domain' > 'advanced' setup)


Som

Jan 5, 2020, 10:35:42 PM
to Firebase Google Group
Hi there,

Is it possible to reprovision SSL certs for our custom domains without A records in place e.g. by relying on TXT records or some other form of verification? In the same way the advanced 'connect domain' flow allows for a seamless hosting transition.

Alternatively, is it possible to provide a custom SSL cert on a Blaze plan? (I see this question has been answered a number of times previously, but not since 2018.)

Thanks!

A little bit of context:

We are a charity and our primary website is a Firebase application on a Blaze plan. Recently the Firebase SSL cert for our connected domain expired, shutting down our site over Christmas - which is also the year's peak donation period. Our active HSTS policy only compounded things.

All of our web properties (12+) use Cloudflare as a DNS proxy; primarily for the many crucial security and performance enhancements the service enables. Importantly, this also affords us a custom SSL for our end-users (so no other domain names are listed alongside our own), but also - when an SSL cert is in place on the server - end-to-end encryption between proxy and host.

Firebase support have instructed us to disable the DNS cache, and leave it disabled permanently, in order for the SSL cert to be reprovisioned and remain active. However, doing so will necessarily (due to HSTS) take our site offline until the cert is ready, and then disable all of the Cloudflare add-on services that we rely on, which unfortunately is really not a viable solution.

We love Firebase, it's an amazing product that enables us to provide a world-class, stack-heavy experience to tens of thousands of unique monthly users without the complexity, cost or resources that a system like this should demand. We simply couldn't afford to operate the way we do without it.

And while we have (very) limited resources, we strongly believe in the importance of our users' security, and would be willing to pay for the ongoing SSL cert provisioning if at all possible.

Given the power of GCP, and the fact that provisioning a cert without A records is possible (i.e. when initially connecting a domain), I am really hoping that a workaround isn't completely outside the realms of possibility.

Really appreciate people taking the time to read this and for any suggestions!



Michael Bleigh

Jan 6, 2020, 12:17:25 AM
to Firebase Google Group
A few things to note:
  1. We are unable to renew certificates for domains that are not pointing their A records to Firebase Hosting. Our Certificate Authority authorization attempts are not retryable, and so we need to be certain that the DNS is pointing to Firebase Hosting to be able to properly renew. There is no equivalent of advanced setup for renewals, unfortunately.

  2. We do not recommend enabling CloudFlare's proxy layers in front of Firebase Hosting in general, it's true. For Firebase Hosting CloudFlare will likely result in performance penalties, not improvements, as Firebase Hosting is already served off of a low-latency global CDN and adding an additional proxy layer only slows things down and also creates potential for double-cache issues.

  3. For Blaze customers, we do not offer "bring your own" certificate but we do offer unshared certificates that do not have other domains. If you write into support that's something we can do.

For your specific scenario, please write into support and reference this thread and my response. Ask the support folks to assign the issue to me. I think we'll be able to help you work this out.

-Michael
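The two failure conditions in this thread (A records no longer resolving to the hosting origin, so managed renewal is never attempted, and HSTS turning an expired cert into a hard outage) can be checked before they bite. The script below is an added example, not code from the thread or from Firebase; the origin IP set is a constructed placeholder, and `live_inputs` is a best-effort probe that assumes the host answers a plain HTTP/1.0 HEAD on port 443.

```python
import re
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed placeholder: replace with the origin IPs your hosting provider documents.
EXPECTED_ORIGIN_IPS = {"203.0.113.10", "203.0.113.11"}

def renewal_possible(resolved_a, expected_origin_ips=EXPECTED_ORIGIN_IPS):
    """CA authorization only succeeds when the domain's A records resolve to the
    host's own edge. A DNS proxy answers with its own IPs instead, so managed
    renewal cannot be attempted while the proxy is enabled."""
    return bool(resolved_a) and set(resolved_a) <= set(expected_origin_ips)

def days_until_expiry(not_after, now=None):
    return (not_after - (now or datetime.now(timezone.utc))).days

def hsts_max_age(header):
    m = re.search(r"max-age=(\d+)", header or "", re.IGNORECASE)
    return int(m.group(1)) if m else 0

def assess(resolved_a, not_after, hsts_header, now=None, warn_days=30,
           expected_origin_ips=EXPECTED_ORIGIN_IPS):
    """Return a list of findings; an empty list means the domain is in a safe state."""
    findings = []
    if not renewal_possible(resolved_a, expected_origin_ips):
        findings.append("A records do not resolve to the hosting origin; "
                        "managed certificate renewal will not be attempted")
    days = days_until_expiry(not_after, now)
    if days < warn_days:
        findings.append(f"certificate expires in {days} days")
    age = hsts_max_age(hsts_header)
    if age and findings:  # HSTS only matters once something else is already wrong
        findings.append(f"HSTS max-age={age}s: an expired cert is a hard failure "
                        "for returning users, not a click-through warning")
    return findings

def sample_findings():
    """Constructed scenario: proxied A record, cert 3 days from expiry, HSTS on."""
    now = datetime(2020, 1, 5, tzinfo=timezone.utc)
    return assess(["198.51.100.7"], now + timedelta(days=3),
                  "max-age=31536000; includeSubDomains", now=now)

def live_inputs(domain):
    """Gather real inputs for assess(); requires network access."""
    resolved_a = sorted({r[4][0] for r in socket.getaddrinfo(domain, 443, socket.AF_INET)})
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((domain, 443)), server_hostname=domain) as s:
        cert = s.getpeercert()
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {domain}\r\n\r\n".encode())
        headers = s.recv(4096).decode(errors="replace")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    m = re.search(r"^strict-transport-security:\s*(.+)$", headers, re.I | re.M)
    return resolved_a, not_after, (m.group(1).strip() if m else "")
```

Run it as `assess(*live_inputs("www.example.org"))` from a cron job and alert on a non-empty result; `warn_days` should comfortably exceed the time it takes to temporarily un-proxy the domain and let the host renew.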


Som

Jan 7, 2020, 6:54:28 PM
to Firebase Google Group
Thanks very much for the quick response, Michael. All understood. I've responded to the original support ticket; hopefully I'll hear back soon.

Cheers!