Update SSL certificate on app engine is not working

256 views
Skip to first unread message

Luis Manuel Parrondo Merino

unread,
Apr 6, 2016, 2:22:25 AM4/6/16
to Google App Engine
Hi there,

I've uploaded a new SSL certificate via https://console.cloud.google.com/appengine/settings/certificates?project=[project-id]  because the old certificate is about to expire.
I've enabled the new certificate for my app by entering in 'Edit certificate' and then selecting 'Enable SSL for the following custom domains'.
I tested the app via Chrome, FF, Safari and openssl and I always get the old certificate. Even after 24 hours.

As a separate test, I've enabled the new SSL certificate in a separate app that didn't have an SSL set up before, and I can see in Chrome that the new certificate is being served.

----

This is the openssl command I use:
echo | openssl s_client -connect luisma.zeetings.com:443 2>/dev/null | openssl x509 -noout -dates

And this is the custom domain I'm trying to setup: luisma.zeetings.com

Thanks


Nicholas (Google Cloud Support)

unread,
Apr 7, 2016, 12:31:33 PM4/7/16
to Google App Engine
I've seen this take sometimes as long as 48 hours. Is App Engine still serving the old certificate at the moment? I'm currently not getting any successful handshake when attempting to connect to https://about.zeetings.com (https://luisma.zeetings.com is redirected) so it seems as no certificate is served at all. If the new certificate is valid and has worked with a different application, would it be too risky to try removing the old certificate entirely to see if the new certificate is served?

Luis Manuel Parrondo Merino

unread,
Apr 8, 2016, 9:55:58 AM4/8/16
to Google App Engine
Thanks Nicholas,

I've continued doing more testing and I can see some differences between applications that:
(a) had a SSL certificate configured using the old appspot console
(b) never had a SSL certificate

In case (a) the changes I make seem to be totally ignored. For example https://luisma.zeetings.com/home (/home doesn't do a redirect) keeps using the old certificate, even thought the new one was configured a couple of days ago.
In case (b) the changes take effect after a few minutes. 

I might be wrong, but I have the impression that migrated SSL configurations aren't working properly. 

> would it be too risky to try removing the old certificate entirely to see if the new certificate is served?

Well, if the new certificate is never served, that will be my last resort, but I would prefer not to do that. I still have one month to find a less risky solution.

Thanks
Reply all
Reply to author
Forward
0 new messages