Setting Up Wildcard Routing with SAN Certificate

[Yue Chuan Lim]

Given that I have:

1. A custom domain name - example.com
   
2. An App Engine service named "abc"
   
3. A SAN certificate for the domains example.com, abc.example.com and www.example.com
   

How do I setup my custom domain such that accessing https://abc.example.com routes to the App Engine service "abc"?

I have no issues with setting up example.com and www.example.com to route traffic to the default service. HTTP requests to example.com and www.example.com correctly redirect to https://www.example.com (and this continues to be the case for all of the below configurations). A/AAAA records omitted for brevity.

I understand that the following settings have to be configured:

1. Google Cloud Console -> App Engine -> Settings -> Custom Domain ("Custom Domain Settings")
   
2. Google Cloud Console -> App Engine -> Settings -> SSL Certificates ("SSL Certificates Settings")
   
3. My DNS nameserver ("DNS Configuration")

I have tried the following configurations.

Wildcard Domain

Custom Domain Settings

• *.example.com
  

SSL Certificates Settings

• SSL enabled for example.com and www.example.com
  
• No option to enable SSL for *.example.com or abc.example.com
  

DNS Configuration

Tried all of the following configurations:

• CNAME - *.example.com to ghs.googlehosted.com. ONLY
  
• CNAME - abc.example.com to ghs.googlehosted.com. ONLY
  
• OTH of the above CNAME records
  

Results

Does not work. It appears that App Engine is not presenting the certificate for abc.example.com.

Chrome: ERR_CONNECTION_CLOSED

Firefox: Secure Connection Failed

My guess is that this configuration would work if I had a wildcard certificate for example.com.

Custom Subdomain

Custom Domain Settings

• abc.example.com
  

SSL Certificates Settings

• SSL enabled for example.com, www.example.com and abc.example.com
  

DNS Configuration

• CNAME - abc.example.com to ghs.googlehosted.com.
  

Results

Does not work as expected. App Engine routes traffic to the default service.

Wildcard Domain/Custom Subdomain Mix

Configuration #1

Custom Domain Settings

• *.example.com
  
• abc.example.com
  

SSL Certificates Settings

• SSL enabled for example.com, www.example.com and abc.example.com
  

DNS Configuration

• CNAME - abc.example.com to ghs.googlehosted.com.
  

Results

App Engine routes traffic to the default service.

Configuration #2

Custom Domain Settings

• *.example.com
  

SSL Certificates Settings

• SSL enabled for example.com and www.example.com
  
• No option to enable SSL for abc.example.com
  

DNS Configuration

• CNAME - abc.example.com to ghs.googlehosted.com.
  

Results

Does not work. App Engine does not present SSL certificate for abc.example.com.

Chrome: ERR_CONNECTION_CLOSED

Firefox: Secure Connection Failed

Configuration #3

Custom Domain Settings

• *.example.com
  
• * abc.example.com
  

SSL Certificates Settings

• SSL enabled for example.com, www.example.com and abc.example.com
  

DNS Configuration

Tried all of the following configurations:

• CNAME - abc.example.com to ghs.googlehosted.com. ONLY
  
• CNAME - *.example.com to ghs.googlehosted.com. ONLY
  
• BOTH of the above CNAME records
  

Results

App Engine routes traffic to the default service.

As an aside, tried posting to serverfault.com, post was rejected for looking too much like spam.

[Adam (Cloud Platform Support)]

Before you configured HTTPS, have you verified subdomain routing works using plain HTTP, as per 'How Requests are Routed'? For visibility, I'd also recommend refactoring your question to be able to post on ServerFault without the spam block.

[Yue Chuan Lim]

Bit late, but hopefully this helps whoever comes across this issue. Detailed answer below.

TL;DR, Non-wildcard SAN certificates are not supported by GAE. This is a known issue. You need a wildcard certificate. A workaround is to use a dispatch file.

Adam: Yes, plain HTTP requests work. Regarding ServerFault, eventually sufficiently mangled my question so that it would past the spam check. Got a response from Nicholas a few months in (late Dec 2016). Did not have time to respond to him then. Now the question is marked as abandoned by ServerFault and I can't respond to it. This is rather terrible.

Anyhow. Since my question is no longer visible on ServerFault, Nicholas's response on ServerFault is reproduced for prosperity.

 

Based on the linked note, this appears to be an SSL issue. Do the naked domain and subdomains/wildcard appear in the certificate when printing it to screen using openssl x509 -text -noout -in my_cert.crt? Do the appropriate domains appear listed in the SSL Certificates section of App Engine Settings? Does the uploaded certificate appear listed under SSL support in the App Engine Custom domains section? If any of the above are false, I'd recommend reviewing Using Custom Domains and SSL. – Nicholas Dec 27 '16 at 18:16

 

I would also suggest that this question is better suited for a discussion forum like the App Engine Google Group. I strongly advise you to post your questions there after having read through the previously linked article. – Nicholas Jan 2 at 21:47

In any case, I believe the correct answer is that non-wildcard SAN certificates are not supported by GAE. See issue 11781 (https://code.google.com/p/googleappengine/issues/detail?id=11781). There is a workaround involving the use of a dispatch file, subject to a limit of 20 (previously 10) routing rules. Alternatively, you can use a wildcard certificate.

I've personally tested a self-signed wildcard certificate and can confirm that it works as intended. That is, requests are routed to the correct module based on the sub-domain name.

This is a bit of a bummer as LetsEncrypt does not issue wildcard certificates and wildcard certificates are rather pricey.