Sunsetting double wildcard SSL certificate support for applications serving from appspot.com


Christina Ilvento

Jan 10, 2013, 6:47:15 PM
to google-a...@googlegroups.com
Hi All,

As part of our continued commitment to security and a standard platform, Google App Engine will soon stop publishing double wildcard SSL certificates for *.*.appspot.com, (e.g., https://version.application.appspot.com or https://www.application.appspot.com). This change will take effect no later than April, 2013. Please note that this only affects applications serving from appspot.com, and that any applications serving from custom domains will continue using their existing certificates. Furthermore, this only affects HTTPS access to your application and non-secure HTTP traffic will not be affected.

If you rely on HTTPS access to such URLs for your application, please change any application logic to use “-dot-” instead of “.”. For example, to access version “1” of application “myapp” use “https://1-dot-myapp.appspot.com” instead of “https://1.myapp.appspot.com”.

Developers for applications using this pattern as of 1/7/2013 have already received a notification email with instructions for identifying this pattern in their application.

Based on our analysis, fewer than 2,000 App Engine applications are currently using double wildcard SSL certificates on appspot.com and the majority of them are using the pattern of https://www.appid.appspot.com, which can safely be replaced with https://appid.appspot.com.

Thank you for your continued support of App Engine. If you have any questions or concerns about these changes, please feel free to email us at appengine-ssl-certific...@google.com with your application-id and we’ll be happy to assist you.


Regards,
Christina Ilvento on behalf of the Google App Engine Team
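
The migration described in the announcement above, as an added example that is not part of the original post or Google's own tooling: a single-label wildcard such as `*.appspot.com` covers exactly one DNS label, so the sketch below scans text for HTTPS appspot.com URLs that certificate cannot cover and proposes the `-dot-` (or `www`-less) form. The function names and sample lines are constructed for illustration; applying `-dot-` to hosts with more than two extra labels is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SUFFIX = ".appspot.com"
# Candidate URLs; the host is validated properly after parsing.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+\.appspot\.com[^\s\"'<>]*", re.I)

def wildcard_matches(host, pattern="*.appspot.com"):
    """Single-label wildcard matching: '*' stands for exactly one DNS label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().split(".")
    return len(h) == len(p) and all(
        (pl == "*" and hl != "") or pl == hl for pl, hl in zip(p, h))

def rewrite(url):
    """Return a URL the single wildcard certificate covers, else the input."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(SUFFIX):
        return url                      # plain HTTP and other domains: unaffected
    if wildcard_matches(host):
        return url                      # already one label deep
    labels = host[:-len(SUFFIX)].split(".")        # e.g. ['1', 'myapp']
    if labels[0] == "www" and len(labels) == 2:
        new_host = labels[1] + SUFFIX              # www.appid -> appid
    else:
        # Assumption: every extra dot is replaced, also beyond two labels.
        new_host = "-dot-".join(labels) + SUFFIX
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))

def find_affected(text):
    """Return (line_no, url, suggestion) for each URL that needs changing."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in URL_RE.finditer(line):
            fixed = rewrite(m.group(0))
            if fixed != m.group(0):
                hits.append((n, m.group(0), fixed))
    return hits

# Constructed sample input (not taken from any real application).
SAMPLE = '''API_BASE = "https://1.myapp.appspot.com/api"
SITE = "https://www.myapp.appspot.com/"
OK_URL = "https://1-dot-myapp.appspot.com/api"
PLAIN = "http://1.myapp.appspot.com/status"
'''

if __name__ == "__main__":
    for hit in find_affected(SAMPLE):
        print(*hit)
```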

Carl Schroeder

Jan 11, 2013, 5:52:02 PM
to google-a...@googlegroups.com
Somehow, my email notice of this policy landed in my gmail spam folder. ;)

*pats the eager to please spam filter algorithm on the head*

Perhaps feeding the spam filter less sugar before bedtime?

Robert Kluin

Jan 13, 2013, 11:54:39 PM
to google-a...@googlegroups.com
How will this impact people using secure only URLs that are testing a
new version of the app before making it default? I guess the
"versions" page in the admin console will be updated to use the -dot-
notation, so it will still be easy?


Robert

Julie Smith

Jan 14, 2013, 2:21:47 AM
to google-a...@googlegroups.com
If your version is abc-1 in the versions page, and your app ID is myapp, then the full URL will be 

Marcel Manz

Jan 14, 2013, 5:12:11 AM
to google-a...@googlegroups.com
Hi Christina

Will this "-dot-" solution work for public backends as well?

Br, Marcel

John Lowry

Jul 12, 2013, 1:03:39 AM
to google-a...@googlegroups.com
We have completed sunsetting of the double wildcard SSL certificates. This email is to remind you to check that you do not have any clients that are sending requests to URLs with the pattern https://*.*.appspot.com/. For more details, see https://developers.google.com/appengine/docs/ssl.



Tobias Stepan

Jul 12, 2013, 1:02:17 PM
to google-a...@googlegroups.com
We were one of the applications using the described logic. However, we didn't receive an email from you. Since this morning our app with several thousands of users is offline, and we have already received hundreds of complaints. To fix the issue we need to update our client and go through the App Store review, which even in the accelerated process will take some days. Overall, we will be offline for several days, receive bad ratings and lose a lot of users. Altogether this is really bad.

I would like to know:
1. how you can assure us, that we will receive an email the next time you implement such a significant change?
2. if there isn't a better way than email to inform your customers of such an important change (email can easily be lost in spam filters, etc.)?

Kind regards
Tobias


Tobias Stepan

Jul 15, 2013, 6:03:03 AM
to google-a...@googlegroups.com
I wrote a longer and quite critical comment on Friday, because we had not been informed of this change, and the consequences for us have been pretty bad until today. So far the comment has not been released or replied to. Where is it?

Chris Ramsdale

Jul 15, 2013, 3:58:18 PM
to google-a...@googlegroups.com
Tobias,

Our apologies that this impacted your application and customers. The initial communication was sent out several months ago with suggested changes that developers should make to transition off of double wildcard certs. I realize that this may have missed your inbox. Moving forward, these will be targeted emails that are sent from @google.com addresses, which should mitigate risk of falling into spam. We will also distribute communications more broadly via this group as well as our blog. Finally, longer-term, we will be adding these types of notifications to the Admin Console as well as the new Cloud Console.

Also, we do utilize our support channel to distribute communications like these.  And, while we don't require the purchase of a support program, it does help in some cases.  Details of the support packages are available at https://cloud.google.com/support/packages.

If you can send me your application ID(s) directly, I can have our teams look into a potential fix that we can make platform-side.

-- Chris

Product Manager, Google App Engine



Tobias Stepan

Jul 15, 2013, 5:51:04 PM
to google-a...@googlegroups.com
Chris,

thanks for your email.

This morning we were able to implement a fix by offering a new version of our app. This is not a comfortable fix and we will lose some users, because everyone needs to update, but after all the trouble of the last days at least our service works again.

I just want to make sure something like this does not happen again. It is no problem to implement changes like that, if we are informed in a timely manner. You can be assured, that I (and also the other two admins of our application) will read every email from Google thoroughly. Provided that I get the email in the first place to tobias...@gmail.com

As well I will try to follow your blog and Twitter updates.

Tobias

Mobile: +49 (0) 151 2415 8040
Email: tobias...@gmail.com
Follow me: www.tobiasstepan.com

Dan

Jul 27, 2013, 1:18:54 PM
to google-a...@googlegroups.com
How does this affect modules? I see the modules documentation says they can be accessed by  http[s]://mobile‑frontend.simple‑sample.appspot.com for example. However if I access a module with https I get an invalid certificate error. 

Am I missing something or is there an error with the documentation? I have created issue https://code.google.com/p/googleappengine/issues/detail?id=9752 just in case there is.

