I'm doing a server-side GTM setup. I managed to set up a Google cloud App engine.
I added a custom domain (verified with Google webmaster central, added DNS records etc.).
I can see in the Cloud settings that the custom domain (actually it's a subdomain) is set up, using also Google-managed, auto-renewing SSL.
So, everything looks fine except when I try to access this custom domain (directly or while doing a GTM container preview), I get the connection error in the browser (ERR_CONNECTION_CLOSED).
Since all DNS records looks OK (I have TXT record for the GWC/ownersip verification, 4 A records and 4 AAAA records for Google cloud) I did a tracert where I can see that it gets to the google server (hop 5), but then it gets lost:
The last hop should be the subdomain, but it's a "random" Google server).
It's more than 24 hours from the DNS records change so I don't believe it's a DNS propagation issue (although it still might be of course but the chances are very small). So if anyone has any idea, what could be wrong, I'd be very glad :D
I managed to repeat exactly the same setup with another subdomain (on totally different domain). I had issues with geeting Google-managed certificate - it took the App Engine a really long time to install it. But at the end it worked.
So it looks like the issue is indeed with Google and the certificate. I'll wait and let you know if this was the issue.
Edit (additional explanation): it turns out that the issue is with the client's domain which doesn't allow another CAA (in this case Google or Let's encrypt) to issue a certificate.
You haven't mentioned a CNAME record for the subdomain. You need a DNS record like this for the subdomain to work:
www CNAME ghs.googlehosted.com
I've assumed that www is you subdomain but you would use your subdomain if different.
Related
I did pore through other similar questions and found answers. I am still having a situation that is not answered and I am not able to comment on those posts to seek clarifications. Thus this new question.
Let me explain my situation...
I have a GCP Project and enabled AppEngine on the same.
I have setup 3 services: 'default', 'api' and 'ui'.
I have deployed apps on all the 3 services and they are all being served through their appspot urls without any issues.
Now I want to setup routing using own domain, purchased from GoDaddy. The schema looks like the following:
www.my-domain.com -> 'default'
rest.app.my-domain.com -> 'api'
ui.app.my-domain.com -> 'ui'
I have the dispatch.yaml to setup the routing rules and I can see the same properly defined in the 'Services' screen. No problems there... The problem is in defining the custom domain mappings for these services.
For the 'default' service, it was easy. GAE identified GoDaddy and requested A & AAAA records for managed security. And then CNAME 'www' pointing to 'ghs.googlehosted.com'. Done and all went well.
Now, for the other services, GAE is asking for the same set of A, AAAA and CNAME records.
Here is the problem. I cannot setup multiple CNAME records pointing to the same value ('ghs.googlehosted.com'). The GoDaddy cPanel/DNS Manager Tool does not even allow adding such records. I have spoken to their support and they confirm that their tool is restricted ti ICAAN policies. So multiple CNAME records is out of question.
As a workaround, I setup a sub-domain pointing to googledomains. I setup 'app' as a new Zone in 'Cloud DNS' in m GCP Project. All name servers are placed in master DNS zone in my GoDaddy. This could allow me to create CNAME record for 'app' in googledomains, atleast theoretically. But GAE Project Settings does not recognise the domain. Its forcing me to make the CNAME records in GoDaddy under the master zone. Not sure how Google doesnt understand the ICAAN policies!! So this option walked into a wall too.
Then I read about the wildcard subdomains. GoDaddy documentation describes the support for this but limited to a specific IP (so only A record). However, GAE needs the value 'ghs.googlehosted.com' and that means I must create a CNAME record only. There are many discussions on this; some saying this will not work and others claiming this works.
This is quite literally my last option and I would like to know how to make this work. If there is any other way to get this setup working, it would save me a lot of time and trouble. I am a developer and all this infra work is just such a hog on my productive bandwidth.
Thanking you in advance.
Finally, the way I have resolved this is to define a single wildcard CNAME in GoDaddy pointing to 'ghs.googlehosted.com' and registered all subdomains as new domain names (actually with different names) in googledomains now. The latter is an alternate fail-safety to ensure my clients can connect. I am now waiting for the current subscription to run out and move away from GoDaddy after. Right now, the pricing I pay GoDaddy is too much compared to Google Domains and for the level of support quality from GoDaddy it is really not justified.
So, I've worked on this for some time and I believe that there is something odd here.
I tried this with a go daddy domain and 2 app engine services. So the steps that I followed are explained next:
1) Go to App engine and on settings/custom domains add the custom domains you'd like to have (with the subdomains in this case)
2) On go daddy you need to go to your domain and admin your DNS records on your domain.
3) Add The Cnames registers with your sub domain pointing to ghs.googlehosted.com
4) deploy your dispatch.yaml
The thing that I don't understand is why you say that is impossible to do the step 3 as it has never caused issues when I tried to do this. Could you specify how are you doing the third step in go daddy?
Additionally, I believe that this same information is better explained on this documentation Is just that I don't get why is it failing on your side.
I've looked at previous questions enter link description here, but they use the GSuite Administrator to make changes, while my app uses GCloud. The domain registrar is separate since Google domains don't work in my country.
I mainly followed this guide to setting up my Zones and updating the name servers. I've configured the
https://cloud.google.com/dns/docs/update-name-servers
The question I linked to earlier recommended setting up a www. subdomain, but it used Authenticator. I'm not sure how to do this in a zone. I set up all the records properly in my domain registrar.
Here are the settings:
When I load the site itself (There's no actual HTTP response code):
And when I try the www. subdomain
I'm sure there's a step I'm missing, but this is my first site with GCloud. So I'm not very familiar with the process.
I think where is your missing step.
When you ask Google to use your domain, Google will expose HTTPS endpoint. HTTPS requires a certificate, and Google will generate it for you. However, before doing this, Google has to be sure that the domain belong to you.
You have to prove to google that you own your domain. For this, go to this page, log in and add a property (your website URL). Follow the instruction and be sure that your property has been validated.
Then, wait some minutes (hours?) the time that the certificates are generated and deployed.
My use case is this: I have a domain that points to a server at IP 1.2.3.4 and I would like a subdomain at the domain to point to my App Engine application i.e.
example.com --> 1.2.3.4
app.example.com --> App Engine application
The naked domain as well as the www subdomain must point to the standalone server.
From what I've found out so far, this doesn't seem possible.
Would anyone be able to confirm if this configuration is indeed not possible?
I might actually have a better solution to this.
You can only verify the subdomain.domain.tld with google.
Then you only will add A and AAAA entries to the DNS, with the alias subdomain.
subdomaid.domain.tld will then be independent from domain.tld
After much testing, I've come to the conclusion that the scenario which I've painted is not feasible. So I settled for www.example.com to point to the web server (1.2.3.4) and app.example.com
When users go to the naked domain example.com, they get redirected to www.example.com
Here's what I did:
Remap the naked domain's A records (4 of them, and 4 AAAA records) back to the IP addresses that App Engine suggested.
Added a redirect of the naked domain to the www subdomain, and
Added an A record for www to point to the web server IP (i.e. 1.2.3.4)
Finally, added a CNAME record for app to point to ghs.googlehosted.com so that app.example.com points to the App Engine application.
There might be another option, but I can't really test it for sure as I can't risk it my app ever fails without me knowing.
So from my empirical testing, I was able to set the domain to external hosting and subdomain to GAE:
point main domain to google.
point subdomain to google
wait for certificates to be issued
remove domain from "custom domains" tab (click on the trash can)
point your domain wherever you want
This worked for me for 4 days, in test env, but I couldn't really risk my app of this kind of failure, so I just used the accepted answer at the end (redirect domain to www)
This is definitely possible, I've done it for the exact same scenario:
In App engine, when you verify your domain, only map the subdomain (mysubdomain.example.com). GCP will prepopulate the naked and www domains. Remove them before proceeding.GCP will then provide the A, AAAA, and CNAME records for you to add to your DNS records.
Go to wherever you manage those (Google Domains, GoDaddy, etc), and add all four A's, all four AAAA's and the CNAME yo your subdomain/host
Eventually, gcp should see it's provided records on the DNS records and should issue certificates for https.
On gcp, adjust the dispatch.yaml file to route things to the service I wanted:
dispatch:
- url: "mysubdomain.example.com/*"
service: myservice
Your service should now be accessible via https://mysubdomain.example.com with a pretty padlock to go with it.
Yes, I can confirm this is possible. In fact, it is the recommended way for handling the microservice architecture on App Engine [0].
In your case specifically, all you have to do is create a CNAME with your DNS registrar pointing to ghs.googlehosted.com.
You then have to first verify your TLD with App Engine and add a specific mapping to your subdomain as described here [1].
Let me know if you have any specific questions with the process.
[0] https://cloud.google.com/appengine/docs/standard/python/microservices-on-app-engine
[1] https://cloud.google.com/appengine/docs/standard/python/console/using-custom-domains-and-ssl
I found out it is possible to verify ownership of the whole url, and use that...
App Engine doesn't need to have the A records on the root domain if
you are only serving from a subdomain. App Engine should work properly
for you with just the one CNAME on subdomain.example.com.
Duplicate of App Engine and Firebase Hosting in One Domain
This is the correct answer and is working as expected.
I have a GAE app and a custom domain registered on enom.com. The app is a static website that's configured by app.yaml.
I'm trying to use LetsEncrypt certs for ssl, so I want to have valid certs for both www.example.com and example.com. I can get the cert for www.example.com working fine.
However the problem is in my naked domain. Whenever a http request goes to http://example.com/, it gets redirected to http://www.example.com/, ok. But, if a http request goes to e.g. http://example.com/a.html, the request is still redirected to http://www.example.com/. So when LE servers come looking for their well-known acme-challenge, it fails because they see index.html.
I guess this isn't a common behavior because no one is mentioning this, not at https://code.google.com/p/googleappengine/issues/detail?id=10802, nor at https://github.com/certbot/certbot/issues/1480.
I've tried to dig into why this is happening, one error I can see is here:
If I select to overwrite, GAE says it "failed to insert mapping"
This whole project was started by another person and he claims he's not aware of example.com being assigned anywhere else. I've looked at his Google Cloud Console and it would seem that he's correct.
Maybe something of interest is that in the Domain page of admin.google.com, naked domain redirect is set up. It redirects example.com to www.example.com. I've not found a way to disable it.
On my dns registrar, I have input the four A records, four AAAA records, and a www for CNAME.
TL;DR: My LetsEncrypt acme-challenge is failing for my naked domain, help!
I started getting the same error in app_engine after I went to Google Apps account and added example.com to redirect to wwww.example.com. After I did this, in app_engine I got "is already mapped" error. And there was no way to undo the redirect in Google Apps, so my guess was that Google Apps had mapped it and so App Engine could not modify it or add it. I had to explain this to Support team, and btw Google Apps support is free to call, so contact them and then get transferred to App Engine support team.
There is no way to fix it yourself, you have to get Google Support on call and explain clearly and they can reset. I was bounced between Google Cloud and Google Suites (Apps) support teams 7 times and after 2 weeks finally resolved, each one blaming the other, until I found a guy who understood this issue and fixed it for me.
I added a custom domain to point to one of my Google App Engine Projects. It has been approximately 18 hours since I made this change.
How long does it take for DNS changes to propagate. After 18 hours when I hit the domain, I still get "Site can't be reached" on Chrome.
ping: cannot resolve: Unknown host, when I do a ping.
UPDATE: I figured out the issue. I bought the domain uisng Google Domains. It seemed like Google App engine settings, where I added, custom domain was going to update A records in Google Domains for my domain. It didn't. Created A records in Google Domains, and now it works fine. My domain, and subdomain are pointing to a project in Google App engine.
At the bottom of the Add a new custom domain screen from the GAE App's Custom Domains page in the developer console you can see:
DNS changes can require up to 24 hours to take effect
A snapshot of that screen is illustrated at step 5 of the Adding a custom domain for your application procedure.
Side note: maybe it's also worth re-checking the updated settings, it actually happened to me once - I was waiting (in vain) for DNS propagation only to notice that the changes I thought I completed weren't there - I must have missed an ok/confirm button or something...
If the settings are there you could also try checking using some network other than your usual internet provider (which often is involved in the DNS propagation). Mobile/office maybe?
You can also try some online DNS lookup tools or even website verification tools - often propagation to such servers is faster than to end-user internet providers. It doesn't matter if the app is not up, all you want to see if they're able to get the IP address for your domain. If any of them can get an address then it's really just a matter of time.