I have an application with python running on a google appengine SE.
Now, some servers expect a certain root ca installed on this application.
I have found information about list of root ca supported by gcp as below.
https://pki.goog/repository/
The desirable ca was not found in the list and should be used on the application at ssl handshake somehow.
I would like to ask 2 questions.
Is there any way to set root ca or extend the lists on an google appengine SE?
Should I set a path or an environmental value to a certification file, referred by certifi module, in a source code?
To answer your questions,
The list of supported Root CAs you've mentioned pertains to Google-managed SSL certificates. Since your desired CA is not on the list, then you'll need to provision a self-managed SSL certificate. You can refer on this link for additional information/s.
Google App Engine is a managed platform, so configuring SSL certificates are done in the Google Cloud Console, or through Client Libraries and APIs. All you need is to upload the certificate, and App Engine will handle the rest.
Note that you'll be responsible in maintaining self-managed certificates, as well as renewing it once it expires.
Related
we received a message from Apple notifying about CA certficates, old GeoTrust Global CA root certificate will be replaced by AAACertificateServices 5/12/2020. I was checking my App Engine settings and I didn't found any way to configure root certificates, so I suppose that Google manages these certificates. Am I right?
"On March 29, 2021, token and certificate-based HTTP/2 connections to
the Apple Push Notification service must incorporate the new root
certificate (AAACertificateServices 5/12/2020) which replaces the old
GeoTrust Global CA root certificate. To ensure a seamless transition
and to avoid push notification delivery failures, verify that both the
old and new root certificates for the HTTP/2 interface are included in
the Trust Store of each of your notification servers before March 29.
If your provider server runs macOS, the GeoTrust Global CA root
certificate is in the keychain by default. If your provider server
runs macOS 10.14 or later, the AAA Certificate Services root
certificate is in the keychain by default. On other systems, you might
need to install this certificate yourself. You can download the
GeoTrust Global CA root certificate from the GeoTrust Root
Certificates website. You can download the “AAACertificateServices
5/12/2020” certificate from the Sectigo KnowledgeBase website."
Kindest regards
My understanding is that Google manages the root certificate unless your app engine app is making use of a custom domain (ie is not served on *.appspot.com) and that you are not using a Google-managed certificate for this custom domain.
Still I would like to be able to formally check that things will work fine in the transition, but I did not find how to do so. Looking at the root certificate of *.appspot.com shows a Global Sign root certificate, not the legacy GeoTrust certificate Apple's APN servers are relying on currently. But as *.appspot.com is currently connecting properly to Apple's APN servers, I guess there is a matter of cross-signing or mutual recognition across certificate authorities which plays a role here.
I would also have expected Apple's sandbox APN server to transition earlier than Production for developers to see failure in their tests environment first, but I haven't seen Apple communicate any specifics on this.
Overall I'm not worried as I understand this is Apple finally migrating to a widely recognized root certificate, whereas the current one was already considered unsafe by many organizations. Also meaning we're quite lucky that connecting to APNs has been working fine out-of-the-box with App Engine until today (and hoping that will last until end of March!)
I purchased a custom domain mydomain.com w/Google Domains last year. Until earlier this week, I was hosting a small single-page React app on that domain (in a Cloud Storage bucket) that connected to a GAE Flask app backend. Wasn't using SSL anywhere. All was well.
I now wish to use SSL. Since I'm new to all of this stuff, I followed the documentation to map my custom domain and secure it with SSL using Google-managed SSL certs. During this process, I created my first load balancer in GCP, then updated my domain's DNS entries for # A and www A to the LB's IP. The guides didn't say anything about changing the # AAAA entries, so I left them in place. Cloud CDN is disabled. Google Domains DNS Settings:
When creating the Google-managed SSL cert, I entered both mydomain.com and www.mydomain.com since I want both addresses to be secured w/SSL. After a few hours, the domain status for www.mydomain.com became active, but the status is FAILED_NOT_VISIBLE for mydomain.com. Guessing this is the source of my problems? Google SSL Cert Statuses:
Troubleshooting tips for this error:
The SSL Certificate isn't attached to the load balancer's target proxy. To resolve this issue, update the load balancer configuration. Done, and confirmed via both the GCP UI and the gcloud cli.
The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to the load balancer's IP address. Thought I did this too, see my GAE custom domain settings below:
Attempting to load to mydomain.com or www.mydomain.com in the browser yields:
This site can’t provide a secure connection
www.mydomain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
It's been ~40hrs since I created the LB and updated the DNS settings for my domain, so I suspect the issue is my config and not DNS propagation. Where am I going wrong?
EDIT
Editing to clarify a few critical things:
I'm hosting my UI as a static website in a Google Cloud Storage bucket. Cloud Storage doesn't support HTTPS on its own, and therefore requires an HTTPS load balancer to work with custom domains.
If I wanted to go down this path, I'd need to ensure the load balancer pointed to my Cloud Storage bucket, which wasn't mentioned in my original post.
To roll back all changes from this SSL attempt, I'd need to update the # A DNS entry to the GAE IP, then update the www CNAME entry to c.storage.googleapis.com.. Note this CNAME entry is for Cloud Storage, not for GAE.
I ended up aborting the SSL idea and going with #3 (for now). The app in question is for a personal project that doesn't deal with any sensitive info, so SSL really isn't necessary.
You’ve gone through the process and receive the message:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I’ve found some information for you. The main points are listed below.
Verify SSL Status of Website,
Check for Certificate Name Not Matching
Verify TLS Version
Verify RC4 Cipher Suite
Manually Inspect Security Certificate
There is more detail in this document here
I want to deploy a ReactJS application on the AWS S3 (which I managed to do successfully). Now I need to make it HTTPS with lowest cost possible. How can I do this? A quick google search gave me something called Amazon CloudFront I am confused over there that do I need to have a Dedicated IP SSL Certificate to deploy my react application with HTTPS ?
I have referred to this question on deployment with S3.
Thanks
If you are trying to find things in detail, You can have a quick look here. Its just 2 minute reading and cover following things.
React Js deployment with Https cloud front
Subdomain
Configure AWS CLI and deploy build through command
https://bluebash.co/blog/react-deployment-with-aws-ssl-https-with-subdomain/
Answer to Why We need to use Cloudfront is :
Note: We need to do this because SSL certificates can only be assigned to cloudfront distributions or AWS ELB, so you need to create
one to enable SSL for your static website.
There are few steps involved in this , assuming you have site properly set up with HTTP end working here are some steps :
1) You need to Request SSL Certifcate from AWS (ACM) it is free and you would not be chraged for this you follow this AWS Documentation
Enter one or more domain names, you want to create a SSL certificate
for. You can even use a wildcard.
Verify the email you will get to email address associated witht the
domain.
Note: Choose Region as per your s3 bucket as Cloudfront only accepts certificates hosted in region us-east-1
2) Now you need to create Cloudfront Distribution :
Create a new Web distribution and select your S3 bucket as Origin
Domain Name. Select HTTPS Only for Viewer Protocol Policy.
In the Distribution Settings section enter your domain name you want
to host your static files on.
Beside that keep all the default settings and click “Create
distribution”.
3) Now Assign the SSL certificate to your Cloudfront distribution
Go back to Cloudfront and edit your distribution. Now you should be
able to select your brand new SSL certificate.
Hope This Helps..
I am trying to add an SSL Certificate to my Virtual Machine Instance on Google Compute Engine I created the key file and generated a CSR File, which I copied into GoDaddy to request a SSL Certificate.
I copied what they sent me and pasted it into a file name example.csr
I then ran this line in the instance:
gcloud compute ssl-certificates create certificate1 --certificate example.csr --private-key example.key
When I list my ssl-certificates I get:
NAME CREATION_TIMESTAMP
certificate1 2017-03-08T09:21:04.166-08:00
But I can't figure out why my webapp is not secure yet. When I go into my url it still says not secure.
EDIT
Source: SSL Certificates, Compute Engine Documentation
Although I've never used Google Compute Engine, I believe (after reading the documentation you linked) that you've just added the certificate, but you still need to configure it:
To use HTTPS or SSL load balancing, you must create an SslCertificate resource that can be used by your target proxy.
Note: SslCertificate resources are used only with load balancing
proxies such as a target HTTPS proxy or target SSL proxy. See that
documentation for when and how to use SslCertificate resources.
SslCertificate resources are not used on individual instances. On an
instance, install the normal SSL certificate as described in your
application documentation.
I suggest reading the links provided by the docs (above), depending of what you want to do (use a HTTPS proxy, SSL proxy or individual instance).
Short Answer:
We can't do that yet.
Medium Length Answer:
I had to actually install the SSL certificate directly on my application.
we are looking for an API to programmatically register new domains and upload corresponding SSL certificates for an existing Google App Engine application. Background: we would like to offer a DNS-based reverse proxy for our GAE-based service, where our customers can access our application through a domain they own. Once can easily configure new domain names (SNI) manually and upload a matching SSL certificate. In order to automate the process and also limit our exposure to customer-owned SSL certificates, we would like to automate the process.
I have been browsing Google's Management API for Google App Engine (https://cloud.google.com/appengine/docs/admin-api/reference/rpc/google.appengine.v1), but could not find a way to accomplish the aforementioned functionality through that API. Does such an API exist?
Thanks,
Soeren
Currently there is no support for this.
There is a feature request for this, created on Nov 13, 2015, which is also addresses Let's Encrypt support.
And there is a hint in it – that somewhere in the wild already exists alpha for "App Engine Admin API - Custom Domains & SSL Certificates"
You can star or comment on this feature request here:
https://issuetracker.google.com/issues/35900034
It looks like this isn't supported right now. This might be because of the domain verification process; you can find out more about what serving SSL on a custom domain on App Engine looks like here.