Adding Custom (domain+SSL) on Google App Engine which I bought from GoDaddy - google-app-engine

I am trying to add a custom domain with SSL to my Google App Engine project. Following the steps defined in using-custom-domains-and-ssl, I successfully added my domain, but when I go to the SSL Certificates tab to add the cert, I see a certificate which is already added. Can anyone please tell me: can I use this SSL certificate, or will I have to add the cert manually myself?

That would depend on several factors. You should verify the information in the existing certificate is correct before attempting to use it.
If this was a certificate you added previously AND it matches your domain name AND it is not expired, then yes you can continue to use it.
If any of the above is false, you should import your new certificate instead.

Related

Sub domain not listed in Google App Engine while enabling SSL for custom domains

I have been trying to use my own SSL certificate on subdomains for my app in GAE. I have successfully created the certificate and was able to enable it for all but one subdomain.
Let's say my domain is domain.com. I was able to enable the SSL certificate for domain.com, www.domain.com, subdomain.domain.com but for some reason, www.subdomain.domain.com does not show in the list of potential custom domains for my certificate. In this situation, I can not access my website through https://www.subdomain.domain.com but can through https://subdomain.domain.com.
Also, I can activate a google managed certificate for this subdomain, making https://www.subdomain.domain.com accessible, but of course, this is not what I want. Any clue on how to make www.subdomain.domain.com visible in the domains list of my certificate in order to then be able to turn it on?
This post is reporting a similar issue to this one. Sadly, no one has provided an answer and I do not have enough reputation to comment on it...
Multi-level domains may be tricky. Starting with the type of the certificate obtained. From RFC 2818 (emphasis mine):
"Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com."
I suspect this is what's causing your trouble. Google also mentions in App Engine support for SSL certificates:
Wildcard certificates only support one level of subdomain.
When trying the google-managed certificate the certificate is likely generated exactly for the respective domain, not a wildcard one, thus not having the problem mentioned in the above quote.
The only way I can think of to get this working is to obtain a separate wildcard certificate for each domain level. But that could be a problem if you direct users to sites at different domain levels, as the certificate would change.
Personally I'd just arrange my domain names to be contained into just one domain level and avoid all these issues. Maybe with something like www-subdomain.domain.com instead of www.subdomain.domain.com?
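The single-level wildcard rule quoted in the answer above, combined with the name-and-expiry check from the first answer on this page, as an added example that is not part of any of the posts. The certificate is a constructed sample in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone


def name_matches(pattern, hostname):
    """Compare a certificate DNS name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" never stands for more than one domain level
    if p[0] == "*":
        # Assumption: "*" is honoured only as the whole left-most label;
        # partial labels such as "f*" (allowed by RFC 2818) are not matched.
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def check_certificate(cert, hostnames, now=None):
    """Map each hostname to 'ok', 'expired' or 'name not covered'.

    cert is a dict in the shape ssl.SSLSocket.getpeercert() returns.
    """
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    report = {}
    for host in hostnames:
        if now >= not_after:
            report[host] = "expired"
        elif any(name_matches(n, host) for n in names):
            report[host] = "ok"
        else:
            report[host] = "name not covered"
    return report


# Constructed sample: a certificate for domain.com and *.domain.com.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "*.domain.com")),
}
HOSTS = ["domain.com", "www.domain.com", "subdomain.domain.com",
         "www.subdomain.domain.com"]

if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for host, status in check_certificate(SAMPLE_CERT, HOSTS, fixed_now).items():
        print(f"{host:28} {status}")
```

For a live endpoint, the same dict can be obtained from `getpeercert()` on a verified TLS connection and passed to `check_certificate` unchanged.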
According to the Google Cloud docs, provided you have the right permissions in the GCP console and have verified ownership of all parent domains, you can access subdomains with your custom certificate.
Example:
If the certificate is for www.example.com you can verify ownership of either www.example.com or example.com.
If the certificate is for www.example.com and sub.example.com you can either verify ownership of both www.example.com and sub.example.com, or of example.com.
If the certificate is for *.example.com you must verify ownership of example.com.
You can check this link, mostly the section mentioned: Using your own SSL certificates

Cannot remove a domain or upload a new SSL certificate on Google Cloud Platform

I used to have permissions to remove a custom domain on Google App Engine or upload a new SSL certificate.
However, one day the SSL certificate expired and I could not upload a new SSL certificate and got the following warning message.
"You do not have sufficient permissions to view this page".
When I tried to remove this custom domain, I also got the following warning message.
"All domains mapped to this application are shown below. Only owners of a domain may remove one of its mappings."
I am the owner of managing the domain name group in Google Cloud DNS and project.
Any ideas to solve this issue?
I solved this problem.
I don’t know why this suddenly happened.
The solution was to remove the app engine and create it again and setup the custom domain.
App Engine only allows the person who created the App Engine app and domain name to manage domain names or update SSL certificates.
Moreover, Google now has a new feature to provide auto-renewed ssl certificates for app engine.

App Engine access service(s) with custom domain and HTTPS

I have a GAE app set up to use a custom domain, let's call it mycustomdomain. This naked domain is working fine over HTTP and HTTPS. I also have a service called api, it can be accessed successfully by going to http://api.mycustomdomain.com (custom domain convention).
However, I can't access the api service over HTTPS. I uploaded an SSL certificate for mycustomdomain.com, but I got an error (site can't be reached) when trying to access the api service over HTTPS. My question is: do I need to purchase the wildcard.mycustomdomain.com SSL in order to access the api service over HTTPS? I don't have much experience dealing with SSL certs and GAE custom domains, so any help would be greatly appreciated. Thank you!
Edit: updated information for GCP Console configurations.
My app setup in the Console contains the following:
Services: default, api
Custom domain setup: mycustomdomain.com
SSL uploaded: ultrahdlivewallpaper.com (NOT the wildcard version), api.ultrahdlivewallpaper.com (unable to be enabled for custom domain, none matching)
More detail: The problem is when I map both ultrahdlivewallpapers.com and api.ultrahdlivewallpapers.com, they are both mapped to the default service. I want api. to point to the API service. If I only map ultrahdlivewallpapers.com, that allows me to access api service at the api subdomain, but then the api SSL can't be applied to api. subdomain because it's not listed as a subdomain.
07/24/17 Update: I believe this is a limitation with the App Engine Settings after trying out several scenarios via GAE Console. We have a custom domain set up for ultrahdlivewallpapers.com and enabled the SSL cert for this domain. The domain is pointing to the default service. We have a second service set up called API. Google's routing rules for any service set up is via http://service-id.custom-domain, which in our case is api.ultrahdlivewallpapers.com. However, when I upload the SSL for the api subdomain, Console couldn't find matching domains because the api subdomain is not specified via the Console. Now if I set up api.ultrahdlivewallpapers.com as a custom domain, I'm able to enable the SSL for api subdomain. Problem then becomes api subdomain is now pointing to the default service instead of the api service. If I remove the api mapping, I'm able to browse to the api service again, but no HTTPS! I don't believe there is a way to get this set up correctly without a wildcard SSL enabled for all subdomains. Please let me know if I'm missing anything. I have tried everything I can think of via the Console. Thanks.
You don't necessarily need a "wildcard" cert, per se. But, you do need to get a cert that covers all the subdomains. For example:
mycustomdomain.com
www.mycustomdomain.com
api.mycustomdomain.com
It's a standard solution, and not difficult to do. Certbot (Let's Encrypt) makes it easy.
If you choose to get a wildcard certificate, installation is pretty straightforward:
You upload the certificate in the developer console (in App Engine -> Settings -> SSL Certificates -> Upload a new certificate). May require a bit of effort, see also Google App Engine SSL with Let's Encrypt "could not be inserted".
Once it's visible in the certificate table you can click on its name and you'll end up in the certificate edit screen where you can select which custom (sub)domains it applies to (from the list of all custom domains mapped in the app), looks like this:
Note: these are the corresponding custom domain mappings:
If you have another app (under the same admin account) which is also mapped to subdomains of the same domain you can activate the certificate on it as well in a similar manner (the console automatically shows the certificate in the list when you switch apps, no need to upload it again).

How to add https trusted certificate to AWS instance

I have made an app with Spring Boot on backend and UI in AngularJS. UI is separate from the backend. UI is deployed in Firebase and my backend in deployed in AWS (via boxfuse). I want to add a trusted https certificate to my backend but Certificate Manager does not let me create a trusted certificate for Amazon owned domain. How can I add a certificate to the backend (with Let's Encrypt)? Does my UI also need a trusted certificate?
First of all, if you are using the public domain of the EC2 instance, I would advise against it, because the domain changes whenever you stop and start the instance. If you are using Let's Encrypt, then you should do it on the server that has Apache configured. Let's Encrypt provides you with an ACME client; the most recommended is certbot. Choose your OS and web server and it will give you a script. Run that script on your server and it will ask for the details needed to get the SSL certificate. The script will do the rest for you. Please read the documentation before you perform these steps.
You should also consider the domain type, whether you are using a single domain or a wildcard, according to your application.
The link below is useful for me; if you want, you can get more detail about this there.
https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority

Is it possible to use SSL with a custom domain on app engine without own certificate?

I have an app engine app and I enabled SSL for it (without an own certificate) and it works for the appspot-url like https://myApp.appspot.com. Now I want to use my custom domain like myDomain.com with SSL (e.g. https://myDomain.com). Is this possible without an own certificate like with the appspot domain? I followed this guide (https://developers.google.com/appengine/docs/ssl?hl=de) and it talks about uploading a certificate. Is that an optional or a mandatory step?
Because if I try to access my domain, I always get an SSL error.
Uploading a certificate is mandatory if you want to use SSL for a custom domain. You can find details on SSL handshake at [1].
[1] - http://www.pierobon.org/ssl/ch2/detail.htm
