I have a custom domain setup for an AppEngine application. I have created the two required certificates using letsencrypt. I am aware that GAE requires a private key RSA file so I have done:
openssl rsa -in privkey.pem > privkey-rsa.pem
to create the privkey-rsa.pem. I am uploading that and the fullchain.pem file. These are accepted and I can see the correct domain under "SSL Certificates" in App Engine Settings.
I have set secure: optional for every route in my app.yaml
However, looking at the "Custom Domains" tab in "Settings", there is a column titled "SSL Support" which says None. I have removed and readded the custom domain with both the certificates present, and with them deleted.
But the "SSL Support" column remains at "None". And when trying to access my index.html page with https, Chrome produces 'Site cannot be reached'.
I seem to have no further options to try to get this working...
App Engine console > Settings > SSL Certificates > you'll see a list of certificates, click yours > mark the subdomain you want to serve this certificate through > Save
I am trying to update an SSL certificate for a Google App Engine project via CLI:
gcloud app ssl-certificates update NNNN --project XXX --configuration XXX --display-name=xxx.co.za --certificate=./fullchain.pem --private-key=./privkey_gae.pem
This command used to work previously but I am now getting the following error:
ERROR: (gcloud.app.ssl-certificates.update) PERMISSION_DENIED: Caller is not authorized to administer this certificate. You must be a verified owner of the certificate's domain(s) [xxx.co.za, *.xxx.co.za] to create, modify, or delete this resource. Your authorized domain(s) are []. If you own the certificate domain(s), you can obtain authorization by verifying ownership via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification.
This error does not make sense as the domains are verified according to the URL (as they are also the custom domain used by the app itself). Also this was working just last month, so it seems that something changed?
I found the issue. Domains are verified by an IAM user, but I use a different IAM/Service-account for the CI/CD server.
It seems that the security around accessing verified domains has changed, in that the Service-account will not automatically have access to the verified domains, even though the App does.
I was able to fix this issue by adding the service-account (jenkins@XXX-ci.iam.gserviceaccount.com) as verified owner here: https://www.google.com/webmasters/verification/verification
On a configured AKS cluster there is a Docker container with an application that uses AAD authentication.
Based on this article, an ingress is also configured. The API is working well.
When I add a reply URL with an https prefix to the Azure Active Directory application registration, I receive the error "The reply url specified in the request does not match the reply urls configured for the application". And I see that in the browser address bar the redirect_uri starts with http.
When I add a reply URL that starts with http, then I receive "Exception: Correlation failed".
What I have tried: adding the setting ingress.kubernetes.io/force-ssl-redirect: "true" to ingress.yaml
Maybe there is some way to force the ingress to run https instead of http, or there might be some AAD redirect configuration? Any ideas?
UPDATE 2: Probably the http redirect is because of ADAL.
PS: I was able to find a similar topic without an answer
UPDATE 3:
I have decided not to use nginx as ingress. Instead I am now using a Load Balancer. Soon it will be possible to use the Azure Application Gateway Ingress Controller
Have you tried this?
By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress.
This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.
More information on this on the Ingress documentation link.
You have to make a decision whether to use HTTPS or not. If this is just the start of a development cycle, start without it and get auth to work - but implement HTTPS as soon as possible.
AAD supports both http and https, but of course, the reply urls must be added to the application registration respectively.
As @mihail-stancescu says, ssl-redirect must be set to false, if you choose not to use HTTPS. In addition to this, you also have to ensure that your app does not make the redirect from HTTP to HTTPS.
Using curl with -L -k and -v options will give you a lot of information on what is actually happening with your requests.
When the http/https thing is solved, you have to remove any rewrite annotations you have in your ingress. (e.g. ingress.kubernetes.io/rewrite-target: / should be removed).
Now, if your ingress path to the service in question is e.g. /myservice, then the reply-url should also have that part of the path added ([host]/myservice/signin-oidc) - both in the AAD application registration and in the configuration of your app. (The path in the config should not contain the host)
If you are using https, then you must also have a proper certificate. You can use the free LetsEncrypt (https://letsencrypt.org/) in conjunction with KubeLego (https://github.com/jetstack/kube-lego), where you can find some nice examples on how to implement it.
I am trying to enable HTTPS on my Go App deployed to GAE flex environment. I have my custom domain successfully mapped, and am using Google-managed SSL certificates. I have app.yaml configured to redirect HTTP to HTTPS as follows:
handlers:
- url: /.*
  script: _go_app
  secure: always
Now there are two problems that I haven't been able to resolve so far.
First, the above configuration is supposed to redirect HTTP traffic to HTTPS, but apparently it is not happening.
Second, when I add https:// in the url box, I see three different behaviors on Firefox, Chrome, and Edge. Edge identifies the website as secure, Firefox marks the website as a secure connection, but says that it "has blocked parts of this page that are not secure", and surprisingly Chrome marks the website as Not secure (though it says the certificate is valid!).
With these symptoms I was wondering if I should take additional steps to make redirecting and SSL work for my website? Specifically, I would like to know with App Engine, and managed SSL enabled:
Should I continue serving pages on HTTP using http.ListenAndServe(..), or need to switch to http.ListenAndServeTLS(..)?
In my Go app, should I redirect HTTP to HTTPS, or is the above setting expected to work just fine?
Thanks in advance for your help and advice.
PS:
Trying out with different suggestions, I added Strict-Transport-Security: max-age=31536000; includeSubDomains to handlers' response. Does not seem if this helped with redirection either.
EDIT/PARTIAL ANSWER:
According to this documentation, under Authentication changes, the secure and login handlers are deprecated. The documentation suggests using Strict-Transport-Security or X-Forwarded-Proto instead.
I am using Strict-Transport-Security on the server side to enrich my response header:
type STLHandler struct {
    nextHandler http.Handler
}

func (h *STLHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
    w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
    h.nextHandler.ServeHTTP(w, req)
}
I was wondering if I am using this header in the right place?
For the second set of my problems I realized I have mixed content on my page. My mixed content was an http link to a set of fonts. When I fixed the mixed content, i.e. changed http to https, both Chrome and Firefox security warnings disappeared. You may also find this page Avoiding the Not Secure Warning in Chrome useful on this matter.
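The partial answer above mentions X-Forwarded-Proto as the replacement for the deprecated secure: always handler. The following is an added example, not code from the question or from Google's documentation, of a Go middleware that does the redirect itself behind App Engine's TLS-terminating front end: it reads X-Forwarded-Proto, answers plain-HTTP requests with a 308 to the https URL, and only sets Strict-Transport-Security on responses that actually travel over HTTPS (browsers ignore HSTS received over plain HTTP, which is why adding the header alone did not redirect anything). The names httpsRedirect, forwardedProto and hstsValue are this example's own. It assumes the app is reachable only through the front end; on a directly exposed port any client can set X-Forwarded-Proto itself, so the header must not be trusted there.

```go
package main

import (
	"net/http"
	"strings"
)

// hstsValue mirrors the header value the question already adds to responses.
const hstsValue = "max-age=63072000; includeSubDomains"

// forwardedProto returns the scheme the client used, as reported by the proxy.
// Assumption: the app sits behind a TLS-terminating front end (App Engine sets
// X-Forwarded-Proto). On a directly exposed port the header is client-controlled
// and must not be trusted.
func forwardedProto(r *http.Request) string {
	proto := r.Header.Get("X-Forwarded-Proto")
	if i := strings.Index(proto, ","); i >= 0 {
		proto = proto[:i] // chained proxies append values; the first is the client's
	}
	proto = strings.ToLower(strings.TrimSpace(proto))
	if proto == "" && r.TLS != nil {
		proto = "https" // direct TLS connection, e.g. http.ListenAndServeTLS
	}
	return proto
}

// httpsRedirect wraps next: requests that reached the proxy over plain HTTP are
// redirected to the same URL on https; HTTPS requests get HSTS and pass through.
func httpsRedirect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if forwardedProto(r) != "https" {
			target := "https://" + r.Host + r.URL.RequestURI()
			// 308 preserves the method and body; 301 would turn a POST into a GET.
			http.Redirect(w, r, target, http.StatusPermanentRedirect)
			return
		}
		// HSTS only takes effect on responses delivered over HTTPS; browsers
		// ignore it on plain HTTP, so sending it there redirects nobody.
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("served over https\n"))
	})
	// The flex front end forwards to port 8080 over plain HTTP; TLS ends there,
	// so the app keeps using http.ListenAndServe rather than ListenAndServeTLS.
	http.ListenAndServe(":8080", httpsRedirect(mux))
}
```

The STLHandler from the question can be dropped once this wrapper is in place, since the header is set here on the HTTPS path only.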
You need to check your app using:
http://[YOUR_PROJECT_ID].appspot.com
Or if you need HTTPS:
https://[YOUR_PROJECT_ID].appspot.com
If you want your own certificate you will need to upload it, and then it will be available to use at: https://your-domain.tld
From the docs:
For APIs that will be hosted on App Engine flexible environment, you must use the appspot.com domain, and the service name must be in the following format:
YOUR_PROJECT_ID.appspot.com
When you deploy your API to App Engine, a DNS entry with a name in the format YOUR_PROJECT_ID.appspot.com is created automatically.
For APIs that will be hosted on Compute Engine, Kubernetes Engine, or Kubernetes, you must use the cloud.goog domain, and the service name must be in the following format:
YOUR_API_NAME.endpoints.YOUR_PROJECT_ID.cloud.goog
Or you could just put a CDN in front, like Cloudflare, which will do all the SSL termination for you and, if required, redirect all HTTP to HTTPS.
We are trying to add a naked domain redirect to our custom domain. I followed the instructions on https://support.google.com/a/answer/2518373?hl=en
but when I change the domain to redirect from:
http://app-id=,domain=.example.io (which was auto filled)
to http://www.example.io, I get an error saying:
"""
Server error
We are unable to process your request at this time, please try again later.
"""
I'm not able to dig any deeper into the error or what is happening. My A records on the DNS provider point to the IP address specified by App Engine. I also have SSL on this app, and https://www.example.io works fine. It's only https://example.io that gives me the "Error code: ERR_CONNECTION_CLOSED" error.
It seems SSL on naked domains is not currently supported by App Engine. We have a similar issue, so our naked domain redirects to http://www.~ which then redirects to https://www.~
You might like to take a look at (and star) this issue.
Best free SSL redirect service I found was CloudFlare. To get it working:
Add your domain and switch your name servers to CloudFlare (signup process walks you through it)
Once added, go to CloudFlare Settings and down to SSL. Change the setting to 'Full SSL (Strict)'; this requires you to have a valid cert on the subdomain you're redirecting to (SNI works fine).
Go back to your websites list, select the domain again and in the options go to Page Rules. Add a 'Forwarding' rule that redirects https://yourdomain.com/* to https://www.yourdomain.com/$1 (replace www with any subdomain), and make sure the redirect is set to 301.
Save your settings and sit back and wait for everything to propagate.
Done. Free and secure SSL redirection for your naked domain.
As of September 2015, SSL is supported on naked domains by AppEngine.
I have setup Custom Domain "https://developers.google.com/appengine/docs/domain"
I have uploaded "An SSL certificate and private key" (to create those I am using "XCA" on Ubuntu, available in the Ubuntu Software Center)
Result ..."Assign all matching URLs" or "Add" Button is inactive.
What are the details to follow when setting up SSL for an AppEngine Custom Domain?
HELP: following the link on "http://support.google.com/a/bin/answer.py?hl=en&answer=2644386" refers to a login see: (moma single sign on) ???->
https://login.corp.google.com/saml_idp?KeyID=w1n&SAMLRequest=fVJNT%2BMwEL0j7X%2BwfM8nYoWsJqgLQluJhYgGDtwcZ1KctT3B47Tw70lTEN3DcvTz8%2FsYz%2BLi1Rq2BU8aXcGzOOUMnMJWu03BH%2Brr6JxflD9OFiStGcRyDM%2FuHl5GoMCml47EfFHw0TuBkjQJJy2QCEqsl39uRB6nYvAYUKHhbHVV8N4hdoPq26a1%2FeYvmB6taXXTY9%2FIRjfN4IbOSsXZ42esfB9rRTTCylGQLkxQmuVR%2BjPKz%2BvsVJzm4ix94qz6cPql3aHBd7GaA4nE77quoupuXc8CW92Cv53YBd8gbgzECu3evpJEejvBnTQEnC2JwIcp4CU6Gi34NfitVvBwf1Pw5xAGEkmy2%2B3iL5lEJscHRbycJyvmcv5opN9Hl5%2FWvPzSWyRHUuXHj%2B2LrK4qNFq9saUxuLv0IMPUIvhxKnGN3srwf7cszmZEt1E3U8XoaAClOw0tZ0l5cP13NaaFeQc%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fgoogle.com%2FServiceLogin%3Fservice%3Dah%26passive%3Dtrue%26continue%3Dhttps%253A%252F%252Fappengine.google.com%252F_ah%252Fconflogin%253Fcontinue%253Dhttps%253A%252F%252Fdevsite.googleplex.com%252Fappengine%252Fdocs%252Fssl%26ltmpl%3Dga%26shdf%3DCioLEgZhaG5hbWUaHkdvb2dsZSBEZXZTaXRlIENvbnRlbnQgU3RhZ2luZwwSAmFoIhRMUzrDPeZIM0WftD9x6Ag2ike0YCgBMhQmSRWl793zR9on0qxjQb8iedMy3Q
This is the correct documentation link:
https://developers.google.com/appengine/docs/ssl
When adding an App Engine app to use SSL over your custom domain, create the PEM encoded X.509 certificate and unencrypted PEM encoded RSA private key with openssl:
openssl genrsa -out rsaprivkey.pem 1024
openssl req -new -x509 -key rsaprivkey.pem -out dsacert.pem
When openssl asks you questions about your app's name, make sure to include the entire URL in your answer: www.abc.com to secure https://www.abc.com
-Ben
It's simple: the domain I am using should use CN -> www.abc.com and not just abc.com.
"All subject names on the host certificate should match or be subdomains of the domains associated with the account in the Google Apps Control Panel."
Thanks for the documentation link :-)
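Two of the threads on this page come down to the same pre-upload check: the first question converts certbot's privkey.pem to an RSA key and then sees "SSL Support: None", and the answer just above finds that the certificate's name must be www.abc.com rather than abc.com. The following is an added example, not code from any of the posters or from Google, of that check in Go: it parses the leaf certificate (the first block of a fullchain.pem) and a private key in either PKCS#8 ("PRIVATE KEY", what certbot writes) or PKCS#1 ("RSA PRIVATE KEY", what openssl rsa emits), confirms the key belongs to the certificate, and confirms the certificate's names cover the hostname to be served. The function names and the self-signed test certificate are this example's own; the names www.abc.com and abc.com are taken from the answer above. Go's VerifyHostname checks the Subject Alternative Name list and ignores a bare CN, which is also how current browsers behave.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePrivateKey accepts the two PEM encodings met in these threads: PKCS#8
// ("PRIVATE KEY", what certbot's privkey.pem uses) and PKCS#1 ("RSA PRIVATE KEY",
// what `openssl rsa -in privkey.pem` emits). Only RSA keys are accepted.
func parsePrivateKey(keyPEM []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in key file")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := k.(*rsa.PrivateKey)
		if !ok {
			return nil, fmt.Errorf("key is not RSA")
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
	}
}

// checkCertAndKey returns nil when the leaf certificate (first block of a
// fullchain.pem) matches the private key and covers host, otherwise an error
// saying which of the two checks failed.
func checkCertAndKey(certPEM, keyPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	key, err := parsePrivateKey(keyPEM)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return fmt.Errorf("private key does not match the certificate's public key")
	}
	if err := cert.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate does not cover %s: %w", host, err)
	}
	return nil
}

// selfSigned constructs a throwaway certificate for dnsNames so the check can be
// exercised offline; a real deployment would use the CA-issued fullchain.pem.
func selfSigned(dnsNames []string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, err := selfSigned([]string{"www.abc.com"})
	if err != nil { panic(err) }
	for _, host := range []string{"www.abc.com", "abc.com"} {
		fmt.Printf("%-12s %v\n", host, checkCertAndKey(certPEM, keyPEM, host))
	}
}
```

Run against real files, checkCertAndKey would be called with the contents of fullchain.pem and either privkey.pem or the converted privkey-rsa.pem; a mismatch error points at a key/certificate mix-up, a hostname error at a certificate issued for the wrong name.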
Under Google App Admin console -> select App Engine apps -> select app -> Add New URL