SSL on appspot.com subdomain of non-default version - google-app-engine

I want to use SSL on the non-default version of my GAE app. For the normal https://my-app.appspot.com I know I don't have to do a thing. However I have another version, which would be under https://v2.my-app.appspot.com and there SSL doesn't work. It gives following error in the browser:
Your connection is not private
Attackers might be trying to steal your
information from dev.replimeapp.appspot.com (for example, passwords,
messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID

Use following address instead: https://v2-dot-my-app.appspot.com/
Google does not issue SSL certificates for double-wildcard domains hosted at appspot.com. Therefore with HTTPS you must use the string "-dot-" instead of "." to separate subdomains, as shown in the examples below. You can use a simple "." with your own custom domain or with HTTP addresses.
From there: https://cloud.google.com/appengine/docs/java/config/webxml#Secure_URLs

Related

gcloud cli app engine domain mapping error

I am trying to get multiple microservices to run on a single app engine of a single project. I am following this official documentation from GCP
https://cloud.google.com/appengine/docs/standard/python3/mapping-custom-domains
When I try to create a wild card mapping like this
gcloud app domain-mappings create '*.example.com'
So that GCP backend engines can match the request accordingly:
[VERSION_ID].[SERVICE_ID].example.com
I get the following error
ERROR: (gcloud.app.domain-mappings.create) INVALID_ARGUMENT: A managed certificate cannot be created on a wildcard domain mapping. Set `ssl_management_type` to `MANUAL` and retry the domain mapping creation. You can manually create an SSL certificate with `AuthorizedCertificates.CREATE` and map it to this domain mapping with `AuthorizedCertificates.UPDATE`.
Could anyone help with this?
It looks like by default the command attempts to configure managed SSL certificates, which aren't compatible with wildcard domain mappings. From Wildcard mappings:
**Note**: Wildcard mappings are not supported for managed SSL certificates.
As the error message suggests you can disable that with an option. From gcloud beta app domain-mappings create:
--certificate-management=CERTIFICATE_MANAGEMENT
Type of certificate management. 'automatic' will provision an SSL
certificate automatically while 'manual' requires the user to provide
a certificate id to provision. CERTIFICATE_MANAGEMENT must be one
of: automatic, manual.
So just try instead:
gcloud app domain-mappings create '*.example.com' --certificate-management=manual
I see a discrepancy: the error message mentions the ssl_management_type option while the doc page shows certificate-management. Try both if needed - it may be just an error or it may be a renamed option (which may or may not still be supported under the hood).
Of course, if you want SSL, you'd have to manage the SSL certificate(s) yourself (maybe using the --certificate-id option, documented on the same page?). In that case also check out the related Google App Engine custom subdomain mapping for a specific version for potential implications of variable domain nesting.

Quickblox is not working with subdomain url

I have multiple URL for same domain , but its contain sub domain like following
admin.projectname.com
doctor.projectname.com
etc..
Here quickblox call not working with this URLs and giving following error:
NavigatorUserMediaError {
name: "PermissionDeniedError",
message: "Only secure origins are allowed.",
constraintName: ""
} app.js:577 4
I have refer quickblox and found some solution like quickblox only work with localhost and https SSL but I want to make it work with this type of URL.
It is already working with localhost but I want to start it with virtual domain of localhost.
Please help me out of this. let me know if any query.
You can't get access to UserMedia unless you're connected to a secure host. Your browser recognizes as secure host the ones with HTTPS or, for development, localhost.
If you need to develop with full domain names you either generate an SSL certificate (a free self-signed) for your environment or use an obscure flag like --unsafely-treat-insecure-origin-as-secure="admin.projectname.com".
See https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins section Testing a Powerful Feature.

Gcloud app module (subdomain) with ssl: certificate error [duplicate]

I want to use SSL on the non-default version of my GAE app. For the normal https://my-app.appspot.com I know I don't have to do a thing. However I have another version, which would be under https://v2.my-app.appspot.com and there SSL doesn't work. It gives following error in the browser:
Your connection is not private
Attackers might be trying to steal your
information from dev.replimeapp.appspot.com (for example, passwords,
messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Use following address instead: https://v2-dot-my-app.appspot.com/
Google does not issue SSL certificates for double-wildcard domains hosted at appspot.com. Therefore with HTTPS you must use the string "-dot-" instead of "." to separate subdomains, as shown in the examples below. You can use a simple "." with your own custom domain or with HTTP addresses.
From there: https://cloud.google.com/appengine/docs/java/config/webxml#Secure_URLs

Naked Domain Redirect Failing when using HTTPS SSL on Google App Engine

We've got a website:
www.feeltracker.com
This is running on Google App Engine
On Google App Engine, we have Naked Domain forwarding setup, so that:
http://feeltracker.com
redirects to
http://www.feeltracker.com
However, when we try to open the following address in Chrome:
https://feeltracker.com (notice the HTTPS)
We get a Google error page with the following message:
Google
404. That’s an error.
The requested URL / was not found on this server. That’s all we know.
Does anyone know how we can ensure https://feeltracker.com redirects to www.feeltracker.com?
Note that in Firefox we get the following additional information when trying to open https://feeltracker.com:
feeltracker.com uses an invalid security certificate.
The certificate is only valid for the following names:
*.google.com , *.android.com , *.appengine.google.com , *.cloud.google.com , *.google-analytics.com , *.google.ca , *.google.cl , *.google.co.in , *.google.co.jp , *.google.co.uk , *.google.com.ar , *.google.com.au , *.google.com.br , *.google.com.co , *.google.com.mx , *.google.com.tr , *.google.com.vn , *.google.de , *.google.es , *.google.fr , *.google.hu , *.google.it , *.google.nl , *.google.pl , *.google.pt , *.googleapis.cn , *.googlecommerce.com , *.gstatic.com , *.urchin.com , *.url.google.com , *.youtube-nocookie.com , *.youtube.com , *.youtubeeducation.com , *.ytimg.com , android.com , g.co , goo.gl , google-analytics.com , google.com , googlecommerce.com , urchin.com , youtu.be , youtube.com , youtubeeducation.com
(Error code: ssl_error_bad_cert_domain)
Note that we are using the SNI SSL certificate capability on Google App Engine with our uploaded certificate.
When we run SSL diagnostics via http://www.digicert.com/help/ we get the following:
Certificate does not match name feeltracker.com
Subject *.google.com
Valid from 02/Jul/2013 to 31/Oct/2013
Issuer Google Internet Authority
Subject Google Internet Authority
Valid from 12/Dec/2012 to 31/Dec/2013
Issuer Equifax
Any ideas why https://feeltracker.com fails to use the correct certificate, whereas www.feeltracker.com and http://www.feeltracker.com work as expected with our SSL certificate?
Update 16 Sept 2015
It appears this may now work as per Forum post and Issue 10802
Previously applicable info below...
Currently it's not supported. The naked domain redirect is a workaround only for http and you'll probably notice that specific IP addresses you need to be put in your DNS for that differ from the approach and IP addresses for ghs.googlehosted.com.
This seems to indicate that it's different parts of Google's infrastructure and they haven't yet managed to make them consistent or work together. I haven't seen any details on when they will resolve this so it might be a long wait. e.g. Related post from 2009
There is an "acknowledged" issue for Naked domain support so when that's fixed then likely this issue also resolved.
As Google is not going to correctly serve your certificate on their naked domain redirector then for now there are these options that I see:
Make/provide your own reverse proxy (Apache httpd, varnish etc) or use a reverse proxy service (eg. CloudFlare) and point your naked domain there. You'd install your SSL on the reverse proxy, clients would connect there for your naked domain (no certificate errors) and you'd proxy all traffic to your real site. It might create a single point of failure and costs depending what you use.
Rent a cheap VPS where you install a web server, your cert and a redirect script to https://www.feeltracker.com. In DNS map your naked domain to that server. It can be a really cheap linux server as requirements just to redirect are very low.
Find a domain redirect service that supports https and allows you to upload your certificate. Sadly I'm not aware of any.
Use VIP (Virtual IP) SSL and configure it in DNS for your naked domain. I haven't tested myself but it seems it should work, although I did find a old comment here that it may not. Has someone tested? NOTE however as far as I could see the DNS entry has a TTL of just 300 (5mins) and Google doesn't advise it, so even if it did work you might need some scripts to update your DNS entries as there's a strong chance it changes from time to time. If it does work then DNS providers like DNSSimple have an API so it would be possible.
Probably the second option is most applicable in your case as you don't seem to mind about the naked domain (which for many is an issue).
I recently found a good example: https://khanacademy.org/ They appear to use an Amazon EC2 host as per the second option above.
https://khanacademy.org/ Resolving khanacademy.org... 107.20.223.238
Connecting to khanacademy.org|107.20.223.238|:443... connected.
WARNING: cannot verify khanacademy.org’s certificate, issued by “/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287”: Unable to locally verify the issuer’s authority. WARNING: certificate common name “*.khanacademy.org” doesn’t match requested host name “khanacademy.org”.
HTTP request sent, awaiting response... 301 Moved
Permanently Location: https://www.khanacademy.org/ [following]
https://www.khanacademy.org/ Resolving www.khanacademy.org...
72.14.249.132 Connecting to www.khanacademy.org|72.14.249.132|:443... connected.
whois 107.20.223.238
OrgName: Amazon.com, Inc.
OrgId: AMAZO-4
Address: Amazon Web Services, Elastic Compute Cloud, EC2
As of 12 April 2014 it looks like Google makes some progress and now allows mapping of non Google Apps domains (seeissue 8517), although SSL appears not to work for that method yet (see issue 10794 for tracking that).
Best free SSL redirect service I found was CloudFlare. To get it working:
Add your domain and switch your name servers to CloudFlare (signup process walks you through it)
Once added goto CloudFlare Settings and down to SSL. Change the setting to 'Full SSL (Strict)' this requires you to have a valid cert on the subdomain your redirecting to (SNI works fine).
Go back to your websites list, select the domain again and on the options goto page rules. Add a 'Forwarding' rule that redirects https://yourdomain.com/* to https://www.yourdomain.com/$1 (replace www with any subdomain), make sure the redirect is set to 301.
Save your settings and sit back and wait for everything to propagate.
Done. Free and secure SSL redirection for your naked domain.
I had to switch my domain management and nameservers from GoDaddy(G-Suite) to Cloudflare to solve this naked domain redirect issue. I followed Parkers instructions and used the free Cloudflare account and it worked after I turned the redirect rule off and then back on. I switch back from Full(strict) to Full because you now need to pay to upload your own SSL certificate. I am ok with the shared universal SSL certificate from Cloudflare for the time being.
GAE doesn't officially support naked domains. What you're seeing is a limitation of GAE, you're not doing anything wrong. https://developers.google.com/appengine/kb/general#naked_domain
Apparently naked domain redirect on HTTPS is not supported. There is no mentioning of this in official docs. If you look at support docs you see in screenshots that naked redirect specifically states http://.
Judging from Google Groups threads, SSL naked domain redirect is not possible: here, here.

silverlight accept invalid certificate

I'm doing https web requests in silverlight using "WebRequest"/"WebResponse" framework classes.
Problem is: I do a request to an url like: https://12.34.56.78
I receive back a versign signed certificate which has as subject a domain name like: www.mydomain.com.
Hence this results in a remote certificate mismatch error.
First question: Can I somehow accept the invalid certificate, and get the WebBresponse content ? (even if it involves using other libraries, I'm open to it)
Additional details: (for those interested on why I need this scenario)
I'm trying to give a client access to a silverlight app deployed on a test server.
Client accesses the silverlight app at: www.mydomain.com/app
Then I do some rest requests to: https://xx.mydomain.com
Problem is I don't want to do requests on https://xx.mydomain.com, since that is on our productive server. For this reason I use https://12.34.56.78 instead of https://xx.mydomain.com.
Client has some firewalls/proxies and if I simply change his hosts file and map https://xx.mydomain.com to 12.34.56.78, web requests don't resolve to the mapped IP.
I say this because on his network webrequests fail if I try that, on my network I can use the hosts changing without problems.
UPDATE: Fixed the problem by deploying test releases to an alternative: https://yy.domain.com and allowing the user to configure for test purposes, the base url to which I do requests to be: https://yy.domain.com.
Using an certificate that contained the IP in the subject or an alternative subject would've probably worked too, but would have cost some money to be issued by a certified provider and would not be so good because IP's might change.
After doing more research looks like Microsoft won't add this feature too soon, unless there's a scenario for non-testing/debugging uses.
See: http://connect.microsoft.com/VisualStudio/feedback/details/368047/add-system-net-servicepointmanager-servercertificatevalidationcallback-property

Resources