Is it possible to use Extended Validation SSL-Certificate with Google App Engine for a custom domain?
Edit 1:
I didn't find EV-cert in the list of supported certs:
https://developers.google.com/appengine/docs/ssl#certificate_requirements
Afaik, EV certs are technically no different than normal certs, so servers should have no problems using them. OTOH, here are certificate requirements for use on GAE.
By default, specific versions of an App Engine app are routed by URLs like https://[VERSION_ID]-dot-[SERVICE_ID]-dot-[MY_PROJECT_ID].appspot.com.
Is there any way to have something similar with a custom domain?
I currently have a subdomain mapping for my app configured with a CNAME DNS record pointing to ghs.googlehosted.com (my "naked" domain is not served by App Engine). This allows serving the default version of my app from that subdomain, but I also want to be able to test new versions of the app using my domain (for various reasons such as sharing cookies, etc.)
For example, let's say my domain is typeracer.com and my custom domain mapping in App Engine is data.typeracer.com: I want to be able to access a specific version of my app at a URL like https://[VERSION_ID].data.typeracer.com. Is there any way to do this?
I've looked at the App Engine docs for adding wildcard subdomain mappings and using a dispatch.yaml. However, it looks like that would work only for routing specific services, but not specific versions of the app.
No, what you ask for exactly is not possible, as the mapping is a (sub)domain per GAE service one; you cannot select a certain version of a service in the custom domain settings screen.
Sounds like you may be attempting to implement different environments (say staging) based on service versions, which has some disadvantages; see Continuous integration/deployment/delivery on Google App Engine, too risky?
If so you can try to implement them using different services instead, which:
would allow you to map one (sub)domain per environment
you'd avoid all drawbacks mentioned in the above-mentioned Q&A
The domain naming scheme you mentioned suggests variable nesting levels, which in itself can be problematic, see Sub domain not listed in Google App Engine while enabling SSL for custom domains. Maybe try something like https://data-[VERSION_ID].typeracer.com instead of https://[VERSION_ID].data.typeracer.com?
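An added example, not part of the original answer: one reason nesting depth matters for TLS is that a wildcard certificate name stands in for exactly one DNS label (RFC 6125). The sketch below compares the two naming schemes from the answer against a constructed certificate name list; the version IDs and certificate names are assumptions made for illustration.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 check: '*' is honoured only as the complete
    left-most label and stands in for exactly one DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):          # a wildcard never spans several labels
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def covering_names(cert_names, hostname):
    """Return the certificate names that cover the given hostname."""
    return [n for n in cert_names if wildcard_matches(n, hostname)]


def check_scheme(template, version_ids, cert_names):
    """Map each per-version hostname to the certificate names covering it.
    An empty list means the certificate would need an extra name."""
    return {
        template.format(v=v): covering_names(cert_names, template.format(v=v))
        for v in version_ids
    }


# Constructed sample data (not taken from the page).
CERT_NAMES = ["typeracer.com", "*.typeracer.com"]
VERSIONS = ["v42", "20240101t1200"]

FLAT = check_scheme("data-{v}.typeracer.com", VERSIONS, CERT_NAMES)
NESTED = check_scheme("{v}.data.typeracer.com", VERSIONS, CERT_NAMES)

if __name__ == "__main__":
    for name, result in (("flat", FLAT), ("nested", NESTED)):
        for host, names in result.items():
            print(f"{name:6} {host:40} covered by {names or 'nothing'}")
```

With the flat scheme every per-version hostname is covered by `*.typeracer.com`; the nested scheme needs a separate `*.data.typeracer.com` name on the certificate.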
We are looking for an API to programmatically register new domains and upload corresponding SSL certificates for an existing Google App Engine application. Background: we would like to offer a DNS-based reverse proxy for our GAE-based service, where our customers can access our application through a domain they own. One can easily configure new domain names (SNI) manually and upload a matching SSL certificate. In order to automate the process and also limit our exposure to customer-owned SSL certificates, we would like to automate the process.
I have been browsing Google's Management API for Google App Engine (https://cloud.google.com/appengine/docs/admin-api/reference/rpc/google.appengine.v1), but could not find a way to accomplish the aforementioned functionality through that API. Does such an API exist?
Thanks,
Soeren
Currently there is no support for this.
There is a feature request for this, created on Nov 13, 2015, which also addresses Let's Encrypt support.
And there is a hint in it: somewhere in the wild there already exists an alpha for "App Engine Admin API - Custom Domains & SSL Certificates"
You can star or comment on this feature request here:
https://issuetracker.google.com/issues/35900034
It looks like this isn't supported right now. This might be because of the domain verification process; you can find out more about what serving SSL on a custom domain on App Engine looks like here.
When will SSL support for custom domain be available within the developer console, instead of having to go over to Google Apps? I read somewhere it says Q3 of 2015. But seems like people have some ways of getting that to work already. Is it a private beta feature?
Building some apps for a client and they can't get their Google Apps account to work and we already have the custom sub-domain mapped to the GAE, and just need the last piece. Help!
This is the tracking issue, indeed Q3 seems to be more likely: https://code.google.com/p/googleappengine/issues/detail?id=10794
FWIW, I detailed a bit my solution to get things working via Google Apps in this Q&A: AppEngine subdomains to modules without wildcard mapping, maybe it can help with your customer's problems in the meantime.
Google App Engine offers SSL for Custom Domains, but I'm not sure how to properly set it up with my app. Say I'm running myapp.appspot.com and I own myapp.com, can someone explain to me the exact steps I need to take in order to make my App Engine app serve on my .com domain?
Well, the basic process of setting up a custom domain is described here:
https://developers.google.com/appengine/docs/domain
Is there something in that article that isn't clear?
The article does delegate an important part of the process, which is setting up a Google Apps account for your domain (see "Otherwise, click Sign up for Google Apps and continue with this step." in step 3). A key part of setting that up is verifying you own the domain you're trying to set up. This requires that you make a small modification to your site, or serve a DNS TXT record. Read more about it here:
http://support.google.com/a/bin/answer.py?hl=en&answer=60216
Since App Engine is so locked down I assume there is no way to set up an SSL certificate to allow credit card payments. In the absence of this, how is it possible to securely handle payments in an App Engine app?
http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs says that
<ssl-enabled>true</ssl-enabled>
can be set in your appengine-web.xml file with *.appspot.com subdomains. Google had a typo in their opening tag on that page, just FYI.
For Google Apps you can't use HTTPS at all, but for appspot you can.
As far as using your own cert, you can't! For appspot, Google's cert is not signed for your web-app's specific domain so it will cause a browser pop-up, but if accepted the page will load.
As of today, App Engine supports SSL on your own domain. See:
https://developers.google.com/appengine/docs/ssl
Note that there are two options. The more expensive (VIP - $99 per month) will work with all browsers, whereas the cheaper (SNI - $9 per month) doesn't work on some variations. See here:
http://en.wikipedia.org/wiki/Server_Name_Indication#Support
You can also use e.g. Cloudflare.com to front your app and provide SSL. Currently this is HTTPS to Cloudflare and then normal HTTP to App Engine. This will protect from any drive-by hacks but would be possible to intercept should an attacker somehow get between CF and GAE. This technique is described here:
http://blorn.com/post/20185054195/ssl-for-your-domain-on-google-app-engine