SSL Error using custom domain with Google App Engine - google-app-engine

I followed the steps detailed here to use a custom domain with google app engine.
I'm the admin of the Google Apps account
I'm the owner of the Google App Engine account
I've added the domain to my Google Apps account through my App Engine account
I see my App Engine app in my Google Apps account
I set the CNAME "test" to point to ghs.googlehosted.com
I added the web address under my Google Apps account and it says "Your users can access my-app-id at: test.mydomain.com
Now when I go to http://test.mydomain.com, it redirects to https://test.mydomain.com and I get an SSL connection error (Unable to make a secure connection to the server.)
I called Google Apps customer support because I have a paid business account, but the customer service guy said that this falls under App Engine support and he was not trained in this issue.
Help!

If you've done everything correctly, you should be able to access your site at http://test.mydomain.com. It sounds from the error you're getting that you're attempting to access it at https://test.mydomain.com (https as opposed to http).
If you want to access your app over SSL at your custom domain, you have more setup to do, as documented here: SSL for a Custom Domain. The steps necessary are many and subject to change; that link is the official source of current information on the matter.
Update: From your updated information, it sounds like you may have secure: always set in your app.yaml, or the Java-configuration equivalent of this setting. It would be helpful if you posted your configuration file.

Also note that it takes several minutes for Google to add a certificate on a domain you recently imported (it may require time for DNS configuration to spread). I personally didn't need to add any secure: configuration, it just worked after some time.

Related

Google App Engine - Static IP Address - Route Domain Name

I am running a flask application on Google App Engine Standard.
I have not found a resource which states that Google App Engine provides a static IP address. I am trying to route my domain name, let's call it 'mydomain.com' to hit the google app engine endpoint, which Goole provides as something similar to https://my-appengine-name.appspot.com/
I have verified the domain with Google and selected it as a custom domain.
If https://my-appengine-name.appspot.com/ was a numerical IP address I could simply route my domain i.e. 'mydomain.com' to the numerical IP address in the A name record. However, as from what I understand app engine has dynamic IP addresses for APP engine and so this is not possible.
What are my options here to route 'mydomain.com' to Google's App Engine domain: 'https://myappenginename.appspot.com/
' then?
In addition of John comment, if you choose the root domain of your service (in the example, my own domain gblaquiere.dev, a list of IPs (and 1 CNAME) is provided and you have to update your registrar with them
If you absolutely want only one IP to register, you can create an HTTPS Load balancer in front of App Engine and create a serverless NEG backend
Although #guillaume posted correctly above I just wanted to reiterate the steps explicitly. Generally someone asking such a question is a newbie to GCloud and it helps to have explicit steps.
At the App engine dashboard click on settings.
From the settings, click on ADD Custom Domain
To add a domain you needed to verify your domain with Google already, either through adding a TXT record or another method offered by Google (if you haven't registered your domain with Google). This verification can happen almost immediately with Registrars like namecheap.com or name.com (as per my experience)
Then go back to this custom domains area in the Google App Engine console and you will be provided with a list of verified domain you can select to route to your App Engine.
Once you have done this Google will provide you with a series of A, AAAA and a CNAMe record which you will need to update at your Registrar, generally in the advanced DNS settings.
This should definitely be sufficient. I think my struggle resulted due to a problem with my deployed app which I misdiagnosed as a problem with the DNS routing. Thanks for the previous responses which assisted me.

How to restrict access to GAE Flexible site only for GSuite account?

How to restrict access to GAE Flexible site only for all account from my domain in GSuite and eventually other Google accounts that I provide explicitely. AFAIR there where something simillar in Standard GAE version in app.yaml handlers section.
So my scenario:
prodution versions restricted until go-live
dev and stage version restricted permanently
I would like to do this on the IAM level, to reject traffic to the site. But I didn't found anything in docs.
Ok, after rethink the problem and dig deeper in a documentation I found a page about dev environment - https://cloud.google.com/appengine/docs/standard/python/creating-separate-dev-environments.
So my current solution is not to have separate versions like dev, stage and prod and work with them within one project, but to create separate projects for each of environment.
It will also simplify management of DBs - previous I thought about different database in one DB server for particular environment. Now I will have a separate DB instance for it.
Anyway I still have a problem with securing access.
I did it in the same way like in Restrict App Engine access to G Suite accounts on custom domain:
changed Google Authentication to my Google Suite domain
added Custom Domain in my app
added my page domain to my GSuite as a second domain
And I still can connect to my page without auth - even in "Incognito mode" and on others computers and mobiles.
EDIT:
As a workaround I used Django-lockdown module. For the timebeing is more than enough - I have a password, I have a session, I can set it in Middleware or as a decorator for urls.
EDIT 2:
I noticed today a new feature in GAE Flexible - Identity-Aware Proxy.
This is the feature, that I was searching. You can restrict accces by:
Google Account email: user#gmail.com
Google Group: admins#googlegroups.com
Service account: server#example.gserviceaccount.com
Google Apps domain: example.com

How do I enable SSL for custom domains on appengine?

How do I activate SSL for custom domains on Google Appengine?
The instructions I have read, at https://developers.google.com/appengine/docs/ssl or https://support.google.com/a/answer/2644334?hl=en , seem to refer to an old version of the admin console for Google Apps.
I looked at https://support.google.com/a/answer/2644334?hl=en , but on the current console, if I do Security > Advanced Settings > Set up SSO, there is no place where it asks for the AppEngine Application ID.
I looked at https://developers.google.com/appengine/docs/ssl . It directs me to go to the Admin Console of my App domain, and to find a Domain Settings tab and then go to the SSL subtab. There is no Domain Settings tab, however, and the "Domains" tab only allows me to add domains (without http / https mention).
So, how do I setup SSL for my appengine app that uses a custom domain?
Note: this question has been asked already on StackOverflow, some years ago, but the google dashboards have changed since then, and the information I could find is no longer relevant.
Ok, so that other people can avoid wasting as much time as I did.
When you go to the admin console for your domain, you need to click on Security, but NOT on Advanced settings. Rather, pay attention to the small "Show more" below the other options. If you click that, "SSL for Custom Domains" will magically appear.
No thanks to Google for this horrible user interface.
Hallelujah to Luca. I've wasted a day on this. I had already added the custom domain in the GAE app engine console and was getting the cryptic "We are unable to process your request at this time. Please try again later. (Error #1000)" message.
I wasn't able to assign the certificate to my custom domain. The custom domain wouldn't show in the list in the GAE Security Settings (custom domain) until after removing the custom domain from the GAE console.
AppEngine Introducing managed SSL for Google App Engine for customs domains and it will be got activated automatically, for already added domains please remove it and add once again
More Information-
https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html
https://cloud.google.com/appengine/docs/standard/python/securing-custom-domains-with-ssl

Why does adding a second domain for my appengine application result in an Invalid Domain error?

I have an appengine app hosted on mylongdomain.net
I have added a second domain to my google apps account, it's a short Palestine domain: short.ps
When I try to use the admin console to add this domain to the list of URLs for my appengine app (in admin console->more controls->App engine apps->my app name under "Add new URL") I am able to select short.ps from the dropdown list of domains. However, when I try to add it as http://www.short.ps, I am unable to do so. I get the error "Invalid Domain".
My domain is verified and the CNAME record is correctly pointed to GHS.GOOGLEHOSTED.COM.
Does anyone know why I am getting Invalid Domain error and what I can do to fix it?
Thanks in advance!
This appears to be a bug in the Admin console. Apps support was completely unhelpful: "we don't support the app engine apps part of the admin console".
However, setting up a second google apps account for domain short.ps and also adding the appengine app to that account seems to have done the trick.
Google Apps Secondary domain currently has lot of restrictions , one of those is secondary domain are not supported in Google AppEngine, and one cannot switch primary domains too(as of now)
link to limitations for secondary domain : https://support.google.com/a/answer/182081?hl=en
the simple solution would be to add your domain as Alias to primary domain, then point it to your AppEngine app by setting appropriate CNAME, it will work (i have personally tried it)

Google App Engine - how to set up an SSL for Custom Domain

Google App Engine offers SSL for Custom Domains, but I'm not sure how to properly set it up with my app. Say I'm running myapp.appspot.com and I own myapp.com, can someone explain to me the exact steps I need to take in order to make my App Engine app serve on my .com domain?
Well, the basic process of setting up a custom domain is described here:
https://developers.google.com/appengine/docs/domain
Is there something in that article that isn't clear?
The article does delegate an important part of the process, which is setting up a Google Apps account for your domain (see "Otherwise, click Sign up for Google Apps and continue with this step." in step 3). A key part of setting that up is verifying you own the domain you're trying to set up. This requires that you make a small modification to your site, or serve a DNS TXT record. Read more about it here:
http://support.google.com/a/bin/answer.py?hl=en&answer=60216

Resources