SSL on Google App Engine trusted for Certificate - google-app-engine

I have created a self-signed certificate and of course my website works with https, but it is not trusted.
What do I have to do to create a certificate for Google App Engine?

You need to buy a certificate from a trusted certificate provider. You might want to have a read of this: http://en.wikipedia.org/wiki/Certificate_authority#Providers
Or search for something like "Certificate Providers" on your favorite search engine.

I made it, but how: first of all, you need a trusted certificate.
You will get the warning in the browser ... and if you organized a
cheap certificate you will end up buying a more expensive one, as you
will find out that on e.g. an Android device it is not trusted. And
Google will help with a bot warning: Googlebot noticed your site,
https://www.abc.com/, uses an SSL certificate which may be considered
invalid by web browsers ... To correct this problem, please get a new
SSL certificate from a Certificate Authority (CA) that is trusted by
web browsers.
I tried one for 19€ and I am ending up with the untrusted message on Android and the Googlebot message as above. It would be great to implement a certificate procedure that leads to a really trusted and not too expensive certificate in the Google Apps SSL tab.

SSL on your domain will not work for pre-Honeycomb android if you use SNI:
https://developers.google.com/appengine/docs/ssl

Disclaimer: I own this site
I found setting up SSL for App Engine more difficult than it should be so I made a service specifically designed for App Engine to make it better: https://www.volcanicpixels.com/ssl/

Installing SSL on App Engine was super difficult to figure out.
For me it was difficult because Google asked me for two pieces of information and I had no idea how to reconcile that with what my SSL provider had given me.
The key information for me was that:
The PEM encoded X.509 certificate is what your certificate issuer probably sent you in an e-mail (mine just sent the text to me, didn't even have a file extension, I think this is normally the .csr file, but I'm not sure)
The Unencrypted PEM encoded RSA private key is your .key file after you run this command on it: `openssl rsa -in domain.key -out domain.pem`
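
A pre-upload check for the two fields described in the answer above, added here as an example and not code from the original posts: it reads the PEM labels to tell a certificate from a CSR and an unencrypted RSA key from a passphrase-protected one. The function names and sample blocks are constructed for illustration (the bodies are placeholder bytes, not real certificates or keys), and it assumes the key field wants the traditional `RSA PRIVATE KEY` label, following the answer's wording.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KINDS = {
    "CERTIFICATE": "certificate",
    "CERTIFICATE REQUEST": "csr",          # what you send to the CA, not what it returns
    "RSA PRIVATE KEY": "rsa-key",          # traditional (PKCS#1) form
    "PRIVATE KEY": "pkcs8-key",            # unencrypted PKCS#8
    "ENCRYPTED PRIVATE KEY": "encrypted-key",
}

def classify_pem(text):
    """Return one kind string per PEM block found in text."""
    kinds = []
    for label, inner in PEM_RE.findall(text):
        kind = KINDS.get(label, "unknown")
        lines = [l.strip() for l in inner.strip().splitlines()]
        # A passphrase-protected legacy key keeps the RSA label but adds headers.
        if kind == "rsa-key" and "Proc-Type: 4,ENCRYPTED" in lines:
            kind = "encrypted-key"
        body = "".join(l for l in lines if ":" not in l)
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            der = b""
        if not der.startswith(b"\x30"):     # every DER object here is a SEQUENCE
            kind = "corrupt"
        kinds.append(kind)
    return kinds

def check_upload(cert_text, key_text):
    """List problems with the two fields (assumed: key must be 'RSA PRIVATE KEY')."""
    problems = []
    for field, text, wanted in (("certificate", cert_text, "certificate"),
                                ("key", key_text, "rsa-key")):
        kinds = classify_pem(text) or ["no PEM block"]
        wrong = [k for k in kinds if k != wanted]
        if wrong:
            problems.append("%s field holds %s" % (field, wrong[0]))
    return problems

def _pem(label, headers=""):
    """Constructed sample block: placeholder bytes, not a real certificate or key."""
    body = base64.b64encode(b"\x30\x82" + bytes(60)).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)
CERT, CSR, KEY = _pem("CERTIFICATE"), _pem("CERTIFICATE REQUEST"), _pem("RSA PRIVATE KEY")
ENC_KEY = _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
```

An empty list from `check_upload` means both fields carry the expected kind of PEM block; it does not verify that the key actually belongs to the certificate.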

Related

Is there a way to install a root ca on Google Appengine

I have a Python application running on Google App Engine SE.
Now, some servers expect a certain root CA to be installed on this application.
I have found information about the list of root CAs supported by GCP, as below.
https://pki.goog/repository/
The desired CA was not found in the list and should be used by the application at the SSL handshake somehow.
I would like to ask 2 questions.
Is there any way to set a root CA or extend the list on Google App Engine SE?
Should I set a path or an environment variable to a certificate file, referred to by the certifi module, in the source code?
To answer your questions,
The list of supported Root CAs you've mentioned pertains to Google-managed SSL certificates. Since your desired CA is not on the list, you'll need to provision a self-managed SSL certificate. You can refer to this link for additional information.
Google App Engine is a managed platform, so configuring SSL certificates is done in the Google Cloud Console, or through Client Libraries and APIs. All you need is to upload the certificate, and App Engine will handle the rest.
Note that you'll be responsible for maintaining self-managed certificates, as well as renewing them once they expire.

SSL Certificate from GoDaddy on Google Compute Engine

I am trying to add an SSL certificate to my virtual machine instance on Google Compute Engine. I created the key file and generated a CSR file, which I copied into GoDaddy to request an SSL certificate.
I copied what they sent me and pasted it into a file named example.csr
I then ran this line in the instance:
gcloud compute ssl-certificates create certificate1 --certificate example.csr --private-key example.key
When I list my ssl-certificates I get:
NAME CREATION_TIMESTAMP
certificate1 2017-03-08T09:21:04.166-08:00
But I can't figure out why my webapp is not secure yet. When I go into my url it still says not secure.
EDIT
Source: SSL Certificates, Compute Engine Documentation
Although I've never used Google Compute Engine, I believe (after reading the documentation you linked) that you've just added the certificate, but you still need to configure it:
To use HTTPS or SSL load balancing, you must create an SslCertificate resource that can be used by your target proxy.
Note: SslCertificate resources are used only with load balancing
proxies such as a target HTTPS proxy or target SSL proxy. See that
documentation for when and how to use SslCertificate resources.
SslCertificate resources are not used on individual instances. On an
instance, install the normal SSL certificate as described in your
application documentation.
I suggest reading the links provided by the docs (above), depending on what you want to do (use an HTTPS proxy, SSL proxy or individual instance).
Short Answer:
We can't do that yet.
Medium Length Answer:
I had to actually install the SSL certificate directly on my application.

SSL not being served for AppEngine custom (sub)domain

I am migrating a site over to Google App Engine and am having trouble getting it working with SSL on a custom domain (www.example.com).
Since the site already had its email hosted via Google Apps, I did not get the same wizards that one would see when creating a new site. Also, it was created with the free tier of Google Apps, if that makes a difference.
Things I have done:
Authorized the appengine project on google apps
Enabled SSL billing (and tested that changing the daily quota affects VPI ability- they are synced)
Added SNI slot and created a self-signed certificate (for testing and ultimately CloudFlare) for www.example.com
Set to serve SNI
In apps - added www.example.com for custom domain for appengine project
In appengine- added www.example.com for settings/custom domain (note- under the "SSL Support" header here- it says "none" and there is no way to change it. which makes sense since, I think this is never actually used and apps will bypass appengine for ssl requests?)
With these settings- http://www.example.com works, however https://www.example.com does not connect at all (i.e. not an issue of invalid cert)
Note that in the appengine settings on the apps page, it says that I can access the project via https://www.example.com and https://project-name.appspot.com
In case it's relevant, I am now hosting the DNS on Cloudflare and I turn it off/on or flexible/full for testing (to minimize downtime, since clients expect to only connect to https://). Assume for the above it was simply turned off.
OK- it seems that for a self-signed certificate it is necessary to use a key in a format that wasn't working with default "how to self sign" searches :) here's what I ended up doing that worked:
openssl genrsa -out rsa_private_key.key 2048
openssl req -new -key rsa_private_key.key -out request.csr
openssl x509 -req -days 365 -in request.csr -signkey rsa_private_key.key -out yourdomain.com.crt
openssl rsa -in rsa_private_key.key -text > myserver.key.pem
Then upload the yourdomain.com.csr and myserver.key.pem

Wrong SSL certificate being served for App Engine custom domain

We have an App Engine app that hosts an internal HR/intranet system. Some, but not all, of our users are reporting that they get a security warning (see the image below). It looks like the wrong SSL certificate is being served. I installed a wildcard cert for our domain in the Google Apps cpanel, but it looks like Google's certificate is being served instead. How do I go about troubleshooting this?
If some but not all users get this warning, you might check what is so special about the users who get the warning. Do they use a specific (old?) browser, are they behind some kind of firewall, or similar things? It might be that SNI (server name indication) is an issue, but it is really hard to say from the existing information. It is not even clear what the existing certificate should be, so one cannot compare whether the host serves both, one with SNI and one without.
Apart from that, I would consider it a bad idea to host an internal HR/intranet system on the public internet.

Anyone using Full SSL for CloudFlare => GAE?

I know CloudFlare's web site says you have to use "Flexible SSL" (i.e., half SSL) with GAE, but one of their support techs I spoke to is not sure whether that statement still applies. Before I sign up, can anyone state whether they are using Full encrypted SSL with CloudFlare to a GAE app using their *.appspot.com host name?
Unless the actual server has SSL for your site, then Flexible is the correct option. Full SSL only applies when you have an actual SSL cert on your server directly.
