0

I have a GAE app set up to use a custom domain, let's call it mycustomdomain. This naked domain is working fine over HTTP and HTTPS. I also have a service called api, it can be accessed successfully by going to http://api.mycustomdomain.com (custom domain convention).

However, I can't access the api service over HTTPS. I uploaded an SSL cert for mycustomdomain.com, but I got an error (site can't be reached) when trying to access the api service over HTTPS. My question is: do I need to purchase the wildcard.mycustomdomain.com SSL in order to access the api service over HTTPS? I don't have much experience dealing with SSL certs and GAE custom domains, so any help would be greatly appreciated. Thank you!

Edit: updated information for GCP Console configurations. My app setup in the Console contains the following:

  • Services: default, api
  • Custom domain setup: mycustomdomain.com
  • SSL uploaded: ultrahdlivewallpaper.com (NOT the wildcard version), api.ultrahdlivewallpaper.com (unable to be enabled for custom domain, none matching)

More detail: The problem is when I map both ultrahdlivewallpapers.com and api.ultrahdlivewallpapers.com, they are both mapped to the default service. I want api. to point to the API service. If I only map ultrahdlivewallpapers.com, that allows me to access api service at the api subdomain, but then the api SSL can't be applied to api. subdomain because it's not listed as a subdomain.

See screenshot here

07/24/17 Update: I believe this is a limitation with the App Engine Settings after trying out several scenarios via GAE Console. We have a custom domain set up for ultrahdlivewallpapers.com and enabled the SSL cert for this domain. The domain is pointing to the default service. We have a second service set up called API. Google's routing rules for any service set up is via HTTP:// service-id.custom-domain, which in our case is api.ultrahdlivewallpapers.com. However, when I upload the SSL for the api subdomain, Console couldn't find matching domains because the api subdomain is not specified via the Console. Now if I set up api.ultrahdlivewallpapers.com as a custom domain, I'm able to enable the SSL for api subdomain. Problem then becomes api subdomain is now pointing to the default service instead of the api service. If I remove the api mapping, I'm able to browse to the api service again, but no HTTPS! I don't believe there is a way to get this set up correctly without a wildcard SSL enabled for all subdomains. Please let me know if I'm missing anything. I have tried everything I can think of via the Console. Thanks.

Ben Z.
  • I searched through many SO posts regarding the custom domain access over HTTPS. My question in particular is regarding how to set up the app service with a custom domain over HTTPS. Interestingly enough, Google's own documentation doesn't even discuss this scenario. I just want to get some clarification before buying the wildcard SSL for *.mycustomdomain.com – Ben Z. Jul 22 '17 at 03:31
  • Hey, did you make it work? I was having the same problem. – Kharoud Jan 23 '18 at 16:20

2 Answers

1

You don't necessarily need a "wildcard" cert, per se. But, you do need to get a cert that covers all the subdomains. For example:

mycustomdomain.com
www.mycustomdomain.com
api.mycustomdomain.com

It's a standard solution, and not difficult to do. Certbot (Let's Encrypt) makes it easy.

GAEfan
  • Thanks for your help. I actually purchased two separate SSL, one for mycustomdomain.com, the other for api.mycustomdomain.com. Unfortunately, for the api.mycustomdomain.com SSL, GCP Console doesn't allow me to map it to the api subdomain directly, it says "No matching domains". I think I need to get a single SSL for both mycustomdomain.com and api.mycustomdomain.com. Hopefully this will work. Will try it first thing tomorrow. Thank you! – Ben Z. Jul 23 '17 at 15:08
0

If you choose to get a wildcard certificate, installation is pretty straightforward:

  1. You upload the certificate in the developer console (in App Engine -> Settings -> SSL Certificates -> Upload a new certificate). May require a bit of effort, see also Google App Engine SSL with Let's Encrypt "could not be inserted".

  2. Once it's visible in the certificate table you can click on its name and you'll end up in the certificate edit screen where you can select which custom (sub)domains it applies to (from the list of all custom domains mapped in the app), looks like this:

enter image description here

Note: these are the corresponding custom domain mappings:

enter image description here

  3. If you have another app (under the same admin account) which is also mapped to subdomains of the same domain you can activate the certificate on it as well in a similar manner (the console automatically shows the certificate in the list when you switch apps, no need to upload it again).
Dan Cornilescu
  • Thanks for your comment. I have a question about step #2 screenshot. When I upload my SSL for mycustomdomain.com, I only see mycustomdomain.com and www.mycustomdomain.com. Why do I not see api.mycustomdomain.com? Is that because of the SSL? I have a separate SSL for api.mycustomdomain.com. But when I uploaded it, it showed "No matching domain", so I can't enable it for the subdomain api. like shown in your screenshot. Thanks! – Ben Z. Jul 23 '17 at 15:22
  • You need to update your Q with developer console info about your app: services, custom domains and SSL configs. – Dan Cornilescu Jul 23 '17 at 22:30
  • I updated my Q with configuration info. Can you please explain how you are able to "Enable SSL" for the three custom domains? Is that info contained in the SSL cert or something you had set up in the Console? My api.customdomain.com cert doesn't show any matching domains, so I can't enable it for my API service. – Ben Z. Jul 23 '17 at 23:23
  • OK, can you include snapshots of the respective developer console screens? I can't figure out what you have there from your description - how is `api.ultrahdlivewallpaper.com` supposed to work when it's not listed in your custom domains setup? – Dan Cornilescu Jul 24 '17 at 03:04
  • Are your services working with HTTP on the custom domains? Are they working with HTTPS on `appspot.com`? Typically after you have a yes to both these questions you should be looking at getting HTTPS working on the custom domain. – Dan Cornilescu Jul 24 '17 at 03:06
  • Yes and yes. The problem I'm trying to solve is getting HTTPS working for my custom domain, which is api.ultradhdlivewallpapers.com. I upload an SSL cert for that subdomain, but it shows "No matching domain" to enable the SSL for. My custom domain is ultrahdlivewallpapers.com. I can't set up api.ultrahdlivewallpapers.com as another custom domain because then both URLs point to the default service. I want api. to point to the api service, but can't get HTTPS working. – Ben Z. Jul 24 '17 at 12:21
  • Something's not right in your custom domain mapping. I suggest clearing that up first - maybe as one or more separate posts, this one is getting way too complicated. In general tweaking the original question to ask another one is a bad idea. And a piece of advice - try to show the actual info from the console, don't story-tell it. – Dan Cornilescu Jul 24 '17 at 15:20
  • BTW, you may have a typo somewhere, `api.ultradhdlivewallpapers.com` is not a valid domain. – Dan Cornilescu Jul 24 '17 at 15:21
  • Maybe `api.ultrahdlivewallpapers.com`? If so you have a suspect `104.198.201.144` address mapping in there... – Dan Cornilescu Jul 24 '17 at 15:21
  • You're right. I will create a new post to ask the new question. Thank you for your help thus far. – Ben Z. Jul 24 '17 at 17:25
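
The two points made in the answers above (a certificate must name every hostname it is served on, and a certificate can only be enabled for custom domains that are actually mapped in the app) can be checked before uploading anything. This is an added example, not code from the thread or from Google; the certificate name lists are constructed sample data, and the "enableable" rule is modelled on the console behaviour described in this thread.

```python
# Added example: which hostnames does a certificate's name list cover?
# All certificate name lists below are constructed sample data.

def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Refuse overly broad wildcards such as '*.com'.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def enableable_domains(cert_names, mapped_domains):
    """Mapped custom domains that at least one certificate name covers
    (assumed model of the console's 'matching domains' list)."""
    return [d for d in mapped_domains
            if any(name_matches(n, d) for n in cert_names)]


def uncovered(cert_names, wanted_hosts):
    """Hosts a client would reject with this certificate (name mismatch)."""
    return [h for h in wanted_hosts
            if not any(name_matches(n, h) for n in cert_names)]


WANTED = ["mycustomdomain.com", "www.mycustomdomain.com", "api.mycustomdomain.com"]

CERTS = {
    "naked only": ["mycustomdomain.com", "www.mycustomdomain.com"],
    "api only": ["api.mycustomdomain.com"],
    "multi-name (SAN)": list(WANTED),
    "wildcard": ["*.mycustomdomain.com"],
    "wildcard + apex": ["*.mycustomdomain.com", "mycustomdomain.com"],
}

if __name__ == "__main__":
    # Situation from the question: api.* is not among the mapped domains.
    mapped = ["mycustomdomain.com", "www.mycustomdomain.com"]
    for label, names in CERTS.items():
        print(f"{label:18} enableable={enableable_domains(names, mapped)} "
              f"uncovered={uncovered(names, WANTED)}")
```

Note that a bare wildcard covers `api.` and `www.` but not the naked domain, so a wildcard certificate needs the apex listed as an additional name.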