7

When I go to https://wild.rileylark.appspot.com with chrome, I get the nice "this is going great" icon. When I use firefox 4, I get the "omg, you're effed" message:

wild.rileylark.appspot.com uses an invalid security certificate.

The certificate is only valid for the following names: *.appspot.com , *.*.appspot.com , appspot.com

  1. Is this normal?
  2. Anything I can do to fix this?
Riley Lark
  • 20,660
  • 15
  • 80
  • 128
  • 1
    check this http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx – systempuntoout Apr 19 '11 at 20:57
  • But it looks like the certificate appengine is using explicitly covers both \*.appspot.com and \*.\*.appspot.com... I'm stumped! – Riley Lark Apr 19 '11 at 21:23
  • At a guess, Firefox doesn't interpret the double-wildcard address properly. :/ – Nick Johnson Apr 21 '11 at 02:29
  • By the way, "SSL access on non-appspot.com domains" is currently on GAE's on deck roadmap: http://code.google.com/appengine/docs/roadmap.html – Justin Morgan Apr 22 '11 at 22:37
  • Yeah, it's been due "EOY 2010" since MOY 2010, so I'm moving forward without any assumptions about that. The second that's available, we'll switch. Hopefully it will support wildcard SSL certs! – Riley Lark Apr 23 '11 at 00:46

3 Answers3

12

The workaround to this limitation is now described in docs: use -dot- in place of dots between your subdomain names, e.g. https://wild-dot-rileylark.appspot.com

Peter Knego
  • 79,991
  • 11
  • 123
  • 154
  • This is the simplest workaround and solves the problem instantly without any reconfiguration. At first I thought that it needs some tweaking in the yaml to activate. Thanks for the hint. – cat Apr 07 '14 at 08:09
6

So the specific condition here is that the name on the certificate is *.appspot.com, and *.*.appspot.com appears within the cert's Subject Alternate Names field.

A rejected Chrome bug covers this exact scenario. In it, the respondent indicates that this is deliberately unsupported in Chrome, points to Firefox source code suggesting the same, and asserts that both are following the IETF's recommended implementation of RFC 2818.

Drew Sears
  • 12,812
  • 1
  • 32
  • 41
1

Please note that in April of 2013, Google stopped issuing SSL certificates for double-wildcard domains hosted at appspot.com (i.e. ..appspot.com). If you rely on such URLs for HTTPS access to your application, please change any application logic to use "-dot-" instead of ".". For example, to access version "1" of application "myapp" use "https://1-dot-myapp.appspot.com" instead of "https://1.myapp.appspot.com." If you continue to use "https://1.myapp.appspot.com" the certificate will not match, which will result in an error for any User-Agent that expects the URL and certificate to match exactly.

Ref: https://cloud.google.com/appengine/docs/python/modules/

Khalid
  • 664
  • 7
  • 16