Google announced at Google I/O 2012 (June 27-29) that GAE will now support SSL for custom domains. Yeah!!! This is something that everyone has been waiting for, and it has been among the top 5 requested GAE features for a while. Needless to say, when the zLocation team was picking our hosting platform, we made a bet that this was gonna be available some time soon. So, our wish came true and thanks to the GAE team we are very happy. However, we had to jump through a few hoops in order to get SSL working, but in the end it all worked out, so we decided to write this quick technical blog post. Hope it helps you guys, and please don’t hesitate to provide us with feedback.
Google supports two types of SSL now: SNI and VIP. You can read all about them here. We chose to go with SNI. But, we believe this article will work for people trying to configure SSL with VIP, as well.
We picked GoDaddy’s Standard SSL. Once you buy it, the cert credit will be available in GoDaddy’s “My Account” and then you can follow these instructions to request the actual cert. Pay special attention to the part where it says: “NOTE: If you do not see the credit, refresh your list by clicking Click Here in the grey bar just below the faded buttons.”
NOTE: The following has been done and tested on OS X, but we are sure it will work on any Linux distro and on a Windows command prompt with OpenSSL installed. We will assume you have OpenSSL installed (type “openssl” at the command prompt, terminal, or shell, and you will see whether you have it installed or not).
Generate the CSR (Certificate Signing Request) and the private key with this command:
openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
Go through the wizard. Pay attention to the state name: use the full name (e.g. California, not CA).
Once done, you will have two files: CSR.csr and privateKey.key.
GoDaddy will need the contents of CSR.csr for the Certificate Signing Request form text field.
Once you are done with GoDaddy, they will send you a zip file containing two files: your.domain.com.crt (your website’s SSL cert) and gd_bundle.crt (GoDaddy’s intermediate bundle cert).
Now, Google App Engine currently has no place to upload this intermediate certificate. So, it is really important to combine these two files into one. We put the contents of your.domain.com.crt into a new file and then pasted the contents of gd_bundle.crt right under it. We named the new file combined.pem. The contents of this new file will have 3 certs, something like this:
The next thing you will need to do is decrypt the contents of the privateKey.key file into a new file. We will call the new file unencryptedkey.pem. Just execute this:
openssl rsa -in privateKey.key -out unencryptedkey.pem
So, when all this is done, there are only two files we really need: combined.pem and unencryptedkey.pem.
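As an added example (not code from the original post), here is a small shell script that does the combine step and the checks we would want to run on those two files before uploading them: the cert and key really belong together, the key carries no passphrase, an intermediate is actually present, and the site cert chains up to a trusted root through the bundle. File names are the ones used above; it assumes openssl is on PATH and, for the chain check, that you have a copy of the CA’s root certificate (for GoDaddy it is in your system trust store).

```shell
#!/bin/sh
# Added example, not part of the original post: build combined.pem from the
# two files GoDaddy sends and sanity-check the result before uploading it.
# Assumes openssl is on PATH; file names are the ones used in the post.

# Concatenate the site certificate first, then the intermediate bundle.
build_combined() {   # $1=your.domain.com.crt  $2=gd_bundle.crt  $3=combined.pem
  cat "$1" "$2" > "$3"
}

# Number of certificates in a PEM file (3 for GoDaddy: leaf + 2 intermediates).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Succeeds if the private key belongs to the first certificate in the file
# (same RSA modulus); an accidental key/cert mix-up fails here.
key_matches_cert() {   # $1=certificate (or combined.pem)  $2=private key
  cert_mod=$(openssl x509 -noout -modulus -in "$1")
  key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Succeeds if the key file carries no passphrase (GAE wants an unencrypted key).
key_is_unencrypted() {
  ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds if the first (site) certificate in combined.pem chains through the
# bundled intermediates up to the trusted root given in $2.
chain_verifies() {   # $1=combined.pem  $2=trusted root certificate
  leaf=$(mktemp)
  openssl x509 -in "$1" -out "$leaf"           # extracts only the first cert
  openssl verify -CAfile "$2" -untrusted "$1" "$leaf" >/dev/null 2>&1
  rc=$?
  rm -f "$leaf"
  return $rc
}

# Run all checks; prints a one-line verdict and returns non-zero on failure.
check_bundle() {   # $1=combined.pem  $2=unencryptedkey.pem  $3=trusted root
  [ "$(count_certs "$1")" -ge 2 ] || { echo "no intermediate in $1"; return 1; }
  key_matches_cert "$1" "$2"      || { echo "key does not match cert"; return 1; }
  key_is_unencrypted "$2"         || { echo "key is still encrypted"; return 1; }
  chain_verifies "$1" "$3"        || { echo "chain does not verify"; return 1; }
  echo "combined.pem and key look good"
}
```

A failing chain check here is the same condition the mobile “Cannot Verify Server Identity” prompt below reports, so it is worth running before you upload rather than after.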
Assuming that you have enabled billing and activated the SSL support for your GAE application, look at this screen, hit the “Upload a new certificate” button and upload combined.pem (PEM encoded X.509 certificate) and unencryptedkey.pem (Unencrypted PEM encoded RSA private key).
You should be done at this point, but to make sure everything is running properly use this site to verify your configuration. Everything should check out, and you should not have any errors. Pay special attention to the Intermediate Certificate Bundle (or Chaining, as many call it). Again, if there are no errors you are good to go and it should say:
SSL Certificate is correctly installed
Make sure to test your HTTPS site on mobile devices. If the Intermediate Certificate Bundle is not installed then your iPhone users will get a prompt saying:
Cannot Verify Server Identity / Safari cannot verify the identity of “your.domain.com”. Would you like to continue anyway?
The prompt will look like this: