Managed SSL for Google App Engine (opens in new tab)

(cloudplatform.googleblog.com)

162 pointslklig8y ago51 comments

51 comments

This is welcome news. This means I no longer have to track and manually renew my Let's Encrypt certificates for my websites.

I also see it as a way to incentivize folks to use GAE (not only are you getting free quotas to run your app, you also don't have to spend money to buy certificates and don't have to worry about installing or renewing them).

Finally, I also see it as another way of pushing for the uptake of SSL. With GAE doing this, other hosting services might also start offering something similar or close to it which would then beg the question - why is your site not using SSL.

daave8y ago

Agreed this is super-exciting.

Hope they add the same functionality for Google Cloud HTTPS Load Balancers soon as well.

mchristen8y ago

AWS has been offering free SSL certs for a year now, happy to see Google following their lead.

1 more reply

hw8y ago

> Finally, I also see it as another way of pushing for the uptake of SSL. With GAE doing this, other hosting services might also start offering something similar or close to it which would then beg the question - why is your site not using SSL.

Good question. Everybody should be on SSL. It isn't just hosting services that should offer something similar, but SaaSes too that provide SSL on custom domains for their customers. They usually don't get around to securing those custom domains due to the pain and inconvenience and maintenance.

There are platforms out there like Clearalias and Cloudfront that help with making that a breeze though, so I don't see why it would be an issue going forward.

Hopefully with Google and browsers punishing non-SSL sites more, there'll be more sites behind an SSL cert.

joshribakoff8y ago

The whole premise behind letsencrypt is the ACME protocol, so you don't have to manually renew certs [although you can]. The problem is in handling SSL renewals on a cluster, you have to do renewals via DNS & rsync certs around, and there's not many tools to do this. But for a single server, its very easy to automate. Another problem with letsencrypt is the rate limits & such.

bckygldstn8y ago

Google App Engine only a few weeks ago released an API for managing certificates. Before that, the only way to add or update a certificate was to manually paste the key into a web form.

andy_ppp8y ago

If using docker you can mount a volume to your let’s encrypt certs on all your frontend servers.

paulddraper8y ago

Been using AWS's certificate management.

It is _so_ nice not to (1) manage the certs with your own infrastructure (2) automatically deploy these things to HAProxy, Apache, MySQL, random server X.

Automated load balancing + cert management is heaven.

kuschku8y ago

I'm using kubernetes with kube-lego, and my experience is exactly the same.

Automating all routing, API gateways, TLS termination and certificate management makes life so much easier.

_asummers8y ago

My hope is that this makes kube-lego unnecessary for kubernetes! Being able to get a cluster spun up with TLS by default would be amazing.

jfoster8y ago

I've tried it and get "Failed to activate certificates" errors.

StevePerkins8y ago

I was in the preview/alpha/whatever group. Never could get cert creation to work through the console UI, but it worked fine when using the gcloud SDK from the command-line.

thedevil8y ago

Me too. If anyone figures this out, I'd love to hear more.

lkligOP8y ago

Hello from the App Engine team. Could you double check that your DNS records are accurate? Everything is looking good on our end. Thanks for the feedback!

5 more replies

ohstopitu8y ago

This is great news.

I love app engine but one of the biggest issues I've had with it is the fact that memcached and search are not available for anything but app engine standard - python (2.7).

Providing access to both via app engine flexible would be god sent!

benguild8y ago

We use memcache but it’s really unreliable. I recommend rolling your own anyway.

Also I think there is an alpha for flex?

OzzyB8y ago

This is a welcomed addition that many have been patiently waiting for.

If you want to see the progress here's the relevant ticket[0] -- nice to see it finally closed!

Not privy to the final implementation details but my guess it's a based on Let's Encrypt as suggested by the originator of the ticket and others.

Edit: Yeah, probably not Let's Encrypt as others have stated.

[0] https://issuetracker.google.com/issues/35900034

ngrilly8y ago

I guess it's based on Google's own Certificate Authority, instead of Let's Encrypt, according to this:

https://security.googleblog.com/2017/01/the-foundation-of-mo...

ngrilly8y ago

For the record, I guessed wrong. I enabled the feature and checked the certificate: it's based on Let's Encrypt ;-)

nyrikki8y ago

It is Let's Encrypt, I just converted my test project so that I could kill the Jenkins job to update the Cert.

  Issued By
    Common Name (CN)	Let's Encrypt Authority X3

darshan8y ago

I turned this on today via gcloud, and the certificate I was issued is from Let's Encrypt.

iancarroll8y ago

Google purchased its own root CA from GlobalSign, so I’d assume it’s coming from there instead.

zackify8y ago

Any plans to add this to storage buckets?

syntaxgoonoo8y ago

When will Azure do the same?

partiallypro8y ago

They do offer it for webapps using Lets Encrypt, but nothing else afaik. But I look forward to it being added, it is definitely needed. Even setting up the Let's Encrypt to auto renew is a very tedious process.

bmizerany8y ago

Hello from Backplane. You can get this on Azure today using https://www.backplane.io with end-to-end encryption to your backends plus a huge chest of other routing and security features. It's free to start. I'm blake at backplane dot io

kennethh8y ago

Is this both for App Engine standard or flexible environment also?

lkligOP8y ago

Both environments are supported!

le-mark8y ago

Is this basically just SNI for GAE? Or did they already have that?

StevePerkins8y ago

It's basically invisible automation for creating and renewing LetEncrypt certs on App Engine.

The traditional process for installing a custom domain SSL cert on App Engine was very clunky. Involved running OpenSSL commands, cut-n-pasting PEM data, etc. If you were using LetsEncrypt, then it was more or less impossible to automate... you had to go through a tedious manual process every 3 months (including updating your app, to respond to the LetsEncrypt verification endpoint!).

iamgopal8y ago

I think they do not use letsencrypt . They use thier own SSL, since they are now licencing authority.

Edit: I am wrong. They use letsencrypt.

1 more reply

AnssiH8y ago

They did already have that.

This is fully automatic SSL management for your own domains that point to Google App Engine, with certs managed by Google.

Previously you had to use your own certs and manually upload them through the UI (or via the beta API, which is also now in general availability).

edit: managed, not provided, the certs are actually Let's Encrypt

nivertech8y ago

Can this be used with load balancers on GCE?

joshribakoff8y ago

I feel like Google isn't exactly the best place to get your SSL, given their track record with the NSA.

iancarroll8y ago

If you are using App Engine, Google is terminating the TLS connection regardless...

joshribakoff8y ago

Right... Which is all the more reason not to let them issue your SSL cert, or terminate your SSL for that matter.

1 more reply

sofaofthedamned8y ago

Really?

j / k navigate · click thread line to collapse

51 comments

NearAP8y ago

This is welcome news. This means I no longer have to track and manually renew my Let's Encrypt certificates for my websites.

daave8y ago

Agreed this is super-exciting.

Hope they add the same functionality for Google Cloud HTTPS Load Balancers soon as well.

mchristen8y ago

AWS has been offering free SSL certs for a year now, happy to see Google following their lead.

1 more reply

hw8y ago

There are platforms out there like Clearalias and Cloudfront that help with making that a breeze though, so I don't see why it would be an issue going forward.

Hopefully with Google and browsers punishing non-SSL sites more, there'll be more sites behind an SSL cert.

joshribakoff8y ago

bckygldstn8y ago

Google App Engine only a few weeks ago released an API for managing certificates. Before that, the only way to add or update a certificate was to manually paste the key into a web form.

andy_ppp8y ago

If using docker you can mount a volume to your let’s encrypt certs on all your frontend servers.

paulddraper8y ago

Been using AWS's certificate management.

It is _so_ nice not to (1) manage the certs with your own infrastructure (2) automatically deploy these things to HAProxy, Apache, MySQL, random server X.

Automated load balancing + cert management is heaven.

kuschku8y ago

I'm using kubernetes with kube-lego, and my experience is exactly the same.

Automating all routing, API gateways, TLS termination and certificate management makes life so much easier.

_asummers8y ago

My hope is that this makes kube-lego unnecessary for kubernetes! Being able to get a cluster spun up with TLS by default would be amazing.

jfoster8y ago

I've tried it and get "Failed to activate certificates" errors.

StevePerkins8y ago

I was in the preview/alpha/whatever group. Never could get cert creation to work through the console UI, but it worked fine when using the gcloud SDK from the command-line.

thedevil8y ago

Me too. If anyone figures this out, I'd love to hear more.

lkligOP8y ago

Hello from the App Engine team. Could you double check that your DNS records are accurate? Everything is looking good on our end. Thanks for the feedback!

5 more replies

ohstopitu8y ago

This is great news.

I love app engine but one of the biggest issues I've had with it is the fact that memcached and search are not available for anything but app engine standard - python (2.7).

Providing access to both via app engine flexible would be god sent!

benguild8y ago

We use memcache but it’s really unreliable. I recommend rolling your own anyway.

Also I think there is an alpha for flex?

OzzyB8y ago

This is a welcomed addition that many have been patiently waiting for.

If you want to see the progress here's the relevant ticket[0] -- nice to see it finally closed!

Not privy to the final implementation details but my guess it's a based on Let's Encrypt as suggested by the originator of the ticket and others.

Edit: Yeah, probably not Let's Encrypt as others have stated.

[0] https://issuetracker.google.com/issues/35900034

ngrilly8y ago

I guess it's based on Google's own Certificate Authority, instead of Let's Encrypt, according to this:

https://security.googleblog.com/2017/01/the-foundation-of-mo...

ngrilly8y ago

For the record, I guessed wrong. I enabled the feature and checked the certificate: it's based on Let's Encrypt ;-)

nyrikki8y ago

It is Let's Encrypt, I just converted my test project so that I could kill the Jenkins job to update the Cert.

  Issued By
    Common Name (CN)	Let's Encrypt Authority X3

darshan8y ago

I turned this on today via gcloud, and the certificate I was issued is from Let's Encrypt.

iancarroll8y ago

Google purchased its own root CA from GlobalSign, so I’d assume it’s coming from there instead.

zackify8y ago

Any plans to add this to storage buckets?

syntaxgoonoo8y ago

When will Azure do the same?

partiallypro8y ago

bmizerany8y ago

kennethh8y ago

Is this both for App Engine standard or flexible environment also?

lkligOP8y ago

Both environments are supported!

le-mark8y ago

Is this basically just SNI for GAE? Or did they already have that?

StevePerkins8y ago

It's basically invisible automation for creating and renewing LetEncrypt certs on App Engine.

iamgopal8y ago

I think they do not use letsencrypt . They use thier own SSL, since they are now licencing authority.

Edit: I am wrong. They use letsencrypt.

1 more reply

AnssiH8y ago

They did already have that.

This is fully automatic SSL management for your own domains that point to Google App Engine, with certs managed by Google.

Previously you had to use your own certs and manually upload them through the UI (or via the beta API, which is also now in general availability).

edit: managed, not provided, the certs are actually Let's Encrypt

nivertech8y ago

Can this be used with load balancers on GCE?

joshribakoff8y ago

I feel like Google isn't exactly the best place to get your SSL, given their track record with the NSA.

iancarroll8y ago

If you are using App Engine, Google is terminating the TLS connection regardless...

joshribakoff8y ago

Right... Which is all the more reason not to let them issue your SSL cert, or terminate your SSL for that matter.

1 more reply

sofaofthedamned8y ago

Really?

j / k navigate · click thread line to collapse