Just updating this thread. We have added support for up to 5 chained/intermediate certificates. Users of Comodo and other CAs which require more than 2 chained/intermediate certificates can now append the CA provided bundles/intermediate certificates to their uploaded certificate.
Cheers, Cayden Meyer Product Manager, Google App Engine On 3 August 2012 18:27, Nacho Coloma <[email protected]> wrote: > Hi Cayden, > > Thanks for your reply. > > You appear to have the incorrect CNAME for your domain. This is most >> probably what is causing android browsers to fail to connect. The correct >> CNAME can be found in your Google Apps control panel. The uploading and >> configuring certificates section of the SSL for Custom Domains >> documentation <https://developers.google.com/appengine/docs/ssl> may >> prove helpful if you have any issues. >> > > Yep, I saw the change of ghs name but since neither certificate was > working we are just stopping this (with this working configuration) until > our new certificate arrives. > > We just purchased a new one with DigiCert that includes EV validation and > uses (supposedly, as far as we could check) a single intermediate authority. > > >> On the topic of intermediate certificates you should be able to download >> a single intermediate certificate from Comodo >> here<https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0>. >> Usually certificate authorities provide a bundle file which contains the >> full chain, all the certificates in the bundle are often not required. >> > > Ours is (was) a Comodo EssentialSSL. It comes with 5 CAs in the bundle, > and AFAIK most browsers require the chain up to the root CA. > > Don't worry about this, the change of certificate should fix it up. > Anyway, I would reconsider the limitation of two CAs in the PEM bundle, if > that's an option. Anyway, it's just my fault for not fully understanding > the limitations before choosing the certificate provider. Thank God for the > 15-days refund policy. > > Thanks for your support. > > >> >> On 2 August 2012 04:03, Nacho Coloma <[email protected]> wrote: >> >>> Hi, I have just configured a certificate for our own custom domain (VIP) >>> and it is working fine, but Android browsers are rejecting to connect. >>> >>> Investigating, it seems that I should include the full chain of >>> intermediate CAs to the uploaded PEM file, but that's not possible since >>> AppEngine only allows at most two certificates in the PEM file. Our Comodo >>> certificate has a chain composed of five CAs. If I try to upload the full >>> PEM file, AppEngine complains that the format is not supported. >>> >>> The working certificate can be seen at https://koliseo.com. You can >>> test it with: >>> >>> openssl s_client -showcerts -connect www.koliseo.com:443 >>> >>> Desktop browsers are OK with it, but Android (Froyo and Honeycomb) will >>> just refuse to connect. Any ideas? >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Google App Engine" group. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msg/google-appengine/-/AvvSXY6BrugJ. >>> To post to this group, send email to [email protected]. >>> To unsubscribe from this group, send email to >>> [email protected]. >>> For more options, visit this group at >>> http://groups.google.com/group/google-appengine?hl=en. >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group at >> http://groups.google.com/group/google-appengine?hl=en. >> > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
