Bit late, but hopefully this helps whoever comes across this issue. Detailed answer below.
TL;DR: Non-wildcard SAN certificates are not supported by GAE. This is a known issue. You need a wildcard certificate. A workaround is to use a dispatch file.

*Adam*: Yes, plain HTTP requests work. Regarding ServerFault, I eventually sufficiently mangled my question so that it would pass the spam check. Got a response from Nicholas a few months in (late Dec 2016). Did not have time to respond to him then. Now the question is marked as abandoned by ServerFault and I can't respond to it. This is rather terrible. Anyhow.

Since my question is no longer visible on ServerFault, Nicholas's response on ServerFault is reproduced for posterity.

*Based on the linked note, this appears to be an SSL issue. Do the naked domain and subdomains/wildcard appear in the certificate when printing it to screen using openssl x509 -text -noout -in my_cert.crt? Do the appropriate domains appear listed in the SSL Certificates section of App Engine Settings? Does the uploaded certificate appear listed under SSL support in the App Engine Custom domains section? If any of the above are false, I'd recommend reviewing Using Custom Domains and SSL. – Nicholas Dec 27 '16 at 18:16*

*I would also suggest that this question is better suited for a discussion forum like the App Engine Google Group. I strongly advise you to post your questions there after having read through the previously linked article. – Nicholas Jan 2 at 21:47*

In any case, I believe the correct answer is that non-wildcard SAN certificates are not supported by GAE. See issue 11781 (https://code.google.com/p/googleappengine/issues/detail?id=11781). There is a workaround involving the use of a dispatch file, subject to a limit of 20 (previously 10) routing rules.

Alternatively, you can use a wildcard certificate. I've personally tested a self-signed wildcard certificate and can confirm that it works as intended. That is, requests are routed to the correct module based on the sub-domain name.
This is a bit of a bummer as LetsEncrypt does not issue wildcard certificates and wildcard certificates are rather pricey.

On Monday, 5 September 2016 04:32:47 UTC+8, Adam (Cloud Platform Support) wrote:
> Before you configured HTTPS, have you verified subdomain routing works
> using plain HTTP, as per 'How Requests are Routed
> <https://cloud.google.com/appengine/docs/python/how-requests-are-routed>'?
> For visibility, I'd also recommend refactoring your question to be able to
> post on ServerFault without the spam block.
>
> On Thursday, August 25, 2016 at 10:36:36 AM UTC-4, Yue Chuan Lim wrote:
>>
>> Given that I have:
>>
>> 1. A custom domain name - example.com
>> 2. An App Engine service named "abc"
>> 3. A SAN certificate for the domains example.com, abc.example.com and
>> www.example.com
>>
>> How do I set up my custom domain such that accessing
>> https://abc.example.com routes to the App Engine service "abc"?
>>
>> I have no issues with setting up example.com and www.example.com to
>> route traffic to the default service. HTTP requests to example.com and
>> www.example.com correctly redirect to https://www.example.com (and this
>> continues to be the case for all of the below configurations). A/AAAA
>> records omitted for brevity.
>>
>> I understand that the following settings have to be configured:
>>
>> 1. Google Cloud Console -> App Engine -> Settings -> Custom Domain
>> ("Custom Domain Settings")
>> 2. Google Cloud Console -> App Engine -> Settings -> SSL Certificates
>> ("SSL Certificates Settings")
>> 3. My DNS nameserver ("DNS Configuration")
>>
>> I have tried the following configurations.
>>
>> *Wildcard Domain*
>>
>> *Custom Domain Settings*
>>
>> - *.example.com
>>
>> *SSL Certificates Settings*
>>
>> - SSL enabled for example.com and www.example.com
>> - No option to enable SSL for *.example.com or abc.example.com
>>
>> *DNS Configuration*
>>
>> Tried all of the following configurations:
>>
>> - CNAME - *.example.com to ghs.googlehosted.com. ONLY
>> - CNAME - abc.example.com to ghs.googlehosted.com. ONLY
>> - BOTH of the above CNAME records
>>
>> *Results*
>>
>> Does not work. It appears that App Engine is not presenting the
>> certificate for abc.example.com.
>>
>> Chrome: ERR_CONNECTION_CLOSED
>> Firefox: Secure Connection Failed
>>
>> My guess is that this configuration would work if I had a wildcard
>> certificate for example.com.
>>
>> *Custom Subdomain*
>>
>> *Custom Domain Settings*
>>
>> - abc.example.com
>>
>> *SSL Certificates Settings*
>>
>> - SSL enabled for example.com, www.example.com and abc.example.com
>>
>> *DNS Configuration*
>>
>> - CNAME - abc.example.com to ghs.googlehosted.com.
>>
>> *Results*
>>
>> Does not work as expected. App Engine routes traffic to the default
>> service.
>>
>> *Wildcard Domain/Custom Subdomain Mix*
>>
>> *Configuration #1*
>>
>> *Custom Domain Settings*
>>
>> - *.example.com
>> - abc.example.com
>>
>> *SSL Certificates Settings*
>>
>> - SSL enabled for example.com, www.example.com and abc.example.com
>>
>> *DNS Configuration*
>>
>> - CNAME - abc.example.com to ghs.googlehosted.com.
>>
>> *Results*
>>
>> App Engine routes traffic to the default service.
>>
>> *Configuration #2*
>>
>> *Custom Domain Settings*
>>
>> - *.example.com
>>
>> *SSL Certificates Settings*
>>
>> - SSL enabled for example.com and www.example.com
>> - No option to enable SSL for abc.example.com
>>
>> *DNS Configuration*
>>
>> - CNAME - abc.example.com to ghs.googlehosted.com.
>>
>> *Results*
>>
>> Does not work. App Engine does not present SSL certificate for
>> abc.example.com.
>>
>> Chrome: ERR_CONNECTION_CLOSED
>> Firefox: Secure Connection Failed
>>
>> *Configuration #3*
>>
>> *Custom Domain Settings*
>>
>> - *.example.com
>> - * abc.example.com
>>
>> *SSL Certificates Settings*
>>
>> - SSL enabled for example.com, www.example.com and abc.example.com
>>
>> *DNS Configuration*
>>
>> Tried all of the following configurations:
>>
>> - CNAME - abc.example.com to ghs.googlehosted.com. ONLY
>> - CNAME - *.example.com to ghs.googlehosted.com. ONLY
>> - BOTH of the above CNAME records
>>
>> *Results*
>>
>> App Engine routes traffic to the default service.
>>
>> As an aside, tried posting to serverfault.com, post was rejected for
>> looking too much like spam.
>>
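The certificate check suggested in the thread above (do the naked domain and subdomains/wildcard appear in the certificate?) can be scripted so that a certificate problem is ruled out before looking at App Engine routing. This is an added example, not part of the original messages: it builds two throwaway self-signed certificates for example.com, one explicit-SAN and one wildcard, and the helper names make_cert, list_sans and covers are hypothetical. It assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example with constructed, throwaway self-signed certificates.
# Assumes OpenSSL 1.1.1+ (needed for "req -addext").

# make_cert <basename> <subjectAltName value>: write <basename>.key/.crt
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.com" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# list_sans <cert>: print the DNS names from the SAN extension, one per line,
# taken from the same "openssl x509 -text -noout" output quoted in the thread
list_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# covers <cert> <hostname>: succeed if the certificate is valid for hostname
covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
make_cert "$workdir/san"  "DNS:example.com,DNS:www.example.com,DNS:abc.example.com"
make_cert "$workdir/wild" "DNS:example.com,DNS:*.example.com"

# Print a coverage table: which certificate is valid for which hostname
for cert in san wild; do
    for host in example.com abc.example.com xyz.example.com a.b.example.com; do
        if covers "$workdir/$cert.crt" "$host"; then result=yes; else result=no; fi
        printf '%-5s %-18s %s\n' "$cert" "$host" "$result"
    done
done
```

Both certificates cover abc.example.com, so a name mismatch in the certificate itself is not what distinguishes the two setups; the wildcard entry matches exactly one label, which is why a.b.example.com is not covered.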
