Hi, I had a similar issue (not Firebase), so some points I remember:
I assume you want to re-use the same SSL certificate you already use for your Firebase app (which should cover the naked domain "mydomain.com" and "service.mydomain.com"). And I assume you have no wildcard certificate "*.mydomain.com", only for "mydomain.com" and "service.mydomain.com". 1. First you should prepare your GAE app for the custom domain and SSL (detailed docs here <https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl> ) 1. By default your app will be hosted under something like "myproject.appspot.com". 2. If not already done, verify domain ownership for "service.mydomain.com" and "mydomain.com" in Webmaster Central. 3. In Cloud Console of your GAE app project, you can add a custom sub-domain, that is not in use currently, e.g. "service.mydomain.com" (if it's a wildcard certificate, you can choose an arbitrary subdomain instead). *IMPORTANT: Do not use "mydomain.com" in this stage. If completed, traffic to the naked domain would be immediately directed to your app, away from your Firebase app.* 4. When you updated the DNS settings for "service.mydomain.com", upload your SSL certificate and map it to your sub-domain "service.mydomain.com" 5. Visit "https://service.mydomain.com"; to test if you are directed to your GAE app and if traffic is secured by your SSL certificate as expected 6. Now you have confirmed that your SSL certificate is supported on GAE, and you are familiar with the work-flow 7. Recommended: in Stackdriver Monitoring add uptime-checks (to "mydomain.com") and incident policies (at least 4xx errors?) for your GAE app 2. Optional: Change DNS records of "mydomain.com" and "service.mydomain.com" to shorter TTL AFAIR, default Time-to-live (TTL) for DNS is typically 24 hours. If your users would notice the switch between Firebase and GAE hosting, or if they cannot use both apps interchangeably, I recommend to set TTL to much shorter values early enough, e.g. to 15 minutes. Example: If TTL now is 24 hours, you should reduce it at least 24 hours before your migration, else clients may get stale resolution and still get connected to the Firebase app. You can reduce the TTL step by step, until close to the point where you migrate, e.g. from 24 hours, to 6 hours, to 1 hour, to 15 minutes. 3. Migrate your app 1. remove "service.mydomain.com" from your GAE app (no harm done, since you only used it for testing your GAE setup so far) 2. add "service.mydomain.com" to your Firebase app 3. If Firebase app is accessible under "service.mydomain.com", you are ready to actually migrate 4. *Real migration starts here! >* add "mydomain.com" to your GAE app, update your DNS records if needed, and map the certificate to the naked domain; thanks to the shorter TTL, your DNS change should propagate quickly to new clients 5. Verify if "mydomain.com" traffic is directed correctly to GAE 6. Keep an eye on your GAE monitoring; 7. if something goes terribly wrong: stop migration & roll-back by removing "mydomain.com" from GAE app 8. if everything is fine: after your current TTL (e.g. 15 minutes) has passed, not earlier than that, remove "mydomain.com" from Firebase app 4. Optional: Revert the TTL values of your DNS records (if needed) 5. Celebrate! Better safe than sorry: aside from the domain and certificate mapping, there is a lot more to consider (data migration, replacement of service accounts and keys, etc.) but I guess you already covered that. Hope that gave you some ideas for your migration. Good luck. Ani On Friday, 21 July 2017 18:45:33 UTC+2, [email protected] wrote: > > Hi everyone, > > I have web app hosted on Firebase hosting under the domain `mydomain.com`. > I want to move `mydomain.com` to GAE and rename original to ` > service.mydomain.com`. > > I wonder if there would be any problem with SSL certificates? How should > the transfer be handled? > > > > > -- HATZIS Edelstahlbearbeitung GmbH Hojen 2 87490 Haldenwang (Allgäu) Germany Handelsregister Kempten (Allgäu): HRB 4204 Geschäftsführer: Paulos Hatzis, Charalampos Hatzis Umsatzsteuer-Identifikationsnummer: DE 128791802 http://www.hatzis.de/ -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/1882681f-ec40-4f1a-b012-6b8a61d07a01%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
