Thank you for such detailed answer. The issue was that I thought if I change the SSL certificate browsers may warn certificate has changed and not allow users to reach mydomain.com <http://mydomain.com/>.
Since I don’t have access to SSL certificate issued by Firebase I couldn’t find a solution. But later I learned that a site can be issued by multiple SSL certificates. So I created new SSL certificate and server application GAE application with new SSL certificate and no problem. As you said bigger problem was migration. > On 21 Jul 2017, at 20:51, Anastasios Hatzis <[email protected]> wrote: > > Hi, > > I had a similar issue (not Firebase), so some points I remember: > > I assume you want to re-use the same SSL certificate you already use for your > Firebase app (which should cover the naked domain "mydomain.com" and > "service.mydomain.com"). And I assume you have no wildcard certificate > "*.mydomain.com", only for "mydomain.com" and "service.mydomain.com". > > First you should prepare your GAE app for the custom domain and SSL (detailed > docs here > <https://cloud.google.com/appengine/docs/standard/python/using-custom-domains-and-ssl>) > By default your app will be hosted under something like > "myproject.appspot.com". > If not already done, verify domain ownership for "service.mydomain.com" and > "mydomain.com" in Webmaster Central. > In Cloud Console of your GAE app project, you can add a custom sub-domain, > that is not in use currently, e.g. "service.mydomain.com" (if it's a wildcard > certificate, you can choose an arbitrary subdomain instead). IMPORTANT: Do > not use "mydomain.com" in this stage. If completed, traffic to the naked > domain would be immediately directed to your app, away from your Firebase app. > When you updated the DNS settings for "service.mydomain.com", upload your SSL > certificate and map it to your sub-domain "service.mydomain.com" > Visit "https://service.mydomain.com"; to test if you are directed to your GAE > app and if traffic is secured by your SSL certificate as expected > Now you have confirmed that your SSL certificate is supported on GAE, and you > are familiar with the work-flow > Recommended: in Stackdriver Monitoring add uptime-checks (to "mydomain.com") > and incident policies (at least 4xx errors?) for your GAE app > Optional: Change DNS records of "mydomain.com" and "service.mydomain.com" to > shorter TTL > AFAIR, default Time-to-live (TTL) for DNS is typically 24 hours. If your > users would notice the switch between Firebase and GAE hosting, or if they > cannot use both apps interchangeably, I recommend to set TTL to much shorter > values early enough, e.g. to 15 minutes. Example: If TTL now is 24 hours, you > should reduce it at least 24 hours before your migration, else clients may > get stale resolution and still get connected to the Firebase app. You can > reduce the TTL step by step, until close to the point where you migrate, e.g. > from 24 hours, to 6 hours, to 1 hour, to 15 minutes. > Migrate your app > remove "service.mydomain.com" from your GAE app (no harm done, since you only > used it for testing your GAE setup so far) > add "service.mydomain.com" to your Firebase app > If Firebase app is accessible under "service.mydomain.com", you are ready to > actually migrate > Real migration starts here! > add "mydomain.com" to your GAE app, update your > DNS records if needed, and map the certificate to the naked domain; thanks to > the shorter TTL, your DNS change should propagate quickly to new clients > Verify if "mydomain.com" traffic is directed correctly to GAE > Keep an eye on your GAE monitoring; > if something goes terribly wrong: stop migration & roll-back by removing > "mydomain.com" from GAE app > if everything is fine: after your current TTL (e.g. 15 minutes) has passed, > not earlier than that, remove "mydomain.com" from Firebase app > Optional: Revert the TTL values of your DNS records (if needed) > Celebrate! > Better safe than sorry: aside from the domain and certificate mapping, there > is a lot more to consider (data migration, replacement of service accounts > and keys, etc.) but I guess you already covered that. > > Hope that gave you some ideas for your migration. Good luck. > Ani > > On Friday, 21 July 2017 18:45:33 UTC+2, [email protected] wrote: > Hi everyone, > > I have web app hosted on Firebase hosting under the domain `mydomain.com > <http://mydomain.com/>`. I want to move `mydomain.com <http://mydomain.com/>` > to GAE and rename original to `service.mydomain.com > <http://service.mydomain.com/>`. > > I wonder if there would be any problem with SSL certificates? How should the > transfer be handled? > > > > > > HATZIS Edelstahlbearbeitung GmbH > Hojen 2 > 87490 Haldenwang (Allgäu) > Germany > > Handelsregister Kempten (Allgäu): HRB 4204 > Geschäftsführer: Paulos Hatzis, Charalampos Hatzis > Umsatzsteuer-Identifikationsnummer: DE 128791802 > > http://www.hatzis.de/ <http://www.hatzis.de/> > > -- > You received this message because you are subscribed to a topic in the Google > Groups "Google App Engine" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/google-appengine/ncI3CeEueUY/unsubscribe > <https://groups.google.com/d/topic/google-appengine/ncI3CeEueUY/unsubscribe>. > To unsubscribe from this group and all its topics, send an email to > [email protected] > <mailto:[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > Visit this group at https://groups.google.com/group/google-appengine > <https://groups.google.com/group/google-appengine>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/google-appengine/1882681f-ec40-4f1a-b012-6b8a61d07a01%40googlegroups.com > > <https://groups.google.com/d/msgid/google-appengine/1882681f-ec40-4f1a-b012-6b8a61d07a01%40googlegroups.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/4DE38776-488C-4286-BAB9-8F083ADE1F69%40gmail.com. For more options, visit https://groups.google.com/d/optout.
