Managed security will need to check existence of canonical name (CNAME) record with the value of *ghs.googlehosted.com* for your domain/subdomain. If you're serving *www.example.com* on CloudFlare, you may map *w3.example.com* as custom sub-domain on GAE and enable managed security for it. Please try it and let me know if it works.
On Monday, October 2, 2017 at 11:49:20 AM UTC-4, Leigh McCulloch wrote: > > While that works it's not completely secure, only Full SSL (strict) or > Full SSL (origin ca)* is, not plain Full SSL. In Full SSL mode Cloudflare > doesn't verify the common name on the certificate served by AppEngine which > is why it works as you described. If I enable Full SSL (strict) using the > setup you described it fails because the certificate AppEngine is serving > is for example.appspot.com and not example.com. > > What I had hoped to do was enable managed security on AppEngine so that > AppEngine served a certificate with the correct common name. But it seems > like AppEngine does DNS checks before allowing the certificate to work. > > Is there anyway to make this work? > > Leigh > > * Note: Full SSL (origin ca) is also not supported by AppEngine, because > AppEngine doesn't allow the use of certificates that have been signed by a > CA that isn't a trusted CA. > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/5e1348e8-fe9d-4a9c-9202-d64c2e2d7c3f%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
