I'm also interested in this post. I'm not sure how creating a sub domain of w3.example.com helps as will it not just create a managed certificate from LetsEncrypt for w3 (not naked or www)? I think LetsEncrypt uses DNS verification, which I assume is something GAE is handling behind the scenes. If cloudflare is turned on and sits between LetsEncrypt verification method and App Engine then I'm not sure GCP is able to create a DNS record that LetsEncrypt can see?
On Tuesday, 3 October 2017 03:05:32 UTC+1, Kamran (Google Cloud Support) wrote: > > > Managed security will need to check existence of canonical name (CNAME) > record with the value of *ghs.googlehosted.com > <http://ghs.googlehosted.com>* for your domain/subdomain. If you're > serving *www.example.com <http://www.example.com>* on CloudFlare, you may > map *w3.example.com <http://w3.example.com>* as custom sub-domain on GAE > and enable managed security for it. Please try it and let me know how it > works. > > > > > On Monday, October 2, 2017 at 11:49:20 AM UTC-4, Leigh McCulloch wrote: >> >> While that works it's not completely secure, only Full SSL (strict) or >> Full SSL (origin ca)* is, not plain Full SSL. In Full SSL mode Cloudflare >> doesn't verify the common name on the certificate served by AppEngine which >> is why it works as you described. If I enable Full SSL (strict) using the >> setup you described it fails because the certificate AppEngine is serving >> is for example.appspot.com and not example.com. >> >> What I had hoped to do was enable managed security on AppEngine so that >> AppEngine served a certificate with the correct common name. But it seems >> like AppEngine does DNS checks before allowing the certificate to work. >> >> Is there anyway to make this work? >> >> Leigh >> >> * Note: Full SSL (origin ca) is also not supported by AppEngine, because >> AppEngine doesn't allow the use of certificates that have been signed by a >> CA that isn't a trusted CA. >> >> -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at https://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/a52e1137-cc12-4148-8aa3-d478f2768fd8%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
