
Managed SSL for Google App Engine - lklig
https://cloudplatform.googleblog.com/2017/09/introducing-managed-SSL-for-Google-App-Engine.html
======
NearAP
This is welcome news. This means I no longer have to track and manually renew
my Let's Encrypt certificates for my websites.

I also see it as a way to incentivize folks to use GAE (not only are you
getting free quotas to run your app, you also don't have to spend money to buy
certificates and don't have to worry about installing or renewing them).

Finally, I also see it as another way of pushing for the uptake of SSL. With
GAE doing this, other hosting services might also start offering something
similar or close to it which would then beg the question - why is your site
not using SSL.

~~~
joshribakoff
The whole premise behind Let's Encrypt is the ACME protocol, so you don't have
to manually renew certs [although you can]. The problem is in handling SSL
renewals on a cluster, you have to do renewals via DNS & rsync certs around,
and there aren't many tools to do this. But for a single server, it's very easy
to automate. Another problem with Let's Encrypt is the rate limits & such.

~~~
bckygldstn
Google App Engine only a few weeks ago released an API for managing
certificates. Before that, the only way to add or update a certificate was to
manually paste the key into a web form.

------
paulddraper
Been using AWS's certificate management.

It is _so_ nice not to (1) manage the certs with your own infrastructure (2)
automatically deploy these things to HAProxy, Apache, MySQL, random server X.

Automated load balancing + cert management is heaven.

~~~
kuschku
I'm using Kubernetes with kube-lego, and my experience is exactly the same.

Automating all routing, API gateways, TLS termination and certificate
management makes life so much easier.

~~~
_asummers
My hope is that this makes kube-lego unnecessary for Kubernetes! Being able to
get a cluster spun up with TLS by default would be amazing.

------
jfoster
I've tried it and get "Failed to activate certificates" errors.

~~~
thedevil
Me too. If anyone figures this out, I'd love to hear more.

~~~
lklig
Hello from the App Engine team. Could you double check that your DNS records
are accurate? Everything is looking good on our end. Thanks for the feedback!

~~~
AnssiH
I can also reproduce the issue, i.e. "Failed to activate certificates." a few
seconds after clicking "Enable managed security" with 4 domains checked.

I checked the DNS records and the CNAME, A, AAAA records of all the domains
match exactly what is shown on the admin console.

~~~
mbwalas
Can you try using gcloud? There may be a UI problem.

~~~
AnssiH
Thanks, it worked fine with the gcloud command.

~~~
lklig
We've found the glitch in the UI and the issue will be resolved shortly.
Thanks for all the support and quick testing after announcing this beta
release.

~~~
lklig
Happy to report everything is working as expected, go get those managed certs!

------
ohstopitu
This is great news.

I love App Engine but one of the biggest issues I've had with it is the fact
that memcached and search are not available for anything but App Engine
standard - Python (2.7).

Providing access to both via App Engine flexible would be a godsend!

~~~
benguild
We use memcache but it’s really unreliable. I recommend rolling your own
anyway.

Also I think there is an alpha for flex?

------
OzzyB
This is a welcome addition that many have been patiently waiting for.

If you want to see the progress here's the relevant ticket[0] -- nice to see
it finally closed!

Not privy to the final implementation details but my guess is it's based on
Let's Encrypt as suggested by the originator of the ticket and others.

Edit: Yeah, probably not Let's Encrypt as others have stated.

[0]
[https://issuetracker.google.com/issues/35900034](https://issuetracker.google.com/issues/35900034)

~~~
ngrilly
I guess it's based on Google's own Certificate Authority, instead of Let's
Encrypt, according to this:

[https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html](https://security.googleblog.com/2017/01/the-foundation-of-more-secure-web.html)

~~~
ngrilly
For the record, I guessed wrong. I enabled the feature and checked the
certificate: it's based on Let's Encrypt ;-)

------
zackify
Any plans to add this to storage buckets?

------
syntaxgoonoo
When will Azure do the same?

~~~
partiallypro
They do offer it for webapps using Let's Encrypt, but nothing else afaik. But I
look forward to it being added, it is definitely needed. Even setting up the
Let's Encrypt to auto renew is a very tedious process.

~~~
bmizerany
Hello from Backplane. You can get this on Azure today using
[https://www.backplane.io](https://www.backplane.io) with end-to-end
encryption to your backends plus a huge chest of other routing and security
features. It's free to start. I'm blake at backplane dot io

------
kennethh
Is this for both the App Engine standard and flexible environments?

~~~
lklig
Both environments are supported!

------
le-mark
Is this basically just SNI for GAE? Or did they already have that?

~~~
StevePerkins
It's basically invisible automation for creating and renewing Let's Encrypt
certs on App Engine.

The traditional process for installing a custom domain SSL cert on App Engine
was very clunky. Involved running OpenSSL commands, cut-n-pasting PEM data,
etc. If you were using Let's Encrypt, then it was more or less impossible to
automate... you had to go through a tedious manual process every 3 months
(including updating your app, to respond to the Let's Encrypt verification
endpoint!).

~~~
iamgopal
I think they do not use Let's Encrypt. They use their own SSL, since they are
now licensing authority.

Edit: I am wrong. They use Let's Encrypt.

~~~
StevePerkins
I am hosting this project on App Engine, and have been using their SSL
management for a couple of months now:

[https://resumefodder.com/](https://resumefodder.com/)

A click on the browser padlock icon says that it's a Let's Encrypt cert.
Unsurprising, since Google is such a major sponsor. Also unsurprising that
Google chooses to focus on their own branding rather than call attention to
it.

~~~
iamgopal
You are right, I do have many domains and didn't bother to check it.

------
nivertech
Can this be used with load balancers on GCE?

------
joshribakoff
I feel like Google isn't exactly the best place to get your SSL, given their
track record with the NSA.

~~~
iancarroll
If you are using App Engine, Google is terminating the TLS connection
regardless...

~~~
joshribakoff
Right... Which is all the more reason not to let them issue your SSL cert, or
terminate your SSL for that matter.

~~~
iancarroll
Your issue is then with using App Engine, not with them giving you a
certificate. There is no way to use App Engine without them getting the
plaintext in the end.

