Naked Domain Redirect Failing when using HTTPS SSL on Google App Engine

Gaurav Sharma picture Gaurav Sharma · Jul 12, 2013 · Viewed 11.6k times · Source

We've got a website:

www.feeltracker.com

This is running on Google App Engine

On Google App Engine, we have Naked Domain forwarding setup, so that:

http://feeltracker.com

redirects to

http://www.feeltracker.com

However, when we try to open the following address in Chrome:

https://feeltracker.com (notice the HTTPS)

We get a Google error page with the following message:

Google
404. That’s an error.

The requested URL / was not found on this server. That’s all we know.

Does anyone know how we can ensure https://feeltracker.com redirects to www.feeltracker.com?

Note that in Firefox we get the following additional information when trying to open https://feeltracker.com:

feeltracker.com uses an invalid security certificate.

The certificate is only valid for the following names:
*.google.com , *.android.com , *.appengine.google.com , *.cloud.google.com , *.google-analytics.com , *.google.ca , *.google.cl , *.google.co.in , *.google.co.jp , *.google.co.uk , *.google.com.ar , *.google.com.au , *.google.com.br , *.google.com.co , *.google.com.mx , *.google.com.tr , *.google.com.vn , *.google.de , *.google.es , *.google.fr , *.google.hu , *.google.it , *.google.nl , *.google.pl , *.google.pt , *.googleapis.cn , *.googlecommerce.com , *.gstatic.com , *.urchin.com , *.url.google.com , *.youtube-nocookie.com , *.youtube.com , *.youtubeeducation.com , *.ytimg.com , android.com , g.co , goo.gl , google-analytics.com , google.com , googlecommerce.com , urchin.com , youtu.be , youtube.com , youtubeeducation.com  

(Error code: ssl_error_bad_cert_domain)

Note that we are using the SNI SSL certificate capability on Google App Engine with our uploaded certificate. When we run SSL diagnostics via http://www.digicert.com/help/ we get the following:

Certificate does not match name feeltracker.com


Subject *.google.com
Valid from 02/Jul/2013 to 31/Oct/2013
Issuer  Google Internet Authority


Subject Google Internet Authority
Valid from 12/Dec/2012 to 31/Dec/2013
Issuer  Equifax

Any ideas why https://feeltracker.com fails to use the correct certificate, whereas www.feeltracker.com and http://www.feeltracker.com work as expected with our SSL certificate?

Answer

Mark Doyle picture Mark Doyle · Oct 30, 2013

Update 16 Sept 2015

It appears this may now work as per Forum post and Issue 10802

Previously applicable info below...


Currently it's not supported. The naked domain redirect is a workaround only for http and you'll probably notice that specific IP addresses you need to be put in your DNS for that differ from the approach and IP addresses for ghs.googlehosted.com.

This seems to indicate that it's different parts of Google's infrastructure and they haven't yet managed to make them consistent or work together. I haven't seen any details on when they will resolve this so it might be a long wait. e.g. Related post from 2009

There is an "acknowledged" issue for Naked domain support so when that's fixed then likely this issue also resolved.

As Google is not going to correctly serve your certificate on their naked domain redirector then for now there are these options that I see:

  • Make/provide your own reverse proxy (Apache httpd, varnish etc) or use a reverse proxy service (eg. CloudFlare) and point your naked domain there. You'd install your SSL on the reverse proxy, clients would connect there for your naked domain (no certificate errors) and you'd proxy all traffic to your real site. It might create a single point of failure and costs depending what you use.

  • Rent a cheap VPS where you install a web server, your cert and a redirect script to https://www.feeltracker.com. In DNS map your naked domain to that server. It can be a really cheap linux server as requirements just to redirect are very low.

  • Find a domain redirect service that supports https and allows you to upload your certificate. Sadly I'm not aware of any.

  • Use VIP (Virtual IP) SSL and configure it in DNS for your naked domain. I haven't tested myself but it seems it should work, although I did find a old comment here that it may not. Has someone tested? NOTE however as far as I could see the DNS entry has a TTL of just 300 (5mins) and Google doesn't advise it, so even if it did work you might need some scripts to update your DNS entries as there's a strong chance it changes from time to time. If it does work then DNS providers like DNSSimple have an API so it would be possible.

Probably the second option is most applicable in your case as you don't seem to mind about the naked domain (which for many is an issue).

I recently found a good example: https://khanacademy.org/ They appear to use an Amazon EC2 host as per the second option above.

https://khanacademy.org/ Resolving khanacademy.org... 107.20.223.238 
Connecting to khanacademy.org|107.20.223.238|:443... connected. 
WARNING: cannot verify khanacademy.org’s certificate, issued by “/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287”:   Unable to locally verify the issuer’s authority. WARNING: certificate common name “*.khanacademy.org” doesn’t match requested host name “khanacademy.org”. 
HTTP request sent, awaiting response... 301 Moved
Permanently Location: https://www.khanacademy.org/ [following]
https://www.khanacademy.org/ Resolving www.khanacademy.org... 
72.14.249.132 Connecting to www.khanacademy.org|72.14.249.132|:443... connected. 

whois 107.20.223.238
OrgName:        Amazon.com, Inc.
OrgId:          AMAZO-4
Address:        Amazon Web Services, Elastic Compute Cloud, EC2

As of 12 April 2014 it looks like Google makes some progress and now allows mapping of non Google Apps domains (seeissue 8517), although SSL appears not to work for that method yet (see issue 10794 for tracking that).