Managed SSL for Google App Engine

No need to deploy a new version just to add a .well-known folder anymore

Jiayu Yi
Google Cloud - Community
2 min read · Sep 27, 2017


Many platform-as-a-service offerings such as Google App Engine offer HTTPS support out of the box under a subdomain using a wildcard certificate, for example *.appspot.com for App Engine, *.herokuapp.com for Heroku, and *.github.io for GitHub Pages. However, if you want to use a custom domain, you’re usually on your own.

Fortunately there’s Let’s Encrypt around nowadays. According to their statistics, they’re supporting more than 40 million active certificates today. Let’s Encrypt offers free SSL certificates which you can use to set up HTTPS on your websites.

Some time ago, I deployed an application on App Engine and set up a custom domain for it. Using the Certbot ACME client and Let’s Encrypt, I just needed to run a few commands on my local machine and then deploy a new version of my application with a specific file at a specific path, and I received a shiny new Let’s Encrypt certificate for my custom domain. After uploading this certificate through the Cloud Console, I had HTTPS enabled on my custom domain. (I followed the instructions to do this from this very helpful article.)

3 months later, my certificate expired. No big deal, I could just repeat the same process to get a new cert. I could even have automated the process with the App Engine Cron Service. In fact, part of the rationale for the 90-day validity of Let’s Encrypt certificates is to encourage automation (https://letsencrypt.org/2015/11/09/why-90-days.html).

But today, it has become easier than ever to enable HTTPS on a custom domain on App Engine (sometimes I wonder if we are getting spoiled as developers with each new managed service that comes out).

Managed SSL for Google App Engine

Managed SSL for Google App Engine is now in beta, and enabling HTTPS on custom domains is now a single click away. The magic button can be found on the App Engine custom domain settings page in the Cloud Console and it is labelled “Enable managed security”.

I clicked it already. It was like r/thebutton all over again.

If you have an App Engine application under a custom domain but haven’t enabled HTTPS on it or find doing so a hassle, now is the time to give it another try.

You can find the original blog post detailing the release from the Google Cloud Platform blog here and the API documentation here.
