I have been trying to use my own SSL certificate on subdomains for my app in GAE. I have successfully created the certificate and was able to enable it for all but one subdomain.
Let's say my domain is domain.com. I was able to enable the SSL certificate for domain.com, www.domain.com, subdomain.domain.com but for some reason, www.subdomain.domain.com does not show in the list of potential custom domains for my certificate. In this situation, I can not access my website through https://www.subdomain.domain.com but can through https://subdomain.domain.com.
Also, I can activate a google managed certificate for this subdomain, making https://www.subdomain.domain.com accessible, but of course, this is not what I want. Any clue on how to make www.subdomain.domain.com visible in the domains list of my certificate in order to then be able to turn it on?
This post is reporting a similar issue to this one. Sadly, no one has provided an answer and I do not have enough reputation to comment on it...
According to the Google Cloud docs, if you have the right permissions in the GCP console and have verified ownership of all parent domains, you can use your custom certificate on subdomains.
Example:
- If the certificate is for www.example.com, you can verify ownership of either www.example.com or example.com.
- If the certificate is for www.example.com and sub.example.com, you can either verify ownership of both www.example.com and sub.example.com, or of example.com.
- If the certificate is for *.example.com, you must verify ownership of example.com.
You can check this link, mostly the section "Using your own SSL certificates".
Multi-level domains may be tricky, starting with the type of certificate obtained. From RFC 2818 (emphasis mine):
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
I suspect this is what's causing your trouble. Google also mentions in App Engine support for SSL certificates:
Wildcard certificates only support one level of subdomain.
When trying the google-managed certificate the certificate is likely generated exactly for the respective domain, not a wildcard one, thus not having the problem mentioned in the above quote.
The only way I can think of to get this working is to obtain a separate wildcard certificate for each domain level. But that could be a problem if you direct users to sites at different domain levels, as the certificate would change.
Personally I'd just arrange my domain names to be contained in just one domain level and avoid all these issues. Maybe with something like www-subdomain.domain.com instead of www.subdomain.domain.com?
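To make the single-label wildcard rule from the RFC 2818 quote concrete, here is a small added Python example (not code from either answer or from Google) that implements that matching rule and applies it to the names from the question. The function names `name_matches` and `covered_by`, and the sample certificate name lists, are constructed for this illustration; note that modern clients following RFC 6125 are stricter still and generally only honour a `*` in the leftmost label.

```python
import re


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label against one pattern label.

    A '*' may stand for any run of characters inside the label, but since
    labels are split on '.' beforehand it can never span a dot, which is
    exactly the RFC 2818 "single component or component fragment" rule.
    """
    parts = pattern_label.split("*")
    regex = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(regex, host_label) is not None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 style comparison of a certificate name against a hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard covers one label, so the label counts must agree:
    # *.a.com has three labels and can never match bar.foo.a.com (four).
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def covered_by(cert_names, hostname: str):
    """Return the certificate names (CN / SANs) that would cover hostname."""
    return [n for n in cert_names if name_matches(n, hostname)]


if __name__ == "__main__":
    # Constructed sample: the names a wildcard certificate for domain.com
    # would typically carry, checked against the hostnames in the question.
    cert_names = ["domain.com", "*.domain.com"]
    for host in ["www.domain.com", "subdomain.domain.com",
                 "www.subdomain.domain.com"]:
        print(host, "->", covered_by(cert_names, host) or "NOT covered")
```

Running the script shows that `*.domain.com` covers `www.domain.com` and `subdomain.domain.com` but leaves `www.subdomain.domain.com` without any matching name, which is why that one hostname is the odd one out; a certificate carrying `*.subdomain.domain.com` (or the exact name) is what covers it.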