Wildcard SSL certificate on Google App Engine + Cloudflare

1
votes

I have a domain, example.com and want to support wildcard subdomains such as *.example.com on SSL.

My app is running on Google App Engine and hoping to use Cloudflare to proxy all the requests to my domain on SSL. Please note I'm on the Free plan of Cloudflare.

My question is whether I need to purchase a separate wildcard subdomain certificate apart from using Cloudflare's.

I want to enable Full (strict) SSL method on Cloudflare. My understanding was that I could install the Origin certificate issued by Cloudflare on GAE (so that GAE <-> Cloudflare is secure), and then use the universal SSL certificate issued by Cloudflare so that Cloudflare <-> browser is secure. Is there a need to ever purchase a separate wildcard subdomain cert, or can I make use of (universal + origin certificates) Cloudflare's SSL entirely?

If my understanding above isn't correct and I need to purchase a separate SSL wildcard subdomain cert - once I upload this to GAE, is my connection from GAE to the browser secure from end-to-end ? Will the SSL on GAE be validated by Cloudflare and then it is able to proxy the wildcard subdomain requests on SSL ?

If anyone versed and knowledgeable in this area could help understand the flow, that would be really appreciated.

1
google-app-enginessldnscloudflarewildcard-subdomain

1 Answers

2
votes

I'm familiar with Cloudflare but not GAE. For Full (Strict) you will have to have a cert that is valid for both example.com and *.example.com in both Cloudflare and your origin servers. Cloudflare will take care of the edge certificate that the browser/client will interact with.

As you assumed, the origin cert Cloudflare issues will work and will be free. When you ask Cloudflare to generate this, you can specify the domains, which should include example.com and *.example.com. Cloudflare will issue you a self signed cert for example.com with a SAN for *.example.com. The up side of this are that it's free and will have a long expiration time (if you want). The down side is that if you ever have to drop cloudflare or interact with the origin servers without cloudflare, the cert will not be signed by a root CA. These requests will generally fail in clients and browsers unless you specifically make client configuration changes to trust this cert, and certainly a random browser accessing this server will get a certificate error.

A root CA signed cert for example.com with a SAN for *.example.com will also work. The down sides of this is it will generally cost money unless you use a free service like letsencrypt. You will probably also have to renew this cert more often than a self signed cert and an expired cert will result in downtime in Full Strict mode. The up side of this is that generally any request you send directly to the origin servers will work, even in a random browser.

For me, I would go with root CA signed cert (even a free one if need be) so that if I absolutely had to drop cloudflare in an emergency, I could just switch DNS to the origin servers and still be okay. Only if I had some complete dependency on Cloudflare, like workers or DDoS protection would I go with the Cloudflare self signed cert.