gorilla/gorilla.github.io

Add SSL

kisielk opened this issue · 9 comments

Currently the site is only available via HTTP.

This is an offer for me to acquire and pay for the necessary certificate. If this is already arranged or you have a plan for someone else to handle this, feel free to disregard. I do this work for customers in my day job and have done so for nearly 20 years, so I'm comfortable taking the task.

If you can get me a CSR, I would be happy to ship you a certificate to install in App Engine for this purpose.

Adding SSL to your Custom Domain is the documentation on how to generate a CSR and how to install the certificate. This requires that you generate a private key on a private machine (and keep it private), hang onto that private key until the CSR has been turned into a trusted certificate, and then install them both at the same time into App Engine.

If you would like me to generate the private key and CSR and install the resulting certificate, I would need sufficient privilege within the App Engine project to do this. I do not know the correct way to grant this permission narrowly, but Permissions the Predefined Roles Do Not Grant specifically states that none of the predefined App Engine roles grant this privilege. They do state "We expect to control some of these features in the future by their own fine-grained roles" for whatever that's worth.

It is possible to use Let's Encrypt for this certificate, but last I checked it was a pain in the butt for App Engine and required that it be updated/refreshed frequently. That might be worth revisiting for this, or in the future. Google App Engine issue #12535: Support automatic certificate request via Lets Encrypt/ACME is tracking this want. The benefit would be that we would be one more vote for an open/free certificate authority. The downside is that there is additional work necessary to implement it initially and probably additional ongoing work on an interval until Google is able to automate it for App Engine customers.

If going with Let's Encrypt is a requirement, I'm willing to do the footwork to figure it out and implement it (requires unknown App Engine privileges). If not, I would (at least for the first year or two) simply acquire a commercially available standard-level non-EV certificate. If an EV cert is required, we can discuss.
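The key-and-CSR step described above, as an added example that is not part of the original thread or the gorilla project: it generates the private key locally, builds a CSR for the site hostname, and then runs the checks a practitioner would want before mailing the CSR off (the CSR's self-signature verifies, its public key matches the local key, and it carries the hostname as a SAN). The hostname `www.example.com`, the `./tls` output directory and the CSR config are assumed placeholders; only `openssl` is required.

```shell
#!/bin/sh
# Added example, not code from the gorilla project. Assumes a POSIX shell
# and the openssl CLI. DOMAIN and OUTDIR are placeholders.
set -e

DOMAIN="${DOMAIN:-www.example.com}"   # assumed hostname; use the real site name
OUTDIR="${OUTDIR:-./tls}"             # assumed output directory, kept local

# Generate a 2048-bit RSA private key. umask 077 makes the file owner-only;
# the key stays on this machine and is never sent to the CA.
gen_key() {
  key="$1"
  mkdir -p "$(dirname "$key")"
  umask 077
  openssl genrsa -out "$key" 2048 2>/dev/null
}

# Build a CSR bound to the key. A config file (instead of -addext) keeps this
# working on older OpenSSL releases; the SAN is what modern browsers check.
gen_csr() {
  key="$1"; csr="$2"; host="$3"
  cnf="$(dirname "$csr")/csr.cnf"
  cat > "$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
  openssl req -new -key "$key" -out "$csr" -config "$cnf" 2>/dev/null
}

# Check 1: the CSR's self-signature verifies (exit status, not message text,
# since the wording differs between OpenSSL versions).
csr_verifies() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Check 2: the public key inside the CSR is the one derived from our private
# key. A mismatch means the certificate we get back would be useless.
csr_matches_key() {
  key="$1"; csr="$2"
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" ]
}

# Check 3: the CSR names the host in its subjectAltName.
csr_has_san() {
  csr="$1"; host="$2"
  openssl req -in "$csr" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

main() {
  key="$OUTDIR/$DOMAIN.key"
  csr="$OUTDIR/$DOMAIN.csr"
  gen_key "$key"
  gen_csr "$key" "$csr" "$DOMAIN"
  csr_verifies "$csr"            || { echo "CSR signature does not verify" >&2; exit 1; }
  csr_matches_key "$key" "$csr"  || { echo "CSR public key != local key" >&2; exit 1; }
  csr_has_san "$csr" "$DOMAIN"   || { echo "CSR lacks SAN for $DOMAIN" >&2; exit 1; }
  echo "OK: send $csr to the CA; keep $key private until the cert arrives"
}

main
```

Only the `.csr` file leaves the machine; the `.key` file is what gets uploaded to App Engine together with the issued certificate, so losing it (or generating the CSR from a different key) means starting over.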

Ticket 12535 refers to automatic certificate integration. I recommend waiting until something comes out of that, unless it seems to be taking too long.

Also this article is applicable: The foundation of a more secure web on Google's Security Blog.

Sounds good, I'll keep an eye on it.

Revisiting this: we can do this "for free" via managed certificates in App Engine standard. See https://cloud.google.com/appengine/docs/standard/go/securing-custom-domains-with-ssl

Further, I'd gladly help with this & future admin for this project. You can add me as silverlock@google.com to the Gorilla project in GCP.

I don't have owner on the website, only editor, so I cannot add your account. We need to ask @moraes to add you.

I enabled managed certificates yesterday, so the site is now available via SSL. Just need to update links in READMEs now.

Updated all the READMEs I could see that used the http URL to https. I think this is done now.

So I added this to app.yaml but I'm having trouble deploying the app. Seems some stuff in Google App Engine has changed since it was last deployed in 2015 lol.