Setting up SSL

I am setting up SSL for modelr.io. You need SSL to do HTTPS, which is now an option for Google App Engine projects. I think you have to use appname.appspot.com for HTTPS, but I am hoping that only needs to be for the purchase/checkout process.

Despite Google's reasonable go at documentation, the process is a bit murky if you haven't done it before. These are my notes.

Before starting

 * You need a domain name you control. The Certifying Authority (CA) will verify that you own it, e.g. by email or with a special web page or DNS record, like Google Apps domains for example.
 * The CA will probably try to automatically get an email from your domain's WHOIS info to verify the site. This didn't work for me because the registrar's email was the only one on the WHOIS. So if you don't have a useful email on the WHOIS, you need to set up admin@domain.com or administrator@domain.com to confirm with. If your WHOIS is private, you might think about un-privating it.
 * It helps if your business has a DUNS number, which takes about a day to get, or is verified in Google Places (quick, but the postcard step takes days). Or you may need a letter from a lawyer verifying your address (DigiCert have a standard letter that they will send you) — this is what I did.
 * You need to choose a certificate type. In a nutshell...


 * Domain validated: Given after a short check of the applicant’s reliability, usually via email. OK for some peace of mind for users that the URL is the site it claims to be. Essential for sites asking for personal information.
 * Organization validated:An organization validated SSL certificate requires an identity-check of the organization. Users can see which organization owns it. Good for sites asking for personal info, and essential for ecommerce.
 * Extended validation:Extended Validation (EV) requires an extensive check of the applicant’s identity and reliability. Users visiting a website protected by an extended validation certificate see their browser's certificate field turn green. Best for ecommerce and establishing high levels of trust.

Purchase a trusted certificate
I went for an EV SSL Plus from DigiCert. I chose DigiCert for no other reason than GitHub uses them, and they weren't as pricey as VeriSign. and I liked their web interface better than Trustico (who automatically gave me a 2-year certificate without me asking — annoying). The EV gives the green browser bar. There are cheaper options (e.g. GeoTrust, owned by Symantec), and resellers (e.g. Trustico, as Canadian example). Sometimes there are sales etc.

There are more expensive options too — for wildcards for example.

The most trusted name is probably VeriSign (also owned by Symantec) — used by Twitter and (allegedly) 70% of other websites. The various certificates and vendors vary in how much insurance they offer, how browsers respond to them (e.g. with warnings or green bars, etc), the levels of authentication they offer, and the levels of support for admins. They're all very secure.

Update: Having now completed the process, I must say that DigiCert have amazing customer service. Very helpful, fast, and got me where I needed to be quickly and painlessly. I'll definitely use them again.

Note, you can generate certificates yourself too, but many browsers will give 'untrusted' warnings for these. This is not good. Using a $10 option doesn't send a great message to customers.

Generate a CSR
You will probably need to generate the Certificate Signing Request. Some CAs and vendors do this for you. This site was helpful. You can run this in the terminal of a Mac or Linux box:

openssl req -new -newkey rsa:2048 -nodes -out common_name.csr -keyout common_name.key -subj "/C=ca/ST=province_name/L=town_name/O=legal_name/CN=common.name.com"

where


 *   is the domain you want the certificate for. The filenames have underscores instead of dots.
 *   is the company, with spaces, caps, etc.
 *   is the town you're in, with spaces.
 *   is the province you're in, with spaces.

Google App Engine and Google Apps set up
This process relates to using Google App Engine with a custom domain. It's not very pretty.

First, you will need to get your App Engine project running on a custom domain. This requires the domain to be registered as a Google Apps domain. If you don't need SSL, you can do this with an 'alias' domain. Read the manual on custom domains first.

Now read about setting up for SSL.

You can only use SSL on the primary domain of a Google Apps account.

You can use a custom (secondary) domain as an alias domain, but not for SSL. If your domain is set up that way (like my modelr.io was) then you need to unlink it from its primary domain in Google Apps, then set up a new Google Apps account for it.


 * Your Google Apps user needs to be a Super Admin. If it's the only user, the one you started with, then it is.
 * Make sure that account can receive email — easiest thing to do is set it up with Gmail in the Apps account.
 * Test that you can receive and send email. It might take a minute.
 * Go to Google App Engine. Invite the new Apps account as an Owner (you might get away with a lower admin level, but this works for sure) in the App Engine project.
 * Go to the account's mail and Accept the invitation.
 * Set up billing in App Engine.
 * Set up billing in Google Apps.
 * Sign up for 5 SNI certificate slots ($9/mo at the time of writing)
 * Then go and set SSL in Google Apps: Security > Show more... > SSL for custom domains
 * Upload your certificates (see below)
 * Change the serving more to SNI
 * Assign the URL(s)
 * Wait 5 minutes and check it's working with DigiCert's tools

In theory you can use an App Engine account that's different from the Google Apps account, but this didn't work for me. Besides, you keep having to sign in and out so it's very confusing. This way worked for me and seems simple.

Certificates for uploading to Google Apps
Google requires public and private PEM format, unencrypted certificates. The public certificate is the domain-specific CRT file from the CA. The private one is the one you generated with the CSR.

Here's how to convert them before uploading to Google Apps:

cat www_domain_com.crt DigiCertCA.crt > public.pem openssl rsa -in www_domain_com.key -text > private.pem

Using HTTPS in Google App Engine
As far as I can tell, this is very easy. Just update  along these lines (for Python):

There seems to be no reason not to use HTTPS across the entire site.

Secure Python server
Concatenate all the certificates, to give the full chain. They must go in this order.

This might work, for example on Ubuntu:

Some things I read to get this far:
 * http://www.piware.de/2011/01/creating-an-https-server-in-python/
 * http://dennis.dieploegers.de/doku.php/my2cents/creating_a_ssl_http_server_in_python
 * http://code.activestate.com/recipes/442473-simple-http-server-supporting-ssl-secure-communica/
 * http://code.activestate.com/recipes/577548-https-httplib-client-connection-with-certificate-v/

Note, it might be possible to combine all the keys into the whole trust chain. I feel more comfortable keeping the public and private keys apart.

Troubleshooting
These tools are useful:
 * http://netalyzr.icsi.berkeley.edu/ — analyse your connection
 * http://www.wireshark.org/ — analyze packets to/from a site you are trying to connect to
 * http://www.digicert.com/help/ — DigiCert's checker

Summary

 * Fulfill the Before starting steps above
 * Choose a product
 * Send the CSR to the Certifying Authority, CA
 * Help the CA with the authentication steps — e.g. letter from lawyer
 * Wait for the certificate
 * Install the certificate at Google Apps (nb there is nothing to do in App Engine itself)
 * Check that it works
 * Update code to use HTTPS appropriately