Wildcard subdomains on appengine over https on firefox

Question

When I go to https://wild.rileylark.appspot.com with chrome, I get the nice "this is going great" icon. When I use firefox 4, I get the "omg, you're effed" message:

wild.rileylark.appspot.com uses an invalid security certificate.

The certificate is only valid for the following names: *.appspot.com , *.*.appspot.com , appspot.com

1. Is this normal?
2. Anything I can do to fix this?

Answer 1

The workaround to this limitation is now described in docs: use -dot- in place of dots between your subdomain names, e.g. https://wild-dot-rileylark.appspot.com

Answer 2

So the specific condition here is that the name on the certificate is *.appspot.com, and *.*.appspot.com appears within the cert's Subject Alternate Names field.

A rejected Chrome bug covers this exact scenario. In it, the respondent indicates that this is deliberately unsupported in Chrome, points to Firefox source code suggesting the same, and asserts that both are following the IETF's recommended implementation of RFC 2818.

Answer 3

Please note that in April of 2013, Google stopped issuing SSL certificates for double-wildcard domains hosted at appspot.com (i.e. ..appspot.com). If you rely on such URLs for HTTPS access to your application, please change any application logic to use "-dot-" instead of ".". For example, to access version "1" of application "myapp" use "https://1-dot-myapp.appspot.com" instead of "https://1.myapp.appspot.com." If you continue to use "https://1.myapp.appspot.com" the certificate will not match, which will result in an error for any User-Agent that expects the URL and certificate to match exactly.

Ref: https://cloud.google.com/appengine/docs/python/modules/