Domain fronting to App Engine stopped working

On or about 2018-04-13 16:00:00 UTC, domain-fronted requests for *.appspot.com stopped working. It appears to affect fronting to all appspot.com domains, not only ours. This has broken Snowflake client registration and Moat (legacy/trac#25807 (moved)).

Requests now fail with status code 502:

$ wget -q -O - --content-on-error -S https://www.google.com/ --header 'Host: snowflake-reg.appspot.com'
  HTTP/1.1 502 Bad Gateway
  Date: Sun, 15 Apr 2018 04:58:49 GMT
  Content-Type: text/html
  Server: HTTP server (unknown)
  Content-Length: 209
  X-XSS-Protection: 1; mode=block
  X-Frame-Options: SAMEORIGIN
  Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
<html><body><h1>502 Bad Gateway</h1>\
<p>This HTTP request has a Host header that is not covered \
by the TLS certificate used. Due to an infrastructure change, \
this request cannot be processed.</p></body></html>

This ticket is to document the issue; I'm not sure we can do anything about it directly.

Other related tickets:
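
The 502 body above names the rule now being enforced: the Host header must be covered by the certificate served on the TLS connection. The sketch below shows that kind of check for operators who want the same behaviour on their own front end. It is an added example, not part of the original ticket and not Google's code. The SAN lists are constructed, and the wildcard rules (whole left-most label only, exactly one label, no bare `*.tld`) are an assumption following common RFC 6125 practice.

```python
"""Reject requests whose Host header is not covered by the served certificate."""

def _labels(name):
    # Normalise: lower-case, drop a trailing dot, split into DNS labels.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, host):
    """Match a certificate DNS name against a host name.
    '*' is accepted only as the whole left-most label and stands for
    exactly one label; a bare '*.tld' pattern is refused."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def strip_port(host_header):
    # "example.com:443" -> "example.com"; bracketed IPv6 literals are left alone.
    host = host_header.strip()
    if host.startswith("["):
        return host
    return host.rsplit(":", 1)[0] if ":" in host else host

def check_request(cert_sans, host_header):
    """Return (status, reason) for a request arriving on a TLS connection
    whose certificate carries the DNS names in cert_sans."""
    host = strip_port(host_header)
    if any(name_matches(san, host) for san in cert_sans):
        return 200, "Host covered by certificate"
    return 502, "Host header not covered by the TLS certificate used"

# Constructed SAN list for the front domain's certificate (not a real one).
FRONT_CERT_SANS = ["www.google.com"]
# Constructed SAN list for a certificate issued for the App Engine domain.
APPSPOT_CERT_SANS = ["*.appspot.com", "appspot.com"]

if __name__ == "__main__":
    for sans, host in [
        (FRONT_CERT_SANS, "www.google.com"),
        (FRONT_CERT_SANS, "snowflake-reg.appspot.com"),   # the fronted case
        (APPSPOT_CERT_SANS, "snowflake-reg.appspot.com"),  # direct, SNI == Host
    ]:
        print(host, "->", check_request(sans, host))
```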