18
votes

I pointed a new custom domain to a Google App Engine Standard Environment project and edited the DNS records per Google's instructions, and it seems to be redirected properly. Now I'm under the impression that SSL certificates for App Engine projects can now be provided automatically by Let's Encrypt and do not necessarily need to be supplied by the user separately: https://cloud.google.com/appengine/docs/standard/go/securing-custom-domains-with-ssl

However, I'm having problem getting the SSL security service from Google. The error message in the App Engine console is: DNS records could not be found. Certificate activation will retry automatically.

This error message looks like this: [screenshot omitted]

If I type gcloud beta app domain-mappings list, I get something that looks like this:

ID                    SSL_CERTIFICATE_ID  SSL_MANAGEMENT_TYPE  PENDING_AUTO_CERT
mydomain.com                              AUTOMATIC            1256789
www.mydomain.com      1234567             AUTOMATIC

I also tried "Disable managed security" and turning it back on with "Enable managed security", and got the same result after some minutes: "Managed certificate for www.mydomain.com activated." shows up, but not for mydomain.com.

If I go to www.mydomain.com with its supposedly activated certificate, I still get "connection is not secure" in the browser. If I go to "mydomain.com" it gets redirected to www.mydomain.com with the same result.

Any ideas?

Update: I just tried getting my own keys using Certbot and uploaded them to GAE. GAE showed a Certificate ID for both mydomain.com and www.mydomain.com. However, I had to manually type "https" in the browser to get to the secure page. I found that I had to add "secure: always" in app.yaml before the domain would load the secure version by default. I still don't know why Google's default managed security option didn't work for me though; that would be much more convenient than getting and uploading my own scripts every 3 months.

5
Wild guess – maybe try the solution from stackoverflow.com/q/48189584/4495081? – Dan Cornilescu

Does mydomain.com actually have those DNS records that it's saying you need to add? I would check for you but you blacked out the domain (it might be in Cloud DNS or at your web hosting provider). Another possibility is that there was a high TTL on the DNS records before you changed them; the only way may be to wait for the old records to expire in that case. – gravitation

I tried to do that solution before but the console wouldn't let me re-verify the custom domain (it says the custom domain is already verified and won't let me remove it). I did add the A and AAAA DNS records at my webhost, like "@ 300 IN A 216.239.32.21" and "@ 300 IN AAAA 2001:4860:4802:32::15". The webhost's original TTL was set to expire in 3 hours, but it's been longer than that. How should I check whether the DNS records are actually in place? – user

I tried in the App Engine console to remove the problematic mydomain.com but left just www.mydomain.com, and disabled then re-enabled managed security. It says "managed certificate for www.mydomain.com activated" and I get a SSL_CERTIFICATE_ID in the command prompt though not in the web console (same as before). But if I go to www.mydomain.com now I still get "connection is not secure". – user

Documentation says: "If the certificate is for www.example.com you can verify ownership of either www.example.com or example.com." Have you tried leaving only one entry? – A.Queue

5 Answers

10
votes

Ok, for anyone still stuck on this:

  1. Go to https://console.cloud.google.com/appengine/
  2. Select Settings.
  3. Add custom domain. Select your domain name. (If you have not verified your account before this, then do that first.)
  4. Select the domain you want to add.
  5. You will get a list of things that you need to create in your hosting account, something like this: [screenshot omitted: the addresses from App Engine]
  6. If you bought your domain name in GoDaddy then you will have to go into your GoDaddy account -> YourDomain.com -> DNS -> Manage Zones. Then enter it there thus: [screenshot omitted]
  7. Go back to App Engine and click verify.
  8. Enjoy!

5
votes

Precaution: This is for domain names bought through Google's registrar. If you bought yours elsewhere then the steps may differ.

3
votes

Igor Kromin's article outlined the exact same issue that I was having.

I too was / am using Cloudflare's free solution. For some reason Google App Engine didn't immediately recognize the TXT record, so I went ahead and did the alternative CNAME-based mapping. Apparently, when you do this, the Cloudflare CNAME flattening kicks in and will do something to the records. When we try to verify domain ownership, it works though. But later, when App Engine's Google-managed auto-renewing agent looks at the records, somehow they don't match up!

The solution is to simply keep trying to verify the TXT record, which Cloudflare doesn't modify, and then it works out.

Tip: If you're trying to verify a subdomain to app engine like api.yourdomain.com, your TXT record needs to be with the api domain name, not at @ like normal.

0
votes

In my case I accidentally created a C record for the naked domain (@) in addition to the www. subdomain, which should exclusively have it. As there can't be a TXT record on the same level as a C record, the verification failed. Totally my bad, but maybe someone else is also having such issues.

0
votes

I also faced this same issue recently with GoDaddy, but for me, in addition to dangalg's answer, I had to delete the Parked DNS record in GoDaddy to get it resolved.
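As an added example (not code from the original post, nor from Google), here is a small Python check that compares the A/AAAA/TXT records App Engine asked for against a dump of what the zone actually publishes, flagging the apex CNAME mistake from the answer above and leftover parking addresses like the GoDaddy one in the last answer. The two IP addresses are the ones quoted in the question's comments; the TXT token, the parking address and the zone dump are constructed samples.

```python
# Added example, not from the original post: compare the records App Engine asks
# for with what the zone publishes, flagging the two mistakes the answers describe
# (a CNAME at the apex, leftover parking A records). Values are constructed samples.
from collections import defaultdict
from typing import Iterable, NamedTuple

class Record(NamedTuple):
    name: str    # owner relative to the zone; "@" is the apex
    rtype: str   # A, AAAA, CNAME or TXT
    value: str

def normalize(r: Record) -> Record:
    # Owner names and types are case-insensitive; TXT values are often quoted.
    return Record(r.name.lower().rstrip("."), r.rtype.upper(), r.value.strip().strip('"'))

def check_zone(expected: Iterable[Record], published: Iterable[Record]) -> dict:
    exp = {normalize(r) for r in expected}
    pub = {normalize(r) for r in published}
    by_owner = defaultdict(set)
    for r in pub:
        by_owner[r.name].add(r)
    # RFC 1034 s3.6.2: a CNAME owner may carry no other data, so a CNAME at "@"
    # invalidates the apex A/AAAA/TXT records and ownership verification fails.
    conflicts = [o for o, rrs in by_owner.items()
                 if any(r.rtype == "CNAME" for r in rrs) and len(rrs) > 1]
    # Extra A/AAAA records beside the App Engine ones (e.g. a registrar's parking
    # address) make the name resolve inconsistently, so issuance keeps failing.
    addr_owners = {r.name for r in exp if r.rtype in ("A", "AAAA")}
    unexpected = [r for r in pub
                  if r.rtype in ("A", "AAAA") and r.name in addr_owners and r not in exp]
    return {"missing": sorted(exp - pub), "cname_conflicts": sorted(conflicts),
            "unexpected_address": sorted(unexpected)}

EXPECTED = [  # what the App Engine console asked for
    Record("@", "A", "216.239.32.21"),
    Record("@", "AAAA", "2001:4860:4802:32::15"),
    Record("@", "TXT", "google-site-verification=PLACEHOLDER_TOKEN"),  # placeholder
]
PUBLISHED = [  # constructed dump of a misconfigured zone
    Record("@", "A", "216.239.32.21"),
    Record("@", "A", "192.0.2.10"),             # leftover parking address
    Record("@", "CNAME", "www.mydomain.com."),  # the apex CNAME mistake
    Record("@", "TXT", '"google-site-verification=PLACEHOLDER_TOKEN"'),
    Record("www", "CNAME", "mydomain.com."),
]

if __name__ == "__main__":
    for kind, items in check_zone(EXPECTED, PUBLISHED).items():
        print(kind, items)
```

Feed PUBLISHED from a real zone export (or `dig` output parsed into Record tuples) to see exactly which record App Engine cannot find before toggling managed security again.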