Google App Engine SSL error "DNS records could not be found" even though custom domain is working

Question

I pointed a new custom domain to a Google App Engine Standard Environment project and edited the DNS records per Google's instructions, and it seems to be redirected properly. Now I'm under the impression that SSL certificates for App Engine projects can now be provided automatically by Let's Encrypt and do not necessarily need to be supplied by the user separately: https://cloud.google.com/appengine/docs/standard/go/securing-custom-domains-with-ssl

However, I'm having problem getting the SSL security service from Google. The error message in the App Engine console is: DNS records could not be found. Certificate activation will retry automatically.

This error message looks like this:

If I type gcloud beta app domain-mappings list, I get something that looks like this:

ID                    SSL_CERTIFICATE_ID  SSL_MANAGEMENT_TYPE  PENDING_AUTO_CERT
mydomain.com                              AUTOMATIC            1256789
www.mydomain.com      1234567             AUTOMATIC

I also tried "Disable managed security" and turn it back on by "Enable managed security", and get the same result after some minutes: "Managed certificate for www.mydomain.com activated." shows up, but not for mydomain.com.

If I go to www.mydomain.com with its supposedly activated certificate, I still get "connection is not secure" in the browser. If I go to "mydomain.com" it gets redirected to www.mydomain.com with the same result.

Any ideas?

Update: I just tried getting my own keys using Certbot and uploaded them to GAE. GAE showed a Certificate ID for both mydomain.com and www.mydomain.com. However I had to manually type "https" in the browser to get to the secure page. I found that I had to add "secure: always" in app.yaml before the domain will load the secure version by default. I still don't know why Google's default managed security option didn't work for me though; that would be much more convenient than getting and uploading my own scripts every 3 months.

Answer 1

Ok for anyone still stuck on this:

1. Go to https://console.cloud.google.com/appengine/

2. Select Settings

3. Add custom domain. select your domain name. (if you have not verified your account before this then do that first)

4. Select the domain you want to add

5. you will get a list of things that you need to create in your hosting acount something like this:

6. if you bought your domain name in GoDaddy then you will have to go into your Godaddy account -> YourDomain.com -> DNS -> Manage Zones. Then enter it there thus:

7. go back to app engine and click verify.

8. Enjoy!

Answer 2

• Go To "App Engine" -> "Settings" -> "Custom Domains"
• Click on "Add Custom Domain"
• Choose the Domain You Want

• You'll end up with something similar that originally brought you to this solution:

  App Engine Settings With Domain Name SSL Certificate Not Working

---

• Go to your Domain Registrar (assuming you bought your domain through Google) https://domains.google.com/m/registrar/
• Click on the domain name you'd like to resolve.
• Go to "DNS" -> "Custom resource records" at the bottom

• Fill in the info with the appropriately matching IPv4/IPv6 addresses:

  Custom Resource Records Where You'll Copy Over Info From App Engine

** Precaution: This is for domain names bought through Google's registrar. If you bought yours elsewhere then the steps may differ.

Answer 3

Igor Kromin's article outlined the exact same issue that I was having.

I too was / am using CloudFLare's free solution. For some reason Google App Engine didn't immediately recognize the TXT record, so I went ahead and did the alternative CNAME based mapping. Apparently, when you do this, the Cloudflare CNAME flattening kicks in, and will do something to the records. When we try to verify domain ownership, it works though. But later, when the APP Engine's Google managed auto-renewing agent looks at the records, somehow they don't match up!

Solution is to simply keep trying to verify the TXT record which Cloudflare doesn't modify, and then it works out.

Tip: If you're trying to verify a subdomain to app engine like api.yourdomain.com, your TXT record needs to be with the api domain name, not at @ like normal.

Answer 4

I also faced this same issue recently with GoDaddy, but for me in addition to dangalg's answer, I have to delete the Parked DNS record in GoDaddy to get it resolved.

Answer 5

Came across the same issue. Steps I took including the steps by @Rajasegar:

1. Removed Parked DNS record from GoDaddy DNS console.
2. Make sure you are logged in to the correct project by running the command below.

gcloud config list

• Check the output:

    [core] 
    account = [[email protected]]
    disable_usage_reporting = True  
    project = [your-project]
  

3. Run domain-mappings update command from terminal to update the cert on mydomain with the cert-management set to AUTO

gcloud app domain-mappings update 'mydomain.com' --certificate-management=AUTOMATIC

Took few seconds for me to see the updated cert for the naked domain in the Custom Domains properties.

Answer 6

In my case I accidentally created a C record for the naked domain (@) in addition to the www. subdomain which should exclusively have it. As there can't be a TXT record on the same level as a C record, the verification failed. Totally my bad but maybe anyone else is also having such issues.