The certificate for one of our apps expired last week, despite being "Google managed". And when I check Settings/CUSTOM DOMAINS, ALL our custom domains across four apps have a little yellow warning which says "DNS records could not be found. Certificate activation will retry automatically."
Our DNS (with Cloudflare) is fine, and all sites are working correctly. But we've had to switch off TLS between Cloudflare and App Engine because the certificates might expire.
We've tried disabling and re-enabling managed security, and that still shows the warning icon. Anyone else seeing this?
Disable Cloudflare HTTPS so that Google's servers can reach the domain; once they do, you can enable it again. It usually takes a while, though.
Thanks for the advice. So this has happened to you too?
I remember that the Cloudflare web application firewall does prevent certificate validation (the proxy toggle in Cloudflare's DNS settings). I also have some vague memory of needing to explicitly allowlist some certificate validation method to pass validation behind the Cloudflare proxy.
Simple solution, if you plan to only use your site via Cloudflare: use a user-managed certificate on the Google side and create an origin certificate in Cloudflare (https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/). Such a certificate is free, but is trusted only by Cloudflare itself, meaning any visitors who hit your Google IP/domains without the Cloudflare proxy in front will get an untrusted SSL certificate error.
Wow - thanks for taking the time to explain this, makes a lot of sense.
I'd like to keep valid certificates on App Engine in case we ever have to switch Cloudflare proxying off, and having user-managed certificates will mean a lot of work keeping them current (we have around 25 custom domains).
So I think it's worth chasing Cloudflare to see if they can stop blocking Google's DNS requests. If I find a definitive answer, I'll post it here.