Igor Kromin | Consultant. Coder. Blogger. Tinkerer. Gamer.

NOTE: This article is 3 years or older so its information may no longer be relevant. Read on at your own discretion! Comments for this article have automatically been locked, refer to the FAQ for more details.
While trying to enable managed security under App Engine Settings > Custom domains for my new project, AtariGamer.com, I ran into a DNS issue. App Engine kept displaying the yellow exclamation symbol with the error "DNS records could not be found. Certificate activation will retry automatically".

This is what it looked like in the App Engine console...


I reached out to Google, but they were not at all helpful in resolving this, so I started digging around myself. After much searching I worked out that the cause was the CNAME flattening that CloudFlare implements!

Back story: In my usual fashion I put the website on CloudFlare as soon as I could, as I've written previously here - How to securely host your web site for free with Google Cloud and CloudFlare. That article doesn't really apply now that Google provides free SSL certificates to all App Engine projects, but CloudFlare is still nice to have for load balancing and availability.

The free plan on CloudFlare doesn't give an option to disable CNAME flattening...

Managed security in App Engine depends on that CNAME record being visible, of course. I tried setting the record to bypass the CloudFlare network, but that had no effect.


So what was my solution?

I had to temporarily take my site off CloudFlare. This meant changing the name server records at my domain's registrar. After switching to my registrar's standard name servers I added all of the A, AAAA and CNAME entries that Google expects, waited out the TTL and then enabled managed security again.

It worked like a charm straight away (ok, it took maybe 5 minutes to activate)! For some reason the certificate IDs did not show up in the UI, but there was a way to get them; more on that later.

After that I changed the name servers back to CloudFlare and enabled Full security in the Crypto tab. It kept on working and I confirmed that the site was being served from CloudFlare. I expect this should stick, unless Google decides to revalidate the DNS records at SSL renewal.

As I mentioned above, there is a way to get the certificate IDs: the gcloud tool. It's used like this...
gcloud --project=<your_project> beta app ssl-certificates list

When I tried that while the DNS error was being shown, it returned this (I replaced the actual IDs with 9999999; the real output showed real IDs)...
 gcloud output
9999999 managed_certificate atarigamer.com FAILED_RETRYING_NOT_VISIBLE
9999999 managed_certificate www.atarigamer.com

After getting everything working the output changed to...
 gcloud output
9999999 managed_certificate atarigamer.com OK
9999999 managed_certificate www.atarigamer.com OK
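Two checks that would have shortened the diagnosis above, as an added example that is not from the original post: a classifier that tells whether a host name still exposes the CNAME App Engine validates or only flattened A/AAAA records, and a parser for the STATUS column of the gcloud list output. It assumes `dig` and `gcloud` are installed and that the list output keeps the columns shown above (ID TYPE DOMAIN STATUS).

```shell
#!/bin/sh
# Added example, not code from the original post. Checks for the problem
# described above: whether a host still exposes the CNAME that App Engine
# validates (or only flattened A/AAAA records), and the STATUS column of the
# gcloud list command. Assumes `dig` and `gcloud` are installed and the list
# columns shown in the post: ID TYPE DOMAIN STATUS.

# classify_answer HOST   (lines from "dig +noall +answer" on stdin)
# Prints one of: cname | flattened | missing
classify_answer() {
    want="${1%.}."              # dig prints owner names with a trailing dot
    have_cname=0
    have_addr=0
    while read -r owner _ttl _class type _data; do
        [ "${owner%.}." = "$want" ] || continue   # skip records for other names
        case "$type" in
            CNAME) have_cname=1 ;;
            A|AAAA) have_addr=1 ;;
        esac
    done
    if [ "$have_cname" -eq 1 ]; then echo cname
    elif [ "$have_addr" -eq 1 ]; then echo flattened
    else echo missing
    fi
}

# check_host HOST: live lookup. An A query returns the CNAME chain when one
# exists, so a CNAME-flattening provider shows up as "flattened".
check_host() {
    dig +noall +answer "$1" A | classify_answer "$1"
}

# cert_status DOMAIN   (output of the gcloud list command on stdin)
# Prints the STATUS column for DOMAIN, or UNKNOWN when the domain is not
# listed or is listed without a status (as www.atarigamer.com was above).
cert_status() {
    status=UNKNOWN
    while read -r _id _type domain st _rest; do
        if [ "$domain" = "$1" ]; then
            status="${st:-UNKNOWN}"
        fi
    done
    echo "$status"
}

# list_certs PROJECT: the command from the post
list_certs() {
    gcloud --project="$1" beta app ssl-certificates list
}
```

Typical use is `check_host www.example.com` before retrying activation, and `list_certs my-project | cert_status example.com` to poll the certificate state without the console.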

Good luck!

