Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

While trying to enable managed security in the App Engine Settings > Custom domains for my new project, AtariGamer.com I ran into an issue with DNS. App Engine kept on displaying the yellow exclamation symbol with the error - "DNS records could not be found. Certificate activation will retry automatically".

This is what it looked like in the App Engine console...
gae_dnserr_1.png

gae_dnserr_5.png


I tried to reach out to Google and they were entirely not helpful in resolving this issue so I started digging around myself. After much searching I worked out that the issue was due to CNAME Flattening that CloudFlare implemented!

Back story: In my usual fashion I put the website on CloudFlare as soon as I could, as I've written previously here - How to securely host your web site for free with Google Cloud and CloudFlare. That article doesn't really apply now that Google is providing free SSL certificates to all App Engine projects, but it's still nice to have for load balancing and availability.

The free plan on CloudFlare doesn't give an option to disable CNAME flattening...
gae_dnserr_2.png




The key to enabling managed security in App Engine is that CNAME record of course. I tried setting it to bypass the CF network, but that had no effect.
gae_dnserr_3.png

gae_dnserr_4.png


So what was my solution?

I had to temporarily take my site off CloudFlare. This meant changing the name server records at my domain's registra. After changing name servers to my registra's standard name servers I added all of the required A, AAAA and CNAME entries that Google expects, waited the required TTL and then enabled managed security again.

It worked like a charm straight away (ok it took maybe 5 minutes to activate)! For some reason the certificate IDs did not show up in the UI however but there was a way to get them, more on that later.
gae_dnserr_6.png


After that I changed the name servers back to CloudFlare and enabled Full security in the Crypto tab. It kept on working and I confirmed that the site was being served from CloudFlare. I expect this should stick, unless Google decides to revalidate DNS records during SSL renew.


As I mentioned above there was a way to get certificate IDs, that's done using the gcloud tool. It's used like this...
 gcloud
gcloud --project=<your_project> beta app ssl-certificates list


When I tried that while the DNS error was being shown, it returned this to me (I replaced actual IDs with 9999999 but it did show real IDs) ...
 gcloud output
ID DISPLAY_NAME DOMAIN_NAMES MANAGED_CERTIFICATE_STATUS
9999999 managed_certificate atarigamer.com FAILED_RETRYING_NOT_VISIBLE
9999999 managed_certificate www.atarigamer.com


After getting everything working the output changed to...
 gcloud output
ID DISPLAY_NAME DOMAIN_NAMES MANAGED_CERTIFICATE_STATUS
9999999 managed_certificate atarigamer.com OK
9999999 managed_certificate www.atarigamer.com OK


Good luck!

-i

Hope you found this post useful...

...so please read on! I love writing articles that provide beneficial information, tips and examples to my readers. All information on my blog is provided free of charge and I encourage you to share it as you wish. There is a small favour I ask in return however - engage in comments below, provide feedback, and if you see mistakes let me know.

If you want to show additional support and help me pay for web hosting and domain name registration, donations, no matter how small, are always welcome!

Use of any information contained in this blog post/article is subject to this disclaimer.
comments powered by Disqus
Other posts you may like...