Igor Kromin |   Consultant. Coder. Blogger. Tinkerer. Gamer.

While trying to enable managed security in the App Engine Settings > Custom domains for my new project, AtariGamer.com I ran into an issue with DNS. App Engine kept on displaying the yellow exclamation symbol with the error - "DNS records could not be found. Certificate activation will retry automatically".

This is what it looked like in the App Engine console...


I tried to reach out to Google and they were entirely not helpful in resolving this issue so I started digging around myself. After much searching I worked out that the issue was due to CNAME Flattening that CloudFlare implemented!

Back story: In my usual fashion I put the website on CloudFlare as soon as I could, as I've written previously here - How to securely host your web site for free with Google Cloud and CloudFlare. That article doesn't really apply now that Google is providing free SSL certificates to all App Engine projects, but it's still nice to have for load balancing and availability.

The free plan on CloudFlare doesn't give an option to disable CNAME flattening...

The key to enabling managed security in App Engine is that CNAME record of course. I tried setting it to bypass the CF network, but that had no effect.


So what was my solution?

I had to temporarily take my site off CloudFlare. This meant changing the name server records at my domain's registra. After changing name servers to my registra's standard name servers I added all of the required A, AAAA and CNAME entries that Google expects, waited the required TTL and then enabled managed security again.

It worked like a charm straight away (ok it took maybe 5 minutes to activate)! For some reason the certificate IDs did not show up in the UI however but there was a way to get them, more on that later.

After that I changed the name servers back to CloudFlare and enabled Full security in the Crypto tab. It kept on working and I confirmed that the site was being served from CloudFlare. I expect this should stick, unless Google decides to revalidate DNS records during SSL renew.

As I mentioned above there was a way to get certificate IDs, that's done using the gcloud tool. It's used like this...
gcloud --project=<your_project> beta app ssl-certificates list

When I tried that while the DNS error was being shown, it returned this to me (I replaced actual IDs with 9999999 but it did show real IDs) ...
 gcloud output
9999999 managed_certificate atarigamer.com FAILED_RETRYING_NOT_VISIBLE
9999999 managed_certificate www.atarigamer.com

After getting everything working the output changed to...
 gcloud output
9999999 managed_certificate atarigamer.com OK
9999999 managed_certificate www.atarigamer.com OK

Good luck!


A quick disclaimer...

Although I put in a great effort into researching all the topics I cover, mistakes can happen. Use of any information from my blog posts should be at own risk and I do not hold any liability towards any information misuse or damages caused by following any of my posts.

All content and opinions expressed on this Blog are my own and do not represent the opinions of my employer (Oracle). Use of any information contained in this blog post/article is subject to this disclaimer.
Hi! You can search my blog here ⤵
NOTE: (2022) This Blog is no longer maintained and I will not be answering any emails or comments.

I am now focusing on Atari Gamer.