GCP Cloud Run domain mapping no longer working with Google Search Console switch
We've been regularly using Cloud Run with custom domain mappings, mapping to a proxied URL from Cloudflare. The mappings and DNS records are managed in Terraform.
As of the last week or so, the domain mapping handshake from Cloudflare to GCP no longer completes. It used to take 1-2 hours, now it never finishes.
We've made no changes to our flow, and nothing has changed on the Cloudflare side. However one thing that has happened is the deprecation of Google Webmaster Tools UI (which we used to use to verify domains) for Google Search Console. We had to re-add our domains to that UI and re-add the SAs as owners.
The switch to Search Console leads me to believe something has not carried forward correctly under the hood of Cloud Run's domain mapping, since that is the only thing that has changed.
We have this same issue. It doesn't seem to be down to the webmaster UI tool changes though. If we disable Cloudflare proxying on the hostname then the mappings are created successfully. It seems that Cloudflare is interfering with the ACME HTTP-01 challenge from Google.
Update: We've tracked down the issue on Cloudflare. Cloudflare was blocking the /.well-known/acme-challenge/ requests with a Captcha. You can see this under Security > Events
We resolved the problem by adding a page rule which prevents Cloudflare from doing a browser identity check on the /.well-known/acme-challenge/* urls
- oauth 2 parameters can only have a single value: scope
- Correct use of gcloud --sort-by combined with --limit
- App attestation failed with Firebase App check in release on Android
- Why doesn't the offline cloud firestore documentation have code for offline query indexes for flutter?
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Migrating from legacy Google FCM to HTTP v1 for push notifications
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Can we update a field due to its value without reading it in firebase?
- Use process.env variables inside next.config.js
- What is the best practice for decoding Firestore documents in a listener for Swift 5?
- How to install Google Cloud SDK app-engine-python on Debian 12?
- Bigquery service account restricted to a dataset
- Gcloud Pub/Sub: Total timeout of API google.pubsub.v1.Publisher exceeded 60000 milliseconds before any response was received
- Keep getting the error Google Sign-In Error: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null, null)
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- How to access cloud run environment variables in Dockerfile
- Error 400: Invalid JSON payload received when calling Google Generative Language API
- GCP Bucket Permissions by Prefix
- database connection URI string for GCP cloudsql postgres database?
- Who control Google Cloud platform filtering?
- gcloud cli command create eventarc errors
- Is there a way to block HTTP on GCP AppEngine
- How to generate GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET without a domain?
- How to change the source GitHub repository for a deployed project on Google Cloud Run?
- Not able to access Nexus console on my Ubuntu VM instance in GCP
- VertexAI Tabular AutoML rejecting rows containing nulls
- How to access Google Cloud Speech-to-text v2 API through HTTP/REST
- Importing a Model with Scikit Learn on Vertex
- Is there a simple way to host a JSON document you can read and update in Google Cloud Platform?
- how can I get my gcloud user creds into a container securely and use them to impersonate a service account when testing locally?