Google Cloud Run - Domain Mapping stuck at Certificate Provisioning

Question

Is anyone getting this issue with Google Cloud Run Domain Mapping? When I add a custom domain to my domain mappings, I get this:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

I know it says it's only added 1 day ago and I should give it time, but I actually let it go for 5 days, deleted it, and this is my second try.

You can see in the below screenshot that it is added via Cloudflare. I even tried toggling the Proxy service on and off with no luck.

Answer 1

I managed to get the domain mapping to work with Proxy status set to Proxied by creating a custom WAF rule to allow Google to validate the domain.

• Security -> WAF -> Custom Rules -> Create rule
• User Agent contains Google-Trust-Services and URI Path starts with /.well-known/acme-challenge
• Then take action -> Skip
• WAF components to skip -> Select everything also under More components to skip

I also needed to change encryption mode to get the website to load properly

• SSL/TLS -> Configure Encryption Mode -> FULL

Answer 2

• Remove current mapping in Google Cloud Run
• In CloudFlare, change proxy status of the DNS record from Proxied to DNS only
• Add mapping again in Google Cloud Run
• Drink a cup of coffe and check it after 10-15 minutes

And you'll see this in Cloud Run

Answer 3

At the moment, seems like Domain Mapping is just a buggy service.

Seems like the solution at the moment is to be patient and to try several times until it works. I'd suggest to give it some time between attempts.

The reasons why I feel it's a buggy service:

1. gcloud beta run domain-mappings create stucks at Creating......⠼.
2. gcloud beta run domain-mappings describe shows messages such as:

• "Domain mapping '[...domain_name...]' already exists for this application. You can modify this domain mapping with DomainMappings.PATCH".
• "Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin." - Even though the DNS records are fine.

3. User Interface isn't any better. It also can stuck while creating... And in the console, it says that it may fail silently, suggesting to use gcloud CLI as a workaround

Update 2022

It's been a while since I last used this feature but it is still taking ~2 hours for the domain to become available.

Answer 4

I had the same situation. Additionally incurred me error message on cloud domains.

Your domain is suspended because the registrant email address has not yet been verified. Check your email and follow the instructions to remove the suspension.

Answer 5

I had a similar error on a domain I bought with Goddady, the issue was a result of a parking domain whose source I can't tell unless it was set by the vendor. It mapped my domain to this page and its IP 34.102.136.180 was preventing my service from mapping correctly. After chatting with a gae assistant I was able to resolve the issue by deleting the IP, but of course, sought clarification from the vendor themselves. It was my first time using Godaddy and for the life of me I couldn't figure out the problem.

Answer 6

I faced the same issue with exact error:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

After digging a bit more the error actually made sense. Before generating the cert Google is trying to check if our DNS records are properly configured and well propagated through all regions which is not the case for me due to some glitch at the nameserver level. I raised a ticket with my nameserver vendor with the DNS propagation report from the below tools/websites which clearly showed that the DNS records are not available in some regions. Once they fixed the propagation issue, all my reports started to show positive results after which I recreated my domain mapping and it worked within few minutes.

Tools used to check DNS propagation status:

• https://dnspropagation.net/
• https://www.whatsmydns.net/
• https://dnschecker.org/

Answer 7

Adding the domain mapping via the console does not show the correct DNS records to be added as is it missing the name field. If you run gcloud beta run domain-mappings create it shows the DNS records as having a name field with the value of the cloud run service.

Answer 8

I had the same issue in past few days, the loading icon was spinning for hours/day and my DNS records were correct (checked in google toolbox). I "resolved" this issue just by repetitive add/remove of the domain, after like four attempts it suddenly started to working. I always waited for hour+ before each attempt. I used the GCR interface, not the console solution. I guess, as was mentioned before, it's because it's still BETA, but maybe this comment might help someone till they resolve this issue.

Answer 9

Turning proxying off in CloudFlare resolved the issue in my case (keeping it as DNS only).

Most likely the Google balancer needs to get the request first-hand in order to make the certificate safe.

Answer 10

I just tried Toggling the proxy off again it seemed to work. They must have fixed something internally.