Reputation: 1277
Recently my staging website went down with a 525 error.
This means that the origin server doesn't trust Cloudflare, but it's been 6 months that I haven't touched anything between Cloud Run and Cloudflare.
To make it work again I had to put Cloudflare in Full (Not strict) Mode.
Do you think this problem has been caused by a Cloudflare certificate renewal? If it's the case, I need to put Cloudflare Origin CA on Cloud Run, but I can't find anything about this.
Hope you can help me, thanks!
Upvotes: 8
Views: 4406
Reputation: 336
You can now authorize a GCP managed SSL certificate with a proxy enabled using DNS authorization.
Upvotes: 1
Reputation: 45216
We are investigating this. It seems like the issue is the TLS certificate for your domain expires after 88 days and it is not renewed.
This is currently due to how our CA works (and how many other CAs, like Let's Encrypt, work too) and to the ACME protocol. When Cloudflare is running in "proxy mode", it hijacks the requests to /.well-known instead of proxying them to Cloud Run. This prevents our certificate issuance challenge from working.
In your case, you have changed the DNS records to point to Cloudflare, so the CA cannot validate you’re using Cloud Run anymore, and therefore cannot issue a renewal cert.
I hope to update there if/when we have a solution that can allow this setup.
Please Cc yourself on this public issue to get notified of updates: https://issuetracker.google.com/issues/157498377
Upvotes: 10
Reputation: 713
This won't have anything to do with Cloudflare's certificate, but will happen when the origin server's certificate is invalid in some way. Verify that the origin cert is not expired and is signed by a trusted root CA. If it is not trusted by a root CA, it is also possible to use a non-root trusted Cloudflare-issued cert to solve this issue.
Upvotes: 1
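The two answers above point at the same diagnostic: connect to the origin directly, skipping the Cloudflare proxy, and check whether its certificate is still trusted and how close it is to the short (88-day) expiry the Google answer describes. The script below does that check; it is an added example, not code from the question, the answers, Google or Cloudflare. The host name and origin address passed to `probe_origin` are placeholders you supply, and the 30-day renewal window is an assumption (it is the point at which ACME clients typically renew), not something stated on the page.

```python
"""Probe a Cloud Run origin directly (bypassing the Cloudflare proxy) and report
whether its certificate would pass a Full (strict)-style check: chain trusted by
public roots, hostname matches, not expired.  Added example; placeholders only."""
import socket
import ssl
import time

# ACME-style CAs issue short-lived certs (the answer above mentions 88 days).
# Assumption: a cert with fewer than this many days left should already have
# been renewed, so that state is reported as "renewal-overdue".
RENEWAL_WINDOW_DAYS = 30


def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from ssl.getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT'.  Returns whole days left, negative if expired."""
    now = time.time() if now is None else now
    expiry = ssl.cert_time_to_seconds(not_after)  # notAfter is always UTC
    return int((expiry - now) // 86400)


def classify(verify_error, days_left):
    """Map a handshake outcome onto the states that matter for a 525 diagnosis."""
    if verify_error is not None:
        return "untrusted:" + verify_error
    if days_left < 0:
        return "expired"
    if days_left < RENEWAL_WINDOW_DAYS:
        return "renewal-overdue"
    return "ok"


def probe_origin(host, origin_addr, port=443, timeout=5.0):
    """Handshake with origin_addr while sending host as SNI, which is what the
    Cloudflare proxy does in Full (strict) mode.  Returns (state, days_left)."""
    ctx = ssl.create_default_context()  # public roots + hostname verification
    # Full (strict) also accepts Cloudflare Origin CA certs; if the origin uses
    # one, load that root with ctx.load_verify_locations() before probing.
    try:
        with socket.create_connection((origin_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, wrong name, or a root the client does not know:
        # each of these surfaces to visitors as Cloudflare error 525.
        return classify(exc.verify_message, 0), None
    days_left = days_until_expiry(not_after)
    return classify(None, days_left), days_left


if __name__ == "__main__":
    # Placeholders: your proxied host name and the origin's real IP/hostname.
    print(probe_origin("staging.example.com", "ORIGIN_IP_PLACEHOLDER"))
```

Point `probe_origin` at the origin's own address rather than the proxied name, otherwise you only test Cloudflare's edge certificate. A result of `untrusted:certificate has expired` on a cert that was issued about 88 days ago is the renewal failure the Google answer describes; switching Cloudflare to Full (not strict), as the question did, hides the expiry from visitors but does not renew the cert.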