Google Cloud Run - Domain Mapping stuck at Certificate Provisioning

Asked 4/9, 2019 at 13:33 Answered 25/7, 2023 at 0:21

Solved google-cloud-platform google-cloud-run

Is anyone getting this issue with Google Cloud Run Domain Mapping? When I add a custom domain to my domain mappings, I get this:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

I know it says it's only added 1 day ago and I should give it time, but I actually let it go for 5 days, deleted it, and this is my second try.

You can see in the below screenshot that it is added via Cloudflare. I even tried toggling the Proxy service on and off with no luck.

Nadene answered 4/9, 2019 at 13:33 Comment(11)

1) At this point I would delete the Cloud Run custom domain settings. 2) Your problem is your DNS server settings. Use an Internet tool such as MxToolbox to review your DNS server settings. Make sure each required record is configured exactly as Cloud Run requires. 3) Once the records resolve correctly recreate the domain mapping. – Downer 4/9, 2019 at 19:1

@JohnHanley I wish it was, but there doesn't seem to be a problem with the DNS. I'm doing nothing different then any of my other ghs.googlehosted.com listed domains. Plus, I've done a review of my DNS settings including MxToolbox and Google Apps Dig tools and its showing up. In addition, my subdomain points to Google. I've updated a picture of what I get when I navigate to the domain at the bottom of my question – Nadene 5/9, 2019 at 12:9

A 404 does NOT mean that your DNS settings are correct. Until custom domain settings are complete, The Google Frontend (GFE) will not know where to send the request based upon the HTTP Host header. – Downer 5/9, 2019 at 22:8

@JohnHanley This isn't rocket science. 1) Add CNAME 2) Wait for it to propagate. - Ever think this might be a bug in Google? – Nadene 6/9, 2019 at 13:26

1) Yes, of course, a bug is always possible with a beta product. However, re-read your question from my side. What details have you provided so that I can reproduce your problem? – Downer 6/9, 2019 at 17:24

2) It looks like you opened an Issue Tracker. Is this correct? If that is the case your problem is rate-limiting and someone internal to Google is looking into this. If not, open one here: issuetracker.google.com/issues/… – Downer 6/9, 2019 at 17:24

@JohnHanley I just opened an issue – Nadene 6/9, 2019 at 18:15

Behind the scenes this is a DomainMapping kubernetes object, and it has an exponential timeout on retries (up to 5 minutes). Take that in conjunction with DNS caching, I have found that it'll take sometimes up to 40 minutes in that state for it to complete (assuming you have the 4 A and 4 AAAA records configured). I have setup 3 domains so far, and none of them went smoothly. – Cyd 27/5, 2020 at 14:15

@Nadene is your mapped domain a first level subdomain like sub1.domain.com or a deeper level like sub2.sub1.domain.com? – Bebeeru 14/6, 2020 at 6:14

@thammada it's a first level subdomain. – Nadene 14/6, 2020 at 14:42

I am trying to map a google domain, so I get "ghs.googlehosted.com." instead of an ip address, do I have to do something with this data? – Prudenceprudent 18/12, 2022 at 16:32

I just tried Toggling the proxy off again it seemed to work. They must have fixed something internally.

Nadene answered 23/10, 2019 at 16:5 Comment(3)

Hi. Did you find a solution with the proxy on? Thanks – Coe 9/12, 2019 at 18:8

No there is no such solution. @Coe – Nadene 9/12, 2019 at 18:10

Im hiring professionals service to resolve this issue. Ill let you know if ill find any – Coe 9/12, 2019 at 18:12

Turning proxying off in CloudFlare resolved the issue in my case (keeping it as DNS only).

Most likely the Google balancer needs to get the request first-hand in order to make the certificate safe.

Whimwham answered 4/2, 2020 at 18:28 Comment(0)

At the moment, seems like Domain Mapping is just a buggy service.

Seems like the solution at the moment is to be patient and to try several times until it works. I'd suggest to give it some time between attempts.

The reasons why I feel it's a buggy service:

gcloud beta run domain-mappings create stucks at Creating......⠼.
gcloud beta run domain-mappings describe shows messages such as:

"Domain mapping '[...domain_name...]' already exists for this application. You can modify this domain mapping with DomainMappings.PATCH".
"Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin." - Even though the DNS records are fine.

User Interface isn't any better. It also can stuck while creating... And in the console, it says that it may fail silently, suggesting to use gcloud CLI as a workaround

Update 2022

It's been a while since I last used this feature but it is still taking ~2 hours for the domain to become available.

Intension answered 19/4, 2020 at 18:34 Comment(3)

As @Nadene suggested, I found that toggling the proxy off for the subdomain (making it DNS only, helps accelerating certificate issuance, although is really a lottery). – Intension 6/5, 2020 at 16:30

Can you explain how you disable the proxy ? I'm mapping root level domain (that is, no subdomain, with A and AAAA records correctly setup). I have the similar issue: message: Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin. reason: CertificatePending status: Unknown type: Ready – Ciliata 1/5, 2021 at 10:6

I've got to agree this is "buggy" - gcloud beta run domain-mappings describe --domain returns essentially the same information for a fully provisioned map as an in-progress one. The web console is all but useless for getting useful information. This now 2+ years since your comment - when they say "help is on the way", I'm not sure it's wise to wait for it :-( – Golter 10/8, 2022 at 4:26

I faced the same issue with exact error:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

After digging a bit more the error actually made sense. Before generating the cert Google is trying to check if our DNS records are properly configured and well propagated through all regions which is not the case for me due to some glitch at the nameserver level. I raised a ticket with my nameserver vendor with the DNS propagation report from the below tools/websites which clearly showed that the DNS records are not available in some regions. Once they fixed the propagation issue, all my reports started to show positive results after which I recreated my domain mapping and it worked within few minutes.

Tools used to check DNS propagation status:

Surtout answered 21/7, 2021 at 17:19 Comment(1)

It took like an hour for me.. but it worked automatically. – Haddix 24/1, 2022 at 21:1

I just tried Toggling the proxy off again it seemed to work. They must have fixed something internally.

Nadene answered 23/10, 2019 at 16:5 Comment(3)

Hi. Did you find a solution with the proxy on? Thanks – Coe 9/12, 2019 at 18:8

No there is no such solution. @Coe – Nadene 9/12, 2019 at 18:10

Im hiring professionals service to resolve this issue. Ill let you know if ill find any – Coe 9/12, 2019 at 18:12

Remove current mapping in Google Cloud Run
In CloudFlare, change proxy status of the DNS record from Proxied to DNS only
Add mapping again in Google Cloud Run
Drink a cup of coffe and check it after 10-15 minutes

And you'll see this in Cloud Run

Suzansuzann answered 25/7, 2023 at 0:21 Comment(2)

Thank you, that did the trick for me! I will add in case others encounter a different SSL error after this: I needed to switch my 'DNS only' back to 'Proxied I believe since in Cloudflare under SSL/TLS I'm using "Full". Cheers – Dietitian 31/7, 2023 at 3:18

@WesleyLeMahieu thank you switching back my 'DNS only' back to 'Proxied' got the job done. – Astred 14/5 at 14:29

I had the same issue in past few days, the loading icon was spinning for hours/day and my DNS records were correct (checked in google toolbox). I "resolved" this issue just by repetitive add/remove of the domain, after like four attempts it suddenly started to working. I always waited for hour+ before each attempt. I used the GCR interface, not the console solution. I guess, as was mentioned before, it's because it's still BETA, but maybe this comment might help someone till they resolve this issue.

Puppetry answered 7/5, 2020 at 7:41 Comment(1)

I had the same. Third time it worked for me. Possibly an A propagation issue, possibly buggy. – Terwilliger 18/5, 2020 at 16:30

Adding the domain mapping via the console does not show the correct DNS records to be added as is it missing the name field. If you run gcloud beta run domain-mappings create it shows the DNS records as having a name field with the value of the cloud run service.

Nerves answered 14/6, 2020 at 21:57 Comment(0)

I had a similar error on a domain I bought with Goddady, the issue was a result of a parking domain whose source I can't tell unless it was set by the vendor. It mapped my domain to this page and its IP 34.102.136.180 was preventing my service from mapping correctly. After chatting with a gae assistant I was able to resolve the issue by deleting the IP, but of course, sought clarification from the vendor themselves. It was my first time using Godaddy and for the life of me I couldn't figure out the problem.

Steere answered 4/2, 2022 at 14:50 Comment(0)

-1

I had the same situation. Additionally incurred me error message on cloud domains.

Your domain is suspended because the registrant email address has not yet been verified. Check your email and follow the instructions to remove the suspension.

Beech answered 17/8, 2022 at 0:4 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Update 2022

Recommended topics

Hot tags