Google Cloud Run - Domain Mapping stuck at Certificate Provisioning

Question

Is anyone getting this issue with Google Cloud Run Domain Mapping? When I add a custom domain to my domain mappings, I get this:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

I know it says it's only added 1 day ago and I should give it time, but I actually let it go for 5 days, deleted it, and this is my second try.

You can see in the below screenshot that it is added via Cloudflare. I even tried toggling the Proxy service on and off with no luck.

1) At this point I would delete the Cloud Run custom domain settings. 2) Your problem is your DNS server settings. Use an Internet tool such as MxToolbox to review your DNS server settings. Make sure each required record is configured exactly as Cloud Run requires. 3) Once the records resolve correctly recreate the domain mapping. — John Hanley, Sep 04 '19 at 19:01
@JohnHanley I wish it was, but there doesn't seem to be a problem with the DNS. I'm doing nothing different then any of my other `ghs.googlehosted.com` listed domains. Plus, I've done a review of my DNS settings including MxToolbox and [Google Apps Dig tools](https://toolbox.googleapps.com) and its showing up. In addition, my subdomain points to Google. I've updated a picture of what I get when I navigate to the domain at the bottom of my question — bryan, Sep 05 '19 at 12:09
A 404 does NOT mean that your DNS settings are correct. Until custom domain settings are complete, The Google Frontend (GFE) will not know where to send the request based upon the HTTP Host header. — John Hanley, Sep 05 '19 at 22:08
@JohnHanley This isn't rocket science. 1) Add CNAME 2) Wait for it to propagate. - Ever think this might be a bug in Google? — bryan, Sep 06 '19 at 13:26
1) Yes, of course, a bug is always possible with a beta product. However, re-read your question from my side. What details have you provided so that I can reproduce your problem? — John Hanley, Sep 06 '19 at 17:24
2) It looks like you opened an Issue Tracker. Is this correct? If that is the case your problem is rate-limiting and someone internal to Google is looking into this. If not, open one here: https://issuetracker.google.com/issues/new?component=608076&template=1312563 — John Hanley, Sep 06 '19 at 17:24
@JohnHanley I just opened an [issue](https://issuetracker.google.com/issues/140611842) — bryan, Sep 06 '19 at 18:15
Behind the scenes this is a `DomainMapping` kubernetes object, and it has an exponential timeout on retries (up to 5 minutes). Take that in conjunction with DNS caching, I have found that it'll take sometimes up to 40 minutes in that state for it to complete (assuming you have the 4 A and 4 AAAA records configured). I have setup 3 domains so far, and none of them went smoothly. — Matthew, May 27 '20 at 14:15
@bryan is your mapped domain a first level subdomain like sub1.domain.com or a deeper level like sub2.sub1.domain.com? — thammada.ts, Jun 14 '20 at 06:14
I am trying to map a google domain, so I get "ghs.googlehosted.com." instead of an ip address, do I have to do something with this data? — Chriso Lopez, Dec 18 '22 at 16:32

score 10 · Answer 1 · answered Feb 04 '20 at 18:28

10

Turning proxying off in CloudFlare resolved the issue in my case (keeping it as DNS only).

Most likely the Google balancer needs to get the request first-hand in order to make the certificate safe.

answered Feb 04 '20 at 18:28

Sebastian Sastre

2,034
20
21

JesusIniesta · Answer 2 · 2022-11-07T09:29:44.523

7

At the moment, seems like Domain Mapping is just a buggy service.

Seems like the solution at the moment is to be patient and to try several times until it works. I'd suggest to give it some time between attempts.

The reasons why I feel it's a buggy service:

gcloud beta run domain-mappings create stucks at Creating......⠼.
gcloud beta run domain-mappings describe shows messages such as:

"Domain mapping '[...domain_name...]' already exists for this application. You can modify this domain mapping with DomainMappings.PATCH".
"Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin." - Even though the DNS records are fine.

User Interface isn't any better. It also can stuck while creating... And in the console, it says that it may fail silently, suggesting to use gcloud CLI as a workaround

Update 2022

It's been a while since I last used this feature but it is still taking ~2 hours for the domain to become available.

edited Nov 07 '22 at 09:29

answered Apr 19 '20 at 18:34

JesusIniesta

10,412
1
35
28

1

As @bryan suggested, I found that toggling the proxy off for the subdomain (making it `DNS only`, helps accelerating certificate issuance, although is really a lottery). – JesusIniesta May 06 '20 at 16:30
Can you explain how you disable the proxy ? I'm mapping root level domain (that is, no subdomain, with A and AAAA records correctly setup). I have the similar issue: message: Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin. reason: CertificatePending status: Unknown type: Ready – Binajmen May 01 '21 at 10:06
1

I've got to agree this is "buggy" - `gcloud beta run domain-mappings describe --domain` returns essentially the same information for a fully provisioned map as an in-progress one. The web console is all but useless for getting useful information. This now 2+ years since your comment - when they say "help is on the way", I'm not sure it's wise to wait for it :-( – Ralph Bolton Aug 10 '22 at 04:26

score 7 · Answer 3 · edited Jul 21 '21 at 19:38

I faced the same issue with exact error:

Waiting for certificate provisioning. You must configure your DNS records for certificate issuance to begin.

After digging a bit more the error actually made sense. Before generating the cert Google is trying to check if our DNS records are properly configured and well propagated through all regions which is not the case for me due to some glitch at the nameserver level. I raised a ticket with my nameserver vendor with the DNS propagation report from the below tools/websites which clearly showed that the DNS records are not available in some regions. Once they fixed the propagation issue, all my reports started to show positive results after which I recreated my domain mapping and it worked within few minutes.

Tools used to check DNS propagation status:

It took like an hour for me.. but it worked automatically. – vishwarajanand Jan 24 '22 at 21:01 — vishwarajanand, Jan 24 '22 at 21:01

score 4 · Accepted Answer · answered Oct 23 '19 at 16:05

4

I just tried Toggling the proxy off again it seemed to work. They must have fixed something internally.

answered Oct 23 '19 at 16:05

bryan

8,879
18
83
166

Hi. Did you find a solution with the proxy on? Thanks – SexyMF Dec 09 '19 at 18:08
2

No there is no such solution. @SexyMF – bryan Dec 09 '19 at 18:10
2

Im hiring professionals service to resolve this issue. Ill let you know if ill find any – SexyMF Dec 09 '19 at 18:12

score 3 · Answer 5 · answered May 07 '20 at 07:41

I had the same issue in past few days, the loading icon was spinning for hours/day and my DNS records were correct (checked in google toolbox). I "resolved" this issue just by repetitive add/remove of the domain, after like four attempts it suddenly started to working. I always waited for hour+ before each attempt. I used the GCR interface, not the console solution. I guess, as was mentioned before, it's because it's still BETA, but maybe this comment might help someone till they resolve this issue.

I had the same. Third time it worked for me. Possibly an A propagation issue, possibly buggy. — Mr J, May 18 '20 at 16:30

score 2 · Answer 6 · answered Jul 25 '23 at 00:21

2

Remove current mapping in Google Cloud Run
In CloudFlare, change proxy status of the DNS record from Proxied to DNS only
Add mapping again in Google Cloud Run
Drink a cup of coffe and check it after 10-15 minutes

And you'll see this in Cloud Run

answered Jul 25 '23 at 00:21

Anar Salimkhanov

729
10
12

2

Thank you, that did the trick for me! I will add in case others encounter a different SSL error after this: I needed to switch my 'DNS only' back to 'Proxied I believe since in Cloudflare under SSL/TLS I'm using "Full". Cheers – Wesley LeMahieu Jul 31 '23 at 03:18
Works like a charm! – Mert Canatan Aug 14 '23 at 00:53

score 0 · Answer 7 · answered Jun 14 '20 at 21:57

Adding the domain mapping via the console does not show the correct DNS records to be added as is it missing the name field. If you run gcloud beta run domain-mappings create it shows the DNS records as having a name field with the value of the cloud run service.

score 0 · Answer 8 · answered Feb 04 '22 at 14:50

I had a similar error on a domain I bought with Goddady, the issue was a result of a parking domain whose source I can't tell unless it was set by the vendor. It mapped my domain to this page and its IP 34.102.136.180 was preventing my service from mapping correctly. After chatting with a gae assistant I was able to resolve the issue by deleting the IP, but of course, sought clarification from the vendor themselves. It was my first time using Godaddy and for the life of me I couldn't figure out the problem.

score -1 · Answer 9 · answered Aug 17 '22 at 00:04

-1

I had the same situation. Additionally incurred me error message on cloud domains.

Your domain is suspended because the registrant email address has not yet been verified. Check your email and follow the instructions to remove the suspension.

answered Aug 17 '22 at 00:04

smapira

87
7

Google Cloud Run - Domain Mapping stuck at Certificate Provisioning

9 Answers9

Update 2022

Linked