gcloud cli app engine domain mapping error

Question

I am trying to get multiple microservices to run on a single app engine of a single project. I am following this official documentation from GCP

https://cloud.google.com/appengine/docs/standard/python3/mapping-custom-domains

When I try to create a wild card mapping like this

gcloud app domain-mappings create '*.example.com'

So that GCP backend engines can match the request accordingly:

[VERSION_ID].[SERVICE_ID].example.com

I get the following error

ERROR: (gcloud.app.domain-mappings.create) INVALID_ARGUMENT: A managed certificate cannot be created on a wildcard domain mapping. Set `ssl_management_type` to `MANUAL` and retry the domain mapping creation. You can manually create an SSL certificate with `AuthorizedCertificates.CREATE` and map it to this domain mapping with `AuthorizedCertificates.UPDATE`.

Could anyone help with this?

Answer 1

It looks like by default the command attempts to configure managed SSL certificates, which aren't compatible with wildcard domain mappings. From Wildcard mappings:

**Note**: Wildcard mappings are not supported for managed SSL certificates.

As the error message suggests you can disable that with an option. From gcloud beta app domain-mappings create:

--certificate-management=CERTIFICATE_MANAGEMENT

Type of certificate management. 'automatic' will provision an SSL certificate automatically while 'manual' requires the user to provide a certificate id to provision. CERTIFICATE_MANAGEMENT must be one of: automatic, manual.

So just try instead:

gcloud app domain-mappings create '*.example.com' --certificate-management=manual

I see a discrepancy: the error message mentions the ssl_management_type option while the doc page shows certificate-management. Try both if needed - it may be just an error or it may be a renamed option (which may or may not still be supported under the hood).

Of course, if you want SSL, you'd have to manage the SSL certificate(s) yourself (maybe using the --certificate-id option, documented on the same page?). In that case also check out the related Google App Engine custom subdomain mapping for a specific version for potential implications of variable domain nesting.