
Fixing Google App Engine SSL Certificate Renewal Failure

Hello!

If you've landed here, your custom domain on Google App Engine (GAE) is throwing a NET::ERR_CERT_DATE_INVALID error and Google's managed certificate stubbornly refuses to renew itself. Here's what's likely happening and how to fix it.


Cloudflare's Proxy

In my case, my domain and subdomains are proxied through Cloudflare — including the ones pointing to GAE-hosted sites.

If your domain's A and AAAA records are proxied through Cloudflare (the orange cloud), Google cannot see its own IPs when attempting to validate your domain for certificate provisioning. It hits Cloudflare's IPs instead, panics, and gives up with a "Certificate activation has failed. DNS records could not be found" warning in your Custom Domains tab.

So in this scenario, we need to head to the Cloudflare dashboard ➡️ back to the GAE dashboard ➡️ wait ➡️ finally, the Cloudflare dashboard.

  1. Head to Cloudflare Dashboard

    Head to your Cloudflare DNS dashboard and toggle all A and AAAA records for your root domain (and CNAME records for the affected subdomains) from Proxied to DNS only (grey cloud). This exposes Google's IPs directly to the world, which is precisely what Google needs to see.

  2. Head to GAE — Retrigger SSL Certificate Renewal

    Rather than waiting indefinitely for Google's automation to notice the change, you can prod it manually.

    In your GAE Console, go to Settings ➡️ Custom Domains, select the affected domains, and click Disable managed security followed immediately by Enable managed security.

  3. Wait

    You should see a "Started certificate activation for domains" notification — that's your cue that Google has woken up and is cracking on with it.

    The certificate activation spinner should resolve within minutes rather than hours once the above steps are done.

    💡 One may verify this at their leisure by refreshing their respective domain within the confines of one's browser. 🎩

  4. Re-Enable Cloudflare Proxy

    Once the warning clears and your site loads securely again, head back to Cloudflare and flip those records back to Proxied (orange cloud).

Done. ✅


Note

Google's managed certificate renewals generally happen quietly in the background without requiring DNS re-validation, so this should be a one-time faff rather than a recurring ritual. However, should the certificate ever enter a broken state again, you now have the trick up your sleeve — grey-cloud, disable/enable managed security, done. ✅


Why Bother With GAE at All?

Fair question, given that Google apparently couldn't be bothered to document this. But here's the thing — GAE is an absolute fortress compared to the likes of AWS Elastic Beanstalk. Zero server management, automatic scaling, built-in security patching, and Google's own global infrastructure doing the heavy lifting without you lifting a finger. AWS EB, bless its heart, will cheerfully hand you the keys to a server and let you figure out the rest — security groups, load balancer configurations, instance patching, the whole frightful circus. Then it bills you for every piece you set up. Well, that suits corporate-type sites with all their glorious quid, not independent research or a hobby site.

GAE simply gets on with it. Deploy your code, point your domain, and Google handles everything else with quiet dignity — SSL certificates included, theoretically. The fact that it occasionally needs a gentle nudge to renew a certificate is frankly a minor grumble in an otherwise rather splendid arrangement. Do excuse the dialect — translation: otherwise, it's splendid. Thus to me, the tank wins — tank = GAE — for this case specifically.
