ahmetb / cloud-run-faq

Unofficial FAQ and everything you've been wondering about Google Cloud Run.
https://cloud.run
Creative Commons Attribution 4.0 International

Remove Cloudflare as a CDN solution. #82

Closed bradleyg closed 4 years ago

bradleyg commented 4 years ago

Cloud Run managed certs can't renew if Cloudflare's proxy/CDN is enabled. Perhaps due to a failing DNS challenge?

ahmetb commented 4 years ago

@steren Have you encountered a TLS cert renew issue with custom domains behind Cloudflare?

I think Cloud Run now uses Google's own CA. I'm not sure what sort of challenge Google's own CA uses for issuing certificates.

I don't think it's a DNS challenge as you mention here, as we only require users to set CNAME or A/AAAA records, not ones that can solve ACME challenges.

steren commented 4 years ago

I have not encountered this issue but it might be real and we should fix it. bradleyg@, instead of removing content in this FAQ, can you open an issue in the GCP issue tracker with more details? https://cloud.google.com/support/docs/issue-trackers

ernestoalejo commented 4 years ago

Just yesterday I was activating a new custom domain. With Cloudflare enabled I waited for ~3h and the certificate was still pending. As soon as I disabled the CDN the certificate was generated and the app started serving in the custom domain.

Being able to upload custom SSL certificates (https://issuetracker.google.com/issues/140435025) might also solve this issue; we could upload the Cloudflare Origin certificate, which is semi-permanent as it lasts for 15 years.

bradleyg commented 4 years ago

Sure, I'll file a bug. Looks like there is another report here too.

steren commented 4 years ago

ernestoalejo@ can you open an issue in the issue tracker with the exact steps that lead to the issue? It seems that your issue is not about renewal but about setting up the domain mapping.

ernestoalejo commented 4 years ago

I've filed this other bug: https://issuetracker.google.com/issues/157498450

I think this message from the API, with the typo included, could be helpful to find the issue:

Certificate issuance pending. The challenege data was not visible through the public internet. This may indicate that DNS is not properly configured or has not fully propagated. The system will retry.

But no retry will fix this error, as it will never see the CNAME. It always sees two A records pointing to the Cloudflare CDN service which intercepts the requests.
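The symptom described in this thread (the issuer never sees the CNAME, only the proxy's A records) can be caught before a domain mapping is created by comparing the records Cloud Run asked for with what public resolvers actually return. The following pre-flight check is an added example, not code from the FAQ or from the Cloud Run project; `ghs.googlehosted.com` is used only as an assumed placeholder for the CNAME target the console shows you, and all IP addresses are constructed TEST-NET values standing in for the two proxy A records mentioned above. It also handles the apex (A/AAAA) mapping case, which the thread mentions but does not show.

```python
"""Pre-flight check for a Cloud Run custom domain mapping (added example).

Compares the DNS records the mapping expects with the records a public
resolver observes and classifies the result. The "proxied" verdict is the
case from this thread: a CNAME was expected, but the public answer only
shows A/AAAA records, so the certificate issuer's challenge will hit the
CDN/proxy instead of Cloud Run and issuance stays pending forever.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Record:
    """One DNS record as (type, value), e.g. ("CNAME", "ghs.googlehosted.com.")."""
    rtype: str
    value: str

    def normalized(self) -> "Record":
        # DNS names are case-insensitive and may carry a trailing dot.
        return Record(self.rtype.upper(), self.value.lower().rstrip("."))


EXPLANATIONS = {
    "ok": "Public DNS shows exactly the records the mapping expects.",
    "not_propagated": "No CNAME/A/AAAA answer yet; the zone may not have propagated.",
    "proxied": "Expected a CNAME but public DNS only shows addresses: a proxy/CDN "
               "is answering for the name, so the issuer's challenge cannot reach "
               "Cloud Run. Disable the proxy (DNS-only) for this record.",
    "mismatch": "Expected records are missing and other records are present; "
                "check for stale or mistyped entries (or a proxy in front of an apex).",
}


def diagnose(expected: Iterable[Record], observed: Iterable[Record]) -> Dict[str, object]:
    """Classify an observed DNS answer against the records a mapping requires."""
    exp = {r.normalized() for r in expected}
    obs = {r.normalized() for r in observed
           if r.rtype.upper() in ("CNAME", "A", "AAAA")}

    key = lambda r: (r.rtype, r.value)
    missing: List[Record] = sorted(exp - obs, key=key)
    unexpected: List[Record] = sorted(obs - exp, key=key)

    expects_cname = any(r.rtype == "CNAME" for r in exp)
    sees_cname = any(r.rtype == "CNAME" for r in obs)
    sees_addresses = any(r.rtype in ("A", "AAAA") for r in obs)

    if not missing:
        verdict = "ok"
    elif not obs:
        verdict = "not_propagated"
    elif expects_cname and not sees_cname and sees_addresses:
        verdict = "proxied"  # the CNAME is hidden behind a proxy's addresses
    else:
        verdict = "mismatch"

    return {"verdict": verdict, "missing": missing, "unexpected": unexpected,
            "explanation": EXPLANATIONS[verdict]}


# Constructed sample data (not taken from any real zone).
SAMPLE_EXPECTED_CNAME = [Record("CNAME", "ghs.googlehosted.com.")]  # assumed target
SAMPLE_OBSERVED_PROXIED = [Record("A", "203.0.113.10"), Record("A", "203.0.113.11")]
SAMPLE_OBSERVED_DNS_ONLY = [Record("CNAME", "GHS.googlehosted.com")]
SAMPLE_EXPECTED_APEX = [Record("A", "198.51.100.1"), Record("AAAA", "2001:db8::1")]
SAMPLE_OBSERVED_APEX_WRONG = [Record("A", "198.51.100.1"), Record("A", "203.0.113.10")]


if __name__ == "__main__":
    for label, exp, obs in [
        ("cname behind proxy", SAMPLE_EXPECTED_CNAME, SAMPLE_OBSERVED_PROXIED),
        ("cname dns-only", SAMPLE_EXPECTED_CNAME, SAMPLE_OBSERVED_DNS_ONLY),
        ("cname not propagated", SAMPLE_EXPECTED_CNAME, []),
        ("apex partial", SAMPLE_EXPECTED_APEX, SAMPLE_OBSERVED_APEX_WRONG),
    ]:
        result = diagnose(exp, obs)
        print(f"{label:22s} -> {result['verdict']}: {result['explanation']}")
```

To feed it real data, take the observed records from a public resolver (for example `dig +short CNAME app.example.com @8.8.8.8` and the same for `A`/`AAAA`) rather than from your own authoritative server: the certificate issuer resolves the name the same way the public does, which is exactly why the proxy's addresses, not your CNAME, are what it sees.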

steren commented 4 years ago

I agree that due to the reported issue about certificate renewal, we should not recommend Cloudflare at the moment. I would even explicitly call out not to use it and provide a link to the public issue.

ahmetb commented 4 years ago

Making a note like this. [image]

kaminskypavel commented 4 years ago

I suggest we link to an SO issue (Google's issue tracker isn't publicly available) so future readers can track and notify if anything changes, @ahmetb wdyt?

ahmetb commented 4 years ago

Google's issue tracker should be public. You can subscribe there.