GAE Managed SSL does NOT work with Cloudflare (CDN).


ayanex10

Oct 17, 2017, 10:31:35 PM
to Google App Engine
GAE Managed SSL is NOT working with Cloudflare (CDN).
I have tried Managed SSL and it works out of the box, except for the domains that are proxied via Cloudflare's CDN.

To be more specific, the DNS provider for my domain (example.com) is Cloudflare and my DNS configuration is as follows:
www.example.com is set up to proxy via Cloudflare's CDN
api.example.com bypasses Cloudflare's CDN proxy
Both www.example.com and api.example.com are set up as custom domains under my GAE project.
The difference between these two DNS configurations is that when you ping api.example.com, it returns a Google (GAE) IP address, while pinging www.example.com returns a Cloudflare IP address, simply because www.example.com passes through Cloudflare's CDN first.

So, when I enabled GAE managed SSL on these two domains, api.example.com worked, but www.example.com never worked - it just keeps waiting endlessly for activation.

The reason why one works and the other failed is very clear to me.
As for api.example.com, it worked because Google's backend was able to verify its SSL certificate after deployment, since api.example.com points to GAE's A/AAAA DNS record. On the other hand, www.example.com failed, simply because it is proxied via Cloudflare's CDN, which means that www.example.com points to Cloudflare's A/AAAA DNS record, which would of course stand in the way of Google verifying the deployed SSL certificate.

I quite understand the cause of this problem, but I am writing this as feedback to Google engineers, since GAE Managed SSL is still in BETA. Maybe they can find something to do about it, considering the fact that a lot of websites use Cloudflare DNS and, in fact, most sites that use Cloudflare DNS use it mainly because of their CDN proxying.
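
An added example, not part of the original post and not Google or Cloudflare tooling: a pre-flight check that flags hostnames whose A/AAAA records fall inside Cloudflare's edge ranges, the state in which the post above saw activation wait endlessly. The function names are hypothetical, the network list is an assumed subset of the ranges Cloudflare publishes, and the sample addresses are constructed.

```python
import ipaddress
import socket

# Assumption: a subset of the edge ranges Cloudflare publishes at cloudflare.com/ips.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18",
    "173.245.48.0/20", "2606:4700::/32",
)]

def cloudflare_addresses(addresses):
    """Return the addresses that fall inside a Cloudflare edge range."""
    parsed = [ipaddress.ip_address(a) for a in addresses]
    return [str(a) for a in parsed if any(a in net for net in CLOUDFLARE_NETS)]

def resolve(hostname):
    """Live lookup of A/AAAA records (needs network; not used by the sample run)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def preflight(records):
    """Map each hostname to 'proxied', 'direct' or 'unresolved'.

    'proxied' means at least one record points at the CDN rather than the origin.
    """
    report = {}
    for host, addresses in records.items():
        if not addresses:
            report[host] = "unresolved"
        elif cloudflare_addresses(addresses):
            report[host] = "proxied"
        else:
            report[host] = "direct"
    return report

# Constructed sample answers mirroring the two hostnames in the post.
SAMPLE = {
    "www.example.com": ["104.16.10.20", "2606:4700::6810:a14"],
    "api.example.com": ["216.239.32.21"],
    "old.example.com": [],
}

if __name__ == "__main__":
    for host, state in preflight(SAMPLE).items():
        print(f"{host}: {state}")
```

To check live DNS instead of the sample, build the input with `{h: resolve(h) for h in hosts}` before enabling the managed certificate.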

Jordan (Cloud Platform Support)

Oct 18, 2017, 3:05:19 PM
to Google App Engine
Thank you for also reporting this in the Public Issue Tracker. Our engineering team is investigating possible solutions to working with Cloudflare's Origin CA in order to perform domain verification. I have made the engineering team aware of your issue report, and all further communications and updates concerning this issue will occur there. 