Certificate renewal requests from ACME

Our applications are running on Google App Engine, and we have configured custom domains and enabled Google-managed certificates. The subdomains such as www.domain and its CNAME records are pointing to ghs.googlehosted.com.

We are getting frequent requests for certificate renewal, and our application returns 404 because these paths are not enabled in our Express routes. Could you please help me avoid such requests hitting the application directly instead of Google handling them?

DEFAULT 2024-11-26T10:42:11.872918Z [protoPayload.method: GET] [protoPayload.status: 404] [protoPayload.responseSize: 4.3 KiB] [protoPayload.latency: 42 ms] [protoPayload.userAgent: Google-Certificates-Bridge] /.well-known/acme-challenge/GKIskijdKNApMj9L5J3WUoSJj0aKtqLFv8tVZsnGJKPCH8Pk3TNOMAz0t3Kbuw1f
DEFAULT 2024-11-26T10:42:11.878030Z no routes found
DEFAULT 2024-11-26T10:42:56.863751Z [protoPayload.method: GET] [protoPayload.status: 404] [protoPayload.responseSize: 4.3 KiB] [protoPayload.latency: 41 ms] [protoPayload.userAgent: Google-Certificates-Bridge] /.well-known/acme-challenge/GKIskijdKNApMj9L5J3WUoSJj0aKtqLFv8tVZsnGJKPCH8Pk3TNOMAz0t3Kbuw1f
DEFAULT 2024-11-26T10:42:56.868048Z no routes found
DEFAULT 2024-11-26T10:43:41.860110Z [protoPayload.method: GET] [protoPayload.status: 404] [protoPayload.responseSize: 4.3 KiB] [protoPayload.latency: 44 ms] [protoPayload.userAgent: Google-Certificates-Bridge] /.well-known/acme-challenge/GKIskijdKNApMj9L5J3WUoSJj0aKtqLFv8tVZsnGJKPCH8Pk3TNOMAz0t3Kbuw1f

Hi @GAS-Admin ,

Welcome to Google Cloud Community!

The most common reasons for this error 404 no routes found are related to misconfigurations in your domain or ACME setup. Here are some troubleshooting steps that may help to resolve your issue:

  • Verify that you are using the correct custom domain in your certificate request
  • Try to reconfigure your custom domain by deleting and adding it again
  • Ensure that the necessary ports for your certificate renewal are not blocked by your firewall
  • Temporarily disable your firewall

I hope the above information is helpful.

Hi ronnelg, thank you for your response. The custom domain is mapped correctly and it is showing status as Google-managed, auto-renewing. The 404 error is thrown from the Express application because this route is not allowed by default: /.well-known/acme-challenge/. There is no blocking firewall. I will try to remove and add the custom domain again to see if the issue is gone or keeps coming.

1 Like
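To see which clients request the challenge path and how often, request-log lines like the ones in the thread can be grouped by challenge token. This is an added example, not code from the thread or from Google; the sample log is constructed in the same line format with placeholder tokens, and the names `parseLine` and `summariseAcmeHits` are assumptions.

```javascript
// Added example: group ACME HTTP-01 challenge hits found in App Engine request logs.
// SAMPLE_LOG is constructed in the line format shown in the thread; tokens are placeholders.
const PREFIX = "/.well-known/acme-challenge/";
const sampleLine = (ts, status, ua, path) =>
  `DEFAULT ${ts} [protoPayload.method: GET] [protoPayload.status: ${status}] ` +
  `[protoPayload.responseSize: 4.3 KiB] [protoPayload.latency: 42 ms] ` +
  `[protoPayload.userAgent: ${ua}] ${path}`;
const SAMPLE_LOG = [
  sampleLine("2024-11-26T10:42:11.872918Z", 404, "Google-Certificates-Bridge", PREFIX + "CONSTRUCTED_TOKEN_0001"),
  "DEFAULT 2024-11-26T10:42:11.878030Z no routes found",
  sampleLine("2024-11-26T10:42:56.863751Z", 404, "Google-Certificates-Bridge", PREFIX + "CONSTRUCTED_TOKEN_0001"),
  sampleLine("2024-11-26T10:43:41.860110Z", 404, "Google-Certificates-Bridge", PREFIX + "CONSTRUCTED_TOKEN_0001"),
  sampleLine("2024-11-26T10:44:02.100000Z", 404, "curl/8.5.0", PREFIX + "constructed-other-token"),
  sampleLine("2024-11-26T10:44:05.000000Z", 200, "Mozilla/5.0 (X11)", "/index.html"),
].join("\n");

// Parse one request-log line; returns null for application output such as "no routes found".
function parseLine(text) {
  const m = text.match(/^\S+ (\S+) ((?:\[protoPayload\.\w+: [^\]]*\] ?)+)(\S+)$/);
  if (!m) return null;
  const fields = {};
  for (const [, key, value] of m[2].matchAll(/\[protoPayload\.(\w+): ([^\]]*)\]/g)) fields[key] = value;
  // Trim microseconds to milliseconds so Date.parse receives a standard ISO 8601 string.
  const time = Date.parse(m[1].replace(/(\.\d{3})\d*Z$/, "$1Z"));
  return { time, status: Number(fields.status), userAgent: fields.userAgent, path: m[3] };
}

// Group challenge requests by token: hit count, statuses, user agents, seconds between hits.
function summariseAcmeHits(logText) {
  const byToken = new Map();
  for (const raw of logText.split("\n")) {
    const rec = parseLine(raw.trim());
    // RFC 8555 challenge tokens use only the base64url alphabet.
    const t = rec && rec.path.match(/^\/\.well-known\/acme-challenge\/([A-Za-z0-9_-]+)$/);
    if (!t) continue;
    const s = byToken.get(t[1]) || { statuses: new Set(), userAgents: new Set(), times: [] };
    s.statuses.add(rec.status); s.userAgents.add(rec.userAgent); s.times.push(rec.time);
    byToken.set(t[1], s);
  }
  const out = {};
  for (const [token, s] of byToken) {
    s.times.sort((a, b) => a - b);
    const gapsSec = s.times.slice(1).map((x, i) => Math.round((x - s.times[i]) / 1000));
    out[token] = { count: s.times.length, statuses: [...s.statuses], userAgents: [...s.userAgents], gapsSec };
  }
  return out;
}

console.log(JSON.stringify(summariseAcmeHits(SAMPLE_LOG), null, 2));
```

The user agent is a client-supplied header, so the grouping shows what each caller claims to be rather than a verified identity.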