Cloud Run Domain Mapping returns 302 on Google-Certificates-Bridge

Google-Managed Certificate Stuck: Persistent 302 Redirect for ACME Challenge on Cloud Run

Environment: Google Cloud Run (Node.js/Express)

Certificate Status: Stuck in “Provisioning” / “Pending”

Problem Description:

I am trying to provision a Google-managed SSL certificate for a custom domain ($my_domain) mapped to my Cloud Run service. The certificate provisioning is failing because all incoming ACME challenge requests are being served a 302 Found status, which is preventing validation.

Evidence from Logs and External Testing:

Cloud Run Request Logs: The logs consistently show requests from Google-Certificates-Bridge for the ACME challenge URL receiving a 302 status.

Example Log Snippet:

timestamp: 2025-12-11 16:18:47 EST
severity: INFO
httpRequest.status: 302
httpRequest.requestMethod: GET
httpRequest.requestUrl: http://$my_domain/.well-known/acme-challenge/$toke
httpRequest.userAgent: Google-Certificates-Bridge

External curl Test: A test confirms the 302 is an HTTP-to-HTTPS redirect.

Curl Output (curl -I -L http://$my_domain/.well-known/acme-challenge/TEST_TOKEN):

HTTP/1.1 302 Found
Location: https://$my_domain/.well-known/acme-challenge/TEST_TOKEN

Troubleshooting Steps Already Taken (Crucial for diagnosis):

Code Fix Deployed: I deployed an explicit Express route at the very top of my application logic to intercept the ACME challenge path and prevent a redirect. The route was designed to return a non-redirect status (200 or 404).

Express Code Snippet (Deployed):

JavaScript

app.get('/.well-known/acme-challenge/:token', (req, res) => {
  console.log('— ACME BYPASS ROUTE HIT SUCCESSFULLY —');
  res.status(200).send('ACME Challenge Bypass Active');
});
// … This is placed BEFORE app.use(express.static…)

Code Inactivity Confirmed: After deployment, the ACME challenge logs still show a 302 status, and the custom log message (— ACME BYPASS ROUTE HIT SUCCESSFULLY —) does not appear in the Cloud Run logs.

Conclusion and Request:

Since the ACME request is not reaching my application’s routing table (the custom log does not appear), the 302 must be enforced by a layer before my container.

I am not using an external Load Balancer or CDN.

My service is a standard Cloud Run deployment.

What Cloud Run or custom domain settings could be causing the platform to force an HTTP-to-HTTPS redirect specifically for the /.well-known/acme-challenge/ path, even when the certificate is pending?

I have checked the standard Ingress setting, but any guidance on which specific platform configuration I might be missing would be greatly appreciated. Thank you.

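The log comparison described in the post can be scripted. The following is an added example, not code from the original post: it parses request-log entries in the field layout shown above, classifies a challenge response by status and Location, and checks whether the route's marker line was ever logged. The function names, the host app.example.com and all sample data are constructed for illustration.

```javascript
// Added example: triage ACME HTTP-01 probes from request-log entries.
// Field names follow the log snippet in the post; all sample data is constructed.
const ACME_PREFIX = '/.well-known/acme-challenge/';

// Parse one "key: value" log entry (one field per line) into an object.
function parseLogEntry(text) {
  const entry = {};
  for (const line of text.split('\n')) {
    const i = line.indexOf(': ');
    if (i > 0) entry[line.slice(0, i).trim()] = line.slice(i + 2).trim();
  }
  return entry;
}

// Classify one challenge response; `location` is its Location header, if any.
function classifyProbe(requestUrl, status, location) {
  const req = new URL(requestUrl);
  if (!req.pathname.startsWith(ACME_PREFIX)) return 'not-acme';
  if (status >= 200 && status < 300) return 'served';
  if (status < 300 || status >= 400) return 'not-served';
  if (!location) return 'redirect-unknown-target';
  const dst = new URL(location, req); // also resolves a relative Location
  const sameTarget = dst.hostname === req.hostname && dst.pathname === req.pathname;
  return req.protocol === 'http:' && dst.protocol === 'https:' && sameTarget
    ? 'https-upgrade-redirect'
    : 'other-redirect';
}

// Compare request logs with application logs. A missing marker only shows the
// route handler did not run; it does not say which earlier layer answered.
function redirectOrigin(entries, appLogLines, marker) {
  const redirected = entries.filter((e) =>
    e['httpRequest.userAgent'] === 'Google-Certificates-Bridge' &&
    new URL(e['httpRequest.requestUrl']).pathname.startsWith(ACME_PREFIX) &&
    /^3\d\d$/.test(e['httpRequest.status']));
  if (redirected.length === 0) return 'no-redirected-probes';
  return appLogLines.some((l) => l.includes(marker)) ? 'handler-ran' : 'handler-not-reached';
}

// Constructed sample: one request-log entry and the app's log lines.
const SAMPLE_ENTRY = parseLogEntry([
  'severity: INFO',
  'httpRequest.status: 302',
  'httpRequest.requestMethod: GET',
  'httpRequest.requestUrl: http://app.example.com/.well-known/acme-challenge/TEST_TOKEN',
  'httpRequest.userAgent: Google-Certificates-Bridge',
].join('\n'));
const SAMPLE_APP_LOGS = ['Server listening on port 8080'];
console.log(redirectOrigin([SAMPLE_ENTRY], SAMPLE_APP_LOGS, 'ACME BYPASS ROUTE HIT'));
```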