I pointed a new custom domain to a Google App Engine Standard Environment project and edited the DNS records per Google's instructions, and it seems to be redirected properly. Now I'm under the impression that SSL certificates for App Engine projects can now be provided automatically by Let's Encrypt and do not necessarily need to be supplied by the user separately: https://cloud.google.com/appengine/docs/standard/go/securing-custom-domains-with-ssl

However, I'm having problem getting the SSL security service from Google. The error message in the App Engine console is: DNS records could not be found. Certificate activation will retry automatically.

This error message looks like this:

If I type gcloud beta app domain-mappings list, I get something that looks like this:

ID                    SSL_CERTIFICATE_ID  SSL_MANAGEMENT_TYPE  PENDING_AUTO_CERT
mydomain.com                              AUTOMATIC            1256789
www.mydomain.com      1234567             AUTOMATIC

I also tried "Disable managed security" and turn it back on by "Enable managed security", and get the same result after some minutes: "Managed certificate for www.mydomain.com activated." shows up, but not for mydomain.com.

If I go to www.mydomain.com with its supposedly activated certificate, I still get "connection is not secure" in the browser. If I go to "mydomain.com" it gets redirected to www.mydomain.com with the same result.

Any ideas?

Update: I just tried getting my own keys using Certbot and uploaded them to GAE. GAE showed a Certificate ID for both mydomain.com and www.mydomain.com. However I had to manually type "https" in the browser to get to the secure page. I found that I had to add "secure: always" in app.yaml before the domain will load the secure version by default. I still don't know why Google's default managed security option didn't work for me though; that would be much more convenient than getting and uploading my own scripts every 3 months.

Igor Kromin's article outlined the exact same issue that I was having.

I too was / am using CloudFLare's free solution. For some reason Google App Engine didn't immediately recognize the TXT record, so I went ahead and did the alternative CNAME based mapping. Apparently, when you do this, the Cloudflare CNAME flattening kicks in, and will do something to the records. When we try to verify domain ownership, it works though. But later, when the APP Engine's Google managed auto-renewing agent looks at the records, somehow they don't match up!

Solution is to simply keep trying to verify the TXT record which Cloudflare doesn't modify, and then it works out.

Tip: If you're trying to verify a subdomain to app engine like api.yourdomain.com, your TXT record needs to be with the api domain name, not at @ like normal.