
Error 525 with Cloudflare and Google Cloud Run

Recently my staging website went down with a 525 error.

Which means that the origin server does not trust Cloudflare, but I have not touched anything between Cloud Run and Cloudflare for 6 months.

To make it work again I had to put Cloudflare in Full (Not strict) Mode.

Do you think this problem has been caused by a Cloudflare certificate renewal? If that's the case I need to put Cloudflare Origin CA on Cloud Run, but I can't find anything about this.

Hope you can help me, thanks!

Mathix420 asked May 26 '20 17:05


1 Answer

We are investigating this. It seems like the issue is the TLS certificate for your domain expires after 88 days and it is not renewed.

This is currently due to how our CA works (and how many other CAs like Let's Encrypt work, too) and to the ACME protocol. When Cloudflare is running in "proxy mode", it hijacks the requests to /.well-known instead of proxying them to Cloud Run. This prevents our certificate issuance challenge from working.

In your case, you have changed the DNS records to point to Cloudflare, so the CA cannot validate you’re using Cloud Run anymore, and therefore cannot issue a renewal cert.

I hope to update there if/when we have a solution that can allow this setup.

Please Cc yourself on this public issue to get notified of updates: https://issuetracker.google.com/issues/157498377

ahmet alp balkan answered Nov 10 '22 03:11
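An added monitoring example (not part of the answer above, and not Google's or Cloudflare's code): in Full (not strict) mode Cloudflare no longer validates the origin certificate, so a stalled renewal goes unnoticed unless the origin is checked directly with strict validation. The function names, the 30-day threshold and the sample certificate are assumptions made for this sketch; `origin_host` is whatever hostname reaches the origin without the proxy.

```python
import socket
import ssl
import time

RENEWAL_WARN_DAYS = 30  # assumed alert threshold, not a value from the page


def days_until_expiry(cert, now=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def classify(days_left, warn_days=RENEWAL_WARN_DAYS):
    """Map remaining lifetime to a status a monitor can alert on."""
    if days_left <= 0:
        return "expired"
    if days_left <= warn_days:
        return "renewal-overdue"
    return "ok"


def probe_origin(origin_host, sni_name, port=443, timeout=10):
    """TLS-connect to the origin itself, sending the site's name as SNI.

    Uses the default (strict) trust settings, which is the validation that
    Full (not strict) mode skips. An expired or untrusted certificate makes
    the handshake fail, and that failure is reported instead of raised.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((origin_host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return classify(days_until_expiry(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return "verify-failed: " + exc.verify_message


# Constructed sample in getpeercert() format, so the logic runs offline.
SAMPLE_CERT = {"notAfter": "Aug 22 17:05:00 2020 GMT"}

if __name__ == "__main__":
    issued = ssl.cert_time_to_seconds("May 26 17:05:00 2020 GMT")
    left = days_until_expiry(SAMPLE_CERT, now=issued)
    print(round(left), classify(left))
```

Run `probe_origin` on a schedule and alert on anything other than `ok`, so a blocked renewal is visible before the certificate lapses.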