
Error 525 with Cloudflare and Google Cloud Run


Recently my staging website went down with a 525 error.

This means that the origin server doesn't trust Cloudflare, but I haven't touched anything between Cloud Run and Cloudflare in 6 months.

To make it work again I had to put Cloudflare in Full (Not strict) Mode.

Do you think this problem has been caused by a Cloudflare certificate renewal? If that's the case, I need to put Cloudflare Origin CA on Cloud Run, but I can't find anything about this.

Hope you can help me, thanks!


Solution

  • We are investigating this. It seems like the issue is the TLS certificate for your domain expires after 88 days and it is not renewed.

    This is currently due to how our CA works (and how many other CAs like Let's Encrypt work, too) and to the ACME protocol. When Cloudflare is running in "proxy mode", it hijacks the requests to /.well-known instead of proxying them to Cloud Run. This prevents our certificate issuance challenge from working.

    In your case, you have changed the DNS records to point to Cloudflare, so the CA cannot validate you’re using Cloud Run anymore, and therefore cannot issue a renewal cert.

    I hope to update there if/when we have a solution that can allow this setup.

    Please Cc yourself on this public issue to get notified of updates: https://issuetracker.google.com/issues/157498377
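
A monitoring check for the failure described in the answer, as an added example that is not part of the original answer or of Google's or Cloudflare's code: it flags an origin certificate that is close to expiry while the hostname resolves to Cloudflare's proxy, the state in which the renewal challenge to /.well-known never reaches Cloud Run. The function names, the 30-day threshold and the sample values are assumptions, and the IP ranges are only a subset of Cloudflare's published list.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Subset of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips/ before relying on this in production).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20", "162.158.0.0/15")]


def behind_cloudflare(addresses):
    """True if any resolved address falls inside a Cloudflare proxy range."""
    return any(ipaddress.ip_address(a) in net
               for a in addresses for net in CLOUDFLARE_NETS)


def days_left(not_after, now):
    """Whole days until notAfter, given in the ssl.getpeercert() text format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                    timezone.utc)
    return (expiry - now).days


def renewal_risk(addresses, not_after, now, warn_days=30):
    """Classify the origin certificate for a proxied Cloud Run domain.

    addresses: what the public hostname currently resolves to
    not_after: notAfter of the certificate served by the origin itself,
               not the edge certificate Cloudflare presents to visitors
    """
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"          # Full (strict) handshakes to the origin fail
    if behind_cloudflare(addresses) and remaining <= warn_days:
        return "renewal-blocked"  # challenge requests stop at the proxy
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the question.
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    print(renewal_risk(["104.18.1.1"], "Jun 20 12:00:00 2020 GMT", now))
```

A "renewal-blocked" result is the early warning; by the time the check returns "expired", visitors already see the 525 unless the zone has been dropped to Full (not strict) mode as in the question.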