Maybe I’m missing something but here are the steps to reproduce the issue. When the A record is DNS Only, it obtains a certificate within around 10 minutes. When Proxied it gives up within around 30 minutes.
I also saw this topic, so it seems like there’s no way to make the load balancer obtain a certificate.
Origin CA certificates? This sounds like I need to occasionally give GCP a new certificate. This can probably be automated, but it’ll take time to come up with a solution. But then I noticed that the default validity period is 15 years? Is that so? Isn’t it too much? I mean there must be a reason why e.g. Let’s Encrypt issues certificates for only 3 months.
Is there something I’m missing? Ideally I’d like GCP to just obtain a certificate.