Google App Engine SSL error "DNS records could not be found" even though custom domain is working

I pointed a new custom domain to a Google App Engine Standard Environment project and edited the DNS records per Google's instructions, and it seems to be redirected properly. Now I'm under the impression that SSL certificates for App Engine projects can now be provided automatically by Let's Encrypt and do not necessarily need to be supplied by the user separately:

However, I'm having problem getting the SSL security service from Google. The error message in the App Engine console is: DNS records could not be found. Certificate activation will retry automatically.

This error message looks like this:

enter image description here

If I type gcloud beta app domain-mappings list, I get something that looks like this:

ID                    SSL_CERTIFICATE_ID  SSL_MANAGEMENT_TYPE  PENDING_AUTO_CERT                              AUTOMATIC            1256789      1234567             AUTOMATIC

I also tried "Disable managed security" and turn it back on by "Enable managed security", and get the same result after some minutes: "Managed certificate for activated." shows up, but not for

If I go to with its supposedly activated certificate, I still get "connection is not secure" in the browser. If I go to "" it gets redirected to with the same result.

Any ideas?