Thanks for writing this up. I’ve been using the process you described for about a year. I just recently discovered two things that make updating these certificates considerably simpler.
https://github.com/certbot/certbot/tree/master/certbot-dns-google will automate DNS-based verification if you are using Google’s Cloud DNS. You’ll probably need to install the plugin via pip (pip install certbot-dns-google). After you create a service account for your Google Cloud project and download the JSON key, you can pass --dns-google to certonly and it will handle the rest.
As for updating the certificate used by GAE, the gcloud CLI tool recently added beta commands for managing the SSL certs. Look at the ‘gcloud beta app ssl-certificates’ subtree.
Using both of those, renewing a cert is just two CLI commands: certbot then gcloud.