Google Apps has the ability to define a custom hostname for it’s calendar, drive, mail, sites, groups services

How it works is you create a CNAME record in DNS that points from your custom domain to Google which then intelligently redirects you to the correct service

So for mail your could create a CNAME DNS record of mail.example.com pointing to ghs.googlehosted.com

Then you create links to http://mail.example.com and when you click on them you end up being redirect to https://mail.google.com/a/example.com

The problem is Chrome is immediately taking the http domain http://mail.example.com automatically making that into https://mail.example.com and then breaking the whole redirect chain because there is no mail.example.com SSL cert over at ghs.googlehosted.com

Safari works fine

Unfortunately this is something that the Chrome browser takes apon itself and you can’t necessarily just clear your cache and it will stop doing it

So a fix of sorts

Make a list of redirections you have configured for your Google App Services

With the initial configuration as per Google just use curl to figure this out

curl -I http://cal.example.com

cal https://www.google.com/calendar/hosted/example.com
calendar https://www.google.com/calendar/hosted/example.com
drive https://drive.google.com/a/example.com
groups https://groups.google.com/a/example.com
mail https://mail.google.com/a/example.com
sites http://sites.google.com/a/example.com/sites/system/app/pages/meta/dashboard

Change your CNAME records pointed to ghs.googlehosted.com to your web server

e.g. mail.example.com CNAME points to www.example.com

Create redirects on your webserver. This is an example for nginx. Create this block with just port 80 and certbot will add the 443 config. When certbot ask if you want to redirect say no.

server {
    # redirect www to host
    listen 80;
    listen [::]:80;
    server_name groups.example.com;

    root /var/www/tgn-redirect;
    location /.well-known {
        allow all;
        default_type "text/plain";
        autoindex on;
    }
    location / {
        return 301 https://groups.google.com/a/example.com;
    }
    
    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/cal.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/cal.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

After you have changed your DNS and configured your webserver. Use lets encrypt and get certs for your custom domains

certbot -d cal.example.com,calendar.example.com,drive.example.com,groups.example.com,mail.example.com,sites.example.com

As mentioned above change your CNAMES from pointing to ghs.googlehosted.com to point to your webserver

Once you have done that Google chrome will do as it does change http://example.com to https://example.com but then it will hit the valid SSL cert on your webserver and get redirected to the correct Google endpoint with out erroring out