I'm trying to configure an https load balancer on GKE. I'm following: https://cloud.google.com/load-balancing/docs/ssl-certificates and https://cloud.google.com/kubernetes-engine/docs/concepts/ingress
My config has worked for some time using a certificate from Let's Encrypt. But it's too much hassle to renew the certificates all the time so I wanted to test Google's managed service.
This is how I've set it up so far, but it is stuck on FAILED_NOT_VISIBLE.
Any idea on how I can fix or debug this further?
k8s/staging/staging-ssl.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-lb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
    - host: staging.my-app.no
      http:
        paths:
          - path: /*
            backend:
              serviceName: my-svc
              servicePort: 3001
Reserved IP
$ gcloud compute addresses list
NAME               REGION  ADDRESS         STATUS
my-staging-global          35.244.160.NNN  RESERVED
$ host staging.my-app.no
35.244.160.NNN
$ gcloud beta compute ssl-certificates describe staging-google-managed-ssl
creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED
I found a section in the doc I linked to at the beginning of the post, "Associating SSL certificate resources with a target proxy":
Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.
gcloud compute target-https-proxies create [NAME] \
    --url-map=[URL_MAP] \
    --ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2],[SSL_CERTIFICATE3],...]
Is that necessary when I have this line in my Ingress config?
ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
I'm leaving this for anyone who might end up in the same situation as me. I needed to migrate from a self-managed certificate to a Google-managed one.
I did create the Google-managed certificate following the guide and was expecting to see it being activated before applying the certificate to my Kubernetes ingress (to avoid the possibility of downtime).
Turns out, as stated by the docs,
the target proxy must reference the Google-managed certificate resource
So applying the configuration with kubectl apply -f ingress-conf.yaml made the load balancer use the newly created certificate, which became active shortly after (15 min or so).
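The check the answer describes, as an added example (not part of the original posts or of Google's tooling): given JSON shaped like the output of `gcloud compute ssl-certificates describe`, `gcloud compute target-https-proxies list` and `gcloud compute forwarding-rules list` with `--format=json`, it reports whether a non-ACTIVE managed certificate is referenced by any target proxy and whether DNS points at that proxy's address. The proxy name, the `letsencrypt-staging` certificate name and the 203.0.113.10 address are constructed sample values.

```python
def attached_proxies(cert, proxies):
    """Target HTTPS proxies whose sslCertificates list references this cert."""
    # Match on the resource-name suffix: selfLinks can differ in API version (beta vs v1).
    suffix = "/sslCertificates/" + cert["name"]
    return [p for p in proxies
            if any(u.endswith(suffix) for u in p.get("sslCertificates", []))]

def diagnose(cert, proxies, forwarding_rules, resolved):
    """Return findings for every domain of a managed cert that is not ACTIVE."""
    statuses = cert.get("managed", {}).get("domainStatus", {})
    pending = {d: s for d, s in statuses.items() if s != "ACTIVE"}
    if not pending:
        return []
    using = attached_proxies(cert, proxies)
    if not using:
        # The situation in the answer: the cert exists but no proxy uses it yet.
        return [f"{cert['name']}: not referenced by any target HTTPS proxy"]
    targets = ["/targetHttpsProxies/" + p["name"] for p in using]
    lb_ips = {fr["IPAddress"] for fr in forwarding_rules
              if any(fr.get("target", "").endswith(t) for t in targets)}
    findings = []
    for domain, status in sorted(pending.items()):
        ips = set(resolved.get(domain, []))
        if not ips or not ips <= lb_ips:
            findings.append(f"{domain}: {status}, DNS {sorted(ips)} != LB {sorted(lb_ips)}")
        else:
            findings.append(f"{domain}: {status}, attached and DNS matches; wait for provisioning")
    return findings

# Constructed sample data (hypothetical proxy name, documentation-range IP).
BASE = "https://www.googleapis.com/compute/v1/projects/my-project/global"
CERT = {"name": "staging-google-managed-ssl", "type": "MANAGED",
        "managed": {"status": "PROVISIONING", "domains": ["staging.my-app.no"],
                    "domainStatus": {"staging.my-app.no": "FAILED_NOT_VISIBLE"}}}
PROXY_OLD = {"name": "k8s-tps-staging",
             "sslCertificates": [BASE + "/sslCertificates/letsencrypt-staging"]}
PROXY_NEW = {"name": "k8s-tps-staging",
             "sslCertificates": [BASE + "/sslCertificates/staging-google-managed-ssl"]}
FWD = [{"IPAddress": "203.0.113.10", "portRange": "443-443",
        "target": BASE + "/targetHttpsProxies/k8s-tps-staging"}]
DNS = {"staging.my-app.no": ["203.0.113.10"]}

if __name__ == "__main__":
    for label, proxy in (("before apply", PROXY_OLD), ("after apply", PROXY_NEW)):
        print(label, diagnose(CERT, [proxy], FWD, DNS))
```

The `resolved` mapping is supplied by the caller, for example from the `host` lookup shown in the question.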