4

I'm planning the migration of our managed HAProxy instance to a GCP Global external Application Load Balancer. As we need to switch production traffic, we must have everything set up before switching DNSes. To accomplish this, we're preparing the SSL certificates.

According to Cert Docs:

Google-managed certificates are supported with the following load balancers:

  • Global external Application Load Balancer
  • Classic Application Load Balancer
  • External proxy Network Load Balancer (with a target SSL proxy)

We created a DNS authorization and activated it, then we created two certificates, a wildcard (*.somedomain.com) and a third level one (someapp.somedomain.com), and they're both marked as Active.

enter image description here

Sadly, when I create a new Global external Application Load Balancer, I'm unable to select any of those certs. I'm instead only allowed to pick Classic certs.

Unfortunately, Classic certs can be activated when the hostname matches the external DNS, and this requires a downtime we cannot afford.

Is there any limitation to my account, or did I misinterpret something on the docs? Why can't I select a DNS-authorized certificate for my load balancer?

A collateral question: SSL certificate documentation about types says:

Google-managed SSL certificates are certificates that Google Cloud obtains, manages, and renews automatically. Google-managed certificates are always Domain Validation (DV) certificates. They don't demonstrate the identity of an organization or individual associated with the certificate, and they don't support wildcard common names.

But, in reality, it's possible to create wildcard certs (see above).

Kiran Kotturi
  • 211
  • 1
  • 5
Maxxer
  • 350

1 Answers1

0

The linked docs page is about "classic" certificates managed by the load-balancer. Load-balancer issues the certificate only after the specified DNS name resolves to it's front end IP(s). So it can never be achieved without downtime for existing sites.

But the load balancer does also support Certificate Manager certificates, just not via the UI yet.

Here's an example of how to do it via gcloud CLI (assuming the service is running in Cloud Run, adjust the network-endpoint-groups command as needed):

gcloud certificate-manager dns-authorizations create example-dns-auth --domain=example.com
gcloud certificate-manager dns-authorizations describe example-dns-auth
  (manual action: add the shown DNS record to the example.com DNS)
gcloud certificate-manager certificates create example-com-cert --domains=example.com --dns-authorizations=example-dns-auth
gcloud certificate-manager maps create example-com-cert-map
gcloud certificate-manager maps entries create example-com --map=example-com-cert-map --hostname=example.com --certificates=example-com-cert
gcloud compute network-endpoint-groups create example-com --region=<my-region> --cloud-run-service=<my-service> --network-endpoint-type=serverless
gcloud compute backend-services create example-com --load-balancing-scheme=EXTERNAL_MANAGED --global
gcloud compute backend-services add-backend example-com --network-endpoint-group=example-com
gcloud compute url-maps create example-com-urlmap --default-service=example-com
gcloud compute target-https-proxies create example-com --url-map=example-com-urlmap --certificate-map=example-com-cert-map --global
gcloud compute addresses create example-com --global
gcloud compute addresses create example-com-ipv6 --ip-version=IPV6 --global
gcloud compute addresses list
gcloud compute forwarding-rules create example-com --global --target-https-proxy=example-com --ports=443 --address=<my-ipv4-address>
gcloud compute forwarding-rules create example-com-ipv6 --global --target-https-proxy=example-com --ports=443 --address=<my-ipv6-address>
rustyx
  • 1,979