Create a Custom Domain CDN with Google (beta)

The Google Cloud Platform introduced Google-managed certificates for load balancers. That means my previous post about setting up an HTTPS-only CDN with Let's Encrypt is obsolete. There is a new, better way to set up a custom-domain, HTTPS-only CDN backed by a Google Cloud Storage bucket.

Disclaimer: Google-managed SSL certificates are a beta feature and will remain so until late 2019. So use with caution.

Objectives

  • I want to serve the images on my website (a price comparison for contact lenses) from a cloud storage bucket.
  • I want to serve them from my own domain, cdn.kontaktlinsen-preisvergleich.de.
  • I need HTTPS for that domain, because my website uses HTTPS everywhere and I don't want mixed content.

Old Approach

You can find the details in my previous post.

  1. Create a Google Cloud Storage bucket
  2. Install Certbot
  3. Create a Let's Encrypt DNS challenge to prove that you own the domain
  4. Update your DNS with the TXT record
  5. Wait until the DNS change has propagated
  6. Create the HTTPS load balancer with the Cloud Storage bucket as backend
  7. Add a nameserver entry for the CDN

New Approach

  1. Create a Google Cloud Storage bucket
  2. Create the HTTPS load balancer with the Cloud Storage bucket as backend
  3. Add a nameserver entry for the CDN

Yes, it is that easy, but let's get into the details.

Step 1: Create a Google Cloud Storage Bucket

You need a Google Cloud Storage bucket whose objects are reachable over HTTP, like mine at http://storage.googleapis.com/kontaktlinse-staging/air-optix-aqua-6-400x400.jpg

It is important that the bucket, or the objects that should be served, are publicly readable. In my case I simply gave "allUsers" the role Storage Object Viewer (which lets anyone fetch and list every object in the bucket, so keep nothing but public assets in it).

Step 2: Create the HTTPS Load Balancer with the Cloud Storage Bucket as Backend

In the Cloud Console, go to Network Services / Load balancing, click "Create Load Balancer" on the right, then click "Start configuration" in the HTTP(S) Load Balancing section.

In the Backend section, select "Create a backend bucket".

Select the bucket and enable Cloud CDN.

The host and path rules can be left at their defaults. In the Frontend section, reserve a new static IP address.

Then select "Create a new certificate" in the certificate section.

And here is the magic: select "Create Google-managed certificate" instead of uploading your own certificate. You only need to enter your domain name.

This should end as expected: a running load balancer.

Step 3: Add a Nameserver Entry for the CDN

Finally, we need to add an A record at the nameserver that points staging-cdn.kontaktlinsen-preisvergleich.de to our load balancer (35.201.64.95 in my case). Then wait again until the DNS change has propagated everywhere, and we are ready to serve.
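The three steps above as commands instead of console clicks. This is an added example, not code from the original post: it uses the `gcloud` and `gsutil` CLIs to create the bucket, the backend bucket with Cloud CDN, the Google-managed certificate, the HTTPS proxy, a reserved global address and the forwarding rule, and finally prints the IP for the A record. The bucket name, domain and resource name prefix are placeholders (assumed); set `DRY_RUN=1` to print the plan instead of executing it.

```shell
#!/bin/sh
# Added example, not from the original post: the three steps of the new
# approach as gcloud/gsutil commands instead of console clicks.
# BUCKET, DOMAIN and the resource names below are placeholders (assumed).
set -eu

BUCKET="${BUCKET:-example-cdn-assets}"    # placeholder bucket name
DOMAIN="${DOMAIN:-cdn.example.com}"       # placeholder custom domain
NAME="${NAME:-cdn}"                       # prefix for the load balancer resources
DRY_RUN="${DRY_RUN:-}"                    # set to 1 to print commands instead of running them

# run: execute the command, or just print it when DRY_RUN is set
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: the bucket, readable by everyone.
# roles/storage.objectViewer for allUsers lets anyone fetch and list every
# object, so this bucket should hold nothing but the public assets.
create_bucket() {
  run gsutil mb "gs://$BUCKET"
  run gsutil iam ch allUsers:objectViewer "gs://$BUCKET"
}

# Step 2: backend bucket with Cloud CDN, URL map, Google-managed certificate,
# HTTPS proxy, a reserved global IPv4 address and the HTTPS forwarding rule.
# There is deliberately no port-80 frontend: the CDN is HTTPS-only.
create_load_balancer() {
  run gcloud compute backend-buckets create "$NAME-backend" \
      --gcs-bucket-name="$BUCKET" --enable-cdn
  run gcloud compute url-maps create "$NAME-url-map" \
      --default-backend-bucket="$NAME-backend"
  run gcloud compute ssl-certificates create "$NAME-cert" \
      --domains="$DOMAIN" --global
  run gcloud compute target-https-proxies create "$NAME-https-proxy" \
      --url-map="$NAME-url-map" --ssl-certificates="$NAME-cert"
  run gcloud compute addresses create "$NAME-ip" --global --ip-version=IPV4
  run gcloud compute forwarding-rules create "$NAME-https-rule" --global \
      --address="$NAME-ip" --target-https-proxy="$NAME-https-proxy" --ports=443
}

# Step 3: print the reserved address; it goes into the A record for DOMAIN.
show_ip() {
  run gcloud compute addresses describe "$NAME-ip" --global --format='value(address)'
}

main() {
  create_bucket
  create_load_balancer
  printf 'Create an A record: %s -> ' "$DOMAIN"
  show_ip
}

# Runs only when explicitly requested, e.g.  CDN_APPLY=1 sh cdn.sh
# Review the plan first with  DRY_RUN=1 CDN_APPLY=1 sh cdn.sh
if [ "${CDN_APPLY:-}" = "1" ]; then
  main
fi
```

The managed certificate is created before the A record exists, which is fine: Google only starts issuing it once the domain resolves to the load balancer, so the order of the last two steps does not matter.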

Attention: it takes some time for the load balancer to provision the new certificate. Even after the certificate is ACTIVE, you will see SSL errors with the message ERR_SSL_VERSION_OR_CIPHER_MISMATCH for a few minutes. It took 15 minutes for mine to have everything up and running.

You can check your certificate with the SSL Labs test: https://www.ssllabs.com/ssltest/
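The waiting described above can be scripted instead of refreshing the console. This is an added example, not code from the original post: it polls the managed certificate's status, translates the per-domain failure codes that `gcloud compute ssl-certificates describe` reports into the fix they call for, and then connects to the domain with SNI to confirm that the load balancer really serves a certificate naming it. The resource name prefix and domain are placeholders (assumed); the status strings are the ones gcloud reports in `managed.status` and `managed.domainStatus`.

```shell
#!/bin/sh
# Added example, not from the original post: wait for the Google-managed
# certificate to become ACTIVE, explain per-domain failures, and confirm the
# load balancer serves a certificate for the domain. NAME and DOMAIN are
# placeholders (assumed).
set -eu

NAME="${NAME:-cdn}"
DOMAIN="${DOMAIN:-cdn.example.com}"
POLL_SECONDS="${POLL_SECONDS:-30}"

# cert_status: overall status of the managed certificate (PROVISIONING, ACTIVE, ...)
cert_status() {
  gcloud compute ssl-certificates describe "$NAME-cert" --global \
      --format='value(managed.status)'
}

# parse_domain_status: pull the entry for domain $1 out of the JSON
# describe output read from stdin (prints e.g. FAILED_NOT_VISIBLE)
parse_domain_status() {
  grep -o "\"$1\": *\"[A-Z_]*\"" | sed 's/.*: *"\([A-Z_]*\)"/\1/'
}

# domain_status: provisioning status for DOMAIN specifically
domain_status() {
  gcloud compute ssl-certificates describe "$NAME-cert" --global --format=json \
    | parse_domain_status "$DOMAIN"
}

# explain_status: what a status means and, if it is a failure, what to fix
explain_status() {
  case "$1" in
    ACTIVE)              echo "certificate is issued and served" ;;
    PROVISIONING)        echo "still provisioning; wait and poll again" ;;
    FAILED_NOT_VISIBLE)  echo "the domain does not resolve to the load balancer IP yet (A record missing or DNS not propagated)" ;;
    FAILED_CAA_CHECKING|FAILED_CAA_FORBIDDEN)
                         echo "a CAA record blocks issuance; allow pki.goog or remove the CAA record" ;;
    FAILED_RATE_LIMITED) echo "issuance rate limit hit; retry later" ;;
    *)                   echo "status $1: inspect 'gcloud compute ssl-certificates describe $NAME-cert --global'" ;;
  esac
}

# wait_for_cert: poll up to $1 times; 0 once ACTIVE, 1 on failure or timeout
wait_for_cert() {
  attempts="${1:-40}"
  i=0
  status=""
  while [ "$i" -lt "$attempts" ]; do
    status="$(cert_status)"
    case "$status" in
      ACTIVE) explain_status "$status"; return 0 ;;
      PROVISIONING_FAILED*|RENEWAL_FAILED)
        echo "certificate $status: $(explain_status "$(domain_status)")"; return 1 ;;
    esac
    i=$((i + 1))
    sleep "$POLL_SECONDS"
  done
  echo "gave up after $attempts polls (last status: $status)"
  return 1
}

# served_cert_ok: TLS-connect with SNI and check that the leaf certificate's
# SAN list names DOMAIN. Returns 1 during the window in which browsers show
# ERR_SSL_VERSION_OR_CIPHER_MISMATCH, because no usable certificate is served yet.
served_cert_ok() {
  openssl s_client -connect "$DOMAIN:443" -servername "$DOMAIN" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed 's/$/,/' | grep -qF "DNS:$DOMAIN,"
}

if [ "${CDN_CHECK:-}" = "1" ]; then
  wait_for_cert
  if served_cert_ok; then echo "served certificate covers $DOMAIN"; else echo "not served yet"; exit 1; fi
fi
```

Run it with `CDN_CHECK=1 sh check-cert.sh` after the A record is in place; `ACTIVE` followed by a failing `served_cert_ok` is exactly the few-minute gap the post describes, so simply rerun the check.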

Summary

Google-managed certificates are a big improvement: less setup, and no renewal hassle.

If you have questions or problems, please write to me here or on Twitter.