Knowledge is Power
How to Use Google Managed Certificates on a Google Cloud Load Balancer
A stress-free way to manage HTTPS certificates in the cloud
Let Google Cloud manage the HTTPS certificate for your exposed service
Google Cloud offers a relatively new feature called “Google Managed Certificate”. As the name suggests, Google provisions and manages the certificate for you, so you do not have to set up tools like cert-manager in your Kubernetes cluster. Google promises to renew the certificates for you before they expire.
At the time of writing this article, the new feature is still in BETA state.
Let’s get started.
What you need:
- Load Balancer that you want to have HTTPS enabled
- Some workload, backend or website that should receive HTTPS traffic
- A domain that you want to secure. The DNS entry for the domain must already be set up to point to the Load Balancer's external IP address.
Steps to a managed certificate:
1. Please read through the whole article before you start. Just to make sure that you understand all steps so that you don’t end up with a broken domain, website, or Load Balancer.
The procedure is normally risk-free, but some down-time of your services is to be expected.
2. Open the Load Balancer that you want to secure and click the Edit button.
3. Open the Frontend configuration of the Load Balancer, click the HTTPS tab in the accordion on the right. In there, open the dropdown for the Certificate. Click on Create a new certificate.
4. In the new mask, enter a name for the new certificate. Select Create Google-managed certificate and add the domain into the appearing text field.
Note that you can add multiple domains to the same certificate. For this to work correctly, all domains must already be set up so that their corresponding DNS “A” entries point to the external IP of the Load Balancer that you are editing right now.
Click Create to finish this step.
5. Make sure that the newly created certificate is selected as Certificate for the HTTPS configuration of your Load Balancer.
To finish this step, click on Done.
6. To finish the Load Balancer configuration, click on Update.
Here goes nothing!
7. The Load Balancer will now add your newly created certificate. This can take a few seconds. Just reload the page of the Load Balancer a few times until you see the certificate for your HTTPS rule on the Load Balancer.
The new certificate will show up as PROVISIONING after creation. It can take up to 10 minutes for the certificate to become ACTIVE.
Once the certificate is in state ACTIVE, it can take another 10 minutes (once it even took 35 minutes for me) for the new cert to really “kick in” on the Load Balancer.
That’s it; your Load Balancer is now HTTPS secured.
My certificate never reaches state ACTIVE
Possible issues from my personal experience:
- The DNS entries for the domain that should be secured are not correct. Did you enter the correct external IP of your Load Balancer?
- The DNS entries for the domain that should be secured are not propagated through the internet yet. Check the DNS entries for your domain by using an online DNS checker tool.
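The console steps above, and the DNS check from this troubleshooting section, as a script. This is an added example, not part of the article: it assumes an authenticated gcloud with a project set, `dig` installed, and that the HTTPS frontend of your Load Balancer is a global forwarding rule in front of a target HTTPS proxy; every name and domain is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): the console steps as gcloud commands,
# with the DNS check run first. Assumes gcloud (authenticated, project set) and
# dig are installed; every resource name and domain below is a placeholder.
set -eu

# Return 0 only if every resolved A record equals the load balancer's external
# IP (the "wrong IP" / "not propagated yet" failure modes described above).
dns_points_to_lb() {               # dns_points_to_lb LB_IP "RESOLVED_IPS"
  lb_ip=$1; resolved=$2
  [ -n "$resolved" ] || return 1
  for ip in $resolved; do
    [ "$ip" = "$lb_ip" ] || return 1
  done
}

# Pull managed.status (PROVISIONING, ACTIVE, ...) out of the YAML that
# `gcloud compute ssl-certificates describe --format='yaml(managed)'` prints.
cert_status() {                    # cert_status DESCRIBE_YAML
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1
}

provision_managed_cert() {         # provision_managed_cert DOMAIN FORWARDING_RULE CERT_NAME HTTPS_PROXY
  domain=$1; rule=$2; cert=$3; proxy=$4
  lb_ip=$(gcloud compute forwarding-rules describe "$rule" --global --format='value(IPAddress)')
  # Check DNS before creating anything: a managed certificate cannot leave
  # PROVISIONING while the domain does not resolve to this load balancer.
  resolved=$(dig +short A "$domain" | grep -E '^[0-9.]+$' || true)
  if ! dns_points_to_lb "$lb_ip" "$resolved"; then
    echo "A record(s) for $domain [$resolved] do not all point to $lb_ip; fix DNS first" >&2
    return 1
  fi
  # Steps 4 to 6: create the Google-managed certificate and select it on the HTTPS frontend.
  gcloud compute ssl-certificates create "$cert" --domains="$domain" --global
  gcloud compute target-https-proxies update "$proxy" --ssl-certificates="$cert" --global
  # Step 7: poll until ACTIVE; the article notes this can take 10 minutes or more.
  while :; do
    status=$(cert_status "$(gcloud compute ssl-certificates describe "$cert" --global --format='yaml(managed)')")
    echo "$cert: ${status:-UNKNOWN}"
    [ "$status" = "ACTIVE" ] && break
    sleep 30
  done
  echo "$cert is ACTIVE; allow extra time for propagation before expecting browsers to succeed"
}

# Runs only when invoked with all four arguments, e.g.
#   sh managed-cert.sh www.example.com my-lb-rule my-managed-cert my-https-proxy
if [ $# -eq 4 ]; then provision_managed_cert "$@"; fi
```

Even after the script reports ACTIVE, the certificate still has to propagate to the Load Balancer's endpoints, which is the delay described in the ERR_SSL_VERSION_CIPHER_MISMATCH section below.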
I get ERR_SSL_VERSION_CIPHER_MISMATCH when I access the secured domain via browser
Be careful here. Many solutions on the internet for this problem propose changing the SSL policy of the Load Balancer from TLS 1.0 to TLS 1.2. Even though this works, it is not the correct solution.
I opened a ticket about this issue a while ago on GitHub and received the following answer from the developers:
When the ManagedCertificate becomes Active, it unfortunately does not mean it has successfully propagated to all the endpoints yet. The problem described in the article most probably has been caused by exactly this reason, i.e. it would work if you allow more time for certificate propagation. The SSL policies do not have anything in common with this issue.
So the solution to this issue is to just wait for the certificate to finish propagating. From my experience, this can take up to one hour, but in most cases that I have seen, it took 5 to 10 minutes.
Have a look at the official troubleshooting guide.
Thanks for reading!