I'm new to this topic. We're using GCP (App Engine, standard) to host one Node.js application. However, for different reasons we decided to create two services, stage and default (think of it as the same app running in parallel).

The default one is connected with a custom domain (GAE-provided SSL cert) and working properly. The stage service can be accessed with a Google-generated URL (stage-dot-example.appspot.com) and is obviously protected with SSL certificates.

Then, we had to go through a security review from our partners and we used stage for this.

The result is we have to disable TLSv1.0 and TLSv1.1. With GAE, we need to create a Load Balancer and switch SSL policies to the TLS-specific one.

The problem: to create an External HTTPS load balancer, you have to create an SSL Certificate resource (i.e. you have to own a domain). With a custom domain I guess it should not be hard, but how do I do this for stage? Do I use my stage domain (...appspot.com) in the SSL Certificate resource? If so, what do I do with DNS records and the external IP (you need to switch the IP to the external IP in A and AAAA records)?

Or if I'm doing something wrong, could you point me in the right direction?

UPDATE + UPDATE 2

I decided to go down the path proposed by Wojtek_B. So I verified stage.example.com and it worked fine without a Load Balancer.

At that point, my DNS records included 4 A and 4 AAAA records for @ with Google-provided IPs, and 3 CNAME records (www, stage, www.stage) pointing to "ghs.googlehosted.com."

Next, I created an SSL certificate resource with 4 domains: example.com, www.example.com, stage.example.com, www.stage.example.com.

Then I added an External HTTPS Load Balancer (with an external IP, for example 1.2.3.4, and the SSL cert mentioned above).

I added new A records for @, www, stage, and www.stage pointing to 1.2.3.4. I dropped the CNAME records because they are excessive.

After waiting for 2-3 hours (TTL is half an hour) all subdomains were activated except for example.com (stuck in FAILED_NOT_VISIBLE).

ANSWER

I'd been fighting the managed SSL certificate getting stuck in the provisioning state for a while. I followed this tutorial, where you're supposed to create an external IP (v4) only. But I also had 4 AAAA records (got those during domain verification) with (obviously) IPv6. So I tried reserving an external IP (v6) and it took less than a minute to push all 4 (sub)domains to the active state.

In just a few minutes both services through the LB were up and running with the required TLS configs.


You can use SSL certificates in GCP only with domains pointing to a load balancer. If you try to provision a certificate for the App Engine application, it won't be generated.

There are a few reasons why this may happen:

  • The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to your load balancer's IP address.
  • The SSL certificate isn't attached to the load balancer's target proxy. To resolve this issue, update your load balancer configuration.
  • The frontend ports for the global forwarding rule do not include port 443 for an SSL proxy load balancer. This can be resolved by adding a new forwarding rule with port 443.

However, all App Engine addresses that you can use (with *.appspot.com subdomains) have a valid SSL certificate. But then you can't use a load balancer.

If you can run all your staging tests without the load balancer, then GCP's SSL certificates will do the job.

If you need to have your staging environment running in the same kind of setup as production, then you need to create a new LB with a backend pointing to your GAE service. Additionally, you will need another domain (or at least a subdomain). You need to use a domain other than *.appspot.com, since for creating GCP's self-managed SSL certificate you need to provide a domain pointing to the LB itself (and not GAE).

In your case I'd recommend creating a new subdomain. Then create a new LB and generate a new SSL cert for that subdomain. It will take up to 60 minutes for the certificate to be provisioned. You also have to change the A records in your subdomain to point to your newly created LB; only then can the SSL certificate be successfully provisioned (since the domain has to point to an LB).

Alternatively, you can add your subdomain to the list of domains on your existing certificate. Keep all the records created for the domain and, after you create a subdomain, create a new set of A (and AAAA records if necessary).

If you're using GCP's Cloud DNS then it will look like this:


Also, I'd recommend you go through the linked documentation to have a better understanding of the entire process.
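Added example, not code from the thread or from Google's tooling, of the check behind the asker's ANSWER and the first bullet above: before expecting a Google-managed certificate to leave FAILED_NOT_VISIBLE, audit every A and AAAA record of each listed domain against the load balancer's addresses, treating a leftover AAAA record as a blocker when the LB has no IPv6 frontend. The record sets and all IPv6 values are constructed placeholders; 1.2.3.4 is the IPv4 from the question.

```python
import socket
from typing import Dict, List, Optional

Records = Dict[str, Dict[str, List[str]]]  # domain -> {"A": [...], "AAAA": [...]}

# Constructed sample mirroring the question: every A record already points at
# the LB IPv4 (1.2.3.4, as in the post), but the apex still carries the AAAA
# records left over from domain verification. IPv6 values are placeholders.
OLD_GAE_V6 = ["2001:db8:aaaa::1", "2001:db8:aaaa::2",
              "2001:db8:aaaa::3", "2001:db8:aaaa::4"]
SAMPLE_RECORDS: Records = {
    "example.com":           {"A": ["1.2.3.4"], "AAAA": OLD_GAE_V6},
    "stage.example.com":     {"A": ["1.2.3.4"]},
    "www.stage.example.com": {"A": ["1.2.3.4"]},
}
LB_V4 = "1.2.3.4"
LB_V6 = "2001:db8::1"  # placeholder for a reserved IPv6 forwarding-rule address

def audit_records(records: Records, lb_v4: str,
                  lb_v6: Optional[str]) -> Dict[str, List[str]]:
    """Per domain, list each record that keeps a managed cert FAILED_NOT_VISIBLE:
    an A not equal to the LB IPv4, or an AAAA that is not the LB IPv6."""
    report: Dict[str, List[str]] = {}
    for domain, rrsets in records.items():
        issues: List[str] = []
        if not rrsets.get("A"):
            issues.append("no A record, nothing resolves to the LB")
        for ip in rrsets.get("A", []):
            if ip != lb_v4:
                issues.append(f"A {ip} does not point at LB IPv4 {lb_v4}")
        for ip in rrsets.get("AAAA", []):
            if lb_v6 is None:  # LB has only an IPv4 frontend: any AAAA is stray
                issues.append(f"AAAA {ip} exists but LB has no IPv6 address")
            elif ip != lb_v6:
                issues.append(f"AAAA {ip} does not point at LB IPv6 {lb_v6}")
        report[domain] = issues
    return report

def live_records(domain: str) -> Dict[str, List[str]]:
    """Resolve the domain's current A and AAAA answers (needs network access),
    in the same shape audit_records() expects."""
    found: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(domain, 443, family, socket.SOCK_STREAM):
                found[key].append(info[4][0])
        except socket.gaierror:  # no records of this type
            pass
    return found
```

To audit a real zone, build the dict with `{d: live_records(d) for d in domains}` and pass the forwarding-rule addresses as `lb_v4`/`lb_v6`; resolver caches mean a clean report can lag a DNS change by up to the TTL.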