Google Cloud Load Balancer + Instance Group + SSL Certificates

Solution 1:

As @JohnHanley pointed out:

Manage the certificates on the LB setup and remove certbot from the web server. There will be some overhead with Google domain verification, but it is definitely worth a try.

Regarding LB-configuration and certificates:

  • you can't change a configured certificate on a LB
  • but you can add a new certificate (e.g. with an additional hostname) and add it to an existing LB and later remove the older certificate setup

There are some Terraform modules around that could support you, but of course this would create some learning and management effort as well.
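The add-then-remove sequence from the list above, written as a shell function around `gcloud`. This is an added example, not part of the original answer; it assumes a global HTTPS load balancer with Google-managed certificates, and the proxy, certificate and domain names passed in are placeholders.

```shell
#!/usr/bin/env bash
# Added example: swap the certificate on an HTTPS load balancer without a
# gap in coverage. Resource names are placeholders supplied by the caller.
GCLOUD="${GCLOUD:-gcloud}"            # overridable so the flow can be dry-run
POLL_SECONDS="${POLL_SECONDS:-60}"
MAX_POLLS="${MAX_POLLS:-60}"

# rotate_lb_cert PROXY OLD_CERT NEW_CERT DOMAINS   (DOMAINS is comma-separated)
rotate_lb_cert() {
  local proxy="$1" old="$2" new="$3" domains="$4" status="" i=0

  # 1. A certificate resource cannot be edited, so create a new one.
  "$GCLOUD" compute ssl-certificates create "$new" \
      --domains="$domains" --global || return 1

  # 2. Attach old and new together; the old one keeps serving traffic.
  "$GCLOUD" compute target-https-proxies update "$proxy" \
      --ssl-certificates="$old,$new" --global || return 1

  # 3. Wait until the managed certificate has been issued (status ACTIVE).
  while [ "$i" -lt "$MAX_POLLS" ]; do
    status="$("$GCLOUD" compute ssl-certificates describe "$new" \
        --global --format='value(managed.status)')"
    [ "$status" = "ACTIVE" ] && break
    sleep "$POLL_SECONDS"
    i=$((i + 1))
  done
  if [ "$status" != "ACTIVE" ]; then
    echo "new certificate is still '$status'; old one left attached" >&2
    return 2
  fi

  # 4. Only now detach and delete the old certificate.
  "$GCLOUD" compute target-https-proxies update "$proxy" \
      --ssl-certificates="$new" --global || return 1
  "$GCLOUD" compute ssl-certificates delete "$old" --global --quiet
}
```

Call it as `rotate_lb_cert PROXY OLD_CERT NEW_CERT DOMAINS`. If the new certificate never reaches `ACTIVE`, the function returns 2 and leaves both certificates attached, so the load balancer keeps serving the old one.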