How to migrate to Google managed certificates without downtime?

Solution 1:

You will have downtime.

You can follow these tips to minimize downtime. With proper planning the downtime will be very short and in some cases automatic retries will make this invisible to clients.

However, I do not know the design of your site, the usage of cookies, authentication, session management, etc. There might be disruptions that are unavoidable. If possible, consider sending an email to your customers letting them know in advance of site maintenance.

This is a good time to review your logs. Look for potential issues with access to IP addresses. Those types of issues will start to fail after the migration is complete and you shut down the old system.

  1. Remember that DNS resource records are cached globally. The resource record TTL provides a hint on how long. DNS resolvers are free to use their own interpretation of your TTL.

  2. Write down the TTL of the resource records that you will change. Now change the TTL to a short value such as 1 minute.

  3. Before making the final changes, wait for at least the old TTL to expire.

  4. Set up your services and the load balancer before making any DNS changes. Make sure the services work correctly using only the IP address. If you are redirecting IP to domain, or HTTP to HTTPS, temporarily disable those features and enable them later.

  5. Use certbot in manual mode and create a certificate that you can load into the load balancer. This removes the step of the load balancer creating the SSL certificate and waiting for verification. You can later switch to Google Managed SSL.

  6. Configure both Google Cloud Load Balancer HTTP and HTTPS frontends. Configure the Let's Encrypt SSL certificate in the frontend.

  7. Plan to leave the old site running for about 30 days after migrating. I usually see traffic for several weeks at the old site after migration.

  8. Select the time of day or day of the week with the least amount of traffic. Then switch DNS resource records. Remember that the old TTL value should have expired so that the new TTL is being used for caching.

  9. A few days later once you have verified everything is working, set the TTL values to something normal like 604800 which is the number of seconds in one week or 86400 (one day). Reenable site redirection (IP -> domain, HTTP -> HTTPS), if used.
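
The checks behind steps 2 to 6, as an added example that is not part of the original answer: record the old TTL, confirm it has expired since you lowered it, and test the new load balancer with the real hostname while DNS still points at the old site. The function names are hypothetical, and the sample answer uses constructed values (example.com and documentation addresses).

```bash
#!/usr/bin/env bash
# Added example: pre-cutover checks. All names below are hypothetical.

# Constructed sample of `dig +noall +answer www.example.com ANY` output.
# Query the authoritative name server (dig @NS ...) to see the configured TTL;
# a caching resolver reports only the time remaining in its own cache.
SAMPLE_DIG_ANSWER='www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN A 192.0.2.11
www.example.com. 1800 IN AAAA 2001:db8::10'

# Step 2: largest TTL (seconds) among the answer records read from stdin.
# Record layout: name TTL class type rdata
max_ttl() {
  awk 'NF >= 5 && $2 ~ /^[0-9]+$/ { if ($2 + 0 > max) max = $2 + 0 }
       END { print max + 0 }'
}

# Step 3: epoch second after which caches that honour the TTL have dropped
# the old record: the moment the TTL was lowered plus the old (long) TTL.
earliest_cutover() {  # usage: earliest_cutover OLD_TTL LOWERED_AT_EPOCH
  echo $(( $2 + $1 ))
}

# Exit status 0 once the old TTL has expired; NOW_EPOCH defaults to now.
ttl_expired() {       # usage: ttl_expired OLD_TTL LOWERED_AT_EPOCH [NOW_EPOCH]
  now=${3:-$(date +%s)}
  [ "$now" -ge "$(earliest_cutover "$1" "$2")" ]
}

# Steps 4 to 6: request the site from the new load balancer before any DNS
# change. --resolve pins HOST:443 to LB_IP, so SNI and certificate validation
# use the real hostname and an untrusted or mismatched certificate fails here.
check_lb_by_ip() {    # usage: check_lb_by_ip HOST LB_IP
  curl --silent --show-error --output /dev/null --max-time 10 \
       --resolve "$1:443:$2" --write-out '%{http_code}\n' "https://$1/"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DIG_ANSWER" | max_ttl
```

Run `check_lb_by_ip` against your own hostname and the load balancer's reserved IP; a non-zero exit from curl means the TLS handshake or certificate check failed and the DNS switch should wait.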

Solution 2:

In addition to the previous suggestions, keep in mind that Google-managed SSL certificates aren't supported for regional external HTTP(S) load balancers and internal HTTP(S) load balancers. For these load balancers you will need to use self-managed SSL certificates. I have not seen what type of load balancer you are using; however, before trying to set up this migration you will need to consider it. Also, in this same guide you can see how to create and use Google-managed SSL certificates and the considerations for making it work correctly [1].

I would suggest that you set a maintenance window for these changes, since it could take up to 30 minutes until the certificate is available to all Google Front Ends (GFEs).

Additionally, here you will see the official guide with the step-by-step instructions to reach this behavior [2].

[1] https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs

[2] https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#migrating-ssl