Duration to provision a new TLS certificate on GCP HTTPS-Load-Balancer?
What's the expected duration to provision/finish serving an updated TLS certificate (called "SSL certificate resource" in GCE) for the target HTTPS proxy (part of the GCP HTTPS-Load-Balancer)? Is it documented somewhere?
My test below reveals:
- GCP HTTPS-Load-Balancer needs ca. 8 minutes after updating to serve only the new TLS certificate
- ... ca. 7 minutes after applying to serve only the old certificate
Test setup
-
18:44 Update the proxy to use the new TLS certificate (keeping the old
certificate_valid-2019-07
as "backup")gcloud compute target-https-proxies update NAME --ssl-certificates certificate_valid-2021-07,certificate_valid-2019-07
-
(running each 5 seconds:
gcloud compute target-https-proxies list --filter="name=NAME")
&curl -v https://LOAD_BALANCER_IP 2>&1 | grep "expire date"
) -
all requests serve certificate with
expire date: 2019-07
-
18:44:41 switch to SSL resources
certificate_valid-2021-07,certificate_valid-2019-07
-
18:50:26 switch back to SSL resource
certificate_valid-2019-07
(automatically done byingress-gce
) -
18:52:04 first
expire date: 2021-07
appeared -
18:52:35 all requests
expire date: 2021-07
-
18:56:34 first
expire date: 2019-07
appeared -
18:57:10 all requests
expire date: 2019-07
Wait for the replacement SSL certificate to complete provisioning. Provisioning might take up to 60 minutes. When provisioning is complete, the certificate status becomes ACTIVE. After the certificate and domain status are active, the maximum time will be 30 minutes for your load balancer to begin with your Google-managed SSL certificate. You can use Google-managed SSL certificates or self-managed SSL certificates to renew SSL certificates without any downtime.