What's the expected duration to provision/finish serving an updated TLS certificate (called "SSL certificate resource" in GCE) for the target HTTPS proxy (part of the GCP HTTPS-Load-Balancer)? Is it documented somewhere?

My test below reveals:

  • GCP HTTPS-Load-Balancer needs ca. 8 minutes after updating to serve only the new TLS certificate
  • ... ca. 7 minutes after applying to serve only the old certificate

Test setup

  • 18:44 Update the proxy to use the new TLS certificate (keeping the old certificate_valid-2019-07 as "backup")

      gcloud compute target-https-proxies update NAME --ssl-certificates certificate_valid-2021-07,certificate_valid-2019-07
    
  • (running each 5 seconds: gcloud compute target-https-proxies list --filter="name=NAME") & curl -v https://LOAD_BALANCER_IP 2>&1 | grep "expire date")

  • all requests serve certificate with expire date: 2019-07

  • 18:44:41 switch to SSL resources certificate_valid-2021-07,certificate_valid-2019-07

  • 18:50:26 switch back to SSL resource certificate_valid-2019-07 (automatically done by ingress-gce)

  • 18:52:04 first expire date: 2021-07 appeared

  • 18:52:35 all requests expire date: 2021-07

  • 18:56:34 first expire date: 2019-07 appeared

  • 18:57:10 all requests expire date: 2019-07


Wait for the replacement SSL certificate to complete provisioning. Provisioning might take up to 60 minutes. When provisioning is complete, the certificate status becomes ACTIVE. After the certificate and domain status are active, the maximum time will be 30 minutes for your load balancer to begin with your Google-managed SSL certificate. You can use Google-managed SSL certificates or self-managed SSL certificates to renew SSL certificates without any downtime.