Why is my GCP Load Balancer Certificate stuck at provisioning?

Question

I've set up everything according to the documentation:

For the certificate provisioning process to proceed, all of the following conditions must be met:

The DNS records for your domain must reference the IP address of your load balancer's target proxy,

Your target proxy must reference the Google-managed certificate resource.

Your load balancer configuration must be complete, including the creation of a forwarding rule.

With a correct configuration the total time for provisioning certificates is likely to take from 30 to 60 minutes.

It's been 2 hours.

If you are still experiencing the issue, I would suggest to follow this link and create a case in [Google Issue Tracker](https://cloud.google.com/sql/docs/mysql/private-ip#benefits). Please follow the URL link in the ‘public user’ section. Then create an issue. In the component part, select ‘Public Trackers > Cloud Platform > GCP Private Issues’. Provide the project no. and all the detailed information (like the type of SSL certificate, type of LB, steps taken for provisioning etc...) that are relevant to your issue. These information are required for further investigation. — Md Zubayer, Oct 16 '18 at 02:27
I have seen it take a while but not two hours. It sounds like you need to double check the DNS entry and make sure that the domain name exactly matches the DNS entry. — John Hanley, Oct 16 '18 at 03:00

score 11 · Accepted Answer · answered Oct 20 '18 at 08:43

11

I managed to get a reply from someone via https://issuetracker.google.com/issues/117900454. I was ignorantly using Cloud DNS' "CNAME" to point to my IP address instead of using an "A" record. Everything is working now.

answered Oct 20 '18 at 08:43

geoyws

3,326
3
35
47

4

That issue is not publicly accessible for me. Would you mind pasting the conversation? Is it not possible to use a CNAME record for a google managed cert? – Eric Guan Jun 18 '20 at 07:03
@EricGuan I think if you are using CNAME you are bypassing your load balancer therefore the cert will not work because it is attached to the LB. – patotoma Mar 01 '21 at 01:48

Mauricio · Answer 2 · 2022-08-05T11:58:09.510

These are the steps to Deploy a Cloud Run service that will:

Communicate with the internet passing through your VPC.
Be accessible through a custom domain managed outside GCP.

NOTE: If your VPC has a Nat Gateway and Router with an static IP address, then your Cloud Run will have a static Outbound IP allowing things like database whitelisting.

Now with the steps:

Create and static preimum Global IP to bind to the LoadBalancer later. Point the subdomain to that IP on CloudFlare

PROJECT_ID=<set-your-own>
REGION=us-central1
SERVICE_NAME=<set-your-own>
NETWORK_NAME=<set-your-own>
SUBNET_NAME=<set-your-own>-servless-connector
SUBNET_CIDR_RANGE=11.0.0.0/28
VPC_CONNECTOR_NAME=serveless-connector
IMAGE_PATH=<set-your-own>
SERVICE_ACCOUNT_EMAIL=<set-your-own>
SERVICE_ENVS="^;^FOO=BAR;HELLO=WORLD"
CERTIFICATE_DOMAIN=<set-your-own>

NOTE: VPC_CONNECTOR_NAME needs to be smaller than 23 characters

Create Subnet for VPC Serverless Connector

gcloud compute networks subnets create $SUBNET_NAME \
--network=$NETWORK_NAME \
--range=$SUBNET_CIDR_RANGE \
--region=$REGION \
--project=$PROJECT_ID

Create VPC Serverless Connector

gcloud compute networks vpc-access connectors create $VPC_CONNECTOR_NAME \
--region=$REGION \
--subnet=$SUBNET_NAME \
--min-instances=2 \
--max-instances=10 \
--machine-type=e2-micro \
--project=$PROJECT_ID

Deploy your Clour Run/Function specifying

gcloud beta run deploy $SERVICE_NAME \
--image=$IMAGE_PATH \
--allow-unauthenticated \
--port=8080 \
--service-account=$SERVICE_ACCOUNT \
--vpc-connector=$VPC_CONNECTOR_NAME \
--vpc-egress=all-traffic \
--timeout=600 \
--cpu=1 \
--memory=128Mi \
--max-instances=1 \
--concurrency=10 \
--set-env-vars=$SERVICE_ENVS \
--region=$REGION \
--project=$PROJECT_ID

Create network endpoint group (NEG) foo the Cloud Run service

gcloud compute network-endpoint-groups create ${SERVICE_NAME} \
--project=$PROJECT_ID \
--region=$REGION \
--network=$NETWORK_NAME \
--network-endpoint-type=GCE_VM_IP_PORT \
--subnet=$SUBNET_NAME \
--network-endpoint-type=serverless \
--cloud-run-service=$SERVICE_NAME

Create Backend Service for our LoadBalancer

gcloud compute backend-services create ${SERVICE_NAME}-back-end \
    --load-balancing-scheme=EXTERNAL \
    --project=$PROJECT_ID \
    --global

Set Cloud Run's Network Endpoint Group (NEG created earlier) as the Backend of the Backend Service from previous step

gcloud compute backend-services add-backend ${SERVICE_NAME}-back-end \
    --global \
    --network-endpoint-group=${SERVICE_NAME} \
    --project=$PROJECT_ID \
    --network-endpoint-group-region=$REGION

Create URL Map (LoadBalancer itself) pointing it to the recently configured Backendd Service

gcloud compute url-maps create ${SERVICE_NAME}-load-balancer \
    --project=$PROJECT_ID \
    --default-service ${SERVICE_NAME}-back-end

Create the certificate

gcloud beta compute ssl-certificates create ${SERVICE_NAME}-certificate \
--project=$PROJECT_ID \
--global \
--domains=$CERTIFICATE_DOMAIN

NOTE: Make sure you have pointed the domain to the previously reserved Premium Global IP

Then, go to LoadBalancer at the Browser's Console interface, edit the LoadBalancer then:

Click "ADD FRONTEND IP AND PORT".
Give it a name
At "Protocol" select "HTTPS(includes HTTP/2)" on the dropdown.
At "IP Address" select the previously reserved Premium Global IP.
At "Certificate" select the previously created Certificate on the dropdown.
Check "Enable HTTP to HTTPS redirect" to create a secondary HTTP LoadBalancer to serve as proxy for redirecting HTTP request to HTTPS.
Click "UPDATE" to update the LoadBalancer.
Go to the Certificates Tab and wait for your certifcate "Status" to be "Active"

NOTE: Even after the certificate "Status" becomes "Active", it might take a few minutes for your service be available at the domain.

Why is my GCP Load Balancer Certificate stuck at provisioning?

2 Answers2