
I've set up my app running on Cloud Run with a Let's Encrypt wildcard certificate to cover subdomains. It works fine, but every time I run testssl.sh or other similar tools they notice 2 certificates: mine and Google's. The second certificate throws errors regarding name mismatch and from time to time (couldn't reproduce it, it may not be a problem) even browsers notice this and say the cert is not valid, but a refresh will fix it.

Is this something common and should I ignore it? Google's DIG shows that the domain has the correct IP as A record and everything else works fine.

antipopp

1 Answer


Use only one certificate.

A wildcard certificate with Cloud Run provides few benefits. Only domain names that are mapped will be supported so the wildcard does not help. The negative is that you must manually renew the certificate every 90 days.

Use the Google Managed certificates.

John Hanley
  • Not my use case. I'm running Cloud Run behind a load balancer with an Internet NEG (basically [this](https://medium.com/google-cloud/cloud-run-and-load-balancing-go-beyond-your-own-project-adfa1c8b001d)). I need wildcards as I want to be able to spawn subdomains when a new customer registers, without waiting for the provisioning of a new Google Managed cert. I'm mapping subdomains as simple CNAME for the base domain, Cloud Mapping had limitations as to how many domains I could create. I've set up only my wildcard cert on the Load Balancer. – antipopp Nov 19 '21 at 10:18
  • @cartinez - 1/2) My answer still stands. Use one certificate. Do not have two certificates that cover the same domain name. If the load balancer sends a certificate chain, it will be up to the client to determine which one to use and/or report an error about which is then outside your control. Edit your question and clearly state your configuration. You should have emphasized and included the HTTP(S) Load Balancer and NEG configuration. – John Hanley Nov 19 '21 at 10:32
  • @cartinez - 2/2) Use **openssl** and download the certificate(s) returned by the load balancer and verify. **openssl s_client -showcerts -connect domain-name:443**. Repeat for each domain name. Note: If the client does not include SNI, your strategy will fail unless you are mapping everything to one instance. – John Hanley Nov 19 '21 at 10:38
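The check suggested in the last comment, written out as an added example (not code from the question or the answer): connect to the load balancer once with SNI and once without, pull the leaf certificate each time, and test whether its Subject Alternative Names actually cover the requested hostname under the usual one-label wildcard rule. Verification is deliberately switched off in the fetch so that the "wrong" certificate is captured instead of rejected. It assumes Python 3 with the `openssl` binary on PATH; the hostname `app.example.com` and the SAN text in `SAMPLE_OPENSSL_OUTPUT` are constructed sample values.

```python
"""Which certificate does a TLS endpoint present, with and without SNI,
and does that certificate's SAN list cover the name we asked for?"""
import re
import socket
import ssl
import subprocess
from typing import List, Optional

# Constructed sample of what `openssl x509 -noout -text` prints for the
# SAN extension of a wildcard certificate (not taken from a real host).
SAMPLE_OPENSSL_OUTPUT = """\
            X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com
"""


def parse_san_output(text: str) -> List[str]:
    """Pull the DNS names out of openssl's textual certificate dump."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_covers(hostname: str, san_names: List[str]) -> bool:
    """Hostname matching as browsers do it (RFC 6125 style): comparison is
    case-insensitive, a wildcard is only honoured in the leftmost label,
    matches exactly one label, and never matches the bare base domain."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            base = name[2:]
            if host.endswith("." + base):
                prefix = host[: -len(base) - 1]
                if prefix and "." not in prefix:
                    return True
        elif name == host:
            return True
    return False


def fetch_leaf_cert_pem(host: str, port: int = 443,
                        sni: Optional[str] = None) -> str:
    """Open a TLS connection and return the server's leaf certificate as PEM.
    Verification is disabled on purpose: the point is to see which
    certificate the load balancer serves, even when it is the wrong one.
    Passing sni=None sends no SNI extension at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def leaf_sans(pem: str) -> List[str]:
    """Hand the PEM to the openssl CLI (assumed on PATH) and parse the SANs."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-text"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    return parse_san_output(out)


def report(hostname: str, port: int = 443) -> None:
    """Compare the certificate served with SNI against the one served
    without it; a mismatch in the second case is what non-SNI clients see."""
    for label, sni in (("with SNI", hostname), ("without SNI", None)):
        sans = leaf_sans(fetch_leaf_cert_pem(hostname, port, sni))
        status = "covers" if san_covers(hostname, sans) else "DOES NOT cover"
        print(f"{label:12s}: SANs={sans} -> {status} {hostname}")


if __name__ == "__main__":
    # Hypothetical hostname; replace with a name mapped on your load balancer.
    report("app.example.com")
```

Run it once per customer subdomain. If the "without SNI" line reports a certificate that does not cover the name, that is the default certificate the balancer falls back to for clients that send no SNI, which is exactly the name-mismatch the scanning tools flag.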