
I have been trying to set up a classic load balancer for my website. The code/container is running on Cloud Run and works fine.

The HTTP route works fine through the load balancer; however, the SSL certificate continues to give FAILED_NOT_VISIBLE. Clearly, I am missing something! I have deployed the LB using a shell script and have attached the script below. I have removed the domain name from the certificate.

SSL_CERTIFICATE_NAME='ea-ssl2'
DOMAIN='xxxxx.co.uk'
TARGET_HTTP_PROXY_NAME='ea-http-proxy2'
TARGET_HTTPS_PROXY_NAME='ea-https-proxy2'
URL_MAP_NAME='ea-url-map2'
EXTERNAL_IP='ea-external-ip'
SERVERLESS_NEG_NAME='ea-serverless2-neg'
CLOUD_RUN_SERVICE_NAME='ea-website'
BACKEND_SERVICE_NAME='ea-backend-service'
REGION=europe-west2
HTTP_FORWARDING_RULE_NAME='ea-http-forwarding-rule'
HTTPS_FORWARDING_RULE_NAME='ea-https-forwarding-rule'

echo '**** Firstly, create an External IP \n\n'

#gcloud compute addresses create $EXTERNAL_IP \
#    --network-tier=PREMIUM \
#    --ip-version=IPV4 \
#    --global

gcloud compute addresses describe $EXTERNAL_IP \
    --format="get(address)" \
    --global


echo "\n\n*** Now Create the Network Endpoint Group (NEG) ***\n\n"

gcloud compute network-endpoint-groups create $SERVERLESS_NEG_NAME \
   --region=$REGION \
   --network-endpoint-type=serverless  \
   --cloud-run-service=$CLOUD_RUN_SERVICE_NAME


echo '\n\n*** Create the Backend Service ***\n\n'

gcloud compute backend-services create $BACKEND_SERVICE_NAME \
  --load-balancing-scheme=EXTERNAL \
  --global

echo '*** Add the NEG to the Backend Service ***\n\n'

gcloud compute backend-services add-backend $BACKEND_SERVICE_NAME \
   --global \
   --network-endpoint-group=$SERVERLESS_NEG_NAME \
   --network-endpoint-group-region=$REGION


echo '*** Now Create the URL MAP ***\n\n'

gcloud compute url-maps create $URL_MAP_NAME \
   --default-service $BACKEND_SERVICE_NAME

gcloud compute target-http-proxies create $TARGET_HTTP_PROXY_NAME \
   --url-map=$URL_MAP_NAME


echo "\n\n*** Now Create the SSL Certificate ***\n\n"
gcloud compute ssl-certificates create $SSL_CERTIFICATE_NAME \
   --domains $DOMAIN

echo '\n\n**** Create Target Proxy'
echo ' --- TargetProxy Name',$TARGET_HTTPS_PROXY_NAME
echo ' --- Certificate Name',$SSL_CERTIFICATE_NAME

gcloud compute target-https-proxies create $TARGET_HTTPS_PROXY_NAME \
  --ssl-certificates=$SSL_CERTIFICATE_NAME \
  --url-map=$URL_MAP_NAME


echo '\n************************************************************'
echo '***********  Add Forwarding Rules                ***********'
echo '************************************************************'
gcloud compute forwarding-rules create $HTTP_FORWARDING_RULE_NAME \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --address='ea-http-ip' \
   --target-http-proxy=$TARGET_HTTP_PROXY_NAME \
   --global \
   --ports=80

echo "Now Add 443 Target Proxy"
gcloud compute forwarding-rules create $HTTPS_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL \
    --network-tier=PREMIUM \
    --address=$EXTERNAL_IP \
    --target-https-proxy=$TARGET_HTTPS_PROXY_NAME \
    --global \
    --ports=443
Iain Cox
  • Is the domain a verified domain for the credentials used by your script? Was the SSL certificate actually created? Your post does not show the DNS changes that you made. Note: your script does no error checking. You should validate the success or failure of each command. – John Hanley Jun 26 '23 at 17:37

2 Answers

  • Update the DNS A records to point to the load balancer's IP address

  • Run dig EXAMPLE.com to check whether the LB IP is properly provisioned

  • gcloud compute ssl-certificates describe CERTIFICATE_NAME \
      --format="get(managed.domainStatus)"
    # Sometimes propagation across the internet takes up to 72 hours worldwide, although it typically takes a few hours.

  • Read Troubleshooting guide

  • From experience, create DNS records then create LB

  • Other users experiencing similar error

dany L

In addition to @dany L's answer, I would suggest just recreating the current SSL certificate after making sure that your A record is pointed to the correct Load Balancer's Frontend IP address, if it has been more than 60 minutes since it started trying to provision.

Per the documentation:

Provisioning a Google-managed certificate might take up to 60 minutes from the moment your DNS and load balancer configuration changes have propagated across the internet. If you have updated your DNS configuration recently, it can take a significant amount of time for the changes to fully propagate. Sometimes propagation takes up to 72 hours worldwide, although it typically takes a few hours. For more information on DNS propagation.


These tools are also helpful in checking the status of both the SSL certificate and the DNS:

James S
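
The checks both answers describe (A records pointing at the load balancer IP, then the certificate's `managed.domainStatus`), as an added shell example that is not part of either answer or of the question's script. The `diagnose` and `check_live` functions and the verdict names are hypothetical; it assumes the address that matters is the one on the HTTPS forwarding rule (`$EXTERNAL_IP` in the question).

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for a Google-managed certificate.

# diagnose LB_IP "A records, one per line" "domainStatus text"
# Pure function (no network): prints a verdict, returns 0 only for OK or WAIT.
diagnose() {
  local lb_ip="$1" records="$2" status="$3" ip seen=0
  [ -n "$lb_ip" ] || { echo NO_LB_IP; return 1; }
  while IFS= read -r ip; do
    # Skip blanks and CNAME targets that `dig +short` prints before the IPs.
    case "$ip" in ''|*[!0-9.]*) continue ;; esac
    seen=1
    # An A record that is not the load balancer's IP can make validation fail.
    [ "$ip" = "$lb_ip" ] || { echo DNS_MISMATCH; return 1; }
  done <<EOF
$records
EOF
  [ "$seen" -eq 1 ] || { echo DNS_MISSING; return 1; }
  # Substring match, so the exact layout of gcloud's output is not assumed.
  case "$status" in
    *FAILED_NOT_VISIBLE*) echo DNS_OK_CERT_FAILED; return 1 ;;  # recreate if >60 min
    *PROVISIONING*)       echo WAIT; return 0 ;;
    *ACTIVE*)             echo OK; return 0 ;;
    *)                    echo UNKNOWN_STATUS; return 1 ;;
  esac
}

# Live wiring: needs gcloud and dig, and the question's variables set.
check_live() {
  local lb_ip records status
  lb_ip=$(gcloud compute addresses describe "$EXTERNAL_IP" \
            --format="get(address)" --global) || return 2
  records=$(dig +short A "$DOMAIN") || return 2
  status=$(gcloud compute ssl-certificates describe "$SSL_CERTIFICATE_NAME" \
            --format="get(managed.domainStatus)") || return 2
  diagnose "$lb_ip" "$records" "$status"
}

# Constructed sample (documentation IP ranges), prints DNS_MISMATCH:
diagnose 203.0.113.10 "198.51.100.7" "example.test=FAILED_NOT_VISIBLE" || true
```

A `DNS_MISMATCH` or `DNS_MISSING` verdict means the A record has to be fixed before recreating the certificate will help.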