
I'm new to this topic. We're using GCP (App Engine, standard) to host one Node.js application. However, for different reasons we decided to create two services, stage and default (think of it as the same app running in parallel).

The default one is connected with a custom domain (GAE-provided SSL cert) and working properly. The stage service can be accessed with the Google-generated URL (stage-dot-example.appspot.com) and is obviously protected with SSL certificates.

Then, we had to go through a security review from our partners, and we used stage for this.

The result is that we have to disable TLSv1.0 and TLSv1.1. With GAE, we need to create a Load Balancer and switch SSL policies to the TLS-specific one.

The problem: to create an External HTTPS load balancer, you have to create an SSL Certificate resource (i.e. you have to own a domain). With the custom domain I guess it should not be hard, but how do I do this for stage? Do I use my stage domain (...appspot.com) in the SSL Certificate resource? If so, what do I do with DNS records and the external IP (you need to switch the IP to the external IP in the A and AAAA records)?

Or if I'm doing something wrong, could you point me in the right direction?

UPDATE + UPDATE 2

I decided to go down the path proposed by Wojtek_B. So I verified stage.example.com and it worked fine without a Load Balancer.

At that point, my DNS records included 4 A and 4 AAAA records for @ with Google-provided IPs, and 3 CNAME records (www, stage, www.stage) pointing to "ghs.googlehosted.com."

Next, I created an SSL certificate resource with 4 domains: example.com, www.example.com, stage.example.com, www.stage.example.com.

Then I added an External HTTPS Load Balancer (with an external IP, for example 1.2.3.4, and the SSL cert mentioned above).

I added new A records for @, www, stage, and www.stage pointing to 1.2.3.4. I've dropped the CNAME records because they are excessive.

After waiting for 2-3 hours (TTL is half an hour) all subdomains were activated except for example.com (stuck in FAILED_NOT_VISIBLE).

ANSWER

I've been fighting a managed SSL certificate stuck in the provisioning state for a while. I followed this tutorial, where you're supposed to create an external IP (v4) only. But I also had 4 AAAA records (got those during domain verification) with (obviously) IPv6. So I tried to reserve an external IP (v6), and it took less than a minute to push all 4 (sub)domains to the active state.

In just a few minutes both services were up and running through the LB with the required TLS configs.

Alexander B.
    Google HTTP(S) Load Balancers only support SSL certificates for domains you own/control. You cannot create certificates or frontends for Google's autogenerated domains. – John Hanley May 23 '21 at 01:54

1 Answer


You can use SSL certificates in GCP only with domains pointing to a load balancer. If you try to provision a certificate for the App Engine application, it won't be generated.

There are a few reasons why it may happen:

  • The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to your load balancer's IP address.
  • The SSL certificate isn't attached to the load balancer's target proxy. To resolve this issue, update your load balancer configuration.
  • The frontend ports for the global forwarding rule do not include port 443 for an SSL proxy load balancer. This can be resolved by adding a new forwarding rule with port 443.

However, all App Engine addresses that you can use (*.appspot.com subdomains) have a valid SSL certificate. But then you can't use a load balancer.

If you can run all your staging tests without the load balancer, then GCP's SSL certificates will do the job.

If you need to have your staging environment running in the same kind of setup as production, then you need to create a new LB with a backend pointing to your GAE service. Additionally, you will need another domain (or at least a subdomain). You need to use a domain other than *.appspot.com, since for creating GCP's self-managed SSL certificate you need to provide a domain pointing to the LB itself (and not GAE).

In your case I'd recommend creating a new subdomain. Then create a new LB and generate a new SSL cert for that subdomain. It will take up to 60 minutes for the certificate to be provisioned. You also have to change the A records in your subdomain to point to your newly created LB; only then can the SSL certificate be successfully provisioned (since the domain has to point to an LB).

Alternatively, you can add your subdomain to the list of domains of your existing certificate. Keep all the records created for the domain, and after you create a subdomain, create a new set of A (and AAAA records if necessary).

If you're using GCP's Cloud DNS then it will look like this:

(screenshot of the Cloud DNS record set, not reproduced here)

Also, I'd recommend going through the linked documentation to have a better understanding of the entire process.

Wojtek_B
  • Thanks @Wojtek_B for the answer! I actually went this way and created the subdomain stage.example.com. I verified everything with GAE and all worked fine (including www and stage and www.stage). On the provider side, A DNS records (@, www, stage, www.stage, *) point to the external IP. (I've deleted the CNAME.) Now I added the LB and my SSL cert (with 4 (sub)domains) has been in provisioning for 10 hours already, with all active except example.com (FAILED_NOT_VISIBLE)... www.example.com is active though. I can ping all of them and get the needed IP. Do you know what could be the problem? – Alexander B. May 24 '21 at 13:30
  • Also, do you know if I need to keep the AAAA records (that I had to add for verification) or drop them as well? – Alexander B. May 24 '21 at 13:33
  • Keep the records. Just add new A record with subdomain and pointing to LB. I updated my answer to reflect that. – Wojtek_B May 24 '21 at 14:04
  • Thanks! So I got one A record for @ pointing to the external IP and 3 CNAMEs (www, stage, www.stage) pointing to "example.com." (example). I also have leftover AAAA records. Now my SSL Certificate resource has disabled all four domains (FAILED_NOT_VISIBLE), and it's been like this for over an hour or so. dig and ping show the right external IP. – Alexander B. May 24 '21 at 16:14
  • One thing that confuses me: previously I had to add a CNAME to "ghs.googlehosted.com." for www, stage, www.stage. If I keep it and add new A records, that would contradict the principle of having a unique entry. So that's why, instead of googlehosted, I updated those CNAME records to point to "example.com." I also added back the A records that were there during verification. I will wait and see, but at this point I'm sceptical it will work (I think I already tried this). – Alexander B. May 24 '21 at 16:44
  • I've updated the question to reflect what I have changed and what I have at this point. – Alexander B. May 24 '21 at 17:00
  • Thanks @Wojtek_B, your answer really helped to find the right answer. The problem was a lack of an external IP (v6 in addition to v4) attached to the LB. (I've updated my question with the most recent details and conclusions.) – Alexander B. May 25 '21 at 05:03
  • Thanks for the feedback! – Wojtek_B May 25 '21 at 07:32
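As an added example (not code from the question, the answer, or any Google tooling), the following Python script models the DNS visibility check behind the answer's list of provisioning failure reasons and the asker's finding that leftover AAAA records kept example.com in FAILED_NOT_VISIBLE. All IPs and record sets are constructed; it assumes that once an IPv6 address is reserved for the LB, the AAAA records are repointed to it.

```python
# Added example: model the DNS check that Google-managed certificate provisioning
# performs for every domain on the certificate. Every address a name resolves to
# (A and AAAA) must belong to the load balancer, or the domain stays NOT_VISIBLE.
# All addresses below are constructed (RFC 5737 / RFC 3849 documentation ranges).

LB_IPV4 = "1.2.3.4"                                   # external IPv4 on the LB forwarding rule
LB_IPV6 = "2001:db8::1"                               # external IPv6 reserved for the LB later
GAE_IPV6 = ["2001:db8:ffff::1", "2001:db8:ffff::2"]   # leftover AAAA from App Engine domain verification


def domain_status(records, lb_ipv4, lb_ipv6=None):
    """Return ("ACTIVE", []) or ("FAILED_NOT_VISIBLE", reasons) for one domain.

    records: {"A": [...], "AAAA": [...], "CNAME": [...]} as public DNS answers it.
    A single AAAA pointing anywhere but the LB is enough to block provisioning.
    """
    reasons = []
    if records.get("CNAME"):
        reasons.append(f"CNAME {records['CNAME'][0]} does not resolve to the LB")
    a_records = records.get("A", [])
    if not a_records:
        reasons.append("no A record")
    for ip in a_records:
        if ip != lb_ipv4:
            reasons.append(f"A {ip} is not the LB IPv4 {lb_ipv4}")
    for ip in records.get("AAAA", []):
        if lb_ipv6 is None or ip != lb_ipv6:
            reasons.append(f"AAAA {ip} is not an LB IPv6 (LB has {lb_ipv6 or 'no IPv6'})")
    return ("ACTIVE", []) if not reasons else ("FAILED_NOT_VISIBLE", reasons)


def check_certificate(domains, lb_ipv4, lb_ipv6=None):
    """Evaluate every domain listed on the managed certificate resource."""
    return {name: domain_status(recs, lb_ipv4, lb_ipv6) for name, recs in domains.items()}


# Constructed snapshot of the question's state before the fix: only the apex
# still carries the AAAA records added during App Engine domain verification.
BEFORE = {
    "example.com":           {"A": [LB_IPV4], "AAAA": GAE_IPV6},
    "www.example.com":       {"A": [LB_IPV4]},
    "stage.example.com":     {"A": [LB_IPV4]},
    "www.stage.example.com": {"A": [LB_IPV4]},
}
# After the fix (assumption): the LB gets an IPv6 address and all AAAA point at it.
AFTER = {name: {"A": [LB_IPV4], "AAAA": [LB_IPV6]} for name in BEFORE}

if __name__ == "__main__":
    for label, snapshot, v6 in (("before", BEFORE, None), ("after", AFTER, LB_IPV6)):
        for name, (state, why) in check_certificate(snapshot, LB_IPV4, v6).items():
            print(f"{label:6} {name:24} {state} {'; '.join(why)}")
```

Running it reproduces the asker's symptom (only example.com fails before the IPv6 fix) and the all-active state afterwards; feeding it real `dig` output for your own domains gives the same per-domain verdict the certificate resource will reach.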