1

What's the expected duration to provision/finish serving an updated TLS certificate (called "SSL certificate resource" in GCE) for the target HTTPS proxy (part of the GCP HTTPS-Load-Balancer)? Is it documented somewhere?

My test below reveals:

  • GCP HTTPS-Load-Balancer needs ca. 8 minutes after updating to serve only the new TLS certificate
  • ... ca. 7 minutes after applying to serve only the old certificate

Test setup

  • 18:44 Update the proxy to use the new TLS certificate (keeping the old certificate_valid-2019-07 as "backup")

      gcloud compute target-https-proxies update NAME --ssl-certificates certificate_valid-2021-07,certificate_valid-2019-07
    
  • (running every 5 seconds: gcloud compute target-https-proxies list --filter="name=NAME" & curl -v https://LOAD_BALANCER_IP 2>&1 | grep "expire date")

  • all requests serve certificate with expire date: 2019-07

  • 18:44:41 switch to SSL resources certificate_valid-2021-07,certificate_valid-2019-07

  • 18:50:26 switch back to SSL resource certificate_valid-2019-07 (automatically done by ingress-gce)

  • 18:52:04 first expire date: 2021-07 appeared

  • 18:52:35 all requests expire date: 2021-07

  • 18:56:34 first expire date: 2019-07 appeared

  • 18:57:10 all requests expire date: 2019-07

Dominik
  • 225
  • 2
  • 7
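
The measurement described in the question can be scripted. The sketch below is an added example, not part of the original post or of any Google tooling: `served_not_after` reads the expiry date of the certificate a load balancer IP serves, and `rollover_windows` turns a series of such samples into "first appeared" and "all requests" times. The function names, the `settle` threshold and the sample data are assumptions made for illustration.

```python
import socket
import ssl

def served_not_after(ip, hostname, port=443, timeout=5.0):
    """Return the notAfter field of the certificate served at `ip` for SNI `hostname`."""
    ctx = ssl.create_default_context()  # chain and hostname verification stay enabled
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert()["notAfter"]
    except (ssl.SSLError, OSError) as exc:
        return f"error: {exc}"  # a failed handshake is an observation too

def rollover_windows(observations, settle=3):
    """Summarise (timestamp, cert) samples into one record per certificate switch.

    A certificate counts as served by "all requests" from the start of the first
    run of `settle` consecutive samples showing it (assumed threshold).
    """
    windows, stable, first_seen = [], None, {}
    run_cert, run_start, run_len = None, None, 0
    for ts, cert in observations:
        if cert == run_cert:
            run_len += 1
        else:
            run_cert, run_start, run_len = cert, ts, 1
        if cert == stable:
            continue  # old certificate still answering during the mixed phase
        first_seen.setdefault(cert, ts)
        if run_len >= settle:
            if stable is not None:
                windows.append({"from": stable, "to": cert,
                                "first_seen": first_seen[cert], "all_requests": run_start})
            stable, first_seen = cert, {}
    return windows

# Constructed samples, modelled on the timestamps reported in the question.
OLD, NEW = "2019-07", "2021-07"
SAMPLES = [
    ("18:51:50", OLD), ("18:51:55", OLD), ("18:52:00", OLD),
    ("18:52:04", NEW), ("18:52:10", OLD), ("18:52:15", NEW), ("18:52:30", OLD),
    ("18:52:35", NEW), ("18:52:40", NEW), ("18:52:45", NEW),
    ("18:56:34", OLD), ("18:56:40", NEW),
    ("18:57:10", OLD), ("18:57:15", OLD), ("18:57:20", OLD),
]

if __name__ == "__main__":
    for w in rollover_windows(SAMPLES):
        print(w)
```

For a live measurement, call `served_not_after` on a fixed interval and feed the timestamped results to `rollover_windows`; the gap between `first_seen` and `all_requests` is the period in which clients may receive either certificate.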

2 Answers

1

Wait for the replacement SSL certificate to complete provisioning. Provisioning might take up to 60 minutes. When provisioning is complete, the certificate status becomes ACTIVE. After the certificate and domain status are active, the maximum time will be 30 minutes for your load balancer to begin using your Google-managed SSL certificate. You can use Google-managed SSL certificates or self-managed SSL certificates to renew SSL certificates without any downtime.

  • Do you have a documented source for these times? – Dominik Aug 30 '21 at 06:08
  • Please find the [link](https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#replace-ssl) to get the timings. Wait for the replacement SSL certificate to complete provisioning. Provisioning might take up to 60 minutes. – Ramesh kollisetty Sep 03 '21 at 12:06
  • Thanks for the link. Yeah, that's for the Google-managed certificate. Interestingly, for the self-managed certificates, it's said you just need to wait 15 minutes ([see doc](https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#replacing-certificates)). When you add this info, I'll accept your answer. Thanks – Dominik Sep 14 '21 at 10:33
0

I don't see any documentation specifying exactly what you want to know. The only related information I can find is this.

Alex6Zam
  • 46
  • 2
  • The doc you linked is about provisioning a new TLS/SSL certificate itself. My question is about the time to provision an already existing certificate to the global load-balancer instances. I guess the duration will be the same for the managed certificate once it's successfully created. – Dominik Jun 07 '19 at 12:26
  • You are right, the documentation is about provisioning new certificates, and that's the closest documentation I found. Regarding your question, we can only speculate, or you can make your own measurements, as you already did. In the realm of speculation, I agree with you that it must take a similar amount of time to that of managed certificates once they are created. – Alex6Zam Jun 07 '19 at 13:17