
Google Managed SSL Certificate Stuck on FAILED_NOT_VISIBLE

I'm trying to configure an HTTPS/Layer 7 Load Balancer with GKE. I'm following SSL certificates overview and GKE Ingress for HTTP(S) Load Balancing.

My config. has worked for some time. I wanted to test Google's managed service.

This is how I've set it up so far:

k8s/staging/staging-ssl.yml:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-lb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
  - host: staging.my-app.no
    http:
      paths:
      - path: /*
        backend:
          serviceName: my-svc
          servicePort: 3001

gcloud compute addresses list

#=>

NAME                   REGION  ADDRESS         STATUS
my-staging-global              35.244.160.NNN  RESERVED

host staging.my-app.no

#=>

35.244.160.NNN

but it is stuck on FAILED_NOT_VISIBLE:

gcloud beta compute ssl-certificates describe staging-google-managed-ssl

#=>

creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED

Any idea on how I can fix or debug this further?


I found a section in the doc I linked to at the beginning of the post Associating SSL certificate resources with a target proxy:

Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.

gcloud compute target-https-proxies create [NAME] \
    --url-map=[URL_MAP] \
    --ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2],[SSL_CERTIFICATE3],...]

Is that necessary when I have this line in k8s/staging/staging-ssl.yml?

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    . . .
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    . . .

I'm trying to configure an https load balancer on GKE. I'm following: https://cloud.google.com/load-balancing/docs/ssl-certificates and https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

My config has worked for some time using a certificate from Let's Encrypt. But it's too much hassle to renew the certificates all the time so I wanted to test Google's managed service.

This is how I've set it up so far, but it gets stuck on FAILED_NOT_VISIBLE. Any idea on how I can fix or debug this further?

k8s/staging/staging-ssl.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-staging-lb-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
    ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
    kubernetes.io/ingress.allow-http: "false"
spec:
  rules:
  - host: staging.my-app.no
    http:
      paths:
      - path: /*
        backend:
          serviceName: my-svc
          servicePort: 3001

Reserved IP

$ gcloud compute addresses list
NAME                   REGION  ADDRESS         STATUS
my-staging-global              35.244.160.NNN  RESERVED


$ host staging.my-app.no 
35.244.160.NNN

$ gcloud beta compute ssl-certificates describe staging-google-managed-ssl

creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED

I found a section in the doc I linked to at the beginning of the post Associating SSL certificate resources with a target proxy:

Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.

gcloud compute target-https-proxies create [NAME] \
    --url-map=[URL_MAP] \
    --ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2],[SSL_CERTIFICATE3],...]

Is that necessary when I have this line in my Ingress config?

ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"

I had this problem for days. Even though the FQDN in the Google Cloud public DNS zone correctly resolved to the IP of the HTTPS Load Balancer, certificate creation failed with FAILED_NOT_VISIBLE. I eventually resolved the problem, as my domain was set up in Google Domains with DNSSEC but had an incorrect DNSSEC record when pointing to the Google Cloud Public DNS zone. The DNSSEC configuration can be verified using https://dnsviz.net/.

As already pointed out by Mitzi: https://stackoverflow.com/a/66578266/7588668

This is what worked for me:

  1. Create the cert with the subdomains/domains.
  2. You must add it to the load balancer (I was waiting for it to become active, but it only becomes active when you add it!).
  3. Add the static IP as an A record for the domains/subdomain.

It worked in 5 min.

I had the same problem. But my problem was in the deployment. I ran

kubectl describe ingress [INGRESS-NAME] -n [NAMESPACE]

The result shows an error in the resources.timeoutsec for the deployment. Allowed values must be less than 300 sec. My original value was above that. I reduced readinessProbe.timeoutSeconds to a lower number. After 30 mins the SSL cert was generated and the subdomain was verified.
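
The checks the answers above describe (certificate attached to the load balancer, A record pointing at the reserved IP, then DNSSEC and Ingress events), combined into one triage helper. This is an added example, not code from the thread: the function names and the 203.0.113.10 address are constructed, and every input is plain text so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): offline triage of a
# Google-managed certificate stuck on FAILED_NOT_VISIBLE.
# All function names and sample values below are constructed.

# Constructed sample, shaped like the `describe` output in the question.
SAMPLE_DESCRIBE='managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
type: MANAGED'

# domain_status DESCRIBE_TEXT DOMAIN
# Prints the status of DOMAIN from the managed.domainStatus map (or nothing).
domain_status() {
  printf '%s\n' "$1" | awk -v d="$2" '
    /^  domainStatus:/ { in_map = 1; next }
    in_map && /^    [^ ]/ {
      sub(/^ +/, ""); n = split($0, kv, ": ")
      if (n == 2 && kv[1] == d) print kv[2]
      next
    }
    { in_map = 0 }'
}

# cert_attached CERT_NAME PROXY_CERTS
# Exit 0 if CERT_NAME appears in PROXY_CERTS, a list of certificate names or
# selfLink URLs separated by ';', ',' or spaces.
cert_attached() {
  printf '%s\n' "$2" | tr ';, ' '\n\n\n' | sed 's|.*/||' | grep -Fxq -- "$1"
}

# diagnose DESCRIBE DOMAIN CERT RESERVED_IP RESOLVED_IPS PROXY_CERTS
# Prints one keyword naming the first precondition that fails.
diagnose() {
  status=$(domain_status "$1" "$2")
  if [ "$status" = "ACTIVE" ]; then echo ok; return; fi
  if [ -z "$status" ]; then echo domain-not-on-cert; return; fi
  # Second answer: the cert only becomes active once a proxy references it.
  if ! cert_attached "$3" "$6"; then echo cert-not-attached; return; fi
  # Third step of the second answer: the A record must be the static IP.
  if [ -z "$5" ]; then echo dns-no-answer; return; fi
  if ! printf '%s\n' $5 | grep -Fxq -- "$4"; then echo dns-wrong-ip; return; fi
  # DNS looks right from here: verify the DNSSEC chain (first answer) and
  # read the events of `kubectl describe ingress` (third answer).
  echo check-dnssec-and-ingress-events
}

# Gathering live inputs (run by an operator who has gcloud and dig):
#   DESCRIBE=$(gcloud beta compute ssl-certificates describe staging-google-managed-ssl)
#   RESERVED=$(gcloud compute addresses describe my-staging-global --global --format='value(address)')
#   RESOLVED=$(dig +short A staging.my-app.no)
#   PROXIES=$(gcloud compute target-https-proxies list --format='value(sslCertificates)')
#   diagnose "$DESCRIBE" staging.my-app.no staging-google-managed-ssl "$RESERVED" "$RESOLVED" "$PROXIES"

# Demo on the constructed sample: DNS is correct but no proxy uses the cert.
diagnose "$SAMPLE_DESCRIBE" staging.my-app.no staging-google-managed-ssl \
  203.0.113.10 "203.0.113.10" ""
```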
