“Certificate for GCP Load Balancer not validating.”

huangapple go评论64阅读模式
英文:

Certificate for gcp loadbalancer not validating

问题

我一直在尝试设置经典负载均衡器来为我的网站提供服务。代码/容器正在Cloud Run上运行,并且工作正常。

HTTP路由通过负载均衡器正常工作,但是SSL证书继续显示FAILED_NOT_VISIBLE。显然,我漏掉了一些东西!我已经使用一个shell脚本部署了负载均衡器,并在下面附上了该脚本。我已从证书中删除了域名。

SSL_CERTIFICATE_NAME='ea-ssl2'
DOMAIN='xxxxx.co.uk'
TARGET_HTTP_PROXY_NAME='ea-http-proxy2'
TARGET_HTTPS_PROXY_NAME='ea-https-proxy2'
URL_MAP_NAME='ea-url-map2'
EXTERNAL_IP='ea-external-ip'
SERVERLESS_NEG_NAME='ea-serverless2-neg'
CLOUD_RUN_SERVICE_NAME='ea-website'
BACKEND_SERVICE_NAME='ea-backend-service'
REGION=europe-west2
HTTP_FORWARDING_RULE_NAME='ea-http-forwarding-rule'
HTTPS_FORWARDING_RULE_NAME='ea-https-forwarding-rule'

echo '**** 首先,创建一个外部IP\n\n'

#gcloud compute addresses create $EXTERNAL_IP \
#    --network-tier=PREMIUM \
#    --ip-version=IPV4 \
#    --global

gcloud compute addresses describe $EXTERNAL_IP \
    --format="get(address)" \
    --global


echo "\n\n*** 现在创建网络终结点组(NEG)***\n\n"

gcloud compute network-endpoint-groups create $SERVERLESS_NEG_NAME \
   --region=$REGION \
   --network-endpoint-type=serverless  \
   --cloud-run-service=$CLOUD_RUN_SERVICE_NAME


echo '*** 创建后端服务 ***\n\n'

gcloud compute backend-services create $BACKEND_SERVICE_NAME \
  --load-balancing-scheme=EXTERNAL \
  --global

echo '*** 将NEG添加到后端服务 ***\n\n'

gcloud compute backend-services add-backend $BACKEND_SERVICE_NAME \
   --global \
   --network-endpoint-group=$SERVERLESS_NEG_NAME \
   --network-endpoint-group-region=$REGION

echo '*** 现在创建URL映射 ***\n\n'

gcloud compute url-maps create $URL_MAP_NAME \
   --default-service $BACKEND_SERVICE_NAME

gcloud compute target-http-proxies create $TARGET_HTTP_PROXY_NAME \
   --url-map=$URL_MAP_NAME


echo "\n\n*** 现在创建SSL证书 ***\n\n"
gcloud compute ssl-certificates create $SSL_CERTIFICATE_NAME \
   --domains $DOMAIN

echo '*** 创建目标代理 ***'
echo ' --- 目标代理名称',$TARGET_HTTPS_PROXY_NAME
echo ' --- 证书名称',$SSL_CERTIFICATE_NAME

gcloud compute target-https-proxies create $TARGET_HTTPS_PROXY_NAME \
  --ssl-certificates=$SSL_CERTIFICATE_NAME \
  --url-map=$URL_MAP_NAME

echo '************************************************************'
echo '***********  添加转发规则                ***********'
echo '************************************************************'
gcloud compute forwarding-rules create $HTTP_FORWARDING_RULE_NAME \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --address='ea-http-ip' \
   --target-http-proxy=$TARGET_HTTP_PROXY_NAME \
   --global \
   --ports=80

echo "现在添加443目标代理"
gcloud compute forwarding-rules create $HTTPS_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL \
    --network-tier=PREMIUM \
    --address=$EXTERNAL_IP \
    --target-https-proxy=$TARGET_HTTPS_PROXY_NAME \
    --global \
    --ports=443

注意:以上是您提供的Shell脚本的翻译部分,没有包括代码。

英文:

I have been trying to setup a classic load balancer to for my website. The code/container is running on Cloud Run and works fine.

The http route works fine through the load balancer, however the ssl certificate continues to give FAILED_NOT_VISIBLE. Clearly, I am missing something! I have deployed the LB using a shell script and have attached the script below. I have removed the domain name from the certificate.

SSL_CERTIFICATE_NAME='ea-ssl2'
DOMAIN='xxxxx.co.uk'
TARGET_HTTP_PROXY_NAME='ea-http-proxy2'
TARGET_HTTPS_PROXY_NAME='ea-https-proxy2'
URL_MAP_NAME='ea-url-map2'
EXTERNAL_IP='ea-external-ip'
SERVERLESS_NEG_NAME='ea-serverless2-neg'
CLOUD_RUN_SERVICE_NAME='ea-website'
BACKEND_SERVICE_NAME='ea-backend-service'
REGION=europe-west2
HTTP_FORWARDING_RULE_NAME='ea-http-forwarding-rule'
HTTPS_FORWARDING_RULE_NAME='ea-https-forwarding-rule'

echo '**** Firstly, create an External IP \n\n'

#gcloud compute addresses create $EXTERNAL_IP \
#    --network-tier=PREMIUM \
#    --ip-version=IPV4 \
#    --global

gcloud compute addresses describe $EXTERNAL_IP \
    --format="get(address)" \
    --global


echo "\n\n*** Now Create the Network Endpoint Group (NEG) ***\n\n"

gcloud compute network-endpoint-groups create $SERVERLESS_NEG_NAME \
   --region=$REGION \
   --network-endpoint-type=serverless  \
   --cloud-run-service=$CLOUD_RUN_SERVICE_NAME


echo '\n\n*** Create the Backend Service ***\n\n'

gcloud compute backend-services create $BACKEND_SERVICE_NAME \
  --load-balancing-scheme=EXTERNAL \
  --global

echo '*** Add the NEG to the Backend Service ***\n\n'

gcloud compute backend-services add-backend $BACKEND_SERVICE_NAME \
   --global \
   --network-endpoint-group=$SERVERLESS_NEG_NAME \
   --network-endpoint-group-region=$REGION


echo '*** Now Create the URL MAP ***\n\n'

gcloud compute url-maps create $URL_MAP_NAME \
   --default-service $BACKEND_SERVICE_NAME

gcloud compute target-http-proxies create $TARGET_HTTP_PROXY_NAME \
   --url-map=$URL_MAP_NAME


echo "\n\n*** Now Create the SSL Certificate ***\n\n"
gcloud compute ssl-certificates create $SSL_CERTIFICATE_NAME \
   --domains $DOMAIN

echo '\n\n**** Create Target Proxy'
echo ' --- TargetProxy Name',$TARGET_HTTPS_PROXY_NAME
echo ' --- Certificate Name',$SSL_CERTIFICATE_NAME

gcloud compute target-https-proxies create $TARGET_HTTPS_PROXY_NAME \
  --ssl-certificates=$SSL_CERTIFICATE_NAME \
  --url-map=$URL_MAP_NAME


echo '\n************************************************************'
echo '***********  Add Forwarding Rules                ***********'
echo '************************************************************'
gcloud compute forwarding-rules create $HTTP_FORWARDING_RULE_NAME \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --address='ea-http-ip' \
   --target-http-proxy=$TARGET_HTTP_PROXY_NAME \
   --global \
   --ports=80

echo "Now Add 443 Target Proxy"
gcloud compute forwarding-rules create $HTTPS_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL \
    --network-tier=PREMIUM \
    --address=$EXTERNAL_IP \
    --target-https-proxy=$TARGET_HTTPS_PROXY_NAME \
    --global \
    --ports=443

答案1

得分: 1

  • 更新 DNS A 记录,将其指向负载均衡器的 IP 地址
  • 运行 dig EXAMPLE.com 命令,以检查 lb IP 是否正确配置
  • 运行以下命令来查看 SSL 证书的状态:
gcloud compute ssl-certificates describe CERTIFICATE_NAME --format="get(managed.domainStatus)" #有时全球范围内的传播可能需要最多72小时,尽管通常只需要几小时。
英文:
  • Update the DNS A records to point to the load balancer's IP address

  • Run a dig EXAMPLE.com in order to check whether lb ip is properly provisioned

  • gcloud compute ssl-certificates describe CERTIFICATE_NAME
    --format="get(managed.domainStatus)" #Sometimes propagation across the internet takes up to 72 hours worldwide, although it typically takes a few hours.

  • Read Troubleshooting guide

  • From experience, create DNS records then create LB

  • Other users experiencing similar error

答案2

得分: 1

除了 @dany L 的回答之外,我建议在确保您的 A 记录指向正确的负载均衡器前端 IP 地址后,只需重新创建当前的 SSL 证书,如果已经超过 60 分钟并且仍在尝试配置。

根据文档

从您的 DNS 和负载均衡器配置更改传播到互联网的那一刻起,配置 Google 托管证书可能需要最多 60 分钟。如果您最近更新了 DNS 配置,那么更改可能需要相当长的时间才能完全传播。有时,全球范围内的传播需要多达 72 小时,尽管通常只需几小时。有关 DNS 传播的更多信息,请参阅文档。

这些工具也有助于检查 SSL 证书和 DNS 的状态:

英文:

In addition to @dany L's answer, I would suggest to just recreate the current SSL certificate after making sure that your A record is pointed to the correct Load Balancer's Frontend IP address, if it has been more than 60 minutes since it started trying to provision.

Per the documentation:
> Provisioning a Google-managed certificate might take up to 60 minutes from the moment your DNS and load balancer configuration changes have propagated across the internet. If you have updated your DNS configuration recently, it can take a significant amount of time for the changes to fully propagate. Sometimes propagation takes up to 72 hours worldwide, although it typically takes a few hours. For more information on DNS propagation.


These tools are also helpful in checking the status of both the SSL certificate and the DNS:

huangapple
  • 本文由 发表于 2023年6月26日 19:56:52
  • 转载请务必保留本文链接:https://go.coder-hub.com/76556449.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定