Certificate for GCP Load Balancer not validating

Question

I have been trying to set up a classic load balancer for my website. The code/container is running on Cloud Run and works fine.

The HTTP route works fine through the load balancer, however the SSL certificate continues to give FAILED_NOT_VISIBLE. Clearly, I am missing something! I have deployed the LB using a shell script and have attached the script below. I have removed the domain name from the certificate.

SSL_CERTIFICATE_NAME='ea-ssl2'
DOMAIN='xxxxx.co.uk'
TARGET_HTTP_PROXY_NAME='ea-http-proxy2'
TARGET_HTTPS_PROXY_NAME='ea-https-proxy2'
URL_MAP_NAME='ea-url-map2'
EXTERNAL_IP='ea-external-ip'
SERVERLESS_NEG_NAME='ea-serverless2-neg'
CLOUD_RUN_SERVICE_NAME='ea-website'
BACKEND_SERVICE_NAME='ea-backend-service'
REGION=europe-west2
HTTP_FORWARDING_RULE_NAME='ea-http-forwarding-rule'
HTTPS_FORWARDING_RULE_NAME='ea-https-forwarding-rule'

echo '**** Firstly, create an External IP \n\n'

#gcloud compute addresses create $EXTERNAL_IP \
#    --network-tier=PREMIUM \
#    --ip-version=IPV4 \
#    --global

gcloud compute addresses describe $EXTERNAL_IP \
    --format="get(address)" \
    --global


echo "\n\n*** Now Create the Network Endpoint Group (NEG) ***\n\n"

gcloud compute network-endpoint-groups create $SERVERLESS_NEG_NAME \
   --region=$REGION \
   --network-endpoint-type=serverless  \
   --cloud-run-service=$CLOUD_RUN_SERVICE_NAME


echo '\n\n*** Create the Backend Service ***\n\n'

gcloud compute backend-services create $BACKEND_SERVICE_NAME \
  --load-balancing-scheme=EXTERNAL \
  --global

echo '*** Add the NEG to the Backend Service ***\n\n'

gcloud compute backend-services add-backend $BACKEND_SERVICE_NAME \
   --global \
   --network-endpoint-group=$SERVERLESS_NEG_NAME \
   --network-endpoint-group-region=$REGION


echo '*** Now Create the URL MAP ***\n\n'

gcloud compute url-maps create $URL_MAP_NAME \
   --default-service $BACKEND_SERVICE_NAME

gcloud compute target-http-proxies create $TARGET_HTTP_PROXY_NAME \
   --url-map=$URL_MAP_NAME


echo "\n\n*** Now Create the SSL Certificate ***\n\n"
gcloud compute ssl-certificates create $SSL_CERTIFICATE_NAME \
   --domains $DOMAIN

echo '\n\n**** Create Target Proxy'
echo ' --- TargetProxy Name',$TARGET_HTTPS_PROXY_NAME
echo ' --- Certificate Name',$SSL_CERTIFICATE_NAME

gcloud compute target-https-proxies create $TARGET_HTTPS_PROXY_NAME \
  --ssl-certificates=$SSL_CERTIFICATE_NAME \
  --url-map=$URL_MAP_NAME


echo '\n************************************************************'
echo '***********  Add Forwarding Rules                ***********'
echo '************************************************************'
gcloud compute forwarding-rules create $HTTP_FORWARDING_RULE_NAME \
   --load-balancing-scheme=EXTERNAL \
   --network-tier=PREMIUM \
   --address='ea-http-ip' \
   --target-http-proxy=$TARGET_HTTP_PROXY_NAME \
   --global \
   --ports=80

echo "Now Add 443 Target Proxy"
gcloud compute forwarding-rules create $HTTPS_FORWARDING_RULE_NAME \
    --load-balancing-scheme=EXTERNAL \
    --network-tier=PREMIUM \
    --address=$EXTERNAL_IP \
    --target-https-proxy=$TARGET_HTTPS_PROXY_NAME \
    --global \
    --ports=443

Answer 1

Score: 1

  • Update the DNS A records to point to the load balancer's IP address
  • Run a dig EXAMPLE.com in order to check whether the LB IP is properly provisioned
  • gcloud compute ssl-certificates describe CERTIFICATE_NAME --format="get(managed.domainStatus)" # Sometimes propagation across the internet takes up to 72 hours worldwide, although it typically takes a few hours.
  • Read the Troubleshooting guide
  • From experience, create the DNS records, then create the LB
  • Other users experiencing a similar error

Answer 2

Score: 1

In addition to @dany L's answer, I would suggest just recreating the current SSL certificate after making sure that your A record is pointed to the correct Load Balancer's Frontend IP address, if it has been more than 60 minutes since it started trying to provision.

Per the documentation:
> Provisioning a Google-managed certificate might take up to 60 minutes from the moment your DNS and load balancer configuration changes have propagated across the internet. If you have updated your DNS configuration recently, it can take a significant amount of time for the changes to fully propagate. Sometimes propagation takes up to 72 hours worldwide, although it typically takes a few hours. For more information on DNS propagation.


These tools are also helpful in checking the status of both the SSL certificate and the DNS:
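As an added example (not the question's script and not code from either answer), the checks the two answers describe as a small POSIX shell script: it tests whether the domain's A records include the load balancer's IP, and, given the certificate's managed.domainStatus and the minutes elapsed since it was created, says whether to keep waiting for the 60-minute provisioning window the quoted documentation gives or to recreate the certificate. The function names, the 203.0.113.x addresses and the status string are constructed for illustration; on a real project feed it the output of `dig +short A "$DOMAIN"` and of the `gcloud compute ssl-certificates describe` command from answer 1.

```shell
#!/bin/sh
# Added example, not code from the question or answers: the checks the two
# answers describe, runnable offline on constructed sample values.
# Function names and sample IPs/statuses are constructed for illustration.

# dns_points_at_lb LB_IP "IP1 IP2 ..." -> exit 0 if LB_IP is among the A records.
# Real input: LB_IP from 'gcloud compute addresses describe', the list from
# 'dig +short A "$DOMAIN"' (one address per line).
dns_points_at_lb() {
  lb_ip=$1
  for ip in $2; do
    [ "$ip" = "$lb_ip" ] && return 0
  done
  return 1
}

# cert_action STATUS MINUTES -> prints what to do next.
# STATUS is managed.domainStatus as printed by
#   gcloud compute ssl-certificates describe NAME --format="get(managed.domainStatus)"
# (it comes out as domain=STATUS, so match on a substring). The 60-minute
# threshold is the provisioning window the documentation quoted in answer 2 gives.
cert_action() {
  status=$1
  minutes=$2
  case "$status" in
    *ACTIVE*) echo "ok: certificate is active" ;;
    *FAILED_NOT_VISIBLE*)
      if [ "$minutes" -lt 60 ]; then
        echo "wait: DNS may still be propagating (${minutes} min elapsed)"
      else
        echo "recreate: verify the A record, then delete and re-create the certificate"
      fi ;;
    *PROVISIONING*) echo "wait: provisioning in progress" ;;
    *) echo "unknown status: $status" ;;
  esac
}

# Stand-alone demonstration on constructed values (no gcloud or dig needed).
LB_IP="203.0.113.10"                  # constructed: the HTTPS forwarding rule's address
RESOLVED="203.0.113.10 203.0.113.11"  # constructed: what 'dig +short A' returned
if dns_points_at_lb "$LB_IP" "$RESOLVED"; then
  echo "A record points at the load balancer"
else
  echo "A record does not point at the load balancer: fix DNS before anything else"
fi
cert_action "xxxxx.co.uk=FAILED_NOT_VISIBLE" 90   # constructed: 90 minutes since creation
```

Note that the question's script creates the HTTP forwarding rule on 'ea-http-ip' but the HTTPS rule on $EXTERNAL_IP; the address to compare the A record against is the one on the HTTPS forwarding rule, since that is the frontend the certificate is served from.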

Posted by huangapple on 2023-06-26 19:56:52
Please keep this link when reposting: https://go.coder-hub.com/76556449.html