PlainH2O

Reputation: 167

Change domain for load balancer's SSL certificates

I have been going around in circles for the past hour trying to change the domain for an HTTP(S) Load Balancer's SSL certificates.

I can't seem to find an option in the console or CLI to change/update the domains. After creating a new one, I cannot delete the old one because it is attached to the load balancer. To remove the old SSL certificate, I have to delete the LB and its dependencies, and go through all the steps to create the load balancer again.

May I know if it is a bug or expected behavior?

Thanks.

Upvotes: 1

Views: 1366

Answers (1)

Nikhil

Reputation: 110

Before you can delete an SSL certificate, you must first update each target proxy that references the certificate. For each target proxy, run the appropriate gcloud update command to update the target proxy's CERTIFICATE_LIST such that it no longer includes the SSL certificate you need to delete.

Please find below the steps to replace SSL certificates.

  1. Create a new SSL certificate resource. The new SSL certificate must have a unique name within the project.
  2. Update the target proxy so that its list of SSL certificate(s) includes the new SSL certificate in the first position to make it the primary certificate. After the new certificate, include any existing SSL certificates that you want to retain. Make sure to exclude the old SSL certificate that you no longer need. To avoid downtime, run a single gcloud command with the --ssl-certificates flag. For example:

For external HTTP(S) load balancers:

Use the gcloud compute target-https-proxies update command with the --global flag.

gcloud compute target-https-proxies update TARGET_PROXY_NAME \
    --global \
    --ssl-certificates=new-ssl-cert,other-certificates \
    --global-ssl-certificates

For internal HTTP(S) load balancers:

gcloud compute target-https-proxies update TARGET_PROXY_NAME \
    --region REGION \
    --ssl-certificates=new-ssl-cert,other-certificates \
    --global-ssl-certificates

For SSL proxy load balancers:

Use the gcloud compute target-ssl-proxies update command with the --backend-service flag.

gcloud compute target-ssl-proxies update TARGET_PROXY_NAME \
    --ssl-certificates=new-ssl-cert,other-certificates

  3. Verify that the load balancer is serving the replacement certificate by running the following OpenSSL command:

echo | openssl s_client -showcerts -connect IP_ADDRESS:443 -verify 99 -verify_return_error

  4. Wait 15 minutes to ensure that the replacement certificate is available to all Google Front Ends (GFEs).
  5. (Optional) Delete the old SSL certificate.

For further reading, please follow the links below.

Deleting/replacing SSL certificates:

https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#delete-ssl-cert-resource

Replacing an existing SSL certificate

https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#replace-ssl

Upvotes: 1
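The rotation steps in the answer above, put together as one POSIX shell script. This is an added example, not part of the original answer or of Google's documentation. It targets a global external HTTPS load balancer; the project-specific names (TARGET_PROXY_NAME, NEW_CERT, OLD_CERT, LB_IP, HOSTNAME, the PEM file paths) are placeholders you must replace. The only pure logic, build_cert_list, places the new certificate first and drops the old one, so the proxy is updated in a single gcloud call as the answer recommends. The verification step compares the SHA-256 fingerprint of the certificate actually served (with SNI, which matters when a proxy carries several certificates) against the fingerprint of the new resource, rather than eyeballing the s_client output. The gcloud output format used to read the current certificate list (value(...basename()) joined by ';') is an assumption about gcloud's formatter.

```shell
#!/bin/sh
# Added example (not the original answer's code): no-downtime certificate
# rotation on a GCP global target HTTPS proxy. All UPPER_CASE values are
# placeholders. The gcloud/openssl steps run only when GCP_ROTATE=1 is set.
set -eu

# Build the comma-separated --ssl-certificates value: the new certificate in
# the first (primary) position, then every current certificate except the old
# one. Pure string handling so it can be checked offline.
#   usage: build_cert_list "current,comma,list" NEW_CERT OLD_CERT
build_cert_list() {
  new="$2"; old="$3"
  result="$new"
  saved_ifs="$IFS"
  IFS=','
  for c in $1; do
    [ -n "$c" ] && [ "$c" != "$old" ] && [ "$c" != "$new" ] && result="$result,$c"
  done
  IFS="$saved_ifs"
  printf '%s\n' "$result"
}

# Names of the certificates currently attached to a global proxy.
# Assumption: gcloud's value() formatter joins repeated fields with ';'.
current_cert_list() {
  gcloud compute target-https-proxies describe "$1" --global \
    --format='value(sslCertificates.basename())' | tr ';' ','
}

# SHA-256 fingerprint of the leaf certificate stored in an SSL certificate resource.
resource_fingerprint() {
  gcloud compute ssl-certificates describe "$1" --global \
    --format='value(certificate)' \
    | openssl x509 -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf certificate the load balancer serves for
# a given hostname (SNI), so the check does not pass on some other cert.
served_fingerprint() {
  echo | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

rotate_certificate() {
  proxy="$1"; new="$2"; old="$3"; ip="$4"; host="$5"; cert_pem="$6"; key_pem="$7"

  # Step 1: create the new certificate resource (unique name in the project).
  gcloud compute ssl-certificates create "$new" \
    --certificate "$cert_pem" --private-key "$key_pem" --global

  # Step 2: single update call; new cert first, old cert excluded.
  certs=$(build_cert_list "$(current_cert_list "$proxy")" "$new" "$old")
  gcloud compute target-https-proxies update "$proxy" --global \
    --ssl-certificates="$certs" --global-ssl-certificates

  # Step 3: verify the LB now serves the new certificate for this hostname.
  expected=$(resource_fingerprint "$new")
  actual=$(served_fingerprint "$ip" "$host")
  if [ "$expected" != "$actual" ]; then
    echo "served certificate does not match $new; not deleting $old" >&2
    return 1
  fi

  # Step 4: wait for propagation to all GFEs before removing the old resource.
  sleep 900

  # Step 5: the old certificate is no longer referenced, so it can be deleted.
  gcloud compute ssl-certificates delete "$old" --global --quiet
}

if [ "${GCP_ROTATE:-0}" = 1 ]; then
  rotate_certificate TARGET_PROXY_NAME NEW_CERT OLD_CERT LB_IP HOSTNAME \
    ./new-cert.pem ./new-key.pem
fi
```

Run it as GCP_ROTATE=1 sh rotate.sh after filling in the placeholders; without the variable it only defines the functions, so build_cert_list can be exercised on its own.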
