Google managed SSL certificate stuck on FAILED_NOT_VISIBLE

17
votes

I'm trying to configure an https load balancer on GKE. I'm following: https://cloud.google.com/load-balancing/docs/ssl-certificates and https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

My config has worked for some time using a certificate from Let's Encrypt. But it's too much hassle to renew the certificates all the time so I wanted to test Google's managed service.

This is how I've set it up so far, but stucks on FAILED_NOT_VISIBLE. Any idea on how I can fix or debug this further?

k8s/staging/staging-ssl.yml

  7 apiVersion: extensions/v1beta1
  8 kind: Ingress
  9 metadata:
 10   name: my-staging-lb-ingress
 11   annotations:
 12     kubernetes.io/ingress.global-static-ip-name: "my-staging-global"
 13     ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"
 14     kubernetes.io/ingress.allow-http: "false"
 15 spec:
 16   rules:
 17   - host: staging.my-app.no
 18     http:
 19       paths:
 20       - path: /*
 21         backend:
 22           serviceName: my-svc
 23           servicePort: 3001

Reserved IP

$ gcloud compute addresses list
NAME                   REGION  ADDRESS         STATUS
my-staging-global              35.244.160.NNN  RESERVED


$ host staging.my-app.no 
35.244.160.NNN

$ gcloud beta compute ssl-certificates describe staging-google-managed-ssl

creationTimestamp: '2018-12-20T04:59:39.450-08:00'
id: 'NNNN'
kind: compute#sslCertificate
managed:
  domainStatus:
    staging.my-app.no: FAILED_NOT_VISIBLE
  domains:
  - staging.my-app.no
  status: PROVISIONING
name: staging-google-managed-ssl
selfLink: https://www.googleapis.com/compute/beta/projects/my-project/global/sslCertificates/staging-google-managed-ssl
type: MANAGED

I found a section in the doc I linked to at the beginning of the post Associating SSL certificate resources with a target proxy:

Use the following gcloud command to associate SSL certificate resources with a target proxy, whether the SSL certificates are self-managed or Google-managed.

gcloud compute target-https-proxies create [NAME] \
    --url-map=[URL_MAP] \
    --ssl-certificates=[SSL_CERTIFICATE1][,[SSL_CERTIFICATE2],[SSL_CERTIFICATE3],...]

Is that necessary when I have this line in my Ingress config?

13 ingress.gcp.kubernetes.io/pre-shared-cert: "staging-google-managed-ssl"

10
sslgoogle-cloud-platformgoogle-kubernetes-enginegke-networking
A work-around I used, was to "abuse" the lack of proper ipv6 support. I updated the SSL certificate manually via the dashboard to the target proxy. This isn't removed by gcloud / k8s and it allows for it to become ACTIVE, at the point where you can swap the k8s managed certificates for the managed GCP ones. - Dynom
I'm having this same exact issue with a google-provisioned SSL, it's so frustrating, have you made any progress? - Andrew Hansen

10 Answers

12
votes

I'm leaving this for anyone who might end up in the same situation as me. I needed to migrate from a self-managed certificate to a google-managed one.

I did create the google-managed certificate following the guide and was expecting to see it being activated before applying the certificate to my Kubernetes ingress (to avoid the possibility of a downtime)

Turns out, as stated by the docs,

the target proxy must reference the Google-managed certificate resource

So applying the configuration with kubectl apply -f ingress-conf.yaml made the load balancer use the newly created certificate, which became active shortly after (15 min or so)

6
votes

I have faced this issue recently. You need to check whether your A Record correctly points to the Ingress static IP.

If you are using a service like Cloudflare, then disable the Cloudflare proxy setting so that ping to the domain will give the actual IP of Ingress. THis will create the Google Managed SSL certificate correctly with 10 to 15 minutes.

Once the certificate is up, you can again enable Cloudflare proxy setting.

1
votes

As per the following documentation which you provided, this should help you out:

The status FAILED_NOT_VISIBLE indicates that certificate provisioning failed for a domain because of a problem with DNS or the load balancing configuration. Make sure that DNS is configured so that the certificate's domain resolves to the IP address of the load balancer.

1
votes

What is the TTL (time to live) of the A Resource Record for staging.my-app.no? Use, e.g.,

dig +nocmd +noall +answer staging.my-app.no

to figure it out.

In my case, increasing the TTL from 60 seconds to 7200 let the domainStatus finally arrive in ACTIVE.

1
votes

In addition to the other answers, when migrating from self-managed to google-managed certs I had to:

  • Enable http to my ingress service with kubernetes.io/ingress.allow-http: true
  • Leave the existing SSL cert running in the original ingress service until the new managed cert was Active

I also had an expired original SSL cert, though I'm not sure this mattered.

1
votes

What worked for me after checking the answers here (I worked with a load balancer but IMO this is correct for all cases):

  1. If some time passed this certificate will not work for you (It may be permamnently gone and it will take time to show that) - I created a new one and replaced it in the Load Balancer (just edit it)
  2. Make sure that the certificate is being used a few minutes after creating it
  3. Make sure that the DNS points to your service. And that your configuration is working when using http!! - This is the best and safest way (also if you just moved a domain - make sure that when you check it you reach to the correct IP)
  4. After creating a new cert or if the problem was fixed - your domain will turn green but you still need to wait (can take an hour or more)
0
votes

It turns out that I had mistakenly done some changes to the production environment and others to staging. Everything worked as expected when I figured that out and followed the guide. :-)

0
votes

In my case I needed alter the healthcheck and point it to the proper endpoint ( /healthz on nginx-ingress) and after the healtcheck returned true I had to make sure the managed certificate was created in the same namespace as the gce-ingress. After these two things were done it finally went through, otherwise I got the same error. "FAILED_NOT_VISIBLE"

0
votes

I met the same issue. I fixed it by re-looking at the documentation.

https://cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting?_ga=2.107191426.-1891616718.1598062234#domain-status

FAILED_NOT_VISIBLE  
Certificate provisioning failed for the domain. Either of the following might be the issue:
The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to your load balancer's IP address.
The SSL certificate isn't attached to the load balancer's target proxy. To resolve this issue, update your load balancer configuration.
Google Cloud continues to try to provision the certificate while the managed status is PROVISIONING.

Because my loadbalancer is behind cloudflare. By default cloudflare has cdn proxy enabled, and i need to first disable it after the DNS verified by Google, the cert state changed to active.

0
votes

In my case, at work. We are leveraging the managed certificate a lot in order to provide dynamic environment for Developers & QA. As a result, we are provisioning & removing managed certificate quite a lot. This mean that we are also updating the Ingress resource as we are generating & removing managed certificate.

What we have founded out is that even if you delete the reference of the managed certificate from this annotation:

networking.gke.io/managed-certificates: <list>

It seems that randomly the Ingress does not remove the associated ssl-certificates from the LoadBalancer.

ingress.gcp.kubernetes.io/pre-shared-cert: <list>

As a result, when the managed certificate is deleted. The ingress will be "stuck" in a way, that no new managed certificate could be provision. Hence, new managed-ceritifcate will after some times transition from PROVISIONING state to FAILED_NOT_VISIBLE state

The only solution that we founded out so far, is that if a new certificate does not get provision after 30min. We will check if the annotation ingress.gcp.kubernetes.io/pre-shared-cert contains ssl-certificate that does not exist anymore.

You can check existing ssl-certificate with the command below

gcloud compute ssl-certificates list

If it happens that one ssl-certificate that does not exist anymore is still hanging around in the annotation. We'll then remove the unnecessary ssl-certificate from the ingress.gcp.kubernetes.io/pre-shared-cert annotation manually.

After applying the updated configuration, in about 5 minutes, the new managed certificate which was in FAILED_NOT_VISIBLE state should be provision and in ACTIVE state.