4
votes

I created a Google-managed SSL certificate while creating an HTTPS load balancer. It's been 4 days and the status for the certificate is stuck on Provisioning and the Domain status is showing FAILED_NOT_VISIBLE. I created the subdomain and pointed it to the IP address provided. Reference link which I followed: https://medium.com/techintoo/serving-static-files-using-google-cloud-cdn-storage-bucket-db1287cb5e40

{
  "creationTimestamp": "2019-07-08T02:08:03.303-07:00",
  "id": "3676362840736708892",
  "kind": "compute#sslCertificate",
  "managed": {
    "domainStatus": {
      "gcloud.test.5gmark.com": "FAILED_NOT_VISIBLE"
    },
    "domains": [
      "gcloud.test.5gmark.com"
    ],
    "status": "PROVISIONING"
  },
  "name": "test-5gmark-google-certificate",
  "selfLink": "projects/eng-scene-245109/global/sslCertificates/test-5gmark-google-certificate",
  "type": "MANAGED"
}
2
This error means that you did not set up the DNS record for verification correctly. Use an Internet tool like MxToolbox to debug your DNS resource record settings. - John Hanley
The status is now PROVISIONING_FAILED and Domain Status is FAILED_CAA_FORBIDDEN. So after I troubleshoot whatever is wrong in my domain, will the certificate provision automatically, or do I have to do something on my Google Cloud console also? - Prateek Gothwal
CAA is a special type of record that lists what Certificate Authorities are allowed to issue SSL certificates for a domain. You will need to modify your DNS Server's Resource Record for CAA and add "Let's Encrypt". letsencrypt.org/docs/caa. Once you fix this, you will have to retry again. - John Hanley

2 Answers

1
votes

I also experienced this problem.

As I understand, status FAILED_NOT_VISIBLE indicates that the DNS record for your domain was not visible in DNS when the certificate issuer checked.

After I saw this error, I made sure that my domain is resolvable via DNS - to follow your example:

  1. Add a DNS A-record for gcloud.test.5gmark.com that resolves to your server IP address.
  2. Check that the domain resolves directly on Google's domain name server.
  3. Wait a while, and the provisioning will automatically continue and complete.

For step 2, you could do something like (check the name server with your DNS registrar - I'm assuming Google Domains here):

$ nslookup gcloud.test.5gmark.com ns-cloud-d1.googledomains.com
0
votes

The FAILED_NOT_VISIBLE error means that the DNS record is not pointing to the correct IP address or that the certificate is not attached to the proper load balancer. FAILED_CAA_FORBIDDEN means that the CAA record is not specifying the correct Certificate Authorities. To solve this issue, pki.goog and letsencrypt.org have to be included in the CAA record.
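
The CAA check discussed in the comments and the answer above, as an added example that is not part of the original thread: it finds which CAA record set actually applies to a hostname (a set on a parent domain also governs its subdomains) and reports which of the two CA domains named above it blocks. The zone data, `sample_lookup` and the other function names are constructed for illustration; records use the line format printed by `dig +short CAA <name>`.

```python
# Added example (not from the original thread): which required CAs does CAA block?
REQUIRED_CAS = ("pki.goog", "letsencrypt.org")  # CA domains named in the answer above

# Constructed sample data in `dig +short CAA <name>` line format (example.com is a placeholder).
SAMPLE_ZONE = {
    "example.com": ['0 issue "pki.goog"', '0 issue "letsencrypt.org"'],
    "test.example.com": ['0 issue "pki.goog"', '0 iodef "mailto:sec@example.com"'],
}


def sample_lookup(name):
    """Hypothetical resolver stand-in: return the CAA lines stored for `name`."""
    return SAMPLE_ZONE.get(name, [])


def parse_caa(line):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = line.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_caa(name, lookup):
    """RFC 8659: the first non-empty CAA set found while climbing to the root applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = [parse_caa(line) for line in lookup(candidate)]
        if records:
            return candidate, records
    return None, []


def blocked_cas(name, lookup=sample_lookup, required=REQUIRED_CAS):
    """Return (zone holding the CAA set, required CAs it forbids for a non-wildcard name)."""
    zone, records = relevant_caa(name, lookup)
    known = {"issue", "issuewild", "iodef"}
    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return zone, list(required)
    issue_values = [value for _, tag, value in records if tag == "issue"]
    if not issue_values:
        return zone, []  # no CAA set, or none with an issue property: no restriction
    # Parameters after ';' are ignored; a bare ";" yields "" and so allows no CA.
    allowed = {value.split(";", 1)[0].strip().lower() for value in issue_values}
    return zone, [ca for ca in required if ca not in allowed]
```

With the constructed zone, `blocked_cas("gcloud.test.example.com")` reports that the set on `test.example.com` shadows the complete one on `example.com` and leaves `letsencrypt.org` blocked.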