0 votes

I am facing a problem configuring my load balancer on GCP, and I hope someone can point me in the right direction to get it resolved.

I run a web server on one instance in GCP, and I want to secure it with HTTPS access. For this purpose, I followed the example provided at this link: https://cloud.google.com/iap/docs/load-balancer-howto. So I reserved a domain name, a static IP address, and an SSL certificate, and configured the load balancer as in the link.

  • The instance resides behind an external HTTPS load balancer that should communicate with clients over HTTPS and with the back-end service over HTTP.
  • The load balancer's front end points to the previously reserved static IP address, port 443 is open, and the SSL certificate is in place.
  • The load balancer's back end is a service that includes the instance on which the web service runs.

The problem: the secure connection is never successful! I checked the certificate details, and the page shows 'domain status: FAILED_NOT_VISIBLE' and 'Status: PROVISIONING'. So I consulted the page 'Troubleshooting SSL certificates' (https://cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting?&_ga=2.170344355.-201250651.1616078055#domain-status) and tried to check all the possibilities, without success.

  • I configured the load balancer with an additional front end to allow HTTP; I could then connect to the web server via the load balancer using both the static IP address and the domain name, which indicates that the problem is only in the SSL certificate.
  • I tried to create a new certificate and replace the old one, without success.
  • The web browser returns 'PR_END_OF_FILE_ERROR' when trying to connect to the load balancer's static IP address.

It would be great if you could help.

UPDATE (following @JohnHanley's comment):
The DNS information, as obtained from GCP, is as follows:

$ gcloud compute addresses list
NAME              ADDRESS/RANGE   TYPE      PURPOSE  NETWORK  REGION  SUBNET  STATUS
followup-ipv4     34.120.aaa.bbb  EXTERNAL                                    IN_USE

$ gcloud dns managed-zones list
NAME             DNS_NAME          DESCRIPTION  VISIBILITY
followup-com     followup.com.                  public

$ gcloud dns record-sets list --zone=followup-com
NAME                  TYPE   TTL    DATA
followup.com.         A      300    34.120.aaa.bbb
followup.com.         NS     21600  ns-cloud-d1.googledomains.com.,ns-cloud-d2.googledomains.com.,ns-cloud-d3.googledomains.com.,ns-cloud-d4.googledomains.com.
followup.com.         SOA    21600  ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.followup.com.     CNAME  300    followup.com.
$ gcloud compute forwarding-rules list
NAME                       REGION  IP_ADDRESS      IP_PROTOCOL  TARGET
followup-frontend                  34.120.aaa.bbb  TCP          followup-lb-target-proxy
followup-http-frontend             34.120.aaa.bbb  TCP          followup-lb-target-proxy-2
$ gcloud compute forwarding-rules describe followup-frontend
For the following forwarding rule:
 - [followup-frontend]
choose a region or global:
 [1] global
 [2] region: asia-east1
 [3] region: asia-east2
 [4] region: asia-northeast1
 [5] region: asia-northeast2
 [6] region: asia-northeast3
 [7] region: asia-south1
 [8] region: asia-south2
 [9] region: asia-southeast1
 [10] region: asia-southeast2
 [11] region: australia-southeast1
 [12] region: australia-southeast2
 [13] region: europe-central2
 [14] region: europe-north1
 [15] region: europe-west1
 [16] region: europe-west2
 [17] region: europe-west3
 [18] region: europe-west4
 [19] region: europe-west6
 [20] region: northamerica-northeast1
 [21] region: southamerica-east1
 [22] region: us-central1
 [23] region: us-east1
 [24] region: us-east4
 [25] region: us-west1
 [26] region: us-west2
 [27] region: us-west3
 [28] region: us-west4
Please enter your numeric choice:  1

IPAddress: 34.120.aaa.bbb
IPProtocol: TCP
creationTimestamp: '2021-06-04T20:06:37.991-07:00'
description: ''
fingerprint: RBZP24MTKcQ=
id: '2154259932761248978'
kind: compute#forwardingRule
labelFingerprint: 42WmSpB8rSM=
loadBalancingScheme: EXTERNAL
name: followup-frontend
networkTier: PREMIUM
portRange: 443-443
selfLink: https://www.googleapis.com/compute/v1/projects/projectID/global/forwardingRules/followup-frontend
target: https://www.googleapis.com/compute/v1/projects/projectID/global/targetHttpsProxies/followup-lb-target-proxy
John Hanley: Your domain's authoritative name servers do not have the correct DNS resource records pointing to the HTTP(S) Load Balancer. If you need help with that configuration, edit your question with your domain name and each resource record configured for (pointing to) the load balancer. Otherwise, there are Internet tools that can help you debug this problem, such as mxtoolbox.com/DnsLookup.aspx

Mhd.Wanous: Thanks, @JohnHanley, for commenting. I reserved the DNS records in GCP, and the configuration is working for the HTTP (NOT HTTPS) forwarding rule! So, if I point the web browser at the web server on an HTTP link, it succeeds in connecting! BTW, I checked the tool you indicated, and it fails to resolve the domain name into an IP!? Although the web browser (on different devices connected to different networks) works!

John Hanley: If your domain is followup.com, your DNS servers are located at Cloudflare and not Google. You need to set up your A and CNAME records at Cloudflare.

1 Answer

-1 votes

Digging into the GCP documents (specifically this one), I found that I had missed adding one piece of information (CAA entries for pki.goog and letsencrypt.org) to the project's DNS records, as recommended by GCP. The working DNS records, with the added CAA record, are below:

$ gcloud dns record-sets list --zone=followup-com
NAME                  TYPE   TTL    DATA
followup.com.      A      300    34.120.aaa.bbb
followup.com.      CAA    300    0 issue "pki.goog",0 issue "letsencrypt.org"
followup.com.      NS     21600  ns-cloud-d1.googledomains.com.,ns-cloud-d2.googledomains.com.,ns-cloud-d3.googledomains.com.,ns-cloud-d4.googledomains.com.
followup.com.      SOA    21600  ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.followup.com.  CNAME  300    followup.com.
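Added example, not code from the original question, the answer, or Google: a small offline checker for the two DNS preconditions a Google-managed certificate actually depends on. It parses the plain-text table that `gcloud dns record-sets list` prints (the record set from the answer above, with a constructed placeholder address in place of `34.120.aaa.bbb`), verifies that the domain's A record (following the `www` CNAME) resolves to the forwarding rule's IP, which is the condition `FAILED_NOT_VISIBLE` reports as unmet, and evaluates the relevant CAA set per RFC 8659 for the issuing CA. The placeholder IP, the `LB_IP` constant and all function names are assumptions of this example. One caveat worth knowing when reading the answer: under RFC 8659 an absent CAA set permits every CA, so a CAA record restricts who may issue rather than enabling issuance; the block demonstrates that case too.

```python
"""Offline check of the DNS data a Google-managed certificate depends on.

Added example, not code from the original question, answer or Google.
Parses the `gcloud dns record-sets list` table and checks that (1) the
domain's A record points at the forwarding-rule IP (what FAILED_NOT_VISIBLE
complains about) and (2) the relevant CAA set (RFC 8659) permits pki.goog.
"""
import re
from dataclasses import dataclass

LB_IP = "34.120.1.2"  # assumed forwarding-rule address (placeholder)

# Constructed sample: the answer's record set with the placeholder address.
GCLOUD_OUTPUT = """\
NAME                  TYPE   TTL    DATA
followup.com.      A      300    34.120.1.2
followup.com.      CAA    300    0 issue "pki.goog",0 issue "letsencrypt.org"
followup.com.      NS     21600  ns-cloud-d1.googledomains.com.,ns-cloud-d2.googledomains.com.
followup.com.      SOA    21600  ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.followup.com.  CNAME  300    followup.com.
"""

CAA_RE = re.compile(r'(\d+)\s+(\w+)\s+"([^"]*)"')  # flags tag "value"


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    ttl: int
    data: str  # gcloud joins several rrdatas of one set with commas


def parse_record_sets(text):
    """Turn the gcloud table (header line first) into Record objects."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            name, rtype, ttl, data = parts
            records.append(Record(name, rtype.upper(), int(ttl), data))
    return records


def resolve_a(records, name, hops=8):
    """A rrdatas for `name`, following a CNAME chain as a resolver would."""
    for _ in range(hops):
        a = [r.data for r in records if r.name == name and r.rtype == "A"]
        if a:
            return {ip.strip() for d in a for ip in d.split(",")}
        alias = [r.data for r in records if r.name == name and r.rtype == "CNAME"]
        if not alias:
            return set()
        name = alias[0]
    return set()


def a_record_matches(records, name, lb_ip):
    """True if the name resolves to the load balancer's forwarding-rule IP."""
    return lb_ip in resolve_a(records, name)


def relevant_caa(records, name):
    """Relevant CAA RRset per RFC 8659 s3: the set at the name (a CNAME is
    followed, as any CAA query would be), else that of each parent name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        current, hops = ".".join(labels[i:]) + ".", 0
        while hops < 8:  # bounded CNAME chase
            caa = [r for r in records if r.name == current and r.rtype == "CAA"]
            if caa:
                return caa
            alias = [r.data for r in records if r.name == current and r.rtype == "CNAME"]
            if not alias:
                break
            current, hops = alias[0], hops + 1
    return []


def caa_permits(caa_set, ca_domain, wildcard=False):
    """RFC 8659 s4 issuance decision for `ca_domain`: (allowed, reason)."""
    props = [(int(f), t.lower(), v) for r in caa_set for f, t, v in CAA_RE.findall(r.data)]
    if not props:
        return True, "no CAA records: any CA may issue"
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in props):
        return False, "critical flag on an unrecognised property: must not issue"
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in props) else "issue"
    allowed = [v for _, t, v in props if t == tag]
    if not allowed:
        return True, f"no '{tag}' property: any CA may issue"
    names = {v.split(";", 1)[0].strip().lower() for v in allowed}  # drop parameters
    if ca_domain.lower() in names:
        return True, f"'{tag}' names {ca_domain}"
    return False, f"'{tag}' set {sorted(names)} does not name {ca_domain}"


def check_domain(records, name, lb_ip, ca_domain="pki.goog"):
    """Both preconditions for the managed certificate, as a dict."""
    caa_ok, why = caa_permits(relevant_caa(records, name), ca_domain)
    return {"a_record_points_at_lb": a_record_matches(records, name, lb_ip),
            "caa_permits_ca": caa_ok, "caa_reason": why}


if __name__ == "__main__":
    recs = parse_record_sets(GCLOUD_OUTPUT)
    for host in ("followup.com.", "www.followup.com."):
        print(host, check_domain(recs, host, LB_IP))
```

To use it against a real zone, save the output of `gcloud dns record-sets list --zone=<zone>` and pass it to `parse_record_sets`, with `LB_IP` set to the address shown by `gcloud compute forwarding-rules list`. Keep in mind the point made in the comments above: Google validates the certificate against what the public DNS tree returns, so a correct Cloud DNS zone only counts if the registrar delegates the domain to those `ns-cloud-d*.googledomains.com` name servers; if the delegation points at another provider, the A, CNAME and CAA records must be created there.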