[GKE] Troubleshoot Error SSL Certificate Provisioning - Failed Not Visible

Hi everyone,

I deployed a web application which is hosted both in Google Cloud and on another server. The website, imagine it is "www.example.enterprise.com", has the domain "enterprise.com" on a different server than the subdomain "www.example.enterprise.com", which is in Google Cloud. The website needs 2 ports open, 80 and 3000, to control Google login. I use Google Kubernetes Engine to run the Docker image. I reserved a static IP and I linked it to the subdomain.

I'm struggling to get the SSL certificate to work properly as I still get the message that the certificate is provisioning and that the domain status is "Failed Not Visible". I need the website to be HTTPS as it requires Google authentication.

I updated the DNS records today but 5 hours have already passed since. How long should I need to wait?

I'd like to know if I have configured the DNS settings correctly, that's why I attach an image from Google Cloud DNS and I also attach the Kubernetes YAML files, which I suppose are correct as I followed the official documentation.

SSL certificate  

 

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: example-managed-cert
  namespace: production
spec:
  domains:
    - www.example.enterprise.com 

 

Ingress

 

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: example-ip
    networking.gke.io/managed-certificates: example-managed-cert
    kubernetes.io/ingress.class: "gce" # Google Kubernetes Engine's built-in Ingress controller
  namespace: production
spec:
  rules:
  - host: www.example.enterprise.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service-general
            port:
              number: 80
      - path: /oauth2callback
        pathType: Prefix
        backend:
          service:
            name: example-service-auth
            port:
              number: 3000

 

 

Services

 

apiVersion: v1
kind: Service
metadata:
  name: example-service-auth
  labels:
    name: example-service-auth
    app: example
  namespace: production
spec:
  type: NodePort
  selector:
    name: example-pod
    app: example
  ports:
    - name: port-general
      port: 3000
      targetPort: 3000
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: example-service-general
  labels:
    name: example-service-general
    app: example
  namespace: production
spec:
  type: NodePort
  selector:
    name: example-pod
    app: example
  ports:
    - name: port-general
      port: 80
      targetPort: 80
      protocol: TCP


Hi @Marctrix14,

Welcome to the Google Cloud Community!

Based on the official documentation:

Certificate provisioning hasn't completed for the domain. Any of the following might be the issue:
  • The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS A and AAAA records to point to your load balancer's IP address. DNS must not resolve to any other IP address than the load balancer's. For example, if an A record resolves to the correct load balancer, but the AAAA resolves to something else, the domain status is FAILED_NOT_VISIBLE.
  • Newly updated DNS A and AAAA records can take a significant amount of time to be fully propagated. Sometimes propagation across the internet takes up to 72 hours worldwide, although it typically takes a few hours. The domain status continues to be FAILED_NOT_VISIBLE until propagation is complete.
  • The SSL certificate isn't attached to the load balancer's target proxy. To resolve this issue, update your load balancer configuration.
  • The frontend ports for the global forwarding rule don't include port 443 for an external proxy Network Load Balancer with an SSL proxy. This can be resolved by adding a new forwarding rule with port 443.
  • A Certificate Manager certificate map is attached to the target proxy. The attached certificate map gets precedence and directly attached certificates are ignored. This can be resolved by detaching the certificate map from the proxy.
If the managed status is PROVISIONING, Google Cloud continues to retry provisioning, even if the domain status is FAILED_NOT_VISIBLE.

You can always contact Google Cloud Support to further look into your case. Thank you!
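The first cause in the list above (an A or AAAA record that resolves anywhere other than the load balancer) can be checked from a shell. This is an added example, not part of the thread or of Google's documentation; `classify_dns` and `resolve_all` are hypothetical helper names, and it assumes `dig` is installed.

```shell
#!/bin/sh
# Added example: verify that every A/AAAA record of a domain points at the
# load balancer, the condition a Google-managed certificate needs to leave
# FAILED_NOT_VISIBLE.

# classify_dns "ALLOWED_IPS" ADDR...
#   ALLOWED_IPS: space-separated load balancer addresses (IPv4 and, if the
#   load balancer has one, IPv6). ADDR...: addresses the domain resolves to.
#   Prints OK, NO_RECORDS or "MISMATCH: <addrs>"; returns 0 only for OK.
classify_dns() {
  allowed=" $1 "; shift
  [ "$#" -gt 0 ] || { echo "NO_RECORDS"; return 2; }
  bad=""
  for addr in "$@"; do
    case "$allowed" in
      *" $addr "*) ;;             # record points at the load balancer
      *) bad="$bad $addr" ;;      # stray record (often a leftover AAAA)
    esac
  done
  if [ -n "$bad" ]; then echo "MISMATCH:$bad"; return 1; fi
  echo "OK"
}

# resolve_all DOMAIN: print every A and AAAA address, one per line.
# The grep drops CNAME targets that `dig +short` prints before the addresses.
resolve_all() {
  { dig +short A "$1"; dig +short AAAA "$1"; } |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|:'
}

# Live use: ./check_dns.sh www.example.enterprise.com "LB_IPV4 [LB_IPV6]"
# The reserved address can be read with:
#   gcloud compute addresses describe example-ip --global --format='value(address)'
if [ "$#" -eq 2 ]; then
  # Word splitting of the resolver output is intended here.
  classify_dns "$2" $(resolve_all "$1")
fi
```

A `MISMATCH` result listing an IPv6 address while the A record is correct is the AAAA case the quoted documentation describes.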
