
Google managed SSL certificate stuck on "Provisioning" with FAILED_NOT_VISIBLE for domains


Following this tutorial, I have deployed an app on GKE, in a regional Autopilot cluster. I made it publicly accessible using an ingress linked to a domain I own, with a static IP, and a Google Managed Certificate for HTTPS.

Accessing my app by the IP or by my domain name works well in HTTP, but when using HTTPS, I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH "mydomain.com uses an incompatible protocol" error (I have this error using the IP, and also using the domain). Indeed, when consulting my managed certificate on the Google Cloud Console I see that it is still in PROVISIONING status (it has been more than 3 days now), and I have a warning triangle next to my domain specifying FAILED_NOT_VISIBLE.

I have checked my domain name setup and it has an A record pointing to the static IP used by my ingress (I configured it while doing the tutorial). I've also checked my load balancer on GKE and it has a target proxy for HTTPS using my managed certificate.

Here is my ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app-api
  annotations:
    # specifies the name of the global IP address resource to be associated with the HTTP(S) Load Balancer
    kubernetes.io/ingress.global-static-ip-name: my-app-ip
    networking.gke.io/managed-certificates: managed-cert
    kubernetes.io/ingress.class: "gce"
  labels:
    app: my-app-api
spec:
  defaultBackend:
    service:
      name: my-app-api
      port:
        name: http

and my managed certificate

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: managed-cert
spec:
  domains:
    - mydomain.com
    - www.mydomain.com

I've applied them using kubectl apply -f my-file.yaml

I don't understand what I did wrong or what is missing. Can someone please help me make my app work in HTTPS please?

Edit: Here is the output of kubectl describe managedcertificate managed-cert

...
Spec:
  Domains:
    mydomain.com
    www.mydomain.com
Status:
  Certificate Name:    mcrt-...
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  www.mydomain.com
    Status:  FailedNotVisible
    Domain:  mydomain.com
    Status:  FailedNotVisible
Events:      <none>

Solution

  • So it looks like it was due to a misconfiguration on my DNS. I added the A record, but when taking a closer look at the update DNS part, I noticed that my CNAME record was misconfigured
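
A DNS pre-check for the failure described in this thread, as an added example that is not part of the original post: a Google-managed certificate is only issued once every listed domain resolves to the load balancer's IP, so the script compares each domain's A records (after any CNAME chain) with the ingress static IP. It assumes `dig` is installed; the function names `resolve_a`, `check_domain` and `check_all` are hypothetical helpers written for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check the DNS records of every
# domain listed in a ManagedCertificate against the ingress static IP.

# Print the IPv4 addresses a name resolves to. "dig +short" follows CNAME
# chains and also prints the intermediate names, so keep only address lines.
resolve_a() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# check_domain EXPECTED_IP DOMAIN
# Prints one verdict line; returns 0 only if the domain resolves and every
# A record equals EXPECTED_IP.
check_domain() {
  expected=$1 domain=$2
  ips=$(resolve_a "$domain" || true)
  if [ -z "$ips" ]; then
    echo "FAIL $domain: no A record (missing record or broken CNAME target?)"
    return 1
  fi
  for ip in $ips; do
    if [ "$ip" != "$expected" ]; then
      echo "FAIL $domain: resolves to $ip, expected $expected"
      return 1
    fi
  done
  echo "OK   $domain -> $expected"
}

# check_all EXPECTED_IP DOMAIN...
# Checks every domain and returns non-zero if any one of them fails, because a
# single failing domain keeps the whole certificate in Provisioning.
check_all() {
  expected_ip=$1; shift
  rc=0
  for d in "$@"; do
    check_domain "$expected_ip" "$d" || rc=1
  done
  return $rc
}

# Usage (my-app-ip is the address name from the Ingress annotation above):
#   IP=$(gcloud compute addresses describe my-app-ip --global --format='value(address)')
#   check_all "$IP" mydomain.com www.mydomain.com
```

Run it against both the apex and the `www` name: in the case above the A record was correct and only the CNAME was wrong, so one domain can pass while the other fails.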