4

I need help with configuring an SSL certificate on Google Cloud. I've already obtained my SSL certificate (crt file & private key), and I've followed the link trying to create an "SSL certificate resource".

I've tried everything but the cmd below just doesn't work:

gcloud compute ssl-certificates create cert --certificate /opt/bitnami/etc/smartmeetingroom_tk.crt  --private-key /opt/bitnami/etc/serv.key

The error message I got is: (screenshot)

Could anyone tell me what is wrong with my command (or file)?

Thanks a million!!

Update: below is the screenshot of the error msg when I add "--verbosity debug": (screenshot)

I obtained the SSL certificate from this website.

BTW, the crt & private key are already PEM encoded, because they are all readable using a text editor. The start & end of the crt file looks like:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

The start & end of the private key file looks like:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

Yuge Chen
  • 1. Could you add the --verbosity debug flag to your gcloud commands for more info? 2. Could you give more details/steps on how you got your certificate? – dany L Nov 21 '18 at 18:22
  • The error received is possibly indicative of 1. wrong file type, 2. wrong file path, or 3. the file itself. Did you check with Gogetssl regarding the validity of your certificate? – dany L Nov 21 '18 at 20:15
  • Please check that your file is in [PEM](https://cloud.google.com/sdk/gcloud/reference/compute/ssl-certificates/create) format. Let me know if this [thread](https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files) helps. – dany L Nov 21 '18 at 22:55
  • Hi dany. Thanks for helping. I got the below error when I tried to convert to PEM: `C:\OpenSSL-Win64\bin>openssl x509 -inform DER -outform PEM -in C:\Users\chen_\Desktop\smartmeetingroom_tk.crt -out smartmeetingroom_tk.crt.pem unable to load certificate 53576:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto\asn1\tasn_dec.c:1129: 53576:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto\asn1\tasn_dec.c:289:Type=X509` – Yuge Chen Nov 22 '18 at 04:47
  • When you opened the file, was it in binary or did it start with "-------BEGIN CERTIFICATE------ ......."? – dany L Nov 22 '18 at 13:56
  • I just saw it was in readable form in your first thread. – dany L Nov 22 '18 at 14:03
  • If it is already in PEM format, change the extension to .pem and try the gcloud command again. I do not believe you need to convert if it is in PEM format. – dany L Nov 22 '18 at 14:05

4 Answers

0
  1. Do you have read permissions for those files?
  2. As suggested, add verbosity flag for more details.
  3. If you are trying to create an SSL certificate for an HTTPS load balancer, I'd suggest using Google's managed certificate.
  • Yes I got the permission error previously but fixed it by signing in. Then I got another error related to certificate parsing – Yuge Chen Nov 22 '18 at 04:50
0

As described here, you can try your command with the equals sign as follows:

gcloud compute ssl-certificates create cert --certificate=/opt/bitnami/etc/smartmeetingroom_tk.crt --private-key=/opt/bitnami/etc/serv.key

Consider:

  1. A managed SslCertificate is provisioned and renewed for you. A self-managed certificate is created by passing the certificate obtained from Certificate Authority through --certificate and --private-key flags.

  2. The certificate must be in PEM format. The certificate chain must be no greater than 5 certs long. The chain must include at least one intermediate cert.

  3. The private key must be in PEM format and must use RSA or ECDSA encryption.

If the certificate is PEM formatted, check the following as established in the official documentation:

You can validate your certificate using the following OpenSSL command, replacing CERTIFICATE_FILE with the path to your certificate file:

openssl x509 -in CERTIFICATE_FILE -text -noout

If OpenSSL is unable to parse your certificate:

  1. Contact your CA for help.
  2. Create a new private key and certificate.
Osvaldo
0

I recently got this problem, and the issue was due to the certificate holding a passkey phrase. So you need to remove that to fix this for GCP.

https://cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting

Run the command below via PowerShell to generate a new file without the private key phrase:

openssl rsa -in sample.pem -out samplewopk.pem

This fixed the issue.

0

If the key happens to be encrypted using ecparam -name prime256v1 (that was my case) you should add "EC" to both

-----BEGIN PRIVATE KEY-----
your_key_content_here
-----END PRIVATE KEY-----

So, your key file will look like:

-----BEGIN EC PRIVATE KEY-----
your_key_content_here
-----END EC PRIVATE KEY-----

After this change it worked for me.

This might be helpful to someone else, even four years after the original question was asked (it'll save me plenty of time).

ignivs
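
A structural pre-flight check covering the points raised in the answers above (PEM armor, a chain of at most 5 certificates, a passphrase-protected key, and a key body that does not match its BEGIN label), as an added example that is not part of any answer or of Google's tooling. The function names and sample inputs are constructed for illustration; the check inspects DER structure only and does not verify signatures or that the key belongs to the certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LAYOUT = {0x30: "PRIVATE KEY",      # PKCS#8: 2nd element is the AlgorithmIdentifier SEQUENCE
              0x04: "EC PRIVATE KEY",   # SEC1:   2nd element is the OCTET STRING private value
              0x02: "RSA PRIVATE KEY"}  # PKCS#1: 2nd element is the INTEGER modulus

def _header(buf, pos):  # decode one DER tag/length header -> (tag, length, value offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:   # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def first_two_tags(b64_body):
    """Tags of the first two elements in the outer DER SEQUENCE, or (None, None)."""
    try:
        der = base64.b64decode(b64_body)
        tag, length, pos = _header(der, 0)
        t1, l1, p1 = _header(der, pos)
        t2 = _header(der, p1 + l1)[0]
    except (ValueError, IndexError):
        return None, None
    return (t1, t2) if tag == 0x30 and pos + length == len(der) else (None, None)

def preflight(cert_pem, key_pem):
    """Return a list of problems; an empty list means the pair passed these checks."""
    problems = []
    certs = [body for label, body in PEM_BLOCK.findall(cert_pem) if label == "CERTIFICATE"]
    if not 1 <= len(certs) <= 5:
        problems.append(f"found {len(certs)} CERTIFICATE blocks, expected 1 to 5")
    if any(first_two_tags(body) != (0x30, 0x30) for body in certs):
        problems.append("a CERTIFICATE block does not decode as X.509 DER")
    keys = PEM_BLOCK.findall(key_pem)
    if len(keys) != 1:
        return problems + [f"found {len(keys)} PEM blocks in the key file, expected 1"]
    label, body = keys[0]
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type:" in body:
        return problems + ["private key is passphrase-protected"]
    actual = KEY_LAYOUT.get(first_two_tags(body)[1], "not a recognised key structure")
    if actual != label:
        problems.append(f"key is labelled {label!r} but its body is {actual!r}")
    return problems

def pem(label, der):  # wrap DER bytes in PEM armor (used for the constructed samples below)
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

SAMPLE_CERT = pem("CERTIFICATE", bytes.fromhex("300730003000030100"))  # constructed stub, not a real cert
MISLABELLED_KEY = pem("PRIVATE KEY", bytes.fromhex("30250201010420") + bytes(range(32)))  # constructed
```

Calling `preflight(open(crt).read(), open(key).read())` on the files you intend to pass to `--certificate` and `--private-key` returns the list of structural problems found.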