
I got a task from my client related to adding an SSL certificate to a site. The site already had a Let's Encrypt SSL certificate installed that has now expired (I got this info by clicking on the browser's red "Not Secure" notification that appears to the left of the entered URL, and then going to the Certificate option in the popup). [screenshot of popup]

My client's site is hosted on Google Cloud. The site has 4 VM instances in 1 instance group. It also has a TCP load balancer with 1 target pool, with targetpool - targetinstance as the backend type, and the 4 VM instances above showing in Backend. The frontend configuration of the load balancer contains TCP as the protocol, Premium as the network tier and the value 80-443 in the port option. [screenshot of frontend configuration]

Each of the 4 VM instances shows two values in the "in use by" column: one is the instance group name and the second is the TCP load balancer name. The instance group shows "in use by" as "production"; clicking on it takes you to the production cluster.

I then opened the cluster shell from the Connect option and ran this command:

kubectl get secrets/tls-retail -o yaml

Here I found that this secret is related to SSL, and the value in the tls.crt field (when base64 decoded and checked in a certificate decoder) shows the same expiry date as shown in the browser popup.

I then changed the tls.crt value in the same secret and saved it using the command below, but it didn't have any effect:

EDITOR=nano kubectl edit secrets tls-retail

From this Stack Overflow link (How to restart a GCP Ingress Item To Use Updated Secret) I found that it takes 10-20 minutes to take effect, but even after 1 to 2 hours there isn't any effect. Can you guide me on why this change isn't taking effect? Or can someone guide me on how to use a Google-managed SSL certificate in the above case, as I am new to Google Console and GKE.

Thanks

Ali Ahmed

1 Answer


When you go to Network Services > Load Balancing and click on the Advanced menu link, you can click on the Certificates tab to see what certs have been added to the project. Is your new cert there? Is it listed as being in use by your ingress?

[screenshot: finding the Advanced tab on Load Balancers - they hide SSL certs for some reason]

[screenshot: the Certificates tab will show you what certs your project knows about]

How was this cluster deployed? How was the ingress deployed? Was this deployed with "clickops" (using the web interface), or with IaC like Deployment Manager (a GCP product) or Terraform? When I needed to rotate my cert, I:

  1. added the new version of the cert to the project by clicking on "Create SSL Certificate" in the Advanced menu of the "Load balancing" interface
  2. uploaded the new cert file in that interface I visited in step 1. I gave it a meaningful name (let's call it "my-new-cert")
  3. updated my ingress's Deployment Manager config file to set properties.metadata.annotations.ingress.gcp.kubernetes.io/pre-shared-cert to my-new-cert
  4. redeployed the ingress with a Deployment Manager command.

Another thing to keep in mind is the second comment in that thread you linked to - it mentioned the fact that GKE won't install a cert if it's not valid. I recommend validating the cert chain with OpenSSL - here's a relevant thread that might be helpful to you.

== Edited to add == In the GCP Console, you can also go to Kubernetes Engine > Services & Ingress > "Ingress" tab, click on the ingress in question, and click on the Edit link up on top to update its YAML (to use the name of the new cert that you have added to the project). If you have used IaC of some sort to deploy this ingress, I don't recommend this method, since it basically equates to a monkey patch and will be overwritten if the IaC is ever redeployed. But you could try it. Since I use IaC for my stuff, I have not tested this method, but it is editable for a reason, I'm guessing.

ingernet
  • Thanks. 1. I went to Load Bal -> adv menu -> cert tab; it isn't showing any certificates. I then created one cert from the "Create SSL Certificate" option. Can you tell me where to upload it, where the ingress's Deployment Manager config file is, and how to redeploy the ingress? 2. I just made some testing changes to the tls.crt value so that I could confirm that this is the actual place, but it wasn't showing any effects of those changes. 3. I went to the Ingress tab and selected the **retail** ingress (as it's showing my actual URL in the frontend column) but I'm not getting where and what to update. [sc](https://prnt.sc/13fhlnk) – Ali Ahmed May 26 '21 at 07:04
  • @AliAhmed, how you redeploy the ingress really depends on how it was deployed in the first place. Was it created with Terraform? Deployment Manager? That's why I wasn't specific. If you would like to directly apply the certificate that you created within the system, go to Console > Network services > Load balancing and click on the LB associated with your ingress. Click on Edit at the top, then Frontend configuration. Click the pencil icon. Your new cert should be available in the "Certificate" drop-down menu. Make your change and click the "Update" button. This will cause downtime. – ingernet May 26 '21 at 22:29
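The two certificate options discussed above (the answer's pre-shared-cert annotation from step 3, and the Google-managed certificate the question asks about), written out as a GKE Ingress manifest; this is an added example, not a manifest from the question, the answer or the project. Both options only work for an Ingress served by GKE's HTTP(S) load balancer, not for the TCP pass-through load balancer with a target pool described in the question. It assumes the ingress is named "retail" and the uploaded cert "my-new-cert" (both from the thread), while the backend Service "retail-svc", the static IP name "retail-ip" and the domain are placeholders.

```yaml
# Added example, not from the original question or answer.
# Assumed names: ingress "retail" and cert "my-new-cert" come from the thread;
# "retail-svc", "retail-ip" and the domain are placeholders to replace.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: retail
  annotations:
    kubernetes.io/ingress.class: "gce"
    # A managed certificate needs a stable address the DNS name can point at.
    kubernetes.io/ingress.global-static-ip-name: "retail-ip"
    # Option A (answer, step 3): a certificate uploaded under
    # Network services > Load balancing > Advanced > Certificates.
    # With this annotation set, spec.tls (and the tls-retail secret) is ignored,
    # which is why editing the secret alone changes nothing for this path.
    ingress.gcp.kubernetes.io/pre-shared-cert: "my-new-cert"
    # Option B: let Google issue and auto-renew the certificate instead.
    # Remove the pre-shared-cert annotation and uncomment this line,
    # then apply the ManagedCertificate object below.
    # networking.gke.io/managed-certificates: "retail-managed-cert"
spec:
  defaultBackend:
    service:
      name: retail-svc
      port:
        number: 80
---
# Google-managed certificate for Option B. Provisioning only succeeds once the
# domain's A record resolves to the Ingress's static IP; status shows "Active".
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: retail-managed-cert
spec:
  domains:
    - example.com   # placeholder: the site's real hostname
```

Apply with `kubectl apply -f` and check `kubectl describe managedcertificate retail-managed-cert` for the provisioning status; a managed cert removes the expiry problem that started this thread, since Google renews it before it lapses.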