
I've got server sites set up on GCS but currently they are getting the "Not Secure" badge when someone browses them. I'd like to set them up with a load balancer and google managed certificates so they don't get flagged by the browser. Here is the structure of the sites (not the real domains or hosts):

  • flintstones.com
  • www.flintstones.com (alias for flintstones.com)
  • fred.flintstones.com (completely separate site - currently in its own storage bucket)
  • barney.flintstones.com (completely separate site in its own storage bucket)

Can I have just one load balancer for all of these or do I need a separate LB for each? I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea. I tried that and the cert was forever in "PROVISIONING" status. If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned? Long and short of it is that I can never seem to get a cert that isn't in "PROVISIONING" status.

Thanks for your help!

gordjohn
  • If a cert is stuck in provisioning, one of the DNS names is incorrectly configured at the DNS server OR you configured the certificate first and then updated the DNS server (which returned NXDOMAIN which is cached). https://stackoverflow.com/a/68386511/8016720 – John Hanley Jul 15 '21 at 21:53

1 Answer


Can I have just one load balancer for all of these or do I need a separate LB for each?

Yes, you can have one LB, with one IP address, and each domain configured to point to that IP address (by CNAME or A/AAAA record). The URL Map for the LB should then dispatch different paths to different backend buckets with host rules.

I know I can put all of these on one google-managed certificate but I'm not sure it's a good idea.

This is up to you, both can work. Some factors to consider:

  • There is a limit of 100 domains on each SSL certificate
  • There is a limit of 15 certificates on each targetHTTPSProxy
  • If you use one certificate with multiple domains, a user visiting one of those domains can get a list of other domains on the certificate. If you use separate certificates, that is not the case.
  • It is a simpler config to have one certificate
  • Separate certificates is safer/easier if you need to change domains frequently.

If I put them in one certificate do they all need to have the A record point to the load balancer before the cert will be provisioned?

Google will only provision a certificate if the domains requested point to your Load Balancer. So you do need to set up the DNS records for all the domains.

David
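The layout the answer describes (one global IP, one URL map with host rules to three backend buckets, one Google-managed certificate on a single HTTPS proxy), as an added example that is not part of the answer or the question. It orders the steps the way the comment above implies is necessary: reserve the address, refuse to create the certificate until every name on it resolves to that address, and only then build the proxy and certificate, so the validator never sees (and caches) an NXDOMAIN. The bucket names, all resource names and the use of `dig` are assumptions; the hostnames are the fictional ones from the question. `DRY_RUN=1` prints the gcloud commands instead of executing them, so the routing and certificate configuration can be reviewed without touching a project.

```shell
#!/bin/sh
# Added example, not code from the answer above: the single-LB layout it
# describes, built with gcloud in the order that avoids the stuck-PROVISIONING
# problem from the comments (reserve IP -> fix DNS -> then create the cert).
# Assumptions: bucket and resource names below are made up; the domains are the
# fictional ones from the question; `dig` (bind-utils) is installed.
# DRY_RUN=1 prints the gcloud commands instead of executing them.

ROOT_BUCKET="${ROOT_BUCKET:-flintstones-root-site}"       # flintstones.com + www
FRED_BUCKET="${FRED_BUCKET:-fred-flintstones-site}"       # fred.flintstones.com
BARNEY_BUCKET="${BARNEY_BUCKET:-barney-flintstones-site}" # barney.flintstones.com
HOSTS="flintstones.com www.flintstones.com fred.flintstones.com barney.flintstones.com"

run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Turn the space-separated host list into the comma list --domains expects.
cert_domains() {
  printf '%s' "$HOSTS" | tr ' ' ','
}

# Every name on the certificate must already resolve to the LB address. dig
# follows the www CNAME, so the last line of +short output is the A record.
check_dns() {
  lb_ip="$1"; shift
  rc=0
  for host in "$@"; do
    got=$(dig +short A "$host" | tail -n 1)
    if [ "$got" != "$lb_ip" ]; then
      echo "DNS: $host -> '${got:-<no answer>}' (want $lb_ip)" >&2
      rc=1
    fi
  done
  return $rc
}

# One LB: one URL map dispatching by host, one HTTPS proxy, one forwarding rule.
create_lb() {
  run gcloud compute backend-buckets create root-be --gcs-bucket-name="$ROOT_BUCKET"
  run gcloud compute backend-buckets create fred-be --gcs-bucket-name="$FRED_BUCKET"
  run gcloud compute backend-buckets create barney-be --gcs-bucket-name="$BARNEY_BUCKET"

  # Default backend serves flintstones.com and www; host rules peel off the subdomains.
  run gcloud compute url-maps create flintstones-map --default-backend-bucket=root-be
  run gcloud compute url-maps add-path-matcher flintstones-map \
    --path-matcher-name=fred --default-backend-bucket=fred-be \
    --new-hosts=fred.flintstones.com
  run gcloud compute url-maps add-path-matcher flintstones-map \
    --path-matcher-name=barney --default-backend-bucket=barney-be \
    --new-hosts=barney.flintstones.com

  # One managed cert carrying all four names. The per-host alternative is one
  # `ssl-certificates create` per name, all listed in --ssl-certificates below.
  run gcloud compute ssl-certificates create flintstones-cert --global \
    --domains="$(cert_domains)"
  run gcloud compute target-https-proxies create flintstones-https-proxy \
    --url-map=flintstones-map --ssl-certificates=flintstones-cert
  run gcloud compute forwarding-rules create flintstones-https-fr --global \
    --load-balancing-scheme=EXTERNAL --address=flintstones-ip \
    --target-https-proxy=flintstones-https-proxy --ports=443
}

# managed.domainStatus shows which individual name is holding the cert in PROVISIONING.
cert_status() {
  run gcloud compute ssl-certificates describe flintstones-cert --global \
    --format='yaml(managed)'
}

main() {
  gcloud compute addresses describe flintstones-ip --global >/dev/null 2>&1 \
    || gcloud compute addresses create flintstones-ip --global --ip-version=IPV4
  lb_ip=$(gcloud compute addresses describe flintstones-ip --global --format='value(address)')
  # HOSTS is intentionally word-split here.
  if ! check_dns "$lb_ip" $HOSTS; then
    echo "Point the A records (and the www CNAME) at $lb_ip, wait out the TTLs, then re-run." >&2
    exit 1
  fi
  create_lb
  cert_status
}

# Only touch GCP when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh setup-lb.sh apply` once, point the records at the printed address, and run it again; the second run creates the certificate only after `check_dns` passes for all four names, and `cert_status` then shows the per-domain state while Google finishes provisioning.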