4

I recently updated a target-https-proxy to use a certificate map:

$ gcloud compute target-https-proxies list
NAME                             SSL_CERTIFICATES                             URL_MAP           CERTIFICATE_MAP
lb-global-legacy-target-proxy-2  cert-lb-global-legacy2,cert-lb-globalegacy3  lb-global-legacy  cert-map-1

My question is: How can I delete cert-lb-global-legacy2 and cert-lb-globalegacy3 since they are no longer needed due to cert-map-1?

Is this impossible?

The only workaround seems to be to:

  1. Create a new target-https-proxy that omits the ssl_certificates during creation
  2. Create a new forwarding rule with a new IP address that uses the new target-https-proxy (because it seems like forwarding rules are also immutable; can't use the existing IP address because it is currently in use by a different forwarding rule)
  3. Go into DNS and repoint every subdomain to the new IP address

This seems ridiculous for what should be a simple task (remove "classic" SSL certs from a target proxy that no longer needs them).

Gillespie

2 Answers

1

Since you've updated the target-https-proxy, you can delete the SSL certificate by running the command:

gcloud compute ssl-certificates delete CERTIFICATE_NAME \
    --global

A temporary workaround will be:

  1. Open Cloud Shell and run the command below:

     gcloud compute target-https-proxies export (Load_Balancer_Name) > /tmp/proxy

  2. Edit the /tmp/proxy file manually. Run the command:

     cat /tmp/proxy

  3. Remove the lines below from the file:

     sslCertificates:
     - https://www.googleapis.com/compute/v1/projects/...

  4. After removing the lines, save the file using 'CTRL+O' and exit the file with 'CTRL+X'.

  5. Then import the file with the certificates removed:

     gcloud compute target-https-proxies import (Load_Balancer_Name) --source=/tmp/proxy

  6. And then you should be able to delete the certificate:

     gcloud compute ssl-certificates delete <certificate name>

James S
  • Hmm, I had tried that, but I get `- The ssl_certificate resource 'projects/production/global/sslCertificates/cert-lb-global-legacy2' is already being used by 'projects/production/global/targetHttpsProxies/lb-global-legacy-target-proxy-2'` – Gillespie Apr 07 '23 at 04:15
  • Hello, I added another workaround that you may try – James S Apr 08 '23 at 05:59
  • @Gillespie I have the same issue. Were you able to resolve it with this workaround? – Dave May 24 '23 at 18:10
  • Sorry, ran out of time to try it. I just decided to move on without deleting the old certs. – Gillespie May 24 '23 at 23:56
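
The manual edit in the export/import workaround above can be scripted so the `sslCertificates` block is removed only when a certificate map is present. This is an added example, not code from either answer: the function name `strip_classic_certs` is hypothetical, and the sample file is constructed on the assumption that the export writes a top-level `sslCertificates:` key followed by `- URL` items.

```shell
#!/bin/sh
# strip_classic_certs FILE   (hypothetical helper, added example)
#   Prints FILE without its top-level sslCertificates block.
#   Returns 1 and prints nothing to stdout when FILE has no certificateMap,
#   because importing the result would leave the proxy with no certificate.
strip_classic_certs() {
    file=$1
    if ! grep -q '^certificateMap:[[:space:]]*[^[:space:]]' "$file"; then
        echo "refusing: no certificateMap in $file" >&2
        return 1
    fi
    awk '
        /^sslCertificates:/ { skipping = 1; next }  # drop the key itself
        skipping && /^[ -]/ { next }                # drop its list items
        { skipping = 0; print }                     # next top-level key ends the block
    ' "$file"
}

# Constructed sample of an exported proxy; PROJECT is a placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
certificateMap: //certificatemanager.googleapis.com/projects/PROJECT/locations/global/certificateMaps/cert-map-1
name: lb-global-legacy-target-proxy-2
sslCertificates:
- https://www.googleapis.com/compute/v1/projects/PROJECT/global/sslCertificates/cert-lb-global-legacy2
- https://www.googleapis.com/compute/v1/projects/PROJECT/global/sslCertificates/cert-lb-globalegacy3
urlMap: https://www.googleapis.com/compute/v1/projects/PROJECT/global/urlMaps/lb-global-legacy
EOF

# Print what would be imported: certificateMap, name and urlMap only.
strip_classic_certs "$sample"
rm -f "$sample"
```

Redirect the function's output to a new file and review it before passing that file to the import command with `--source`.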
1

You can use the update command with the --clear-ssl-certificates flag.

Example:

 gcloud compute target-https-proxies update PROXY_NAME --global --clear-ssl-certificates

That will delete classic certs, but keep certificate maps.

Docs link: https://cloud.google.com/sdk/gcloud/reference/compute/target-https-proxies/update#--clear-ssl-certificates

Zouhir