Solved: Re: GCP Certificate Manager SSL Certs for Internal...

rohankalhans · 05-26-2023 12:20 AM

Hi Everyone,

Is there a way to use GCP Managed Certificate Manager Certs for Internal HTTP/HTTPS Load Balancer? As per my knowledge, it's not supported currently. (please correct me if I'm wrong).

One method/solution I've thought of is to use SSL Cert as a Secret but that will be additional management and a nightmare.

Marvin_Lucero

Hi @rohankalhans ,

Yes, you are correct, Google-managed SSL certificates aren't supported for internal HTTP(s) LB currently. You can refer to this documentation.

@rohankalhans wrote:

One method/solution I've thought of is to use SSL Cert as a Secret but that will be additional management and a nightmare.

You can actually consider this to manage and store SSL certificates as secrets using Google Cloud Secret Manager.

You can also consider this workaround if you really want to to use Google-managed certificate to an Internal HTTP(s) load balancer configuration by uploading an SSL certificate from a certificate authority (CA). Please follow the steps below :

1. Use or generate a self-signed certificate or the acquired SSL certificate from a CA. If you prefer CA, you must follow their guide/steps on how to obtain a certificate.
2. Using your GCP Console or the "gcloud" command, go to your Internal HTTP(S) Load Balancer's configuration. It has an option to upload the SSL certificate and input other details (certificate and private key).
3. Setup your load balancer (Internal HTTP(s)) with your preferred backend services and health checks. Make sure that your SSL settings are configured to enable HTTP(s) traffic.

View solution in original post

Marvin_Lucero

Hi @rohankalhans ,

Yes, you are correct, Google-managed SSL certificates aren't supported for internal HTTP(s) LB currently. You can refer to this documentation.

@rohankalhans wrote:

One method/solution I've thought of is to use SSL Cert as a Secret but that will be additional management and a nightmare.

You can actually consider this to manage and store SSL certificates as secrets using Google Cloud Secret Manager.

You can also consider this workaround if you really want to to use Google-managed certificate to an Internal HTTP(s) load balancer configuration by uploading an SSL certificate from a certificate authority (CA). Please follow the steps below :

1. Use or generate a self-signed certificate or the acquired SSL certificate from a CA. If you prefer CA, you must follow their guide/steps on how to obtain a certificate.
2. Using your GCP Console or the "gcloud" command, go to your Internal HTTP(S) Load Balancer's configuration. It has an option to upload the SSL certificate and input other details (certificate and private key).
3. Setup your load balancer (Internal HTTP(s)) with your preferred backend services and health checks. Make sure that your SSL settings are configured to enable HTTP(s) traffic.

sramak23

Hi

Is there any difference Certificate Manager vs Secret Manager? We use our own CA(Managed by Oraganization) and uploaded it to Secret Manager. When we are calling LB url via web browser then it is working fine. But if we are calling LB URL via Post Man(API) then we are getting error message "Unable to load the first certificate". Please advise if you come across this issue.

GCP Certificate Manager SSL Certs for Internal HTTPS Load Balancer