Google managed wildcard ssl in multiple projects

Ftornik · 09-09-2022 02:11 AM

Hi.

I have a web app deployed in 3 environments (dev, stage, and prod). Each environment has its own Google Project.

I want to assign the following subdomains to each environment:

Google Certificate Manager provides me with a wildcard SSL for the root domain. But I could use it only in one project because CNAME for domain verification is not unique.

Is it possible to have the wildcard certificate for my root domain in all three projects?

grobledo

From the description on your question, I am under the impression that you are using a Google-Managed Certificate, but one of the limitations is that they do not support wildcards, so I am not really sure what kind of certificate you are using.

In the case you are using a Google-Managed Certificate, then no, you cannot add the same certificate in different projects, and that is precisely because of the limitation described above. On the other hand, if you are bringing your own certificate, you can certainly use it in the three different projects, just start following the directions in the console to create a new one, and at some point you will be able to add the keys of the existing certificate.

Ftornik

I'm using the Google-Managed Certificate created by the Certificate Manager. It supports wildcard with DNS Authorication

The problem is that I am limited to only 1 DNS Authorization for the domain. Because each project provides me with a different CNAME value for the same key.

I can't reuse the same Certificate for multiple projects. And I can't generate a wildcard Certificate in more than one project. So I'm stuck.

For now, I've switched to Load Balancer Authorization. Hope in future it could be improved.

davidg527

Hey. So, are you creating one certificate for dev, one for stg , and one for prod subdomains within each project and attaching them to each load balancer? That's a limitation if you're creating several subdomains. I am facing the same issue. Hopefully GCP can implement some workaround.

Ftornik

For now, I'm using an individual certificate for each service (not the env) with Load Balancer Authorization. I've found this solution pretty flexible.

Gerardo1

I have a similar situation. We have wild cards certificate used in both a dev and prod designated projects. Since the CNAME is the same for both projects but with different data I can't have both records exist authorizing both projects to generate a certificate so that I can properly map it to a cert map within each project. Any input from Google here? Is it possible to maybe provide the CNAME they should look for instead? I'm autogenerating all this via cuelang and KCC as well.

stanwise_goog

There's a recently-launched feature (in preview) called "per-project DNS authorization" which generates unique validation subdomains, so that your CNAME records don't collide across projects or regions when validating the same domain.

You can use it like this:

gcloud certificate-manager dns-authorizations create AUTHORIZATION_NAME \
   --domain="DOMAIN_NAME" \
   --type="PER_PROJECT_RECORD"

See https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth for an end-to-end tutorial (use the per-project variants throughout).