
How to install Client certificate on google cloud functions trust store ?

I am trying to connect from serverless (cloud function) -> internal LB -> serverless internal (cloud run). The internal LB in the above path has our cert (signed by our internal CA).

Here we are running into 2 issues

1. When the cloud function makes a call to the cloud run via the internal LB, GCP is not resolving the VIP/domain name even though we have a DNS entry in our internal DNS server and our internal network and GCP network are peered. I was expecting it to be resolved because the networks are peered, but it looks like GCP uses its own DNS server even for internal domains. In this case, where do we make the DNS entry for the internal domain to get resolved?

2. Since the VIP/domain was not getting resolved, we use the domain/VIP/LB IP address to call the cloud run service, but then the cloud function is not trusting the certificate from the LB because it is our internal CA-signed certificate. How do we make the cloud function trust our internal CA-signed certificate?

Is there any way we can make the cloud function trust our certificate? It's a Java-based cloud function.


Hi @anilmoregfs ,

It sounds like you are trying to set up a secure connection between a Google Cloud Function and a Cloud Run service. In order to do this, you will need to make sure that the certificate used by the load balancer is trusted by the Cloud Function.

To make the Cloud Function trust your internal CA-signed certificate, you will need to install the certificate on the Cloud Function's trust store. This will allow the Cloud Function to trust the certificate and establish a secure connection to the Cloud Run service.

To install a certificate on the trust store of a Java-based Cloud Function, you can follow these steps:

1. Download the certificate and save it to a file on your local machine.

2. Use the keytool command-line utility to import the certificate into the Cloud Function's trust store. The trust store is typically located at /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

3. Use the following command to import the certificate into the trust store, replacing <certificate_file> with the path to the certificate file and <alias> with a unique alias for the certificate:

keytool -import -alias <alias> -file <certificate_file> -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts

4. When prompted, enter the password for the trust store. The default password is changeit.

After importing the certificate into the trust store, the Cloud Function should be able to establish a secure connection to the Cloud Run service using the internal CA-signed certificate.

As for the issue with the domain not being resolved, it is possible that the internal DNS server is not properly configured to resolve the domain name. You can try adding an entry for the domain in the internal DNS server and then verifying that the domain can be resolved using the nslookup command. Additionally, you can try using the IP address of the load balancer instead of the domain name to see if that resolves the issue. This will allow you to determine if the issue is related to DNS resolution or to the certificate not being trusted.

Thank you for the response. Actually, we implemented this solution locally. But how do we do these steps on the actual cloud function (in GCP)?

We were able to programmatically implement the solution where the cloud function installs the certificates in the JVM at runtime.
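The reply above describes importing the internal CA into the JVM's cacerts with keytool, and the poster ended up installing the certificate into the JVM at runtime instead. The following is an added example, not code from the thread, of what that runtime approach looks like in Java: the internal CA's PEM is packaged with the function as a resource and used to build an SSLContext, so the function trusts that CA without modifying the runtime's cacerts file. The resource name `/internal-ca.pem`, the class name and the LB URL are assumptions for the illustration.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an HttpClient that trusts only the internal CA shipped with the function.
 * Assumption: the CA bundle (one or more PEM certificates) is packaged at
 * src/main/resources/internal-ca.pem. The JVM's cacerts file is left untouched.
 */
public final class InternalCaHttpClient {

    private InternalCaHttpClient() {}

    /** Load every certificate in a PEM bundle into an in-memory trust store. */
    static KeyStore trustStoreFromPem(InputStream pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> cas = cf.generateCertificates(pem);
        if (cas.isEmpty()) {
            throw new IllegalStateException("no certificates found in PEM bundle");
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty, in-memory key store; no password needed
        int i = 0;
        for (Certificate ca : cas) {
            ks.setCertificateEntry("internal-ca-" + (i++), ca);
        }
        return ks;
    }

    /** SSLContext whose trust anchors are exactly the certificates in the store. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Client for calls that go through the internal LB; build once and reuse. */
    public static HttpClient build() throws Exception {
        try (InputStream pem = InternalCaHttpClient.class.getResourceAsStream("/internal-ca.pem")) {
            if (pem == null) {
                throw new IllegalStateException("internal-ca.pem missing from function resources");
            }
            return HttpClient.newBuilder()
                .sslContext(sslContextFor(trustStoreFromPem(pem)))
                .build();
        }
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = build();
        // Hostname verification is left on: the host in the URL (a DNS name or a
        // literal IP) must appear as a SAN in the LB certificate. If the function
        // calls the LB by IP, the certificate needs an IP SAN for that address.
        HttpRequest req = HttpRequest.newBuilder(
                URI.create("https://internal-lb.example.internal/"))
            .GET()
            .build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode());
    }
}
```

Building the SSLContext from a bundled PEM is the deploy-friendly version of the keytool import: nothing on the runtime image is edited, and the same artifact works locally and in the function. The trade-off is that this client trusts only the internal CA, so a separate client (or the JVM default) is still needed for public endpoints. If you would rather keep the keytool approach, import the CA into a copy of cacerts packaged with the function and point the JVM at it with -Djavax.net.ssl.trustStore; that replaces the default trust store for the whole JVM rather than one client. In either case the certificate presented by the LB must match the name or IP you call, so resist the temptation to turn off hostname verification as a workaround for the unresolved DNS name.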
