Load Balancer & Cloud Run Domain Mappings

Jlguti · 10-02-2024 02:54 PM

Hello!

I have a Cloud Run Function which essentially only job is to function as an ODATA towards Excel, PowerBI, etc.

However for SAP DataSphere, it requieres that the SSL certificate is provided and installed in said tool, as for now the workaround I have been doing is manually downloading the Certificate Provided by Google, however this one only lasts for aprox. 3 months.

In Cloud Run Domain Mappings for both my Prod and QA env I have them configured as the following:
prod : odata.blabla.com
qa: odata.qa.blabla.com

Up to this day, everthing has been working as intended, with the only expection that the certificate has to be manually installed every 3 months.
In order to have a more permanent solution I have been suggested to use a load balancer, everything has been relatively straight-forward, however when it comes to generating the certificate I'm having issues.

I used the option of a 'Classic Certificate' in the Certificate Manager and filled out the requested information:

Name: x
Create Mode: Create Google-managed certificate
Domains: odata.qa.blabla.com

It's been almost two days, but It still has not changed from the status 'PROVISIONING' and on the Status section it says:
odata.qa.blabla.com FAILED_NOT_VISIBLE

I have attempted to find information about what that status is and it points out to be something related to the DNS, however when using DNS Looker tools all seems to be pointing towards the DNS provided by GCP in the Domain Mapping of Cloud Run.

How can I fix this?

diannemcm

Hi @Jlguti,

Welcome to Google Cloud Community!

FAILED_NOT_VISIBLE - Certificate provisioning hasn't been completed for the domain. Any of the following might be the issue:

The domain's DNS record doesn't resolve to the IP address of the Google Cloud load balancer. To resolve this issue, update the DNS records to point to your load balancer's IP address.
The SSL certificate isn't attached to the load balancer's target proxy. To resolve this issue, update your load balancer configuration.
The frontend ports for the global forwarding rule do not include port 443 for an SSL proxy load balancer. This can be resolved by adding a new forwarding rule with port 443.

If the managed status is PROVISIONING, Google Cloud continues to retry provisioning, even if the domain status is FAILED_NOT_VISIBLE.

Please be aware that sometimes propagation across the internet takes up to 72 hours worldwide, although it typically takes a few hours. The domain status continues to be FAILED_NOT_VISIBLE until propagation is complete as stated on this documentation.

In case you are using cloud CDN in front of your Load Balancer, you should not use Load Balancer Authorization, as the certificate will fail to renew, you should use DNS Authorization. See Domain authorization for Google-managed certificates and Create a DNS authorization as a guide.

I hope the above information is helpful.