Certificate name mismatch on Google Cloud Load Balancer

Dear encryptors,

I have to create an SSL certificate for Google Cloud Load Balancer.

What I did:

  1. Create a manual certificate with the lovely certbot:
    sudo certbot certonly --manual -d staging.brainpal.io -d c.storage.googleapis.com
  2. add it to my Load Balancer configuration (I followed this guide https://medium.com/google-cloud/let-s-encrypt-with-app-engine-8047b0642895#.9iob5y4sp):

As you can see my SSL has a name mismatch, and I don’t have a smile on my face :cry:

Extra Info:
OS: MacOs (latest)
My web server : Google Cloud Load Balancer
I am using cPanel to create a CNAME from staging.brainpal.io to c.storage.googleapis.com

I’m not sure if I understand that “frontend configuration”, but the IP addresses listed there are completely different from the IP address your hostname ultimately results in?

; EDNS: version: 0, flags:; udp: 4096
;staging.brainpal.io.           IN      A
staging.brainpal.io.    1200    IN      CNAME   c.storage.googleapi
c.storage.googleapis.com. 677   IN      CNAME   storage.l.googleuse
storage.l.googleusercontent.com. 218 IN A

Can’t be correct, right?

1 Like

To summarize what @Osiris pointed out: If you update your DNS for staging.brainpal.io to point at, everything should work just fine.

1 Like

I will check that with Google support. How did you get this IP?

Is the certificate actually being generated correctly? I doubt LE would let you get one for a Google domain (googleapis.com)

Just ran dig staging.brainpal.io. But it's not surprising: you said yourself that you created a CNAME for your hostname to c.storage.googleapis.com. And that results in the above posted IP :slight_smile:

Yeah, I was asking myself the same question. Turns out, he's got one certificate just for staging.brainpal.io without the Google hostname. I guess he tried certbot a second time without the Google hostname :slight_smile:

that’s true :slight_smile:

I changed the CNAME to an A record to that IP, and indeed everything plays beautifully :smile:

1 Like

Great! I’m guessing that, for the long term, you should go back to using a CNAME, since most likely Google will at some point change that IP. I think probably your original CNAME pointed to the wrong hostname, since when I looked it up I got a different IP address. I would double check with Google what domain name you should be pointing your CNAME at.

Totally no clue about the whole Google Cloud stuff, but the IP addresses you have listed in your “Frontend configuration” for HTTP and HTTPS are different.

When I connect to your HTTPS site on, I’m getting a 403 Forbidden error. But when I go to, I’m getting a 404 File Not Found?
On the other hand, when I go to (i.e.: the IP address listed for HTTP in your “Frontend configuration”), I’m getting the same result as with the HTTPS above: 403 Forbidden (I’m guessing that’s the correct response, not the 404 error).

So if you run into troubles with your non-HTTPS stuff, the above might be the problem :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.