Certificate name mismatch on Google Cloud Load Balancer


#1

Dear encryptors,

I have to create an SSL certificate for Google Cloud Load Balancer.

What I did:

  1. Create a manual certificate with the lovely certbot:
     sudo certbot certonly --manual -d staging.brainpal.io -d c.storage.googleapis.com
  2. Add it to my Load Balancer configuration (I followed this guide https://medium.com/google-cloud/let-s-encrypt-with-app-engine-8047b0642895#.9iob5y4sp):

As you can see my SSL has a name mismatch, and I don’t have a smile on my face :cry:
https://www.ssllabs.com/ssltest/analyze.html?d=staging.brainpal.io

Extra Info:
OS: MacOs (latest)
My web server : Google Cloud Load Balancer
I am using cPanel to create a CNAME from staging.brainpal.io to c.storage.googleapis.com


#2

I’m not sure if I understand that “frontend configuration”, but the IP addresses listed there are completely different from the IP address your hostname ultimately results in?

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;staging.brainpal.io.           IN      A

;; ANSWER SECTION:
staging.brainpal.io.    1200    IN      CNAME   c.storage.googleapis.com.
c.storage.googleapis.com. 677   IN      CNAME   storage.l.googleusercontent.com.
storage.l.googleusercontent.com. 218 IN A       216.58.212.144

Can’t be correct, right?


#3

To summarize what @Osiris pointed out: If you update your DNS for staging.brainpal.io to point at 35.186.217.250, everything should work just fine.


#4

I will check that with Google support. How did you get this IP?


#5

Is the certificate actually being generated correctly? I doubt LE would let you get one for a Google domain (googleapis.com).


#6

Just ran dig staging.brainpal.io. But it’s not surprising: you said yourself that you created a CNAME for your hostname to c.storage.googleapis.com. And that results in the above posted IP :slight_smile:

Yeah, I was asking myself the same question. Turns out, he’s got one certificate just for staging.brainpal.io without the Google hostname. I guess he tried certbot a second time without the Google hostname :slight_smile:


#7

that’s true :slight_smile:


#8

I changed the CNAME to an A record to that IP, and indeed everything plays beautifully :smile:


#9

Great! I’m guessing that, for the long term, you should go back to using a CNAME, since most likely Google will at some point change that IP. I think probably your original CNAME pointed to the wrong hostname, since when I looked it up I got a different IP address. I would double check with Google what domain name you should be pointing your CNAME at.
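The diagnosis in this thread (the CNAME chain landing on Google Storage instead of the load balancer frontend, then the A record fix) as an added example, not code from the thread. The IPs and the SAN list are sample values taken from the posts above; `live_sans` is an optional network helper and assumes the served chain validates against the system trust store.

```python
import socket
import ssl


def hostname_covered(hostname: str, sans: list[str]) -> bool:
    """True if a DNS SAN covers hostname (exact, or a leftmost-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        # a wildcard covers exactly one label: *.example.com != a.b.example.com
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def diagnose(hostname, resolved_ips, frontend_ips, sans):
    """Return findings; an empty list means DNS and the uploaded cert line up."""
    findings = []
    stray = sorted(set(resolved_ips) - set(frontend_ips))
    if stray:
        findings.append(f"{hostname} resolves to {', '.join(stray)}, which is not a "
                        "load balancer frontend; clients never reach the uploaded cert")
    if not hostname_covered(hostname, sans):
        findings.append(f"certificate SANs {sans} do not cover {hostname}")
    return findings


def live_sans(hostname, ip, port=443):
    """Fetch the DNS SANs actually served at ip for SNI name hostname (needs network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep chain validation, but accept a mismatched name
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed from the thread: the CNAME chain ended at 216.58.212.144 (Google
# Storage) while the HTTPS frontend was 35.186.217.250; the cert covered only the host.
HOST = "staging.brainpal.io"
FRONTEND_IPS = ["35.186.217.250"]
UPLOADED_SANS = ["staging.brainpal.io"]
BEFORE = diagnose(HOST, ["216.58.212.144"], FRONTEND_IPS, UPLOADED_SANS)  # one finding
AFTER = diagnose(HOST, ["35.186.217.250"], FRONTEND_IPS, UPLOADED_SANS)   # []

if __name__ == "__main__":
    print("before:", BEFORE or "ok")
    print("after:", AFTER or "ok")
```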


#10

Totally no clue about the whole Google Cloud stuff, but the IP addresses you have listed in your “Frontend configuration” for HTTP and HTTPS are different.

When I connect to your HTTPS site on 35.186.217.250:443, I’m getting a 403 Forbidden error. But when I go to 35.186.217.250:80, I’m getting a 404 File Not Found?
On the other hand, when I go to 35.186.225.127:80 (i.e.: the IP address listed for HTTP in your “Frontend configuration”), I’m getting the same result as with the HTTPS above: 403 Forbidden (I’m guessing that’s the correct response, not the 404 error).

So if you run into trouble with your non-HTTPS stuff, the above might be the problem :wink:

