Manual update of certificates

My use case is

  • I have a domain hosted on Google Cloud, with the domain mapped to their load balancer endpoint
  • The certificate was generated by temporarily pointing the domain to an instance and running nginx on it
  • Once I had the certificate, it was installed on the LB using GCE’s CLI tools

What is the recommended way to update a certificate in such cases? There are multiple instances behind the LB, so trying out the renew utility might hit any one of the instances and might fail. Is there a way to update the certificate offline?

Note that I cannot point my domain to a temporary server for updating since that would lead to service disruption.

Hi @talonx,

What is the DNS provider for your domain name? It may be easiest to look at using the DNS-01 challenge and a hook script for your provider to add/remove a TXT challenge record during renewal. This will let you renew the certificate without changing where the domain points or having to respond to an HTTP/TLS request with a challenge answer.

If you are using Google Cloud DNS as well, there is a hook script for the dehydrated client that both gets the certificate for you and uploads it to your load balancer automatically.

You can run it on any machine with the gcloud tools installed and authenticated to your project, so you can run it locally or automate the launch of a preemptible GCE instance to do it.
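To make the flow in this reply concrete, here is an added example of a dehydrated hook script (written for this thread, not the hook script the reply links to or any project's own code). It answers the DNS-01 challenge by adding and removing a TXT record in Google Cloud DNS, waits for the record to become visible, and on successful issuance uploads the new certificate as a Compute Engine SSL certificate resource and points the load balancer's target HTTPS proxy at it. The project, managed zone and proxy names are placeholders set through environment variables; `gcloud` and `dig` are assumed to be installed and authenticated on the machine running it.

```shell
#!/bin/sh
# dehydrated hook for DNS-01 via Google Cloud DNS plus upload to a GCP HTTPS
# load balancer. Added example for this thread; not the linked hook script.
set -eu

# Assumed names: replace with your own project, managed zone and proxy.
GCP_PROJECT="${GCP_PROJECT:-my-gcp-project}"
DNS_ZONE="${DNS_ZONE:-my-managed-zone}"
HTTPS_PROXY_NAME="${HTTPS_PROXY_NAME:-my-https-proxy}"
TTL=60   # short TTL so stale challenge answers expire quickly

# DNS-01 looks for a TXT record at _acme-challenge.<domain>; Cloud DNS wants
# the fully qualified name with a trailing dot.
challenge_record() {
    printf '_acme-challenge.%s.\n' "$1"
}

# Compute Engine resource names must be lowercase letters, digits and hyphens
# and start with a letter, so derive a unique name from domain and timestamp.
cert_resource_name() {
    printf 'le-%s-%s\n' "$1" "$2" | tr '.' '-'
}

# Poll a public resolver until the TXT value is visible; Let's Encrypt will
# query from outside, so a record that only exists in the Cloud DNS API is
# not enough yet. Gives up after about five minutes.
wait_for_txt() {
    name="$1"; expected="$2"; tries=0
    while [ "$tries" -lt 30 ]; do
        if dig +short TXT "$name" @8.8.8.8 | grep -qF "\"$expected\""; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 10
    done
    echo "TXT record $name did not propagate" >&2
    return 1
}

# Called by dehydrated as: deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
deploy_challenge() {
    domain="$1"; token_value="$3"
    name=$(challenge_record "$domain")
    gcloud dns record-sets transaction start --zone="$DNS_ZONE" --project="$GCP_PROJECT"
    gcloud dns record-sets transaction add "\"$token_value\"" --name="$name" \
        --ttl="$TTL" --type=TXT --zone="$DNS_ZONE" --project="$GCP_PROJECT"
    gcloud dns record-sets transaction execute --zone="$DNS_ZONE" --project="$GCP_PROJECT"
    wait_for_txt "$name" "$token_value"
}

# Called after validation with the same arguments; rrdata and TTL must match
# the record being removed.
clean_challenge() {
    domain="$1"; token_value="$3"
    name=$(challenge_record "$domain")
    gcloud dns record-sets transaction start --zone="$DNS_ZONE" --project="$GCP_PROJECT"
    gcloud dns record-sets transaction remove "\"$token_value\"" --name="$name" \
        --ttl="$TTL" --type=TXT --zone="$DNS_ZONE" --project="$GCP_PROJECT"
    gcloud dns record-sets transaction execute --zone="$DNS_ZONE" --project="$GCP_PROJECT"
}

# Called only when a certificate was actually issued, as:
# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Certificate resources are immutable, so create a fresh one and swap the
# proxy over to it; the old resource stays until you delete it.
deploy_cert() {
    domain="$1"; keyfile="$2"; fullchain="$4"; timestamp="$6"
    name=$(cert_resource_name "$domain" "$timestamp")
    gcloud compute ssl-certificates create "$name" --certificate="$fullchain" \
        --private-key="$keyfile" --project="$GCP_PROJECT"
    gcloud compute target-https-proxies update "$HTTPS_PROXY_NAME" \
        --ssl-certificates="$name" --project="$GCP_PROJECT"
}

# Dispatch on the hook name dehydrated passes as the first argument; other
# hook names (unchanged_cert, exit_hook, ...) are deliberately ignored.
HANDLER="${1:-}"
if [ -n "$HANDLER" ]; then
    shift
    case "$HANDLER" in
        deploy_challenge|clean_challenge|deploy_cert) "$HANDLER" "$@" ;;
        *) exit 0 ;;
    esac
fi
```

Run it from the machine holding the gcloud credentials with something like `dehydrated -c --challenge dns-01 --hook ./gcp-hook.sh`; because `deploy_cert` is only invoked when a new certificate is issued, the same command is safe to schedule daily. The private key never leaves that machine except through the `ssl-certificates create` upload, and the instances behind the load balancer are not involved at all, which is what removes the "which instance gets the challenge" problem from the original question.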
