Unable to connect to GKE-hosted web server w/ https (google-managed cert)

Hello,

I have set up a chat server for my lab group (via Rocket Chat helm chart) and it seems to be working fine and I am able to connect to it via my domain, but only http.

The page is not able to resolve via https (so I can’t actually link w/ our company auth to have us sign in)

My ingress has an https proxy that is associated w/ the Google-managed cert, but when I run “describe” against my cert it is stuck like this:

Certificate Status: Provisioning
Domain Status:
Domain: example.mydomain
Status: FailedNotVisible

I had done this yesterday and it was stuck for 12 hours, so I deleted it and tried again later; same issue, so I don’t think it’s just me being impatient.

These are the config options I used in deploying my ingress (w/ the Rocket Chat helm chart; hopefully that doesn’t affect things):

annotations:

This is the load balancer associated w/ my ingress:

Classic Application Load Balancer

Frontend

Protocol | IP:Port | Certificate  | SSL Policy  | Network Tier
HTTP     | chat-ip |              |             | Premium
HTTPS    | chat-ip | my-chat-cert | GCP default | Premium

Host and path rules

Hosts                   | Paths                   | Backend
All unmatched (default) | All unmatched (default) | default-http-backend-80
                        | /*                      | my-app-80
                        | /*                      | kube-system-default-http-backend-80

Backend services

1. kube-system-default-http-backend-80

Endpoint protocol: HTTP
Timeout: 30 seconds
Health check: kube-system-default-http-backend-80
Cloud CDN: Disabled
Logging: Enabled (sample rate: 1)
Session affinity: None
Connection draining timeout: 0 seconds
Backend security policy: None
Edge security policy: None
Identity-Aware Proxy: Disabled

Backends

Name                                | Type                         | Scope    | Healthy | Autoscaling      | Balancing mode            | Capacity
kube-system-default-http-backend-80 | Zonal network endpoint group | my-scope | 1 of 1  | No configuration | Max RPS: 1 (per endpoint) | 100%

2. my-app-80

Endpoint protocol: HTTP
Timeout: 30 seconds
Health check: my-app-80
Cloud CDN: Disabled
Logging: Enabled (sample rate: 1)
Session affinity: None
Connection draining timeout: 0 seconds
Backend security policy: None
Edge security policy: None
Identity-Aware Proxy: Disabled

Backends

Name      | Type                         | Scope    | Healthy | Autoscaling      | Balancing mode            | Capacity
my-app-80 | Zonal network endpoint group | my-scope | 1 of 1  | No configuration | Max RPS: 1 (per endpoint) | 100%

App-specific names obscured for obv reasons. Please bear with me, as I am a complete beginner when it comes to networking like this (I sincerely did not realize it could be so complicated to host a simple web server on the internet). I notice none of these frontends/backends have the https port. Could that be the issue?

My domain is registered with Squarespace, but I am using Cloudflare for DNS. I have end-to-end encryption enabled and, once again, I am able to connect via my domain w/ http.

Thank you for any help; I’ve sincerely been stuck on this for two days with no progress, and it’s important that I have this up and running soon (more like two days ago, haha).

Hi @smoolio76 ,

By the looks of it, the managed certificate is not being provisioned correctly, which causes the HTTPS connection to fail. To gather more information about this, first check the status of the managed cert. Use the command below for more information about its status:

kubectl describe managedcertificate my-chat-cert

You can also check your domain’s DNS records and make sure they are pointing to the correct IP address. You can use a tool like dig or nslookup to check the DNS records for your domain. The IP address should match the IP address of your load balancer.

Lastly, it may have something to do with the ingress configuration. Check that it is using the correct managed certificate. Below is my sample YAML.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    # reserved global static IP that both load balancer frontends use
    kubernetes.io/ingress.global-static-ip-name: chat-ip
    # ManagedCertificate resource(s) to attach to the HTTPS frontend
    networking.gke.io/managed-certificates: my-chat-cert
spec:
  # the GKE (GCE) ingress controller must own this Ingress, otherwise the
  # annotations above are ignored and no HTTPS frontend gets the certificate
  ingressClassName: gce
  rules:
  - host: example.mydomain
    http:
      paths:
      - pathType: ImplementationSpecific
        path: /*   # GCE ingress path syntax; matches everything under /
        backend:
          service:
            name: my-app-80
            port:
              number: 80

Let me know if this helps.


Hi! Thank you, I ended up figuring it out. I think there were two issues:

1. My Ingress wasn’t being classed properly as “gce” unless I specified it in spec.ingressClassName (NOT annotations.kubernetes.io/ingressClass), so it wasn’t able to use my Google-managed cert.

2. I had my domain on Cloudflare set to proxy my IP address, so I don’t believe whatever magic is used to verify my domain could resolve my IP properly.

Thank you for your help! And hopefully, if anyone else has a similar issue, here are two things to look out for.
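As an added example that is not part of the original thread, the script below turns the three checks from the reply above and the two findings in the follow-up into something repeatable: the domain’s A records must all equal the load balancer’s reserved static IP (a Cloudflare-proxied record resolves to Cloudflare edge addresses instead, so the Google CA never sees the load balancer and the domain stays FailedNotVisible), the ManagedCertificate status fields are turned into a one-word verdict, and spec.ingressClassName must be gce. The names example.mydomain, chat-ip and my-chat-cert come from the thread; the Ingress name my-ingress, the function names and the sample IP addresses in the test are assumptions. The functions take their input as arguments so they can be exercised offline; only live_check runs gcloud, kubectl and dig.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread or from GKE itself.
# Names taken from the thread: example.mydomain, chat-ip, my-chat-cert.
# Assumed: the Ingress name my-ingress and all function names.
set -eu

# dns_points_at_lb LB_IP RECORDS
# RECORDS is the output of `dig +short A <domain>` (one line per answer).
# Returns 0 only when every answer is the load balancer's IP. A Cloudflare
# "proxied" record answers with Cloudflare edge IPs, and a CNAME answer
# starts with the target name, so both fail the check, which is exactly
# what makes the managed certificate report FailedNotVisible.
dns_points_at_lb() {
  local lb_ip="$1" records="$2" ip
  [ -n "$records" ] || return 1          # NXDOMAIN / no A record at all
  for ip in $records; do                 # default IFS also splits on newlines
    [ "$ip" = "$lb_ip" ] || return 1     # foreign IP or CNAME target
  done
  return 0
}

# cert_verdict CERT_STATUS DOMAIN_STATUS
# Map .status.certificateStatus / .status.domainStatus[0].status of a
# ManagedCertificate to a one-word verdict.
cert_verdict() {
  case "$1/$2" in
    Active/Active)                 echo ok ;;
    Provisioning/FailedNotVisible) echo dns-not-visible ;;
    Provisioning/*)                echo provisioning ;;
    *)                             echo failed ;;
  esac
}

# ingress_class_ok CLASS_NAME
# The GKE ingress controller only acts on an Ingress whose
# spec.ingressClassName is "gce"; with any other class the
# networking.gke.io/managed-certificates annotation is never applied.
ingress_class_ok() {
  [ "$1" = "gce" ]
}

# live_check [DOMAIN] [STATIC_IP_NAME] [CERT] [INGRESS]
# Runs the real commands against the current gcloud/kubectl context.
live_check() {
  local domain="${1:-example.mydomain}" ip_name="${2:-chat-ip}"
  local cert="${3:-my-chat-cert}" ingress="${4:-my-ingress}"
  local lb_ip records cs ds cls

  lb_ip=$(gcloud compute addresses describe "$ip_name" --global --format='value(address)')
  records=$(dig +short A "$domain")
  if dns_points_at_lb "$lb_ip" "$records"; then
    echo "DNS ok: $domain -> $lb_ip"
  else
    echo "DNS mismatch: $domain -> [$(echo "$records" | tr '\n' ' ')] expected $lb_ip"
    echo "  (if Cloudflare is proxying this record, switch it to DNS only)"
  fi

  cs=$(kubectl get managedcertificate "$cert" -o jsonpath='{.status.certificateStatus}')
  ds=$(kubectl get managedcertificate "$cert" -o jsonpath='{.status.domainStatus[0].status}')
  echo "certificate: $(cert_verdict "$cs" "$ds") ($cs / $ds)"

  cls=$(kubectl get ingress "$ingress" -o jsonpath='{.spec.ingressClassName}')
  if ingress_class_ok "$cls"; then
    echo "ingress class ok: gce"
  else
    echo "ingress class is '${cls:-<unset>}'; set spec.ingressClassName: gce"
  fi
}

# Only touch the live environment when explicitly asked, so the functions
# above can be sourced and tested offline.
if [ "${1:-}" = "--live" ]; then
  shift
  live_check "$@"
fi
```

Run it as `./check-gke-cert.sh --live example.mydomain chat-ip my-chat-cert my-ingress`. Once the DNS record is switched to DNS only and the Ingress class is gce, the certificate moves from Provisioning/FailedNotVisible to Active/Active on its own; it can still take a while after the fix, so re-run the check rather than deleting and recreating the ManagedCertificate.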