New SSL certificate not working on the Google Cloud Platform - ssl

I recently installed a new self-managed certificate on the Google Cloud Platform. This is because the old one was out of date. I believe that I have done this correctly.
sgnapper@cloudshell:~ (tactical-curve-284112)$ gcloud compute ssl-certificates list \
--global
NAME: eris-sypro
TYPE: SELF_MANAGED
CREATION_TIMESTAMP: 2022-06-23T06:32:33.689-07:00
EXPIRE_TIME: 2023-06-22T16:59:59.000-07:00
MANAGED_STATUS:
Yet I get:
Your connection isn't private
Attackers might be trying to steal your information from syproltd.co.uk (for example, passwords, messages or credit cards).
NET::ERR_CERT_REVOKED
When I try and connect to the site.
I am not familiar with Google Cloud and I wonder if there is a step I have missed.
If anybody can help, I would be grateful.

gcloud compute ssl-certificates create does not automagically provision the SSL certificate to any services, but only adds it to the infrastructure. NET::ERR_CERT_DATE_INVALID expired 9 days ago. And the new one likely isn't provisioned to the load balancer. This is explained here: Step 3: Associate an SSL certificate with a target proxy. When the certificate is installed on a VM instance (no load balancer), you may run gcloud compute ssl-certificates delete eris-sypro --global and instead replace the SSL certificate installed on the VM instance.

Related

Strimzi Kafka ssl validation failed VS AWS MSK ssl passed

I have nodejs app using kafkajs package for connecting to AWS MSK.
We are moving to Strimzi Kafka because we already have a kubernetes cluster and we don't need the MSK anymore.
Until now we were connected with SSL but didn't have to specify any CA path or something. We used this way of connection both on our nodejs apps and kafka-ui and it worked with no issues.
We are trying to do the same with Strimzi Kafka, but we get "SSL handshake failed".
My understanding is that AWS MSK is using Amazon certificates that are known, while Strimzi Kafka generates self-signed certificates, which is OK by us.
How can I keep using the same approach we used with AWS MSK, i.e. just ssl: true in kafkajs (which works there)?
Thanks.
The easiest way to use a certificate signed by some public CA is using the listener certificate which lets you provide your own server certificate for given listener. I'm not sure how the Amazon CA works, but this blog post shows how to do it for example using Cert-Manager and Let's Encrypt.
Keep in mind that to use the public CAs, you usually need to use some proper domain names and not just internal Kubernetes services. This might for example increase costs or latency if your applications run in the same Kubernetes cluster because the traffic might need to go through a load balancer or ingress.

How to remove SSL certificate from Load balancer on Google Cloud Platform?

We have 3 load balancers on GCP: Dev, Staging and Production.
Our SSL certificate expired, so it was time to replace it. I went to:
Network services > Load balancing > Load balancers > Edit > Frontend configuration
and added the new certificate. It worked perfectly for Staging and Production.
Dev was working for 5-10 minutes, and after that the old certificate was re-applied automatically. I decided to delete the old certificate (if it is not there, it cannot be applied). It worked for 10 minutes and then, miraculously, GCP restored the deleted certificate and re-applied it to Dev.
Tried it a few times with the same result.
Is this a bug, or am I missing something?
Visit the certificates list in the advanced load-balancing menu, and delete the certificates you want to remove:
https://console.cloud.google.com/net-services/loadbalancing/advanced/sslCertificates/list?project=[project_name]
Because the target proxy is also using the same SSL certificate. Update the target proxy with another SSL certificate; after that you can delete the SSL certificate from the load balancer.
Go to the Cloud SDK shell or Cloud Shell in the browser and run the command below in the right project:
gcloud compute target-https-proxies update PROXY_NAME --ssl-certificates=SSL_CERTIFICATE
Replace PROXY_NAME and SSL_CERTIFICATE with the exact names.
You will get output like the following:
Updated [https://www.googleapis.com/compute/v1/projects/project-id/global/targetHttpsProxies/target-proxy-name].
Now try to delete the old SSL certificate from the LB.
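The two GCP threads above are the same procedure seen from both ends: in the first, the new certificate was uploaded but never attached to a target proxy; in this one, the old certificate cannot be retired while a proxy (possibly a second one, such as the Dev frontend) still references it. The script below is an added example, not code from either answer, that does the steps in the safe order: upload, re-point every proxy, confirm the load balancer is actually serving the new leaf, and only then delete the old resource. It assumes an authenticated gcloud, a full-chain PEM plus unencrypted key, and that openssl is installed; the names eris-sypro, eris-sypro-2023 and my-proxy in the usage line are placeholders. DRY_RUN=1 prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example: rotate a SELF_MANAGED certificate on a Google Cloud global
# external HTTPS load balancer. Not part of the original posts.
# Usage: ./rotate-cert.sh rotate OLD_CERT NEW_CERT fullchain.pem privkey.pem HOST PROXY...
set -eu

# run CMD...: execute, or only print the command when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# upload_cert NAME FULLCHAIN KEY: register the PEM pair as a global
# SELF_MANAGED certificate. Pass the full chain (leaf + intermediates), not
# just the leaf, or clients that lack the intermediate fail the handshake.
upload_cert() {
  run gcloud compute ssl-certificates create "$1" \
      --certificate="$2" --private-key="$3" --global
}

# swap_proxy_cert PROXY CERTS: point the target HTTPS proxy at CERTS.
# --ssl-certificates replaces the proxy's whole list, so any other
# certificate the proxy serves (a second hostname via SNI) must be
# repeated here, comma separated.
swap_proxy_cert() {
  run gcloud compute target-https-proxies update "$1" \
      --ssl-certificates="$2" --global
}

# served_fingerprint HOST: SHA-256 fingerprint of the leaf the load
# balancer presents for HOST right now.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# local_fingerprint FULLCHAIN: fingerprint of the leaf in the uploaded PEM.
local_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# rotate OLD NEW FULLCHAIN KEY HOST PROXY...: upload, re-point every proxy,
# wait until the edge serves the new leaf, then delete the old resource.
# Deleting first is refused by the API while any proxy still references it.
rotate() {
  old=$1; new=$2; chain=$3; key=$4; host=$5; shift 5
  upload_cert "$new" "$chain" "$key"
  for proxy in "$@"; do
    swap_proxy_cert "$proxy" "$new"
  done
  if [ "${DRY_RUN:-0}" != "1" ]; then
    want=$(local_fingerprint "$chain")
    tries=0
    # Propagation to the edge usually takes a few minutes; give it 10.
    until [ "$(served_fingerprint "$host")" = "$want" ]; do
      tries=$((tries + 1))
      if [ "$tries" -ge 20 ]; then
        echo "LB still serving the old certificate; not deleting $old" >&2
        return 1
      fi
      sleep 30
    done
  fi
  run gcloud compute ssl-certificates delete "$old" --global --quiet
}

case "${1:-}" in
  rotate) shift; rotate "$@" ;;
esac
```

Before running it against a frontend that "keeps getting the old certificate back", list every proxy and what it references with gcloud compute target-https-proxies list --format='table(name,sslCertificates)'; a proxy you forgot to pass on the command line is the usual reason the old certificate appears to survive.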

SSL for custom client domains

I have an app (hosted in Heroku) where customers have an individual subdomain, e.g. client1.myapp.com, client2.myapp.com. I am using a wildcard SSL cert here.
If, however, a client wants to use their own custom domain, e.g. a CNAME app.client1.com,
how can I automatically provide an SSL cert (I'm guessing using Let's Encrypt) for the client, without them providing me a certificate to upload, in a similar way to how Firebase etc. provides SSL certs for domains?
As long as app.client1.com is reachable from the internet, you are free to set up a lets-encrypt certificate.
If your applications run on a unix-like system, then the certbot docs describe all the steps for automating the renewal.
You basically have to set up a cron job that launches the renewal command.
You can edit the crons on your Linux machine with the command crontab -e and place something like this at the end of the file:
0 15 1 * * certbot renew
This will run the command the first day of each month and attempt the renewal of your certificate. Check crontab.guru if you need different settings.
If you want to call the certbot command from a custom script, you can add that script to your cron job (and save the output to a custom file).
E.g:
0 15 1 * * python cert_autorenew.py >> cron.log 2>&1
Keep in mind that if you want a certificate for app.client1.com, then app.client1.com must resolve to the server from which you send the renewal request.
That's how you demonstrate the control over your domain to letsencrypt.
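The last point is where automated onboarding of customer domains usually fails: if you request the certificate before the customer's CNAME has propagated, the HTTP-01 challenge is answered by whoever the name still points at, and you burn a Let's Encrypt failure against your rate limits. The script below is an added example (not from the answer above) that checks the DNS first, validates the hostname before handing it to certbot, and emits the cron line for renewal. It assumes certbot, a web server that serves /var/www/acme under /.well-known/acme-challenge/ for every hostname, nginx as that server, and the public address 203.0.113.10; all of those are placeholders.

```shell
#!/bin/sh
# Added example: onboard a customer's custom domain for Let's Encrypt only
# once it points at this server. Not part of the original answers.
# Usage: ./onboard.sh issue app.client1.com   |   ./onboard.sh cron
set -eu

OUR_IPS="${OUR_IPS:-203.0.113.10}"          # placeholder: this host's public IPv4(s), space separated
WEBROOT="${WEBROOT:-/var/www/acme}"         # placeholder: directory the web server exposes for the challenge
ACME_EMAIL="${ACME_EMAIL:-ops@myapp.example}"  # placeholder contact address

# resolve_a NAME: IPv4 addresses NAME resolves to, following CNAMEs.
# Separate function so another resolver (or a test stub) can replace it.
resolve_a() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# domain_points_here NAME: succeed only if every address NAME resolves to
# is ours. A partial match means some clients (and maybe the CA's
# validator) reach a host that cannot answer the challenge, so treat it
# as "not ready yet" rather than racing the customer's DNS change.
domain_points_here() {
  addrs=$(resolve_a "$1")
  [ -n "$addrs" ] || return 1
  for a in $addrs; do
    found=0
    for ours in $OUR_IPS; do
      [ "$a" = "$ours" ] && found=1
    done
    [ "$found" = 1 ] || return 1
  done
  return 0
}

# valid_hostname NAME: accept only a plain DNS name (lower-cased) before it
# is interpolated into a command line; the value comes from a customer.
valid_hostname() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s' "$name" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# issue_cert NAME: request the certificate with the webroot challenge.
# --deploy-hook runs after this issuance and after every later renewal,
# so the web server picks up the new files without a separate step.
issue_cert() {
  valid_hostname "$1" || { echo "refusing invalid hostname: $1" >&2; return 2; }
  domain_points_here "$1" || { echo "$1 does not resolve to $OUR_IPS yet" >&2; return 3; }
  certbot certonly --non-interactive --agree-tos -m "$ACME_EMAIL" \
    --webroot -w "$WEBROOT" -d "$1" \
    --deploy-hook 'systemctl reload nginx'
}

# cron_line: one renewal sweep per day. certbot renew only touches
# certificates within 30 days of expiry, so a daily run is cheap and
# leaves weeks of retries if an attempt fails.
cron_line() {
  printf '%s\n' '17 3 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx" >> /var/log/certbot-renew.log 2>&1'
}

case "${1:-}" in
  issue) issue_cert "${2:?domain required}" ;;
  cron)  cron_line ;;
esac
```

Run the issue step from the customer onboarding flow (or a retry queue) until it succeeds; a non-zero exit of 3 simply means "DNS not ready", which is expected for the first minutes after the customer adds the CNAME.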
If you are hosting the new application in Heroku, or the new domain is directed to a Heroku app, they will take care of the SSL certificates for you, as long as you run the application on a paid dyno, which you should, as it's a client's application!
https://devcenter.heroku.com/articles/ssl
Heroku provides free Automated Certificate Management (ACM) for all applications running on paid dynos. With ACM, Heroku automatically provisions and renews SSL certificates for your application. If you prefer to upload your own certificate manually, follow the steps in this article.
You only have to make an application in Heroku, upgrade the dyno and configure the custom domain name (app.client1.com) for the application, following instructions at https://devcenter.heroku.com/articles/custom-domains

How to setup Letsencrypt for Google Cloud Compute Engine load balancer?

I've setup my Google Cloud Project to use a load balancer in combination with auto scaling instance templates. Currently the instance group only has one instance.
My domain name successfully refers to the load balancers IP. Till these steps everything is working correctly.
Now I want to setup SSL for this project. I would like to do this with the Letsencrypt service, however I'm having no success when trying to set this up.
In the Google Cloud Engine load balancer window there is an option to attach a certificate created earlier with Google Cloud Shell to the load balancer frontend. Unfortunately I can only create a .csr and .key file with the Google Cloud Shell. Furthermore, I can create an unsafe SSL certificate and get the .cert file from it, but I would like to create a safe SSL cert file using Let's Encrypt. The Let's Encrypt service requires direct access to the domain from the command-line interface the command was executed on; this is probably the reason why I'm getting an error indicating the domain name cannot be retrieved.
I’m looking for a way to install the Letsencrypt certificate on the loadbalancer using Google Cloud. Is there a way how I can manually create a .cert file with letsencrypt instead of installing this directly? If not is there another way or service to create a .cert file from a .csr and .key file?
You can use sslforfree.com, which calls LetsEncrypt for you and gives you the keys for downloading. It can also remind you to renew your certs. (There's currently no way to auto-renew certs in Google LB)
You can use certbot
Here is an example of how to create only the certificates
$ ./certbot-auto certonly --standalone --email admin@example.com -d example.com -d www.example.com
If you use Kubernetes on top of Google Compute Engine, a good solution is cert-manager, which is a successor of kube-lego. Both can automatically requests certificates for Kubernetes Ingress resources from Let's Encrypt:
Features
Recognizes the need for a new certificate in these cases:
No certificate exists
The existing certificate does not contain all domain names
The existing certificate is expired or near its expiry date (cf. option LEGO_MINIMUM_VALIDITY)
The existing certificate is unparseable, invalid or does not match the secret key
Creates a user account (incl. private key) for Let's Encrypt and stores it in Kubernetes secrets (secret name is configurable via LEGO_SECRET_NAME)
Obtains the missing certificates from Let's Encrypt and authorizes the request with the HTTP-01 challenge
Makes sure that the specific Kubernetes objects (Services, Ingress) contain the right configuration for the HTTP-01 challenge to succeed
Official Kubernetes Helm chart for simple deployment.
A step-by-step tutorial for GCE is available.
A good way to achieve your goal is cloud function + cloud scheduler + https://github.com/bloomapi/letsencrypt-gcloud-balancer
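The answers above give the two realistic routes: have something inside the cluster answer HTTP-01 (cert-manager), or obtain the certificate elsewhere and push it onto the load balancer. The --standalone certbot invocation shown earlier needs port 80 on the machine running certbot, which is exactly what a load balancer frontend takes away, so the push route is easier with the DNS-01 challenge. The script below is an added example, not from any of the answers, using the certbot-dns-google plugin to prove control over the name through Cloud DNS and a certbot deploy hook to upload the result as a dated SELF_MANAGED certificate and re-point the target proxy. It assumes an authenticated gcloud, the plugin installed, a service-account key with Cloud DNS rights at the path in DNS_CREDS, and that the script is invoked by absolute path (certbot stores $0 as the hook command); www.example.com, example-https-proxy and the e-mail address are placeholders. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Let's Encrypt for a hostname terminated on a Google Cloud
# HTTPS load balancer, via DNS-01 and a deploy hook. Not from the original posts.
# Usage: /opt/le-lb.sh obtain        (first issuance; renewals re-run the hook)
set -eu

DOMAIN="${DOMAIN:-www.example.com}"                    # placeholder hostname
PROXY="${PROXY:-example-https-proxy}"                  # placeholder target HTTPS proxy
DNS_CREDS="${DNS_CREDS:-/etc/letsencrypt/gcp-dns-sa.json}"  # placeholder SA key path
ACME_EMAIL="${ACME_EMAIL:-ops@example.com}"            # placeholder contact address

# run CMD...: execute, or only print the command when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# cert_name HOST STAMP: a valid Compute resource name (lowercase letters,
# digits, dashes, at most 63 chars). Dots from the hostname are not allowed,
# and the timestamp keeps every renewal's upload distinct so the previous
# certificate is never overwritten while a proxy still references it.
cert_name() {
  base=$(printf '%s' "$1" | tr '.' '-' | tr 'A-Z' 'a-z' | cut -c1-40)
  printf 'le-%s-%s' "$base" "$2"
}

# deploy LINEAGE_DIR: what certbot runs after each (re)issuance. certbot
# passes the lineage directory (/etc/letsencrypt/live/<name>) in
# RENEWED_LINEAGE; fullchain.pem and privkey.pem live there.
deploy() {
  name=$(cert_name "$DOMAIN" "$(date -u +%Y%m%d%H%M)")
  run gcloud compute ssl-certificates create "$name" \
      --certificate="$1/fullchain.pem" --private-key="$1/privkey.pem" --global
  run gcloud compute target-https-proxies update "$PROXY" \
      --ssl-certificates="$name" --global
  # The previous certificate can be deleted once the edge serves this one;
  # gcloud compute ssl-certificates list shows the dated names to prune.
}

# obtain: first issuance. The plugin and the hook are recorded in the
# renewal config, so a daily "certbot renew" repeats both unattended and
# never needs port 80 on this machine.
obtain() {
  run certbot certonly --non-interactive --agree-tos -m "$ACME_EMAIL" \
      --dns-google --dns-google-credentials "$DNS_CREDS" \
      -d "$DOMAIN" \
      --deploy-hook "$0 deploy"
}

case "${1:-}" in
  obtain) obtain ;;
  deploy) deploy "${RENEWED_LINEAGE:?set by certbot}" ;;
esac
```

Keep the service-account key readable only by root: whoever holds it can answer DNS-01 for every zone it can edit, i.e. obtain certificates for any of those names.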

Puppet Enterprise Console certificate update

I've set up and been managing a Puppet (Enterprise 2016.1) instance with over 50 nodes. The PE console uses a self-signed certificate (https://<fully-qualified-domain-name>/) which is starting to get flagged by the security audits, forcing me to update the cert. I'm trying to overwrite the self-signed certificate with a CA cert and also do a DNS binding so the URL is more user-friendly. I tried to follow the Puppet article here (https://docs.puppet.com/pe/latest/custom_console_cert.html) but it broke my environment and made the console inaccessible. It has since been recovered using Azure backup.
If anybody has ever carried out this activity, would you please let me know how I can go about it? Thanks.