GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

How to use a cert with TLS 1.0? #39

Closed leobut closed 4 years ago

leobut commented 4 years ago

We have some old machines that connect to our backend through https and had a wildcard certificate in use before. Now we want to switch to a Google managed certificate, but this also requires having an SSL Policy in place in GCP that forces traffic to use TLS 1.2. How can I get a managed certificate that supports TLS 1.0?

krzykwas commented 4 years ago

Please follow the GCP docs on SSL Policies to configure them the way you need. SSL Policies are a GKE Ingress thing; GKE Managed Certificates don't need to be configured in any way to require any TLS version. I don't know the level of Ingress's support for SSL Policies; you may need to use the GCLB API (i.e. via gcloud, for instance) to configure the policies.

leobut commented 4 years ago


Thanks for the response. I already tried to configure the SSL Policy as TLS 1.0, which is the GCP default; when I don't explicitly add a new SSL Policy for my load balancer that enforces TLS 1.2, I get "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" in Chrome when I try to access my API.

I followed this short tutorial to secure my load balancer with Google Managed Certificates; the guy in the tutorial experienced the same issue: https://geekflare.com/google-managed-certificate-lb/

Maybe I am misunderstanding something.

krzykwas commented 4 years ago

When the ManagedCertificate becomes Active, it unfortunately does not mean it has successfully propagated to all the endpoints yet. The problem described in the article was most probably caused by exactly this, i.e. it would work if you allow more time for certificate propagation. The SSL policies do not have anything in common with this issue.
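The split described in this thread, as an added example that is not part of the original discussion or the project's own docs: the TLS floor is set by a GCLB SSL policy (created with gcloud and referenced from the Ingress through a FrontendConfig), while the ManagedCertificate only supplies the certificate. It assumes a GKE version that supports FrontendConfig; the names tls12-only, api-cert, api-ingress, api-ip, api-svc and api.example.com are placeholders.

```yaml
# Added example, not from the issue thread. Placeholder names throughout.
#
# 1. Create the SSL policy in GCP; this, not the certificate, decides the
#    minimum TLS version the load balancer will negotiate:
#    gcloud compute ssl-policies create tls12-only --profile MODERN --min-tls-version 1.2
#
# 2. Reference that policy from the Ingress via a FrontendConfig.
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: tls12-only-frontend
spec:
  sslPolicy: tls12-only          # name of the gcloud SSL policy created above
---
# 3. The managed certificate carries no TLS-version setting at all.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: api-cert
spec:
  domains:
    - api.example.com            # must resolve to the Ingress IP before it turns Active
---
# 4. The Ingress ties both together through annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: api-ip
    networking.gke.io/managed-certificates: api-cert
    networking.gke.io/v1beta1.FrontendConfig: tls12-only-frontend
spec:
  defaultBackend:
    service:
      name: api-svc
      port:
        number: 80
```

Once the ManagedCertificate status shows Active, allow extra time for propagation before concluding the policy is wrong; `openssl s_client -connect api.example.com:443 -servername api.example.com` shows which certificate and protocol version the load balancer actually serves.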

krzykwas commented 4 years ago

Please let me know if you'd like to reopen this issue.

leobut commented 4 years ago

Hi

Sorry, I forgot to answer. Your answer makes a lot of sense, as I could also not figure out how TLS and the Cert might be related to each other.

I think this solves the issue for me. Thank you 👍