GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

FailedNotVisible for domains w/ DNS managed by CloudFlare (proxy) #44

Closed kpurdon closed 4 years ago

kpurdon commented 4 years ago

Some details:

```
kpurdon@syndio: ~ dig ce-staging.synd.io.

; <<>> DiG 9.10.6 <<>> ce-staging.synd.io.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3902
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ce-staging.synd.io.        IN  A

;; ANSWER SECTION:
ce-staging.synd.io. 215 IN  A   104.25.113.9
ce-staging.synd.io. 215 IN  A   104.25.112.9

;; Query time: 25 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Mon Mar 16 18:43:01 MDT 2020
;; MSG SIZE  rcvd: 79
```

```yaml
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: ceweb-staging
spec:
  domains:
    - ce-staging.synd.io
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ceweb
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ceweb
    networking.gke.io/managed-certificates: ceweb-staging
spec:
  backend:
    serviceName: ceweb
    servicePort: 80
```

Everything works, except the domain status always results in FailedNotVisible. Is this an undocumented limitation, a misunderstanding by me, or a misconfiguration by me?

Please let me know if I can provide any more details.

kpurdon commented 4 years ago

@krzykwas is this repo still a valid place to file issues for GKE managed certs? If not could you point me to the correct place? Thanks.

krzykwas commented 4 years ago

The certificates for TLS-ALPN challenge method are not visible under the IP addresses that ce-staging.synd.io. resolves to, so a certificate cannot be provisioned. I don't know what Cloudflare proxy does, but it would have to pass through the TLS-ALPN challenges. I can say the current setup does not work.

This is a proper place (or else for GKE-related questions you can ask the GCP support). I'd like to be able to respond to the issues here more frequently.
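The visibility check described in the reply above can be reproduced from the outside. The script below is an added example, not part of this thread or of the gke-managed-certs project: it compares the addresses a domain publicly resolves to against the load balancer IP the ManagedCertificate controller would validate on, flags addresses that sit inside Cloudflare's published edge prefixes (a subset is embedded so the script runs offline), and offers `acme-tls/1` over ALPN to a given IP to see whether that endpoint will even negotiate the TLS-ALPN challenge protocol. The sample addresses are the two from the `dig` output in the issue; the load balancer IP `203.0.113.10` is an assumed placeholder from the TEST-NET-3 documentation range, not a real GCLB address.

```python
"""Diagnose a GKE ManagedCertificate stuck in FailedNotVisible.

The TLS-ALPN-01 challenge is served by the Google Cloud load balancer on the
Ingress's static IP. If the domain's public A records point somewhere else
(for example a Cloudflare proxy), the validator never reaches the challenge.
Added example; not code from the gke-managed-certs project.
"""
import ipaddress
import socket
import ssl
import sys
from typing import Iterable, List, Optional

# Constructed sample data: the two addresses from the dig output in the issue
# and an ASSUMED placeholder for the reserved "ceweb" static IP (TEST-NET-3).
SAMPLE_RESOLVED = ["104.25.113.9", "104.25.112.9"]
ASSUMED_LB_IP = "203.0.113.10"

# Subset of Cloudflare's published IPv4 edge prefixes (https://www.cloudflare.com/ips-v4),
# embedded here so the check works without network access.
CLOUDFLARE_V4 = [
    "104.16.0.0/13",
    "104.24.0.0/14",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "108.162.192.0/18",
]


def resolve_a(domain: str) -> List[str]:
    """Return the IPv4 addresses the domain currently resolves to (live DNS)."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fronted_by(addresses: Iterable[str], prefixes: Iterable[str]) -> List[str]:
    """Return the addresses that fall inside any of the given CIDR prefixes."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [a for a in addresses if any(ipaddress.ip_address(a) in n for n in nets)]


def challenge_visible_at(resolved: Iterable[str], lb_ip: str) -> bool:
    """True only if every public A record is the load balancer IP itself.

    A single stray record is enough to fail validation, because the
    validator may pick any of the published addresses.
    """
    return set(resolved) == {lb_ip}


def diagnose(resolved: Iterable[str], lb_ip: str,
             cf_prefixes: Iterable[str] = CLOUDFLARE_V4) -> str:
    """Classify the DNS situation: 'ok', 'proxied' (Cloudflare edge) or 'mismatch'."""
    resolved = list(resolved)
    if challenge_visible_at(resolved, lb_ip):
        return "ok"
    if fronted_by(resolved, cf_prefixes):
        return "proxied"
    return "mismatch"


def alpn_offered(host: str, ip: str, proto: str = "acme-tls/1",
                 timeout: float = 5.0) -> Optional[str]:
    """Connect to `ip` with SNI=`host`, offering only `proto` via ALPN.

    Returns the protocol the server selected, or None if it declined.
    Verification is disabled on purpose: the ACME challenge certificate is
    self-signed by design, and we only care whether the endpoint negotiates
    the challenge protocol at all. This function needs network access.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([proto])
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    # Usage: python diagnose.py <domain> <static-lb-ip>
    domain, lb_ip = sys.argv[1], sys.argv[2]
    resolved = resolve_a(domain)
    verdict = diagnose(resolved, lb_ip)
    print(f"{domain} -> {resolved}: {verdict}")
    for ip in resolved:
        try:
            print(f"  {ip} ALPN acme-tls/1 selected: {alpn_offered(domain, ip)}")
        except (OSError, ssl.SSLError) as exc:
            print(f"  {ip} TLS handshake failed: {exc}")
```

A `proxied` verdict means the A records are Cloudflare edge addresses, which is exactly the case in the issue: the validator connects to Cloudflare, not to the GCLB, so the challenge is never seen. Whether an endpoint answers `acme-tls/1` only tells you that the server in front negotiates the protocol; it does not by itself prove the challenge certificate for that name is being served, so treat it as a hint rather than a full ACME validation.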

kpurdon commented 4 years ago

@krzykwas thanks for the response. I think this is now going to turn in to a feature question/request. I'm certainly no expert here (which is why I'd love managed certs).

It seems Cloudflare (and most proxies I can find) do not support the TLS-ALPN challenge, but do support the HTTP? challenge? https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare

Here is a similar issue:

https://caddy.community/t/cannot-use-caddy-when-run-with-cloudflare-ssl-strict/5809/2

I've also found a note in a Cloudflare support thread that I could add synd.io/.well-known/acme-challenge/ as a page-rule and disable SSL for that link, allowing the TLS-ALPN check to pass. Does that sound like something that would actually work, and/or be sane?

krzykwas commented 4 years ago

We only use TLS-ALPN, not HTTP challenges. The page-rule would be for supporting an HTTP challenge. If Cloudflare terminates SSL for you, this can't work. The idea behind GKE Managed Certificates is that it's the Google Cloud Load Balancer that has to terminate SSL.

1nfility commented 4 years ago

Any way to use cloudflare with GKE?

krzykwas commented 4 years ago

I have no knowledge on cloudflare offering. If they pass all the requests verbatim, without TLS termination, then it should work.

kpurdon commented 4 years ago

@1nfility the way I make it work is using CloudFlare in ~FlexibleSSL~ Full (not strict) mode w/ a generated origin cert from CloudFlare installed on the GKE ingress as a pre-shared static cert. This works, but the origin (GKE) will only be valid for CloudFlare.

aaadipopt commented 3 years ago

any updates?

krzykwas commented 3 years ago

Nothing has changed.

dhilst commented 3 years ago

@kpurdon I suppose that one cannot generate a certificate on Cloudflare with its free tier, right? Also, the automatic renewal will not work, right?