Closed kpurdon closed 4 years ago
@krzykwas is this repo still a valid place to file issues for GKE managed certs? If not could you point me to the correct place? Thanks.
The certificates for TLS-ALPN challenge method are not visible under the IP addresses that ce-staging.synd.io. resolves to, so a certificate cannot be provisioned. I don't know what Cloudflare proxy does, but it would have to pass through the TLS-ALPN challenges. I can say the current setup does not work.
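A preflight check for the situation described in the reply above, added here as an example (not code from the managed-certificates project or from anyone in this thread): resolve the hostname and compare every A record with the load balancer's static IP, flagging records that fall inside a proxy's address space. Assumptions: the hostname and static IP are the ones quoted in this thread (ce-staging.synd.io, 34.98.108.89); the proxy CIDRs are a constructed sample, not the authoritative Cloudflare list, which should be fetched from https://www.cloudflare.com/ips-v4 before relying on the result. Python is used because its ipaddress module makes the CIDR matching straightforward.

```python
"""Preflight: is the hostname's DNS pointing at the GCLB or at a TLS-terminating proxy?

Added example, not project code. Assumes the hostname/static IP from the thread.
The proxy ranges are a constructed sample; replace with the provider's live list.
"""
import ipaddress
import socket

# Constructed sample of proxy CIDRs for the demo (assumption: not the full list).
SAMPLE_PROXY_RANGES = [
    ipaddress.ip_network(c)
    for c in ("104.16.0.0/13", "172.64.0.0/13", "188.114.96.0/20")
]


def classify(resolved_ips, expected_ip, proxy_ranges=SAMPLE_PROXY_RANGES):
    """Return (verdict, detail) for the A records of a managed-certificate domain.

    ok        every record is the load balancer's static IP: the TLS-ALPN
              challenge served by the GCLB is reachable, provisioning can succeed
    proxied   at least one record is inside a proxy range: the proxy terminates
              TLS, the LB's challenge certificate is never seen by the CA,
              so the domain status ends up FailedNotVisible
    mismatch  records point somewhere else entirely (stale or wrong record)
    empty     no A records at all
    """
    expected = ipaddress.ip_address(expected_ip)
    ips = [ipaddress.ip_address(i) for i in resolved_ips]
    if not ips:
        return "empty", []
    proxied = [str(i) for i in ips if any(i in net for net in proxy_ranges)]
    if proxied:
        return "proxied", proxied
    wrong = [str(i) for i in ips if i != expected]
    if wrong:
        return "mismatch", wrong
    return "ok", [str(expected)]


def resolve(hostname):
    """Live A-record lookup through the system resolver (IPv4 only)."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "ce-staging.synd.io"
    expected = sys.argv[2] if len(sys.argv) > 2 else "34.98.108.89"
    verdict, detail = classify(resolve(host), expected)
    print(f"{host}: {verdict} {detail}")
```

Run it as `python check_dns.py ce-staging.synd.io 34.98.108.89`; a `proxied` verdict means the orange-cloud proxy is in front of the load balancer and the managed certificate cannot be validated until the record is set to DNS-only, or the Full-mode/origin-certificate approach is used instead.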
This is a proper place (or else for GKE-related questions you can ask the GCP support). I'd like to be able to respond to the issues here more frequently.
@krzykwas thanks for the response. I think this is now going to turn in to a feature question/request. I'm certainly no expert here (which is why I'd love managed certs).
It seems Cloudflare (and most proxies I can find) do not support the TLS-ALPN challenge, but do support the HTTP challenge? https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
Here is a similar issue:
https://caddy.community/t/cannot-use-caddy-when-run-with-cloudflare-ssl-strict/5809/2
I've also found a note in a Cloudflare support thread that I could add synd.io/.well-known/acme-challenge/ as a page-rule and disable SSL for that link, allowing the TLS-ALPN check to pass. Does that sound like something that would actually work, and/or be sane?
We only use TLS-ALPN, not HTTP challenges. The page-rule would be for supporting an HTTP challenge. If Cloudflare terminates SSL for you, this can't work. The idea behind GKE Managed Certificates is that it's the Google Cloud Load Balancer that has to terminate SSL.
Any way to use cloudflare with GKE?
I have no knowledge on cloudflare offering. If they pass all the requests verbatim, without TLS termination, then it should work.
@1nfility the way I make it work is using CloudFlare in ~FlexibleSSL~ Full (not strict) mode w/ a generated origin cert from CloudFlare installed on the GKE ingress as a pre-shared static cert. This works, but the origin (GKE) will only be valid for CloudFlare.
any updates?
Nothing has changed.
@kpurdon I suppose that one cannot generate a certificate on Cloudflare with its free tier, right? Also, the automatic renewal will not work, right?
Some details:
ce-staging.synd.io points to my external static IP 34.98.108.89, but dig resolves to the CloudFlare proxy IPs.
Everything works, except the domain status always results in FailedNotVisible. Is this an undocumented limitation, a misunderstanding by me, or a misconfiguration by me?
Please let me know if I can provide any more details.