Google managed SSL certificate stuck on FAILED_NOT_VISIBLE
What worked for me after checking the answers here (I worked with a load balancer but IMO this is correct for all cases):
- If some time passed this certificate will not work for you (It may be permamnently gone and it will take time to show that) - I created a new one and replaced it in the Load Balancer (just edit it)
- Make sure that the certificate is being used a few minutes after creating it
- Make sure that the DNS points to your service. And that your configuration is working when using http!! - This is the best and safest way (also if you just moved a domain - make sure that when you check it you reach to the correct IP)
- After creating a new cert or if the problem was fixed - your domain will turn green but you still need to wait (can take an hour or more)
I have faced this issue recently. You need to check whether your A Record correctly points to the Ingress static IP.
If you are using a service like Cloudflare, then disable the Cloudflare proxy setting so that ping to the domain will give the actual IP of Ingress. THis will create the Google Managed SSL certificate correctly with 10 to 15 minutes.
Once the certificate is up, you can again enable Cloudflare proxy setting.
I'm leaving this for anyone who might end up in the same situation as me. I needed to migrate from a self-managed certificate to a google-managed one.
I did create the google-managed certificate following the guide and was expecting to see it being activated before applying the certificate to my Kubernetes ingress (to avoid the possibility of a downtime)
Turns out, as stated by the docs,
the target proxy must reference the Google-managed certificate resource
So applying the configuration with kubectl apply -f ingress-conf.yaml
made the load balancer use the newly created certificate, which became active shortly after (15 min or so)