我在GCP上配置负载均衡器时遇到了一个问题,我希望有人能为我指明正确的方向来解决这个问题。
我在GCP中的一个实例上运行了一个web服务器,我想用HTTPS访问来保护它。为此,我遵循了此链接上提供的示例https://cloud.google.com/iap/docs/load-balancer-howto.因此,我保留了域名、静态IP地址和SSL证书;并且将负载平衡器配置为与链路中一样。
- 该实例位于HTTPS外部负载平衡器后面,该负载平衡器应通过HTTPS与客户端通信,并通过HTTP与后端服务通信
- 负载均衡器的前端指向静态IP地址,该地址是正式保留的,端口443是打开的,SSL证书已经就位
- 负载平衡器的后端是一个服务,其中包括运行web服务的实例
问题是:安全连接永远不会成功!!我检查了证书详细信息,页面显示"域状态:FAILED_NOT_VISIBLE"one_answers"状态:PROVISING"。因此,我查阅了"SSL证书疑难解答"页面https://cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting?&_ga=2170344355.-201250651.1616078055#域状态,并试图检查所有可能性,但没有成功。
- 我为负载平衡器配置了一个额外的前端,以允许HTTP,然后我可以使用静态IP地址和域名通过负载平衡器连接到web服务器,这表明问题仅存在于SSL证书中
- 我尝试创建一个新证书并替换旧证书,但没有成功
- 当尝试连接到负载平衡器的静态IP地址时,web浏览器会返回"PR_END_OF_FILE_ERROR">
如果你能帮忙,我将不胜感激。
++++++更新-跟随@JohnHanley评论++++++
从GCP获得的DNS信息如下:
$ gcloud compute addresses list
NAME ADDRESS/RANGE TYPE PURPOSE NETWORK REGION SUBNET STATUS
followup-ipv4 34.120.aaa.bbb EXTERNAL IN_USE
$ gcloud dns managed-zones list
NAME DNS_NAME DESCRIPTION VISIBILITY
followup-com followup.com. public
$ gcloud dns record-sets list --zone=followup-com
NAME TYPE TTL DATA
followup.com. A 300 34.120.aaa.bbb
followup.com. NS 21600 ns-cloud-d1.googledomains.com.,ns-cloud-d2.googledomains.com.,ns-cloud-d3.googledomains.com.,ns-cloud-d4.googledomains.com.
followup.com. SOA 21600 ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
www.followup.com. CNAME 300 followup.com.
$ gcloud compute forwarding-rules list
NAME REGION IP_ADDRESS IP_PROTOCOL TARGET
followup-frontend 34.120.aaa.bbb TCP followup-lb-target-proxy
followup-http-frontend 34.120.aaa.bbb TCP followup-lb-target-proxy-2
$ gcloud compute forwarding-rules describe followup-frontend
For the following forwarding rule:
- [followup-frontend]
choose a region or global:
[1] global
[2] region: asia-east1
[3] region: asia-east2
[4] region: asia-northeast1
[5] region: asia-northeast2
[6] region: asia-northeast3
[7] region: asia-south1
[8] region: asia-south2
[9] region: asia-southeast1
[10] region: asia-southeast2
[11] region: australia-southeast1
[12] region: australia-southeast2
[13] region: europe-central2
[14] region: europe-north1
[15] region: europe-west1
[16] region: europe-west2
[17] region: europe-west3
[18] region: europe-west4
[19] region: europe-west6
[20] region: northamerica-northeast1
[21] region: southamerica-east1
[22] region: us-central1
[23] region: us-east1
[24] region: us-east4
[25] region: us-west1
[26] region: us-west2
[27] region: us-west3
[28] region: us-west4
Please enter your numeric choice: 1
IPAddress: 34.120.aaa.bbb
IPProtocol: TCP
creationTimestamp: '2021-06-04T20:06:37.991-07:00'
description: ''
fingerprint: RBZP24MTKcQ=
id: '2154259932761248978'
kind: compute#forwardingRule
labelFingerprint: 42WmSpB8rSM=
loadBalancingScheme: EXTERNAL
name: followup-frontend
networkTier: PREMIUM
portRange: 443-443
selfLink: https://www.googleapis.com/compute/v1/projects/projectID/global/forwardingRules/followup-frontend
target: https://www.googleapis.com/compute/v1/projects/projectID/global/targetHttpsProxies/followup-lb-target-proxy
深入研究GCP文档(特别是这个(,我发现我错过了按照GCP中的建议向项目的DNS记录添加一条信息(pki.goog和letsencrypt.org的CAA条目(。在BOLD中添加一个的工作DNS记录如下:
$gcloud dns记录集列表--zone=follow-up.com名称类型TTL数据followup.com.A 300 34.120.aaa.bbbfollowup.com.CAA 300 0期"pki.goog",0期"letsencrypt.org">followup.com。NS 21600 NS-cloud-d1.googledomains.com,NS-cloud-d2.googledomains.com、NS-cloud.d3.googledomains.com和NS-cloud-d 4.googledomains.com。followup.com.SOA 21600 ns-cloud-d1.googledomains.com。cloud-dns-hostmaster.google.com。1 21600 3600 259200 300www.followup.com.CNME 300 followup.com。