In "Switch from Regional Load Balancer to a Global HTTPS Load Balancer" we used a self-signed certificate on the load balancer. It serves as the default / backup certificate. We now need a Google-managed wildcard certificate, which the load balancer checks before falling back to the self-signed one. Google currently does not support issuing wildcard certificates through Certificate Manager directly; it has to be done via DNS authorization. There are a few steps to consider (and to adjust from the Google documentation) to make this work.
When I was switching from a cert-manager deployed in the Kubernetes cluster to a Google-managed certificate, there was no easy / documented way to do this for wildcard domains.
UPDATE:
Google has updated their documentation and added information on how to set up a managed certificate for wildcard domains. No deviations from the documentation are needed any more. Refer to the following documentation:
https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth
Additional Information
Adding the acme-challenge via the frontend
When adding the acme-challenge record to the DNS zone through the frontend / Cloud Console, you will see a field named “canonical name”. Enter there the value of the “data” field of the DNS authorization you created.
Be Patient
Creating the DNS authorization should be fairly quick. However, creating the certificate itself may take some time (it could be 2 hours). Refresh the status so you can always see whether it is still “provisioning” or finished (hopefully “Authorized” 😉).
It took me around 5 minutes until the certificate map applied to the target proxy of the load balancer was reflected. I was then able to see the new certificate.
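The whole procedure the post refers to (DNS authorization, the _acme-challenge CNAME, the wildcard certificate, polling its state, and the certificate map on the target proxy) as one script. This is an added example and not code from the original post or from Google; it uses the gcloud Certificate Manager and Cloud DNS commands, and every variable default (project id, domain, zone, proxy and the derived resource names) is a placeholder assumption for illustration. Setting GCLOUD=echo dry-runs the script so the composed commands can be inspected without touching a project.

```shell
#!/bin/sh
# Added example (not from the original post): Google-managed wildcard
# certificate via DNS authorization, scripted with gcloud.
# All defaults below are placeholder assumptions; override them per project.
set -eu

GCLOUD="${GCLOUD:-gcloud}"                   # GCLOUD=echo for a dry run
PROJECT="${PROJECT:-my-project}"             # placeholder project id
DOMAIN="${DOMAIN:-example.com}"              # placeholder apex domain
DNS_ZONE="${DNS_ZONE:-example-com-zone}"     # placeholder Cloud DNS managed zone
PROXY_NAME="${PROXY_NAME:-my-https-proxy}"   # placeholder target HTTPS proxy
RESOURCE_PREFIX="$(printf '%s' "$DOMAIN" | tr . -)"
AUTH_NAME="${RESOURCE_PREFIX}-dns-auth"
CERT_NAME="${RESOURCE_PREFIX}-wildcard-cert"
MAP_NAME="${RESOURCE_PREFIX}-cert-map"

# 1. One DNS authorization on the apex domain covers DOMAIN and *.DOMAIN.
create_dns_authorization() {
  "$GCLOUD" certificate-manager dns-authorizations create "$AUTH_NAME" \
    --project="$PROJECT" --domain="$DOMAIN"
}

# 2. Read one field of the CNAME record Certificate Manager expects
#    ("name" or "data"); "data" is the value for the console's "canonical name".
dns_authorization_field() {
  "$GCLOUD" certificate-manager dns-authorizations describe "$AUTH_NAME" \
    --project="$PROJECT" --format="value(dnsResourceRecord.$1)"
}

# 3. Publish the _acme-challenge CNAME in Cloud DNS.
add_acme_cname() {
  "$GCLOUD" dns record-sets create "$1" --project="$PROJECT" \
    --zone="$DNS_ZONE" --type=CNAME --ttl=300 --rrdatas="$2"
}

# 4. Request apex + wildcard in one certificate, bound to the authorization.
create_certificate() {
  "$GCLOUD" certificate-manager certificates create "$CERT_NAME" \
    --project="$PROJECT" --domains="${DOMAIN},*.${DOMAIN}" \
    --dns-authorizations="$AUTH_NAME"
}

# Managed state of the certificate: PROVISIONING, ACTIVE or FAILED.
certificate_state() {
  "$GCLOUD" certificate-manager certificates describe "$CERT_NAME" \
    --project="$PROJECT" --format="value(managed.state)"
}

# 5. Poll until ACTIVE. Issuance can take up to ~2 hours, hence the default
#    budget of 120 attempts x 60 s. Returns 1 on FAILED or timeout.
wait_for_certificate() {
  attempts="${1:-120}"
  interval="${2:-60}"
  i=1
  while [ "$i" -le "$attempts" ]; do
    state="$(certificate_state)"
    case "$state" in
      ACTIVE) echo "certificate $CERT_NAME is ACTIVE"; return 0 ;;
      FAILED) echo "certificate $CERT_NAME FAILED; verify the _acme-challenge CNAME" >&2; return 1 ;;
      *) echo "attempt $i/$attempts: state=$state, retrying in ${interval}s" ;;
    esac
    sleep "$interval"
    i=$((i + 1))
  done
  echo "timed out waiting for $CERT_NAME" >&2
  return 1
}

# 6. Map both hostnames to the certificate and attach the map to the proxy;
#    map entries are consulted before the proxy's own (self-signed) certificate.
attach_certificate_map() {
  "$GCLOUD" certificate-manager maps create "$MAP_NAME" --project="$PROJECT"
  "$GCLOUD" certificate-manager maps entries create "${MAP_NAME}-wildcard" \
    --project="$PROJECT" --map="$MAP_NAME" --certificates="$CERT_NAME" \
    --hostname="*.${DOMAIN}"
  "$GCLOUD" certificate-manager maps entries create "${MAP_NAME}-apex" \
    --project="$PROJECT" --map="$MAP_NAME" --certificates="$CERT_NAME" \
    --hostname="$DOMAIN"
  "$GCLOUD" compute target-https-proxies update "$PROXY_NAME" \
    --project="$PROJECT" --certificate-map="$MAP_NAME"
}

main() {
  create_dns_authorization
  add_acme_cname "$(dns_authorization_field name)" "$(dns_authorization_field data)"
  create_certificate
  wait_for_certificate
  attach_certificate_map
}

# Usage: sh wildcard-cert.sh run   (nothing runs when the file is only sourced)
if [ "${1:-}" = "run" ]; then main; fi
```

The state check is deliberately its own function so the long wait can be scripted or watched separately; a FAILED state almost always means the CNAME was not published (or was published with the wrong value) before Certificate Manager tried to validate it.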