"Certificate data is invalid" when uploading origin cert to Google Cloud

When uploading a Cloudflare “origin certificate” to Google Cloud I get the error:

The certificate data is invalid. Please ensure that the private key and public certificate match.

I was hoping to use this feature to minimize certificate management overhead with EV certs in Cloudflare and long-lived Cloudflare origin certs on the backend. Maybe GCP just doesn’t like the long lived certs?

It could be that Google Cloud doesn’t like self-signed certificates. They don’t have a way to provide a Let’s Encrypt or some other certificate to that domain?

Thanks for the reply! They do provide LetsEncrypt certs but “it’s complicated”.

Like all the platforms offering LetsEncrypt managed certs, they require you to validate domain ownership. Unlike Heroku and Pantheon (the two I have some experience with) they don’t ask you to add a special TXT or CNAME record to prove ownership. Rather they require you to point the desired hostname at ghs.googlehosted.com.

That doesn’t work where your DNS service provider is a 3rd party and you have Cloudflare sitting in the middle. Your DNS records will point to Cloudflare instead. So Google does a lookup, sees the associated record not pointing to ghs.googlehosted.com, and refuses to issue the cert. One way to solve this is to move DNS hosting to Cloudflare, but we’re not there yet.

So I have been uploading the EV certs I use at Cloudflare to GCP. Not a huge deal but a little less work if I could push one of these long-lived Cloudflare generated certs to GCP instead.


Thats really something for Google to clarify. To me it would not appear as if the certificate itself is the issue but rather that there is some mismatch between the private and public part of the certificate, but thats merely a guess from the message you posted.

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.