FAILED_NOT_VISIBLE Certificate Issues With Proxied Domains

The domain is vita-staging.benefitslaunch.org

This isn’t a subdomain-too-deep issue, but when we use the proxy the SSL cert fails to provision for the load balancer in GCP. When I turn off the proxy it provisions fine and is validated. I was told that you can’t have subdomains that are too deep, so I changed it to the FQDN above and recreated the Let’s Encrypt Google-managed cert, and still this problem persists… why?

So you’re saying that GCP can provision a cert for your domain behind Cloudflare, but not a subdomain behind Cloudflare?

Maybe @matteo has played with GCP load balancers and SSL.

Never played with GCP load balancers (they are way too expensive in bandwidth to be used by themselves unless there are other reasons on the platform…), but I would presume it would work. If it doesn’t, is there a way to put a custom cert on there @tech101? You could put one of Cloudflare’s free Origin certs; they last up to 15 years and are trusted by Cloudflare (and only by them…).


Yes to the initial question by @sdayman, and it appears that disabling the proxy temporarily and then turning it back on once the cert is validated seems to work so far, fingers crossed. We hope to just keep using the Let’s Encrypt certs for everything so that it’s easily configured all within GCP. Worst case we could resort to these certs you speak of, but I haven’t looked into them.

The issue with that is once the Let’s Encrypt cert expires, 90 days from now. The Cloudflare certs last up to 15 years and are obtainable via API in case you want to automate that. They can also be revoked instantly.

Seems to be the usual issue with Let’s Encrypt not being able to get through to the origin server to validate the certificate.

@matteo’s suggestion of an Origin certificate might be the easiest solution. Otherwise you’d need to tweak your Cloudflare configuration in order to let LE pass.
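The workaround the thread settles on (grey-cloud the record, wait for the Google-managed cert to validate, re-enable the proxy) as an added example that is not from the thread or from Cloudflare/Google; it assumes the environment variables CF_API_TOKEN and CF_ZONE_ID (hypothetical names) and gcloud on PATH, and the API/gcloud calls are injectable so the flow can be exercised offline.

```python
# Added example (not from the thread): grey-cloud the Cloudflare record while a GCP
# Google-managed cert validates, then re-proxy. Assumes env vars CF_API_TOKEN and
# CF_ZONE_ID (hypothetical names) and gcloud on PATH.
import json, os, subprocess, time, urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

def cf_request(method, path, body=None):
    """Minimal Cloudflare v4 API call; bearer token comes from CF_API_TOKEN."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(CF_API + path, data=data, method=method, headers={
        "Authorization": "Bearer " + os.environ["CF_API_TOKEN"],
        "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def gcloud_describe(cert_name):
    return subprocess.check_output(["gcloud", "compute", "ssl-certificates", "describe",
                                    cert_name, "--global", "--format=json"], text=True)

def find_record(records, name):
    """Pick the address record for `name` out of a list_dns_records result."""
    for rec in records:
        if rec["name"] == name and rec["type"] in ("A", "AAAA", "CNAME"):
            return rec
    raise LookupError(f"no A/AAAA/CNAME record for {name}")

def managed_cert_status(describe_json):
    """Return (certificate status, per-domain status map) from gcloud's JSON."""
    managed = json.loads(describe_json).get("managed", {})
    return managed.get("status"), managed.get("domainStatus", {})

def validate_behind_cloudflare(name, cert_name, zone=None, cf=cf_request,
                               describe=gcloud_describe, sleep=time.sleep, max_polls=30):
    """Grey-cloud for the validation window only, then always re-proxy (even on error)."""
    zone = zone or os.environ["CF_ZONE_ID"]
    rec = find_record(cf("GET", f"/zones/{zone}/dns_records?name={name}")["result"], name)
    if not rec["proxied"]:
        return "not-proxied"          # the orange cloud is not what blocks validation
    path = f"/zones/{zone}/dns_records/{rec['id']}"
    cf("PATCH", path, {"proxied": False})
    try:
        for _ in range(max_polls):
            status, domains = managed_cert_status(describe(cert_name))
            if status == "ACTIVE" and domains.get(name) == "ACTIVE":
                return "active"
            sleep(60)                 # GCP retries a FAILED_NOT_VISIBLE domain itself
        return "timeout"
    finally:
        cf("PATCH", path, {"proxied": True})   # never leave the origin exposed
```

Run it right after creating the managed cert; the `finally` guarantees the proxy is restored even if validation times out.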