Migrating an LB from non-proxied to proxied


Because the UX to create this post falsely detects too many links in my post, first, a couple of definitions:

I have an LB for PRODUCTION_GSLB that is currently non-proxied. This LB has a couple of pools and origins that are able to receive and process HTTPS queries for PRODUCTION. There is a CNAME DNS entry for PRODUCTION that points to PRODUCTION_GSLB, and clients do HTTPS over PRODUCTION.

This works fine, but I would like to move SSL termination to Cloudflare. I cannot really change the name used by clients, so, naively, I would have thought that it should be sufficient to:

  1. delete the PRODUCTION entry from the DNS
  2. configure the Cloudflare LB to do proxying and change its name from PRODUCTION_GSLB to PRODUCTION.

So, I did that. As expected, DNS queries for PRODUCTION started to resolve to some Cloudflare SSL-termination endpoint. However, sadly, it looks like the Cloudflare servers did not know about PRODUCTION:

$ curl -v  https://PRODUCTION/health --resolve PRODUCTION:443:
* processing: https://PRODUCTION/health
* Added PRODUCTION:443: to DNS cache
* Hostname PRODUCTION was found in DNS cache
*   Trying
* Connected to PRODUCTION ( port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* OpenSSL/3.1.1: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection
curl: (35) OpenSSL/3.1.1: error:0A000410:SSL routines::sslv3 alert handshake failure

Now, I can imagine that generating certificates for PRODUCTION and distributing them to all servers involved might take some time, which might explain what I have observed.

However, I’d like to know what the right strategy would be to execute this migration: anyone?
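As an added example, not part of the original post or of any Cloudflare tooling: the failure above is visible before the DNS record is touched, because the edge can be probed directly with the final hostname as SNI (the same thing `curl --resolve` does). The script below connects to a given edge IP with the SNI set to the hostname, reports a handshake failure like the one in the post, and, if the handshake succeeds, checks that the certificate the edge presents actually lists the hostname in its SANs (single-label wildcard matching as in RFC 6125). The hostname and IP in the `__main__` block are constructed placeholders, not values from the post.

```python
"""Pre-cutover TLS probe: does the edge already serve a valid certificate for the
hostname that clients will keep using?  (Added example; names below are placeholders.)"""
import socket
import ssl


def hostname_covered(hostname, sans):
    """Return True if any DNS SAN covers `hostname`.

    Exact match is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only in the leftmost label and only for a single label, so
    '*.example.com' covers 'prod.example.com' but not 'a.b.example.com' or
    'example.com' itself.
    """
    host = hostname.lower().rstrip(".")
    for san in sans:
        s = san.lower().rstrip(".")
        if s == host:
            return True
        if s.startswith("*."):
            suffix = s[1:]  # '.example.com'
            if host.endswith(suffix) and host.count(".") == s.count("."):
                return True
    return False


def probe_edge(hostname, edge_ip, port=443, timeout=5.0):
    """Connect to edge_ip with SNI=hostname (what `curl --resolve` does) and
    return (ok, detail).

    The chain is still verified against the system trust store; only the
    built-in hostname check is disabled so that a mismatched certificate is
    reported with its SANs instead of as an opaque verification error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((edge_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLError as exc:
        # An edge with no certificate for this SNI typically answers with a
        # handshake_failure alert, which is what the post's curl run shows.
        return False, f"handshake failed for SNI {hostname}: {exc}"
    except OSError as exc:
        return False, f"connect to {edge_ip}:{port} failed: {exc}"
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not hostname_covered(hostname, sans):
        return False, f"certificate does not cover {hostname}; SANs: {sans}"
    return True, f"{hostname} is served with a matching certificate; SANs: {sans}"


if __name__ == "__main__":
    # Placeholder values (constructed): the hostname clients will keep using and
    # the IP the proxied record is expected to resolve to.  Run this before
    # deleting the old DNS entry; only cut over once it reports ok.
    ok, detail = probe_edge("PRODUCTION.example.invalid", "192.0.2.10")
    print("OK " if ok else "FAIL ", detail)
```

The pure matching logic is separated from the network call so the decision rule can be checked offline; in practice the probe is run against the edge IP with the final hostname until it returns ok, and the old DNS entry is removed only after that.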