Troubleshoot SSL certificates

The troubleshooting procedures depend on the type of SSL certificates that are used.

Troubleshoot self-managed SSL certificates

This guide describes how to troubleshoot configuration issues for self-managed SSL certificates.

Certificate cannot be parsed

Trusted Cloud requires certificates in PEM format. A PEM certificate file begins with a -----BEGIN CERTIFICATE----- line; if your file looks like that, check that OpenSSL can actually parse it.

Run the following OpenSSL command, replacing CERTIFICATE_FILE with the path to your certificate file:

    openssl x509 -in CERTIFICATE_FILE -text -noout

If OpenSSL is unable to parse your certificate:

Missing common name or subject alternative name

Trusted Cloud requires that your certificate have a common name (CN) in its subject, a subject alternative name (SAN) extension, or both. Note that most current TLS clients ignore the CN and match the host name against the SAN only, so a certificate issued for a domain should always carry a SAN. See Create a CSR for additional information.

When both attributes are absent, Trusted Cloud displays an error message like the following when you try to create a self-managed certificate:

ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
 -   The SSL certificate is missing a Common Name(CN) or Subject Alternative
   Name(SAN).
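The following shell functions, added here as an example and not part of the Trusted Cloud documentation, run the checks described under "Certificate cannot be parsed" and "Missing common name or subject alternative name" before you upload. They assume the openssl CLI is installed; file names are arguments. The DER branch handles the most common cause of a parse failure (a DER-encoded file given where PEM is required); note that OpenSSL 3 already autodetects DER, in which case the first branch succeeds and the PEM conversion is implicit.

```sh
# Added example (not from the Trusted Cloud docs). Assumes the openssl CLI.

# Print the PEM form of certificate $1 to stdout.
# Accepts PEM as-is; if openssl can read the file only as DER, converts it.
# Returns 1 if openssl can parse it in neither form.
cert_to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo "$1: DER encoded, converting to PEM" >&2
        openssl x509 -in "$1" -inform DER -outform PEM
    else
        echo "$1: not a PEM or DER X.509 certificate" >&2
        return 1
    fi
}

# Return 0 if PEM certificate $1 carries a CN in its subject or a SAN
# extension, 1 otherwise (the "missing CN or SAN" rejection above).
cert_has_name() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 1
    case "$subj" in *CN=*) return 0 ;; esac
    openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name' && return 0
    echo "$1: no Common Name and no Subject Alternative Name" >&2
    return 1
}

# Full preflight: write a PEM copy of $1 to $2, then verify it has a name.
preflight_cert() {
    cert_to_pem "$1" > "$2" || return 1
    cert_has_name "$2"
}
```

Usage: preflight_cert server.crt server.pem; a non-zero exit tells you which of the two conditions above the file fails, before gcloud reports it.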

Private key cannot be parsed

Trusted Cloud requires PEM-formatted private keys that meet the private key criteria.

You can validate your private key using the following OpenSSL command, replacing PRIVATE_KEY_FILE with the path to your private key:

    openssl rsa -in PRIVATE_KEY_FILE -check

The following responses indicate a problem with your private key:

  • unable to load Private Key
  • Expecting: ANY PRIVATE KEY
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: dmq1 not congruent to d
  • RSA key error: iqmp not inverse of q

A key that produces any of these errors can't be repaired. Generate a new private key, obtain a new certificate for it, and upload both.

Private keys with passphrases

If OpenSSL prompts for a passphrase, the key is encrypted. Trusted Cloud can't use an encrypted key, so remove the passphrase first. The following OpenSSL command prompts for the existing passphrase and writes an unencrypted copy:

    openssl rsa -in PRIVATE_KEY_FILE \
        -out REPLACEMENT_PRIVATE_KEY_FILE

Replace the placeholders with valid values:

  • PRIVATE_KEY_FILE: The path to your private key that's protected with a passphrase
  • REPLACEMENT_PRIVATE_KEY_FILE: The path where you'd like to save the unencrypted copy of your private key

Treat REPLACEMENT_PRIVATE_KEY_FILE as a secret: restrict its file permissions to your own user and delete it once the self-managed certificate has been created.
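The following shell functions, added here as an example and not part of the Trusted Cloud documentation, prepare a private key for upload: they detect a passphrase-protected key, strip the passphrase non-interactively (so the command doesn't hang waiting for a prompt in a script), write the plaintext copy with owner-only permissions, and then run the same openssl rsa -check validation described above. They assume the openssl CLI; passing the passphrase as a function argument is an assumption for scripted use, and in practice it should come from a secret store rather than a script.

```sh
# Added example (not from the Trusted Cloud docs). Assumes the openssl CLI.

# Return 0 if PEM private key $1 is passphrase protected.
# Matches both "Proc-Type: 4,ENCRYPTED" (PKCS#1) and
# "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# prepare_key IN OUT [PASSPHRASE]: write an unencrypted PEM copy of IN to OUT
# (decrypting with PASSPHRASE if IN is encrypted), then verify it with
# "openssl rsa -check". Returns 1 and removes OUT on any failure.
prepare_key() {
    in=$1; out=$2; pass=$3
    if key_is_encrypted "$in"; then
        # Subshell so umask 077 (owner-only plaintext key) doesn't leak out.
        ( umask 077; openssl rsa -in "$in" -passin "pass:$pass" -out "$out" 2>/dev/null ) || {
            echo "$in: cannot decrypt (wrong passphrase or not an RSA key)" >&2
            rm -f "$out"
            return 1
        }
    else
        ( umask 077; cp "$in" "$out" ) || return 1
    fi
    # The consistency checks listed above: n = p*q, d*e = 1 mod lcm, CRT parts.
    if ! openssl rsa -in "$out" -check -noout 2>/dev/null; then
        echo "$out: fails openssl rsa -check; generate a new key pair" >&2
        rm -f "$out"
        return 1
    fi
    ! key_is_encrypted "$out"
}
```

Usage: prepare_key server.key server-plain.key "$PASSPHRASE"; on success server-plain.key is the file to pass to gcloud, and it should be deleted after the certificate resource exists.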

Expiring intermediate certificates

If an intermediate certificate expires before the server (leaf) certificate it signed, your CA isn't following best practice: an intermediate should always outlive the certificates issued under it.

When an intermediate certificate expires, some clients reject the chain you uploaded to Trusted Cloud even though the leaf certificate itself hasn't expired. The behaviour depends on the SSL client, as follows:

  • Some SSL clients only check the expiry time of the leaf certificate and ignore expired intermediate certificates.
  • Some SSL clients treat a chain with any expired intermediate certificate(s) as invalid and display a warning.

To resolve this issue:

  1. Wait for the CA to switch to a new intermediate certificate.
  2. Request a new certificate from the CA, issued under the new intermediate.
  3. Upload the new certificate, with the new intermediate in its chain, together with its private key as a new self-managed certificate.

Your CA might also provide a cross-signed version of the intermediate certificate; because it carries the same key, it lets you rebuild the chain without re-issuing the leaf certificate. Check with your CA to confirm.
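The following shell functions, added here as an example and not part of the Trusted Cloud documentation, inspect a PEM chain file in upload order (leaf first, then intermediates) and flag any intermediate whose notAfter date is earlier than the leaf's, which is the condition this section describes. They assume the openssl CLI and GNU date (for date -d); the chain file name is an argument.

```sh
# Added example (not from the Trusted Cloud docs). Assumes openssl and GNU date.

# split_chain FILE DIR: write each certificate of PEM bundle FILE to
# DIR/cert1.pem, DIR/cert2.pem, ... (cert1 is the leaf).
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# notAfter of certificate $1 as a Unix timestamp.
cert_not_after() {
    date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}

# check_chain_expiry FILE: return 0 if every intermediate outlives the leaf,
# 1 (with a warning per offender) if any intermediate expires first.
check_chain_expiry() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    leaf_exp=$(cert_not_after "$dir/cert1.pem") || { rm -rf "$dir"; return 1; }
    status=0
    for f in "$dir"/cert*.pem; do
        [ "$f" = "$dir/cert1.pem" ] && continue      # skip the leaf itself
        exp=$(cert_not_after "$f")
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253)
        if [ "$exp" -lt "$leaf_exp" ]; then
            echo "WARNING: $subj expires $(date -u -d "@$exp") before the leaf" >&2
            status=1
        fi
    done
    rm -rf "$dir"
    return $status
}
```

Usage: check_chain_expiry fullchain.pem. Run it on the chain you are about to upload, and again when a CA announces an intermediate rotation, since the check only covers the intermediates in your file, not whatever the CA has since issued.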

RSA public exponent is too large

The following error message appears when the RSA public exponent is larger than 65537. Use 65537 (0x10001), the conventional value, as specified in RFC 4871. Most key generators use it by default, so the error normally means the key was generated with a non-default exponent and must be regenerated.

ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
 -   The RSA public exponent is too large.
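The following shell functions, added here as an example and not part of the Trusted Cloud documentation, read the RSA public exponent out of a PEM certificate or private key and compare it with the limit this error describes, so you can catch it before uploading. They assume the openssl CLI; file names are arguments.

```sh
# Added example (not from the Trusted Cloud docs). Assumes the openssl CLI.

# Print the decimal RSA public exponent of PEM certificate or key $1
# (empty output if the file has no RSA public key).
rsa_exponent() {
    # "openssl x509 -text" prints "Exponent: 65537 (0x10001)";
    # "openssl rsa -text" prints "publicExponent: 65537 (0x10001)".
    if grep -q 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -noout -text
    else
        openssl rsa -in "$1" -noout -text
    fi | awk '/[Ee]xponent:/ { print $2; exit }'
}

# Return 0 if exponent $1 is acceptable: odd (an RSA requirement) and no
# larger than 65537 (the Trusted Cloud limit described above).
exponent_ok() {
    [ "$1" -le 65537 ] && [ $(( $1 % 2 )) -eq 1 ]
}

# check_rsa_exponent FILE: report and return 1 if the exponent would be rejected.
check_rsa_exponent() {
    e=$(rsa_exponent "$1")
    [ -n "$e" ] || { echo "$1: no RSA exponent found (not an RSA key?)" >&2; return 1; }
    if exponent_ok "$e"; then
        echo "$1: e=$e ok"
    else
        echo "$1: e=$e too large; regenerate the key with e=65537" >&2
        return 1
    fi
}
```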

Remove SSL certificate from target-proxy

The following steps show how to detach a single SSL certificate from a target HTTPS proxy:

  1. Export the target-https-proxy to a temporary file.

    gcloud compute target-https-proxies export TARGET_PROXY_NAME > /tmp/proxy
    
  2. Edit the /tmp/proxy file. In the sslCertificates list, delete the entry for the certificate you want to remove, leaving any other entries in place; if it was the only entry, remove the sslCertificates: key as well. For a proxy with a single certificate, the lines to remove look like this:

    sslCertificates:
    -   https://www.googleapis.com/compute/v1/projects/...
    
  3. Import the /tmp/proxy file.

    gcloud compute target-https-proxies import TARGET_PROXY_NAME \
       --source=/tmp/proxy
    
  4. Optional: Delete the SSL certificate. This only succeeds once no target proxy references the certificate any more.

    gcloud compute ssl-certificates delete SSL_CERT_NAME
    

Replace the following:

  • TARGET_PROXY_NAME: the name of the target HTTPS proxy resource.
  • SSL_CERT_NAME: the name of the SSL certificate resource.
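The editing step above is the one that is easy to get wrong on a proxy with several certificates. The following shell function, added here as an example and not part of the Trusted Cloud documentation, performs that edit offline on the exported file: it removes one list entry (by full URL or by certificate name), keeps the other entries, and drops the sslCertificates: key only when the list becomes empty. The sample document is constructed to mirror the layout that gcloud compute target-https-proxies export produces; the project, proxy and certificate names in it are assumptions.

```sh
# Added example (not from the Trusted Cloud docs). Needs only awk and mktemp.

# drop_cert FILE CERT: rewrite exported proxy FILE without the sslCertificates
# entry CERT (either the full resource URL or just the certificate name).
drop_cert() {
    file=$1; cert=$2
    tmp=$(mktemp)
    awk -v cert="$cert" '
        # Buffer the list so we can decide whether anything is left in it.
        /^sslCertificates:/ { inblock = 1; kept = 0; next }
        inblock && /^- / {
            if ($2 != cert && $2 !~ ("/" cert "$")) items[kept++] = $0
            next
        }
        inblock {                         # first line after the list: flush it
            if (kept > 0) { print "sslCertificates:"; for (i = 0; i < kept; i++) print items[i] }
            inblock = 0
        }
        { print }
        END {                             # list was the last thing in the file
            if (inblock && kept > 0) { print "sslCertificates:"; for (i = 0; i < kept; i++) print items[i] }
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample export of a proxy with two certificates attached
# (names and project are assumptions, not real resources).
SAMPLE_PROXY='name: my-https-proxy
sslCertificates:
- https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/cert-old
- https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/cert-new
urlMap: https://www.googleapis.com/compute/v1/projects/my-project/global/urlMaps/my-map'
```

Usage, following the steps above: export to /tmp/proxy, run drop_cert /tmp/proxy cert-old, then import. When you already know the full set of certificates that should remain, gcloud compute target-https-proxies update TARGET_PROXY_NAME --ssl-certificates=REMAINING_CERTS achieves the same result without editing the export.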