If you are not sure if the website you would like to visit is secure, you can verify it here. Enter the website address of the page and see parts of its content and the thumbnail images on this site. None (if any) dangerous scripts on the referenced page will be executed. Additionally, if the selected site contains subpages, you can verify it (review) in batches containing 5 pages.
favicon.ico: docs.cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting - Troubleshoot SSL certificates .

site address: docs.cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting redirected to: docs.cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting

site title: Troubleshoot SSL certificates     Cloud Load Balancing     Google Cloud Documentation

Our opinion (on Saturday 18 July 2026 20:56:37 UTC):

GREEN status (no comments) - no comments
After content analysis of this website we propose the following hashtags:



Meta tags:

Headings (most frequently used words):

certificates, managed, troubleshoot, ssl, certificate, with, and, status, domain, cannot, be, parsed, name, private, stay, organized, collections, save, categorize, content, based, on, your, preferences, google, self, renewal, multi, perspective, validation, missing, common, or, subject, alternative, key, keys, passphrases, expiring, intermediate, rsa, public, exponent, is, too, large, remove, from, target, proxy, products, pricing, support, resources, engage, verify, configuration, changes, load, balancers, behind, cdn,

Text of the page (most frequently used words):
the (157), load (87), certificate (83), and (71), balancer (59), with (48), cloud (47), your (47), google (46), #managed (43), set (42), for (35), ssl (35), #certificates (35), backend (35), overview (32), backends (29), dns (26), domain (26), status (24), that (24), you (23), proxy (21), can (21), neg (21), this (20), target (18), key (17), instance (17), use (16), using (16), provisioning (16), global (16), balancing (16), group (16), following (15), private (15), https (14), new (13), hybrid (13), zonal (13), compute (12), configuration (12), validation (12), external (12), management (12), from (11), error (11), create (11), traffic (11), application (11), other (10), rsa (10), balancers (10), records (10), internet (10), are (9), name (9), gcloud (9), might (9), check (9), troubleshoot (9), address (9), service (9), buckets (9), custom (9), architecture (8), not (8), intermediate (8), any (8), openssl (8), have (8), domains (8), forwarding (8), run (8), regional (8), see (7), all (7), thumb (7), information (7), cross (7), resolve (7), issue (7), only (7), time (7), http (7), based (7), ensure (7), storage (7), url (7), negs (7), internal (7), mtls (7), add (7), capabilities (7), sign (6), resources (6), more (6), policies (6), request (6), path (6), command (6), cdn (6), multi (6), correct (6), process (6), active (6), verify (6), changes (6), propagation (6), multiple (6), aaaa (6), record (6), renewal (6), authority (6), network (6), serverless (6), premises (6), shared (6), vpc (6), code (5), contact (5), delete (5), proxies (5), remove (5), attached (5), when (5), common (5), self (5), doesn (5), perspective (5), has (5), take (5), fail (5), ipv6 (5), rules (5), get (5), failed (5), because (5), troubleshooting (5), metrics (5), tcp (5), redirect (5), português (4), español (4), down (4), updated (4), content (4), resource (4), tmp (4), file (4), switch (4), clients (4), private_key_file (4), requests (4), been (4), minutes (4), across (4), addresses (4), failed_not_visible (4), map (4), frontend (4), classic (4), takes (4), hours (4), but (4), created (4), describe (4), tools (4), maps (4), services (4), view (4), logs (4), monitor (4), configure (4), terraform (4), examples (4), region (4), headers (4), third (3), about (3), samples (3), support (3), problem (3), missing (3), need (3), target_proxy_name (3), steps (3), how (3), public (3), exponent (3), make (3), sure (3), keys (3), some (3), expired (3), leaf (3), expires (3), passphrase (3), values (3), must (3), congruent (3), responses (3), requires (3), pem (3), subject (3), alternative (3), help (3), format (3), provision (3), authorization (3), provider (3), behind (3), correctly (3), setup (3), point (3), same (3), existing (3), cause (3), associated (3), rule (3), typically (3), continues (3), remains (3), provisioning_failed (3), data (3), guides (3), networking (3), health (3), connectivity (3), tls (3), explore (3), tutorials (3), connected (3), networks (3), directory (3), registration (3), distribution (3), udp (3), migrate (3), 한국어 (2), 日本語 (2), עברית (2), brasil (2), italiano (2), indonesia (2), français (2), américa (2), latina (2), deutsch (2), english (2), terms (2), site (2), youtube (2), started (2), pricing (2), products (2), understand (2), last (2), 2026 (2), utc (2), licensed (2), under (2), its (2), license (2), send (2), feedback (2), ssl_cert_name (2), replace (2), import (2), export (2), could (2), fetch (2), too (2), large (2), message (2), than (2), 65537 (2), signing (2), them (2), invalid (2), follows (2), before (2), server (2), indicate (2), isn (2), best (2), practices (2), like (2), save (2), text (2), replacement_private_key_file (2), valid (2), out (2), unable (2), validate (2), replacing (2), formatted (2), cannot (2), parsed (2), san (2), additional (2), either (2), certificate_file (2), describes (2), issues (2), such (2), recommend (2), method (2), manager (2), party (2), prevent (2), serves (2), mpic (2), works (2), issued (2), two (2), after (2), configured (2), step (2), without (2), consistently (2), specify (2), needs (2), directly (2), document (2), geodns (2), location (2), subdomains (2), failures (2), authorities (2), cas (2), renew (2), fails (2), connection (2), don (2), overlapping (2), aren (2), previous (2), caa (2), followed (2), procedure (2), retry (2), even (2), resolved (2), port (2), 443 (2), update (2), significant (2), amount (2), fully (2), propagated (2), sometimes (2), worldwide (2), although (2), few (2), until (2), complete (2), resolves (2), completed (2), working (2), explanation (2), certificate_name (2), renewal_failed (2), state (2), replacement (2), provisioning_failed_permanently (2), availability (2), documentation (2), sdk (2), languages (2), frameworks (2), infrastructure (2), costs (2), usage (2), access (2), security (2), observability (2), monitoring (2), migration (2), industry (2), solutions (2), distributed (2), multicloud (2), databases (2), analytics (2), pipelines (2), hosting (2), development (2), logging (2), pools (2), tags (2), checks (2), optimizations (2), workload (2), identity (2), protocol (2), next (2), failover (2), protocols (2), concepts (2), pool (2), convert (2), capacity (2), over (2), web (2), routing (2), app (2), engine (2), functions (2), constraints (2), console (2), product (2), reference (2), technology (2), areas (2), close (2), subscribe, newsletter, our, decade, climate, action, join, manage, cookies, privacy, tech, twitter, events, blog, engage, training, certification, center, getting, github, system, release, notes, community, forums, sales, marketplace, easy, easytounderstand, solved, solvedmyproblem, otherup, hard, hardtounderstand, incorrect, sample, incorrectinformationorsamplecode, missingtheinformationsamplesineed, otherdown, tell, except, otherwise, noted, page, details, java, registered, trademark, oracle, affiliates, developers, apache, creative, commons, attribution, optional, source, www, googleapis, com, projects, sslcertificates, edit, lines, temporary, demonstrate, single, appears, larger, specified, rfc, 4871, also, allow, confirm, upload, wait, treat, chain, display, warning, look, expire, ignore, used, become, depends, client, expiring, where, copy, plain, protected, placeholders, prompts, passphrases, fix, iqmp, inverse, dmq1, dmp1, does, equal, expecting, meet, criteria, both, attributes, absent, displays, try, attribute, csr, parse, x509, noout, guide, cases, latter, approach, require, migrating, enabled, providers, succeeding, happen, actively, proxying, tool, creation, confirms, becomes, indicates, thereby, confirming, earlier, avoid, having, separate, interrupt, they, creating, connecting, along, forces, immediate, letting, within, automatic, renewals, days, weeks, leaving, uncertainty, recommended, checker, choice, relevant, globe, explicitly, layers, unpredictable, behavior, accessible, redirects, firewalls, cdns, learn, section, returning, different, lead, inconsistent, uses, disable, regions, return, which, performs, queries, locations, responds, ipv4, existence, misconfigured, note, periodically, renews, requesting, known, part, control, checking, settings, attempting, these, verifications, conducted, vantage, points, result, causing, browser, users, encounter, errors, api, experience, issuance, corroboration, review, requirements, delayed, requested, short, span, sets, processed, parallel, one, per, attempts, incorrectly, whereas, much, less, important, rate, limited, failed_rate_limited, failed_caa_forbidden, failed_caa_checking, gets, precedence, ignored, detaching, ports, include, adding, newly, example, something, else, hasn, successfully, validated, provisioned, once, well, described, table, domainstatus, pointing, serve, shortly, afterwards, permanently, briefly, actually, recheck, retries, successful, obtained, available, running, moment, recently, propagate, there, types, diagnose, problems, protect, transit, deployments, categorize, preferences, stay, organized, collections, home, clean, audit, operate, maintain, size, quota, units, subnets, endpoint, groups, names, firewall, draining, advanced, customize, post, quantum, authenticated, user, provided, mutual, encryption, secure, between, deploy, hub, spoke, hop, appliances, hops, affinity, weighted, passthrough, testing, optimize, latency, deliver, published, faster, performance, improved, protection, high, rewrite, header, query, parameter, roll, back, response, project, bucket, organization, policy, iam, conditions, roles, permissions, feature, comparison, model, choose, discover, start, free, skip, main,


Text of the page (random words):
internal load balancer architecture overview set up cross region load balancer managed vm instance group backends on premises or other cloud backends zonal and hybrid neg set up regional load balancer managed vm instance group backends zonal neg backends hybrid connectivity hybrid negs external backend internet neg add capabilities load balancing and connected networks view logs and metrics convert load balancer to ipv6 passthrough network load balancer tcp udp overview external load balancer backend service based architecture traffic distribution concepts target pool based architecture set up load balancer vm instance group backends tcp udp only vm instance group backends multiple protocols zonal neg backends target pool based load balancer add capabilities configure failover configure weighted load balancing migrate from target pools to backend services service directory registration explore tutorials use udp with network load balancers monitor and troubleshoot view logs and metrics troubleshooting internal load balancer architecture overview traffic distribution concepts set up load balancer terraform examples vm instance group backends vm instance group backend for multiple protocols zonal neg backends add capabilities configure failover zonal affinity load balancers as next hops overview set up load balancing for third party appliances forwarding rules that use a common ip address service directory registration load balancing and connected networks explore tutorials set up load balancer as next hop with tags deploy a hub and spoke network set up a load balancer with internal ipv6 only backends monitor and troubleshoot view logs and metrics troubleshooting protocol forwarding overview set up protocol forwarding switch between a target instance and a backend service secure ssl certificates overview use self managed ssl certificates use google managed ssl certificates encryption to the backends troubleshooting ssl policies overview use ssl policies mutual tls frontend mtls overview set up frontend mtls with user provided certificates set up frontend mtls with a private ca backend mtls overview set up backend authenticated tls set up backend mtls backend mtls with managed workload identity overview set up backend mtls using managed workload identity post quantum tls authorization policies overview set up authorization policies customize load balancer advanced load balancing optimizations backend buckets backend services connection draining firewall rules forwarding rules health checks overview use health checks internal dns names ipv6 network endpoint groups overview hybrid connectivity negs internet negs serverless negs zonal negs overview set up zonal negs proxy only subnets tags target pools target proxies url maps overview use url maps url map size and quota units operate and maintain audit logging information health check logging information clean up a load balancer setup ai and ml application development application hosting compute data analytics and pipelines databases distributed hybrid and multicloud industry solutions migration networking observability and monitoring security storage access and resources management costs and usage management infrastructure as code sdk languages frameworks and tools home documentation networking load balancing guides send feedback troubleshoot ssl certificates stay organized with collections save and categorize content based on your preferences this document describes how to diagnose and resolve common problems with google managed and self managed ssl certificates valid ssl certificates protect data in transit and help ensure service availability for your load balancing deployments troubleshoot google managed certificates for google managed certificates there are two types of status managed status domain status managed status to check the certificate status run the following command gcloud compute ssl certificates describe certificate_name global format get name managed status values for managed status are as follows managed status explanation provisioning the google managed certificate has been created and google cloud is working with the certificate authority to sign it provisioning a google managed certificate might take up to 60 minutes from the moment your dns and load balancer configuration changes have propagated across the internet if you have updated your dns configuration recently it can take a significant amount of time for the changes to fully propagate sometimes propagation takes up to 72 hours worldwide although it typically takes a few hours for more information on dns propagation see propagation of changes if the certificate remains in the provisioning state make sure that the correct certificate is associated with the target proxy you can check this by running either the gcloud compute target https proxies describe or the gcloud compute target ssl proxies describe command active the google managed ssl certificate is obtained from the certificate authority it might take an additional 30 minutes to be available for use by a load balancer provisioning_failed you might briefly see provisioning_failed even when your certificate is actually active recheck the status if the status remains provisioning_failed the google managed certificate has been created but the certificate authority can t sign it ensure that you completed all steps in using google managed ssl certificates google cloud retries provisioning until successful or the status changes to provisioning_failed_permanently provisioning_failed_permanently the google managed certificate is created but the certificate authority can t sign it because of a dns or load balancer configuration issue in this state google cloud doesn t retry provisioning create a replacement google managed ssl certificate and make sure that the replacement is associated with your load balancer s target proxy verify or complete all steps in using google managed ssl certificates afterwards you can delete the certificate that permanently failed provisioning renewal_failed the google managed certificate renewal failed because of an issue with the load balancer or dns configuration if any of the domains or subdomains in a managed certificate aren t pointing to the load balancer s ip address by using an a aaaa record the renewal process fails the existing certificate continues to serve but expires shortly check your configuration if the status remains renewal_failed provision a new certificate switch to using the new certificate and delete the previous certificate for more information about certificate renewal see google managed ssl certificate renewal domain status to check the domain status run the following command gcloud compute ssl certificates describe certificate_name global format get managed domainstatus values for domain status are described in this table domain status explanation provisioning the google managed certificate is created for the domain google cloud is working with the certificate authority to sign the certificate active the domain has been successfully validated for provisioning the certificate if the ssl certificate is for multiple domains the certificate can only be provisioned once all the domains have an active status and the managed status of the certificate is active as well failed_not_visible certificate provisioning hasn t completed for the domain any of the following might be the issue the domain s dns record doesn t resolve to the ip address of the google cloud load balancer to resolve this issue update the dns a and aaaa records to point to your load balancer s ip address dns must not resolve to any other ip address than the load balancer s for example if an a record resolves to the correct load balancer but the aaaa resolves to something else the domain status is failed_not_visible newly updated dns a and aaaa records can take a significant amount of time to be fully propagated sometimes propagation across the internet takes up to 72 hours worldwide although it typically takes a few hours the domain status continues to be failed_not_visible until propagation is complete the ssl certificate isn t attached to the load balancer s target proxy to resolve this issue update your load balancer configuration the frontend ports for the forwarding rule don t include port 443 for application load balancers global or classic or external proxy network load balancers this can be resolved by adding a new forwarding rule with port 443 a certificate manager certificate map is attached to the target proxy the attached certificate map gets precedence and directly attached certificates are ignored this can be resolved by detaching the certificate map from the proxy if the managed status is provisioning google cloud continues to retry provisioning even if the domain status is failed_not_visible failed_caa_checking certificate provisioning failed because of a configuration issue with your domain s caa record ensure that you have followed the correct procedure failed_caa_forbidden certificate provisioning failed because your domain s caa record doesn t specify a ca that google cloud needs to use ensure that you have followed the correct procedure failed_rate_limited certificate provisioning failed because a certificate authority has rate limited certificate signing requests you can provision a new certificate switch to using the new certificate and delete the previous certificate or you can contact google cloud support important for google managed certificates the provisioning process might get delayed if multiple certificates with overlapping domains are requested in a short span of time certificate requests with overlapping sets of domains aren t processed in parallel google cloud only issues one managed certificate per domain at a time attempts for certificates with incorrectly configured domains time out after 30 minutes whereas certificates with correctly set domains typically get issued in much less time managed certificate renewal to help ensure that your certificates don t fail the domain validation step of the renewal process review the requirements for your dns a and aaaa records multi perspective domain validation google cloud periodically renews your google managed certificates by requesting them from certificate authorities cas the cas that google cloud works with to renew your certificates use a multi perspective domain validation method known as multi perspective issuance corroboration mpic as part of this process the certificate authorities verify domain control by checking the domain s dns settings and attempting to contact the server behind the domain s ip address these verifications are conducted from multiple vantage points across the internet if the validation process fails google managed certificates fail to renew as a result your load balancer serves an expired certificate to clients causing browser users to encounter certificate errors and api clients to experience connection failures to prevent multi perspective domain validation failures for misconfigured dns records note the following your dns a records ipv4 and dns aaaa ipv6 records for your domains and any subdomains point only to the ip address or addresses associated with the load balancer s forwarding rule or rules the existence of any other addresses in the record can cause validation to fail the ca which performs validation of dns records queries dns records from multiple locations ensure that your dns provider responds consistently to all the global domain validation requests using geodns returning different ip addresses based on the request location or location based dns policies can lead to inconsistent responses and cause validation to fail if your dns provider uses geodns disable it or ensure that all regions return the same load balancer s ip address you must explicitly specify the ip addresses of your load balancer in your dns configuration intermediate layers such as a cdn can cause unpredictable behavior the ip address needs to be directly accessible without any redirects firewalls or cdns in the request path to learn more see the load balancers behind a cdn section in this document we recommended that you use a dns global propagation checker of your choice to verify that all the relevant dns records resolve correctly and consistently across the globe verify configuration changes after you have configured your dns records you can verify that they are correct by creating a new certificate and connecting it to your load balancer along with the existing certificate this step forces an immediate certificate provisioning check with the ca letting you verify your configuration changes within minutes without this automatic renewals of the existing certificate can take days or weeks leaving uncertainty about your setup if the certificate status becomes active it indicates that the certificate has been issued thereby confirming that your dns configuration is correct at this point we recommend that you remove the earlier certificate to avoid having two separate certificates for the same domain this process doesn t interrupt traffic to your load balancer the new certificate serves as a validation tool its creation confirms that multi perspective domain validation using mpic works correctly for your setup load balancers behind a cdn for load balancers that have cdn enabled some third party cdn providers in the request path might prevent validation requests from succeeding this can happen if the cdn provider is actively proxying http s traffic in such cases we recommend migrating your certificates to certificate manager and using the dns authorization method to provision google managed certificates the latter approach doesn t require the ca to contact your load balancer troubleshoot self managed ssl certificates this guide describes how to troubleshoot configuration issues for self managed ssl certificates certificate cannot be parsed google cloud requires certificates in pem format if the certificate is pem formatted check the following you can validate your certificate using the following openssl command replacing certificate_file with the path to your certificate file openssl x509 in certificate_file text noout if openssl is unable to parse your certificate contact your ca for help create a new private key and certificate missing common name or subject alternative name google cloud requires that your certificate have either a common name cn or subject alternative name san attribute see create a csr for additional information when both attributes are absent google cloud displays an error message like the following when you try to create a self managed certificate error gcloud compute ssl certificates create could not fetch resource the ssl certificate is missing a common name cn or subject alternative name san private key cannot be parsed google cloud requires pem formatted private keys that meet the private key criteria you can validate ...
Thumbnail images (randomly selected): * Images may be subject to copyright.GREEN status (no comments)
  • Google Cloud Documentatio...

Verified site has: 216 subpage(s). Do you want to verify them? Verify pages:

1-5 6-10 11-15 16-20 21-25 26-30 31-35 36-40 41-45 46-50
51-55 56-60 61-65 66-70 71-75 76-80 81-85 86-90 91-95 96-100
101-105 106-110 111-115 116-120 121-125 126-130 131-135 136-140 141-145 146-150
151-155 156-160 161-165 166-170 171-175 176-180 181-185 186-190 191-195 196-200
201-205 206-210 211-215 216-216


The site also has 1 references to other resources (not html/xhtml )

 www.ietf.org/rfc/rfc4871.txt  Verify


Top 50 hastags from of all verified websites.

Supplementary Information (add-on for SEO geeks)*- See more on header.verify-www.com

Header

HTTP/1.1 301 Moved Permanently
location htt????/docs.cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting
x-cloud-trace-context d006a6ad545636d90bf6c6f7da3432cd
date Sat, 18 Jul 2026 20:56:36 GMT
content-type text/html
server Google Frontend
Content-Length 0
Connection close
HTTP/2 200
last-modified Fri, 10 Jul 2026 18:44:30 GMT
content-type text/html; charset=utf-8
vary Cookie
vary Accept-Encoding
content-security-policy base-uri self ; object-src none ; script-src strict-dynamic unsafe-inline https: http: nonce-G+wOlKFHn3mBs7byIvFTgloLVArv/g unsafe-eval ; frame-ancestors self htt????/developers.google.com/_d/analytics-iframe; report-uri htt????/csp.withgoogle.com/csp/devsite/v2
strict-transport-security max-age=63072000; includeSubdomains; preload
x-xss-protection 0
x-content-type-options nosniff
cache-control no-cache, must-revalidate
expires 0
pragma no-cache
content-encoding gzip
x-cloud-trace-context df31cfbc6cea69ce217c213fa3ef1f2f
date Sat, 18 Jul 2026 20:56:37 GMT
server Google Frontend
content-length 30375
alt-svc h3= :443 ; ma=2592000,h3-29= :443 ; ma=2592000

Meta Tags

title="Troubleshoot SSL certificates  |  Cloud Load Balancing  |  Google Cloud Documentation"
name="google-signin-client-id" content="721724668570-nbkv1cfusk7kk4eni4pjvepaus73b13t.apps.googleusercontent.com"
name="google-signin-scope" content="profile email htt????/www.googleapis.com/auth/developerprofiles htt????/www.googleapis.com/auth/developerprofiles.award htt????/www.googleapis.com/auth/devprofiles.full_control.firstparty"
property="og:site_name" content="Google Cloud Documentation"
property="og:type" content="website"
name="theme-color" content="#1a73e8"
charset="utf-8"
content="IE=Edge" http-equiv="X-UA-Compatible"
name="viewport" content="width=device-width, initial-scale=1"
property="og:title" content="Troubleshoot SSL certificates  |  Cloud Load Balancing  |  Google Cloud Documentation"
property="og:url" content="htt????/docs.cloud.google.com/load-balancing/docs/ssl-certificates/troubleshooting"
property="og:image" content="htt????/docs.cloud.google.com/_static/cloud/images/social-icon-google-cloud-1200-630.png"
property="og:image:width" content="1200"
property="og:image:height" content="630"
property="og:locale" content="en"
name="twitter:card" content="summary_large_image"
name="gtm_var" data-key="docType" data-value="troubleshooting"

Load Info

page size30375
load time (s)0.863154
redirect count1
speed download35196
server IP 172.217.22.174
* all occurrences of the string "http://" have been changed to "htt???/"