
Is it possible to delete "classic" ssl certificates from a target-https-proxy?


I recently updated a target-https-proxy to use a certificate map:

$ gcloud compute target-https-proxies list
NAME                             SSL_CERTIFICATES                             URL_MAP           CERTIFICATE_MAP
lb-global-legacy-target-proxy-2  cert-lb-global-legacy2,cert-lb-globalegacy3  lb-global-legacy  cert-map-1

My question is: How can I delete cert-lb-global-legacy2 and cert-lb-globalegacy3 since they are no longer needed due to cert-map-1?

Is this impossible?

The only workaround seems to be to:

  1. Create a new target-https-proxy that omits the ssl_certificates during creation
  2. Create a new forwarding rule with a new IP address that uses the new target-https-proxy (because it seems like forwarding rules are also immutable; can't use the existing IP address because it is currently in use by a different forwarding rule)
  3. Go into DNS and repoint every subdomain to the new IP address

This seems ridiculous for what should be a simple task (remove "classic" SSL certs from a target proxy that no longer needs them).


Solution

  • You can use the update command with --clear-ssl-certificates flag.

    Example:

     gcloud compute target-https-proxies update PROXY_NAME --global --clear-ssl-certificates
    

    That will delete classic certs, but keep certificate maps.

    Docs link: https://cloud.google.com/sdk/gcloud/reference/compute/target-https-proxies/update#--clear-ssl-certificates
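
A check to run after the update, added here as an example (it is not part of the original answer or of gcloud): it reads the table printed by `gcloud compute target-https-proxies list` and reports every proxy that has a certificate map but still lists classic certificates. The function names and the two extra sample rows are constructed, and the parsing assumes the space-padded column layout shown in the question.

```shell
#!/bin/sh
# Added example. Reads the `gcloud compute target-https-proxies list` table on
# stdin and prints "NAME<TAB>SSL_CERTIFICATES" for each proxy that has a
# CERTIFICATE_MAP and still lists classic certificates.
# Cells are cut by header offset, not by whitespace, so an empty
# SSL_CERTIFICATES cell does not shift the remaining columns.
proxies_with_leftover_certs() {
  awk '
    function trim(x) { gsub(/^[ \t]+|[ \t]+$/, "", x); return x }
    NR == 1 {
      n = index($0, "NAME");    s = index($0, "SSL_CERTIFICATES")
      u = index($0, "URL_MAP"); m = index($0, "CERTIFICATE_MAP")
      if (!n || !s || !u || !m) { print "unexpected header" > "/dev/stderr"; exit 2 }
      next
    }
    {
      name  = trim(substr($0, n, s - n))
      certs = trim(substr($0, s, u - s))
      cmap  = trim(substr($0, m))
      if (name != "" && certs != "" && cmap != "") print name "\t" certs
    }
  '
}

# Constructed sample in the layout shown in the question. The first data row is
# the proxy from the question; the other two rows are made up for illustration.
sample_listing() {
  fmt='%-33s%-45s%-18s%s\n'
  printf "$fmt" NAME SSL_CERTIFICATES URL_MAP CERTIFICATE_MAP
  printf "$fmt" lb-global-legacy-target-proxy-2 \
    cert-lb-global-legacy2,cert-lb-globalegacy3 lb-global-legacy cert-map-1
  printf "$fmt" proxy-cleared "" lb-global-legacy cert-map-1
  printf "$fmt" proxy-classic-only cert-a url-map-a ""
}

# Usage against a real project:
#   gcloud compute target-https-proxies list | proxies_with_leftover_certs
```

Empty output means no proxy carries both kinds of certificate configuration.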