Troubleshooting Certificate Manager


This page describes the most common errors you might encounter when using Certificate Manager. It also provides steps to diagnose and resolve those errors.

For help with resolving issues related to TLS (SSL) certificates, see Troubleshooting SSL certificates.

Error when detaching a certificate map from a target proxy

When detaching a certificate map from a target proxy, you receive the following error:

"There must be at least one certificate configured for a target proxy."

This error occurs when the target proxy has no certificates attached other than those supplied through the certificate map you are trying to detach. A target proxy must always have at least one certificate to present, so first attach one or more certificates directly to the proxy, then detach the map. Make sure that the directly attached certificate covers the hostnames the proxy serves, because it is the certificate clients will be offered once the map is gone.

Problems related to certificates issued by a CA Service instance

This section lists the most common errors you might encounter when using Certificate Manager to deploy Google-managed certificates issued by your CA Service instance and their possible causes.

If you receive a Failed to create Certificate Issuance Config resources error, check for the following causes:

  • The lifetime is specified incorrectly. Valid certificate lifetime values are from 21 to 30 days.
  • The rotation window percentage is specified incorrectly. Valid values are from 1 to 99 percent. Certificate Manager starts renewing a certificate once that percentage of its lifetime has elapsed, so set the value in relation to the lifetime such that renewal occurs at least 7 days after the certificate is issued and at least 7 days before it expires. For example, with a 21-day lifetime the percentage must be between 34 and 66; with a 30-day lifetime, between 24 and 76.
  • The key algorithm is specified incorrectly. Valid key algorithm values are RSA_2048 and ECDSA_P256.
  • The CA pool is specified incorrectly, does not exist, or is misconfigured. The CA pool must contain at least one enabled CA, and the caller must have the privateca.capools.use permission on it.

If you receive a Failed to create a managed certificate error, check the following:

  • The Certificate Issuance Config resource you specified when creating the certificate exists.
  • The caller has the certificatemanager.certissuanceconfigs.use permission on the Certificate Issuance Config resource you specified when creating the certificate.

If you receive a Failed to renew certificate or a Failed to provision certificate error, check the following:

  • The Certificate Manager service agent (service-PROJECT_NUMBER@gcp-sa-certificatemanager.iam.gserviceaccount.com) holds the roles/privateca.certificateRequester role on the CA pool specified in the Certificate Issuance Config resource used for this certificate. Without that role the CA Service rejects the certificate request, so the first issuance and every later renewal fail.

    Use the following command to check permissions on the target CA pool:

    gcloud privateca pools get-iam-policy CA_POOL --location REGION
    

    Replace the following:

    • CA_POOL is the full resource path and name of the target CA pool.
    • REGION is the target Google Cloud region.
  • No certificate issuance policy is in effect on the CA pool specified in the associated Certificate Issuance Config. An issuance policy that restricts, for example, the allowed key types or the maximum certificate lifetime can cause the CA to reject the requests that Certificate Manager makes on your behalf.

    Use the following command to check whether a certificate issuance policy is in effect on the target CA pool, and look for an issuancePolicy field in the output:

    gcloud privateca pools describe CA_POOL --location REGION
    

    Replace the following:

    • CA_POOL is the full resource path and name of the target CA pool.
    • REGION is the target Google Cloud region.
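To make the checks in the two lists above repeatable (the Certificate Issuance Config parameters, and the CA pool IAM policy and issuance policy), here is an added Python example; it is not code from the Certificate Manager documentation or from Google. It validates an issuance config against the lifetime, rotation window, key algorithm and CA pool rules stated on this page, and inspects JSON saved from the two gcloud commands above (run them with --format=json). The config dict keys, the assumed address form of the Certificate Manager service agent, and the sample policy and pool documents are this example's own assumptions and constructed data.

```python
"""Offline checks for the Certificate Issuance Config parameters and for the CA pool
IAM policy and issuance policy that the gcloud commands on this page return.

Added example, not Google's code. The config dict keys (lifetime_days,
rotation_window_percentage, key_algorithm, ca_pool) are this script's own names,
not the API's field names. The IAM policy, pool description and service agent
address below are constructed samples.
"""
import json

LIFETIME_MIN_DAYS, LIFETIME_MAX_DAYS = 21, 30  # valid lifetime range
MIN_MARGIN_DAYS = 7  # renewal must be >= 7 days after issuance and >= 7 days before expiry
VALID_KEY_ALGORITHMS = {"RSA_2048", "ECDSA_P256"}
REQUESTER_ROLE = "roles/privateca.certificateRequester"
# Assumed address form of the Certificate Manager service agent (project number is made up).
CM_SERVICE_AGENT = ("serviceAccount:service-123456789012"
                    "@gcp-sa-certificatemanager.iam.gserviceaccount.com")


def rotation_window_bounds(lifetime_days):
    """Inclusive (lo, hi) rotation window percentages that are valid for a lifetime.

    Renewal starts lifetime * pct / 100 days after issuance, so we need
    lifetime*pct/100 >= 7 and lifetime*(100-pct)/100 >= 7. Integer ceil/floor
    keep the bounds exact.
    """
    lo = -(-MIN_MARGIN_DAYS * 100 // lifetime_days)                # ceil(700 / lifetime)
    hi = (lifetime_days - MIN_MARGIN_DAYS) * 100 // lifetime_days  # floor
    return max(lo, 1), min(hi, 99)


def validate_issuance_config(cfg):
    """Return a list of problems with an issuance config (an empty list means it is fine)."""
    problems = []
    lifetime = cfg.get("lifetime_days")
    lifetime_ok = isinstance(lifetime, int) and LIFETIME_MIN_DAYS <= lifetime <= LIFETIME_MAX_DAYS
    if not lifetime_ok:
        problems.append(f"lifetime must be {LIFETIME_MIN_DAYS}-{LIFETIME_MAX_DAYS} days, got {lifetime!r}")
    pct = cfg.get("rotation_window_percentage")
    if not isinstance(pct, int) or not 1 <= pct <= 99:
        problems.append(f"rotation window percentage must be 1-99, got {pct!r}")
    elif lifetime_ok:
        lo, hi = rotation_window_bounds(lifetime)
        if not lo <= pct <= hi:
            problems.append(
                f"rotation window {pct}% renews on day {lifetime * pct / 100:.1f} of "
                f"{lifetime}; use {lo}-{hi}% to keep a {MIN_MARGIN_DAYS}-day margin on both ends")
    if cfg.get("key_algorithm") not in VALID_KEY_ALGORITHMS:
        problems.append(f"key algorithm must be one of {sorted(VALID_KEY_ALGORITHMS)}, "
                        f"got {cfg.get('key_algorithm')!r}")
    if not cfg.get("ca_pool"):
        problems.append("ca_pool must name an existing CA pool with at least one enabled CA")
    return problems


def has_requester_role(policy, member):
    """True if `member` holds roles/privateca.certificateRequester in an IAM policy
    document as printed by `gcloud privateca pools get-iam-policy ... --format=json`."""
    return any(
        binding.get("role") == REQUESTER_ROLE and member in binding.get("members", [])
        for binding in policy.get("bindings", [])
    )


def has_issuance_policy(pool):
    """True if a pool description (`gcloud privateca pools describe ... --format=json`)
    carries an issuancePolicy, which can make the CA reject Certificate Manager's requests."""
    return bool(pool.get("issuancePolicy"))


# Constructed samples shaped like the gcloud JSON output.
SAMPLE_IAM_POLICY = json.loads("""
{"bindings": [{"role": "roles/privateca.certificateRequester",
               "members": ["serviceAccount:service-123456789012@gcp-sa-certificatemanager.iam.gserviceaccount.com"]}],
 "etag": "BwYgsM7Qxyz=", "version": 1}
""")
SAMPLE_POOL = json.loads("""
{"name": "projects/my-project/locations/us-central1/caPools/my-pool", "tier": "DEVOPS",
 "issuancePolicy": {"allowedKeyTypes": [{"ellipticCurve": {"signatureAlgorithm": "ECDSA_P256"}}]}}
""")

if __name__ == "__main__":
    cfg = {"lifetime_days": 30, "rotation_window_percentage": 80,
           "key_algorithm": "RSA_2048", "ca_pool": SAMPLE_POOL["name"]}
    for problem in validate_issuance_config(cfg):
        print("issuance config:", problem)
    print("service agent can request certs:", has_requester_role(SAMPLE_IAM_POLICY, CM_SERVICE_AGENT))
    print("issuance policy in effect:", has_issuance_policy(SAMPLE_POOL))
```

Save the output of the two gcloud commands with --format=json and pass the parsed documents to has_requester_role and has_issuance_policy; the member string to look for is the Certificate Manager service agent, which the script assumes has the form shown in CM_SERVICE_AGENT. A non-empty list from validate_issuance_config tells you which parameter to fix before retrying the create; in the sample above, an 80 percent rotation window on a 30-day lifetime would renew on day 24, leaving less than the required 7 days before expiry.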