Google Load balancer refuses self-signed certificate


I want to create a self-signed certificate to be used in the Google Load Balancer. I have composed the following script to prepare it:

#!/bin/bash

# quoted so the shell cannot glob-expand the wildcard
FQDN="*.domain.net"
SUBJ="/C=CZ/ST=Country/L=City/O=Authority/CN=$FQDN"
VALIDITY=3650

# make directories to work from
mkdir -p certs

# generate self signed root CA cert (-days takes effect here because of -x509)
openssl req -nodes -x509 -newkey rsa:2048 -days "$VALIDITY" -keyout certs/ca.key -out certs/ca.crt -subj "$SUBJ"

# generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout certs/server.key -out certs/server.csr -subj "$SUBJ"

# sign the server cert (-days must be given here; x509 -req defaults to 30 days)
openssl x509 -req -days "$VALIDITY" -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt

# create server PEM file
cat certs/server.key certs/server.crt > certs/server.pem

# generate client cert to be signed (req ignores -days without -x509, so validity is set when signing)
openssl req -nodes -newkey rsa:2048 -keyout certs/client.key -out certs/client.csr -subj "$SUBJ"

# sign the client cert
openssl x509 -req -days "$VALIDITY" -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAserial certs/ca.srl -out certs/client.crt

# create client PEM file
cat certs/client.key certs/client.crt > certs/client.pem

This works correctly and produces all certificates with no errors.

However, when I try to put these into the Google load balancer, it refuses to accept the generated certificates. I am putting:

  1. certs/client.crt to the "public key certificate" field
  2. certs/client.pem to the "Certificate chain" field
  3. certs/server.key to the "private key" field

(screenshot of the load balancer's error message; image not included)


There is 1 answer

John Hanley (best answer):

You can use self-signed certificates for backend services. You cannot use self-signed certificates for frontend services.

Google Cloud HTTP Load Balancers only accept SSL certificates that are Domain Validated or higher.

Do not confuse Self Managed and Self Signed certificates.

Self-managed and Google-managed SSL certificates

The error message in your question means you are importing the wrong private key. You also have another error: VALIDITY=3650. Public-facing SSL certificates cannot be longer than 825 days (I think the practice is 398 days now); almost all vendors will not issue one longer than 365 days. Certificates valid longer than 365 days require even more details attached to the certificate.
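The two problems the answer points at (a private key that does not belong to the uploaded certificate, and a validity period far beyond what a public-facing endpoint will accept) can both be caught locally before uploading anything. The script below is an added example, not code from the question or the answer: it issues a CA and a CA-signed leaf certificate in the same way the question's script does, then runs the checks that an upload would effectively perform. The working directory lbcheck, the 398-day limit taken from the answer, and the certificate subjects are assumptions chosen for the example; the leaf deliberately gets a subject of its own rather than reusing the CA subject, so issuer and subject differ.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. It generates a CA
# and a CA-signed leaf certificate, then checks what a load balancer front end
# effectively checks on upload: key/certificate match, chain validity, and a
# maximum lifetime. WORK, MAX_DAYS and the subjects below are assumptions.
set -eu

WORK=${WORK:-lbcheck}
MAX_DAYS=398   # limit mentioned in the answer; measured from now, which is
               # accurate for certificates issued a moment ago

# Issue a root CA (10 years) and a leaf certificate valid for $1 days.
# The leaf gets its own subject rather than reusing the CA subject, so issuer
# and subject differ. A second, unrelated key is created for the mismatch case.
make_certs() {
  mkdir -p "$WORK"
  openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=CZ/O=Example Authority/CN=Example Root CA" >/dev/null 2>&1
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=CZ/O=Example/CN=*.domain.net" >/dev/null 2>&1
  openssl x509 -req -days "$1" -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
  openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# Returns 0 when the public key inside the certificate ($1) equals the public
# half of the private key ($2): the "wrong private key" condition from the answer.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate ($2) chains to the CA ($1).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 when the certificate expires within MAX_DAYS. "-checkend" succeeds
# only when the certificate is still valid after the given number of seconds,
# so its success here means the lifetime is too long.
lifetime_ok() {
  if openssl x509 -in "$1" -noout -checkend $((MAX_DAYS * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

# Run all three checks against a certificate/key pair and report each result;
# returns non-zero if any check fails.
check_upload() {
  cert=$1; key=$2; ca=$3; status=0
  key_matches_cert "$cert" "$key" && echo "key matches certificate" \
    || { echo "private key does not match certificate"; status=1; }
  chain_ok "$ca" "$cert" && echo "chain verifies" \
    || { echo "chain does not verify"; status=1; }
  lifetime_ok "$cert" && echo "lifetime within $MAX_DAYS days" \
    || { echo "lifetime exceeds $MAX_DAYS days"; status=1; }
  return $status
}

main() {
  make_certs 365
  check_upload "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt"
  echo "--- same certificate with an unrelated key:"
  check_upload "$WORK/server.crt" "$WORK/other.key" "$WORK/ca.crt" || true
}
main
```

Running it with a 3650-day leaf instead of 365 makes the lifetime check fail, which is the VALIDITY problem from the answer; pairing the certificate with other.key reproduces the key mismatch. The lifetime check uses -checkend, which counts from the current time, so on a certificate issued some time ago it measures remaining rather than total validity.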