GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB

When using a different class of ingress, certificate status is `FailedNotVisible`

blasterbug opened this issue · comments

Running on Kubernetes 1.14.8-gke.12, with nginx-ingress-1.26.2, managed certificates failed. DNS are resolved, DNSSEC is working. If I use the default gce-ingress, it actually works.

cert.yaml

---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: www-certificate
spec:
  domains:
    - www.domain.se

ingress.yaml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: www-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/ingress.global-static-ip-name: www-domain-com # is a regional address for nginx
    networking.gke.io/managed-certificates: www-certificate
spec:
  rules:
    - host: www.domain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: www
              servicePort: 8080

$ kubectl describe managedcertificates.networking.gke.io www-certificate
Name:         www-certificate
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  networking.gke.io/v1beta1
Kind:         ManagedCertificate
Metadata:
  Creation Timestamp:  2019-12-09T10:25:46Z
  Generation:          3
  Resource Version:    2967605
  Self Link:           /apis/networking.gke.io/v1beta1/namespaces/default/managedcertificates/root-nesta-se-cert
  UID:                 434f78d9-1a6e-11ea-816a-42010aa6014e
Spec:
  Domains:
    www.domain.om
Status:
  Certificate Name:    mcrt-55d0485c-dc0c-4796-8ec7-1af1d5aba472
  Certificate Status:  Provisioning
  Domain Status:
    Domain:  www.domain.com
    Status:  FailedNotVisible
Events:      <none>

The problem here is that your cert and the ingress (because it's an nginx ingress) are in a different namespace. I'm not sure yet how to fix this.

For the past few days I have been trying to resolve this issue. My config looks very similar. I found that supposedly DNSSEC should be enabled on the domain, as this can impact creation of the ManagedCertificate. I enabled that and now I am getting FailedNotVisible after approx. 20 minutes (before, it was changing to that status almost instantly).

On my setup, both the ingress and the certificate are in the same namespace.

This looks like a standard setup so I am not sure what else can be wrong here.

I will give it another day. Perhaps something wrong with domain configuration still?

@adamgajzlerowicz I found that Dohbedoh is correct. If you want to use an nginx ingress, for instance to force https, then you cannot use Google Managed Certs. Try using cert-manager instead.

@rchurch4 Only yesterday I managed to get it working.
I configured cert manager by following this tutorial
link

To confirm @Dohbedoh links - I exchanged some emails with google cloud support and they also confirmed, quote:
"Nginx ingress controller type is not compatible with Google Managed certificates, Although, non-nginx-ingress controller is compatible."

For GCP managed certificates I first followed this doc. Feels like it really should mention its ingress compatibility issue.

Thanks guys!
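The two failure causes discussed in this thread (a ManagedCertificate attached to a non-GCE ingress, and a domain stuck in `FailedNotVisible`) can both be spotted from the objects themselves before waiting on provisioning. The following audit script is an added example, not code from the gke-managed-certs project: it reads a ManagedCertificate and an Ingress as the JSON that `kubectl get ... -o json` produces (the camelCase field names `certificateStatus`, `domainStatus`, `domain`, `status` are assumed from the `kubectl describe` output above) and reports the mismatches. The sample objects are constructed to mirror the issue's `cert.yaml` and `ingress.yaml`; the `audit` function name and finding codes are this example's own.

```python
import copy
import json

# Constructed sample objects modelled on the thread's manifests (not real cluster data).
SAMPLE_CERT = {
    "apiVersion": "networking.gke.io/v1beta1",
    "kind": "ManagedCertificate",
    "metadata": {"name": "www-certificate", "namespace": "default"},
    "spec": {"domains": ["www.domain.com"]},
    "status": {
        "certificateStatus": "Provisioning",
        "domainStatus": [{"domain": "www.domain.com", "status": "FailedNotVisible"}],
    },
}

SAMPLE_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "www-ingress",
        "namespace": "default",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            "networking.gke.io/managed-certificates": "www-certificate",
        },
    },
    "spec": {"rules": [{"host": "www.domain.com", "http": {"paths": [{"path": "/"}]}}]},
}

MANAGED_CERT_ANNOTATION = "networking.gke.io/managed-certificates"
CLASS_ANNOTATION = "kubernetes.io/ingress.class"


def ingress_class(ingress: dict) -> str:
    """Effective ingress class: the legacy annotation wins, then spec.ingressClassName,
    and with neither set GKE hands the Ingress to the GCE controller ("gce")."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if CLASS_ANNOTATION in annotations:
        return annotations[CLASS_ANNOTATION]
    return ingress.get("spec", {}).get("ingressClassName") or "gce"


def audit(cert: dict, ingress: dict) -> list:
    """Return (code, message) findings explaining why `cert` will not become Active
    on `ingress`. An empty list means nothing in the objects looks wrong."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}

    # 1. ManagedCertificate is provisioned only through the GCE (GCLB) ingress controller.
    cls = ingress_class(ingress)
    if cls != "gce":
        findings.append(("INGRESS_CLASS",
                         f"ingress class '{cls}' is not the GCE ingress; "
                         "ManagedCertificate is not provisioned for it"))

    # 2. The Ingress must name the certificate in the managed-certificates annotation
    #    (comma-separated list) and live in the same namespace.
    referenced = {n.strip() for n in annotations.get(MANAGED_CERT_ANNOTATION, "").split(",") if n.strip()}
    cert_name = cert["metadata"]["name"]
    if cert_name not in referenced:
        findings.append(("CERT_NOT_REFERENCED",
                         f"ingress does not list '{cert_name}' in {MANAGED_CERT_ANNOTATION}"))
    if cert["metadata"].get("namespace") != ingress["metadata"].get("namespace"):
        findings.append(("NAMESPACE_MISMATCH",
                         "certificate and ingress are in different namespaces"))

    # 3. Every certificate domain should be served by a rule on this Ingress.
    hosts = {r["host"] for r in cert_and_rules(ingress) if r.get("host")}
    for domain in cert["spec"].get("domains", []):
        if domain not in hosts:
            findings.append(("DOMAIN_NOT_IN_RULES", f"domain '{domain}' is not a host in any ingress rule"))

    # 4. Surface any per-domain status that is not Active (e.g. FailedNotVisible:
    #    the CA could not reach the domain via the load balancer's IP).
    for ds in cert.get("status", {}).get("domainStatus", []):
        if ds.get("status") != "Active":
            findings.append(("DOMAIN_STATUS", f"domain '{ds.get('domain')}' status is {ds.get('status')}"))
    return findings


def cert_and_rules(ingress: dict) -> list:
    return ingress.get("spec", {}).get("rules", []) or []


def audit_json(cert_json: str, ingress_json: str) -> list:
    """Convenience wrapper for raw `kubectl get <obj> -o json` output."""
    return audit(json.loads(cert_json), json.loads(ingress_json))


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CERT, SAMPLE_INGRESS):
        print(f"{code}: {msg}")
    fixed = copy.deepcopy(SAMPLE_INGRESS)
    fixed["metadata"]["annotations"][CLASS_ANNOTATION] = "gce"
    print("after switching to the GCE ingress:", [c for c, _ in audit(SAMPLE_CERT, fixed)])
```

Run against the thread's objects it reports `INGRESS_CLASS` and `DOMAIN_STATUS`; switching the class annotation to `gce` leaves only the `DOMAIN_STATUS` finding, which is the one that clears on its own once the certificate authority can see the domain behind the load balancer.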

What worked for me on 1.15.x (which was failing, but worked on rapid channel 1.16.x) is to enable the compute-rw scope on the node pool and use https://dnssec-analyzer.verisignlabs.com to resolve DNSSEC issues with the domain. Deleted the cert and ingress, retried, and after about 10-15 minutes it all worked.

Hope that helps!