I ran into a similar issue today, and the issue appears to have been that the individual certificates within my --certificate file were in reverse order.
The file I received from our certificate authority included the root certificate first, then several intermediate certs, and finally the primary cert. Loading that with gcloud resulted in a "The SSL certificate and key do not match" error.
When I reversed the order to be:
- Primary cert
- Intermediate cert(s)
- Root cert
It does not validate whether all certificates are chained in a legitimate way. It is your responsibility to provide valid certificate chains.
But maybe there is some more specific language that could be included about either what GCP expects or what a valid chain is?