Certbot-dns-google Problems

I ran this command:

 /usr/local/bin/certbot certonly --dns-google -d m.[mydomain.com] -m ${EMAIL} --dns-google-credentials ${GOOGLE_CREDS_FILE} --dns-google-propagation-seconds 180 --agree-tos -n

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-google, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for m.[mydomain.com]
Attempting refresh to obtain initial access_token
Refreshing access_token
Waiting 180 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain m.[mydomain.com]
dns-01 challenge for m.[mydomain.com]
Cleaning up challenges
Attempting refresh to obtain initial access_token
Refreshing access_token
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: m.[mydomain.com]
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up TXT for
   _acme-challenge.m.[mydomain.com] - check that a DNS record exists for this
   domain

My web server is (include version):
N/A - manual certificate only
The operating system my web server runs on is (include version):
Ubuntu 18
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

~$ certbot --version
certbot 1.8.0

I've been struggling to get certbot working for my domain again. It used to work fine, but since the last renewal a month ago it broke. I was using certbot 0.40, and upgraded to 1.8.0 during the troubleshooting process. Everything appears to work, except the dns-google plugin is not working right. While waiting the 180 seconds for things to propagate, I can fire up nslookup directly to one of Google's DNS servers that is authoritative for this domain and get the following:

> _acme-challenge.m.[mydomain.com]
Server:  ns-cloud-e1.googledomains.com
Addresses:  2001:4860:4802:32::6e
          216.239.32.110

*** ns-cloud-e1.googledomains.com can't find _acme-challenge.m.[mydomain.com]: Non-existent domain
2 Likes

Are there perhaps any errors or warnings visible in the log file? (/var/log/letsencrypt/letsencrypt.log)

2 Likes

A slightly redacted log from an attempt:
2020-09-20 15:07:49,050:DEBUG:certbot._internal.main:certbot version: 1.8.0
2020-09-20 15:07:49,051:DEBUG:certbot._internal.main:Arguments: ['--dns-google', '-d', 'm.[mydomain.com]', '-m', 'nlew@saturn49.dyndns.org', '--dns-google-credentials', '/etc/certbot/certbot-service-creds.json', '--dns-google-propagation-seconds', '180', '--agree-tos', '-n']
2020-09-20 15:07:49,052:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-google,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-20 15:07:49,083:DEBUG:certbot._internal.log:Root logging level set at 20
2020-09-20 15:07:49,084:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-20 15:07:49,084:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-google and installer None
2020-09-20 15:07:49,094:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-google
Description: Obtain certificates using a DNS TXT record (if you are using Google Cloud DNS for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-google = certbot_dns_google._internal.dns_google:Authenticator
Initialized: <certbot_dns_google._internal.dns_google.Authenticator object at 0x7efde8cfb470>
Prep: True
2020-09-20 15:07:49,095:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_google._internal.dns_google.Authenticator object at 0x7efde8cfb470> and installer None
2020-09-20 15:07:49,095:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-google, Installer None
2020-09-20 15:07:49,100:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/71390191', new_authzr_uri=None, terms_of_service=None), xxxx, Meta(creation_dt=datetime.datetime(2019, 11, 8, 18, 58, 21, tzinfo=<UTC>), creation_host='vault', register_to_eff=None))>
2020-09-20 15:07:49,101:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-09-20 15:07:49,103:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-09-20 15:07:49,250:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-09-20 15:07:49,251:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:07:49 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "jcAnkCfeC9Y": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-09-20 15:07:49,267:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/m.[mydomain.com]/cert5.pem
2020-09-20 15:07:49,267:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/m.[mydomain.com]/chain5.pem -cert /etc/letsencrypt/archive/m.[mydomain.com]/cert5.pem -CAfile /etc/letsencrypt/archive/m.[mydomain.com]/chain5.pem -verify_other /etc/letsencrypt/archive/m.[mydomain.com]/chain5.pem -trust_other -timeout 10 -header Host=ocsp.int-x3.letsencrypt.org -url http://ocsp.int-x3.letsencrypt.org
2020-09-20 15:07:49,323:DEBUG:certbot._internal.storage:Should renew, less than 60 days before certificate expiry 2020-11-16 04:12:22 UTC.
2020-09-20 15:07:49,323:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2020-09-20 15:07:49,324:INFO:certbot._internal.main:Renewing an existing certificate
2020-09-20 15:07:49,376:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0030_key-certbot.pem
2020-09-20 15:07:49,379:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0030_csr-certbot.pem
2020-09-20 15:07:49,379:DEBUG:acme.client:Requesting fresh nonce
2020-09-20 15:07:49,379:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-20 15:07:49,412:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-09-20 15:07:49,413:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:07:49 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-09-20 15:07:49,413:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:07:49,414:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "m.[mydomain.com]"\n    }\n  ]\n}'
2020-09-20 15:07:49,420:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "xxxx",
  "signature": "xxxx",
  "payload": "xxxx"
}
2020-09-20 15:07:49,619:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 338
2020-09-20 15:07:49,620:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Sun, 20 Sep 2020 20:07:49 GMT
Content-Type: application/json
Content-Length: 338
Connection: keep-alive
Boulder-Requester: 71390191
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/71390191/5286192733
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2020-09-27T20:07:49.56851753Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "m.[mydomain.com]"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/7352661008"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/71390191/5286192733"
}
2020-09-20 15:07:49,620:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:07:49,620:DEBUG:acme.client:JWS payload:
b''
2020-09-20 15:07:49,624:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/7352661008:
{
  "protected": "xxxx",
  "signature": "xxxx",
  "payload": ""
}
2020-09-20 15:07:49,685:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/7352661008 HTTP/1.1" 200 787
2020-09-20 15:07:49,685:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:07:49 GMT
Content-Type: application/json
Content-Length: 787
Connection: keep-alive
Boulder-Requester: 71390191
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "m.[mydomain.com]"
  },
  "status": "pending",
  "expires": "2020-09-27T20:07:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/zbCZSQ",
      "token": "xxxx"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA",
      "token": "xxxx"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/vUTOmw",
      "token": "xxxx"
    }
  ]
}
2020-09-20 15:07:49,686:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:07:49,687:INFO:certbot._internal.auth_handler:Performing the following challenges:
2020-09-20 15:07:49,687:INFO:certbot._internal.auth_handler:dns-01 challenge for m.[mydomain.com]
2020-09-20 15:07:49,692:DEBUG:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2020-09-20 15:07:49,790:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones?dnsName=m.[mydomain.com].&alt=json
2020-09-20 15:07:49,790:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2020-09-20 15:07:49,792:DEBUG:oauth2client.crypt:[b'xxxx', b'xxxx', b'xxxx']
2020-09-20 15:07:49,793:INFO:oauth2client.client:Refreshing access_token
2020-09-20 15:07:50,177:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones?dnsName=[mydomain.com].&alt=json
2020-09-20 15:07:50,446:DEBUG:certbot_dns_google._internal.dns_google:Found id of xxxxfor m.[mydomain.com] using name [mydomain.com]
2020-09-20 15:07:50,447:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/rrsets?alt=json
2020-09-20 15:07:50,574:DEBUG:googleapiclient.discovery:URL being requested: POST https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/changes?alt=json
2020-09-20 15:07:50,953:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/changes/73?alt=json
2020-09-20 15:07:51,206:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/changes/73?alt=json
2020-09-20 15:07:51,484:INFO:certbot.plugins.dns_common:Waiting 180 seconds for DNS changes to propagate
2020-09-20 15:10:51,526:INFO:certbot._internal.auth_handler:Waiting for verification...
2020-09-20 15:10:51,527:DEBUG:acme.client:JWS payload:
b'{}'
2020-09-20 15:10:51,530:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA:
{
  "protected": "xxxx",
  "signature": "xxxx",
  "payload": "e30"
}
2020-09-20 15:10:51,598:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/7352661008/eJeQvA HTTP/1.1" 400 173
2020-09-20 15:10:51,599:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx
Date: Sun, 20 Sep 2020 20:10:51 GMT
Content-Type: application/problem+json
Content-Length: 173
Connection: keep-alive
Boulder-Requester: 71390191
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxx

{
  "type": "urn:ietf:params:acme:error:badNonce",
  "detail": "JWS has an invalid anti-replay nonce: \"xxxx\"",
  "status": 400
}
2020-09-20 15:10:51,599:DEBUG:acme.client:Retrying request after error:
urn:ietf:params:acme:error:badNonce :: The client sent an unacceptable anti-replay nonce :: JWS has an invalid anti-replay nonce: "xxxx"
2020-09-20 15:10:51,600:DEBUG:acme.client:Requesting fresh nonce
2020-09-20 15:10:51,600:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-20 15:10:51,634:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-09-20 15:10:51,634:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:10:51 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-09-20 15:10:51,635:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:10:51,635:DEBUG:acme.client:JWS payload:
b'{}'
2020-09-20 15:10:51,638:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA:
{
  "protected": "xxxx",
  "signature": "xxxx",
  "payload": "e30"
}
2020-09-20 15:10:51,727:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/7352661008/eJeQvA HTTP/1.1" 200 184
2020-09-20 15:10:51,727:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:10:51 GMT
Content-Type: application/json
Content-Length: 184
Connection: keep-alive
Boulder-Requester: 71390191
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/7352661008>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "dns-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA",
  "token": "xxxx"
}
2020-09-20 15:10:51,728:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:10:52,729:DEBUG:acme.client:JWS payload:
b''
2020-09-20 15:10:52,733:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/7352661008:
{
  "protected": "xxxx",
  "signature": "xxxx",
  "payload": ""
}
2020-09-20 15:10:52,797:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/7352661008 HTTP/1.1" 200 596
2020-09-20 15:10:52,798:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 20:10:52 GMT
Content-Type: application/json
Content-Length: 596
Connection: keep-alive
Boulder-Requester: 71390191
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: xxxx
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "m.[mydomain.com]"
  },
  "status": "invalid",
  "expires": "2020-09-27T20:07:49Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.m.[mydomain.com] - check that a DNS record exists for this domain",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/7352661008/eJeQvA",
      "token": "xxxx"
    }
  ]
}
2020-09-20 15:10:52,798:DEBUG:acme.client:Storing nonce: xxxx
2020-09-20 15:10:52,799:WARNING:certbot._internal.auth_handler:Challenge failed for domain m.[mydomain.com]
2020-09-20 15:10:52,799:INFO:certbot._internal.auth_handler:dns-01 challenge for m.[mydomain.com]
2020-09-20 15:10:52,799:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: m.[mydomain.com]
Type:   dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.m.[mydomain.com] - check that a DNS record exists for this domain
2020-09-20 15:10:52,800:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2020-09-20 15:10:52,800:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-09-20 15:10:52,800:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-09-20 15:10:52,803:DEBUG:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2020-09-20 15:10:52,905:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones?dnsName=m.[mydomain.com].&alt=json
2020-09-20 15:10:52,906:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2020-09-20 15:10:52,909:DEBUG:oauth2client.crypt:[b'xxxx', b'xxxx', b'xxxx']
2020-09-20 15:10:52,909:INFO:oauth2client.client:Refreshing access_token
2020-09-20 15:10:53,128:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones?dnsName=[mydomain.com].&alt=json
2020-09-20 15:10:53,229:DEBUG:certbot_dns_google._internal.dns_google:Found id of xxxx for m.[mydomain.com] using name [mydomain.com]
2020-09-20 15:10:53,229:DEBUG:googleapiclient.discovery:URL being requested: GET https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/rrsets?alt=json
2020-09-20 15:10:53,310:DEBUG:googleapiclient.discovery:URL being requested: POST https://dns.googleapis.com/dns/v1/projects/yyyy/managedZones/xxxx/changes?alt=json
2020-09-20 15:10:53,553:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1358, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 1242, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/client.py", line 351, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/client.py", line 398, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/local/lib/python3.6/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2020-09-20 15:10:53,554:ERROR:certbot._internal.log:Some challenges have failed.

2 Likes

I don't have experience with the Google DNS plugin, but this is something that stands out for me.

Could it be the plugin generates a TXT record for _acme-challenge.nlew.us? I.e., without the .m. label?

2 Likes

You could try:

certbot certonly --dry-run --debug-challenges --dns-google \
--dns-google-credentials /etc/certbot/certbot-service-creds.json \
-d m.nlew.us

Certbot will eventually pause with a message like:

Challenges loaded. Press continue to submit to CA

At that point, you can check the record in the Google Cloud user interface, and also try to query it manually with nslookup, as you did before.

This should narrow down what the nature of the problem is - wrong record data, too long propagation, wrong zone ID, etc.

2 Likes

Have you tried with a much longer wait?

2 Likes

Thanks all, I think I figured it out. I had apparently forgotten the difference between Google Domains and Google Cloud DNS, and had standard (mx, @) records configured in both so it was not obvious from the UI. I had wrongly reset my domain's DNS servers to Google Domains rather than Google Cloud, so while the plugin was altering the Google Cloud DNS records, they were no longer authoritative.

Even more confusingly, the Google Cloud DNS servers are:
ns-cloud-d[1-4].googledomains.com
whereas the Google Domains DNS servers are:
ns-cloud-e[1-4].googledomains.com

Spot the difference? Yeah, I didn't either at first.

I've restored things back to where they should be but it may take a few hours to propagate the primary name server change.

Before all this I was having an intermittent certificate renewal issue, but I clearly made things worse trying to troubleshoot it.

3 Likes
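The check below is an added example, not code from this thread, from certbot or from certbot-dns-google. It automates the manual step suggested in the `--debug-challenges` reply (query the `_acme-challenge` TXT record at the authoritative servers while certbot is paused) and the diagnosis in the final post (the public delegation pointed at Google Domains' `ns-cloud-e*` servers while the plugin was writing to the Cloud DNS zone served by `ns-cloud-d*`). It walks up the labels to find where the delegation actually sits, compares the delegated nameservers with the ones of the zone you edit, and asks each delegated server for the challenge value. Lookups go through an injectable `resolve` callback, so the logic runs offline against constructed data; `dig_resolver` uses the `dig` binary for live queries. The domain `m.example.com`, the token value and the fake resolver are constructed for illustration.

```python
"""Pre-flight check for a dns-01 challenge: is the zone I edit the zone the
world is delegated to, and does every delegated server already serve the TXT?
Added example; domain names, token and fake resolver data are constructed."""
import shutil
import subprocess
from typing import Callable, Dict, Iterable, List, Set, Tuple

# resolve(qname, rtype, server) -> rdata strings; empty list on NXDOMAIN/NODATA.
# server == "" means "ask the system's recursive resolver".
Resolver = Callable[[str, str, str], List[str]]

CHALLENGE_LABEL = "_acme-challenge"


def dig_resolver(qname: str, rtype: str, server: str = "") -> List[str]:
    """Live resolver built on `dig +short` (requires dig on PATH)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    out = subprocess.run(cmd + [qname, rtype], capture_output=True,
                         text=True, check=False).stdout
    # TXT rdata comes back quoted; names come back with a trailing dot.
    return [ln.strip().strip('"').rstrip(".") for ln in out.splitlines() if ln.strip()]


def _norm(names: Iterable[str]) -> List[str]:
    return sorted(n.rstrip(".").lower() for n in names)


def find_delegation(name: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Walk up the labels (as the plugin does when locating its managed zone)
    until an NS answer appears; return (zone apex, delegated nameservers)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        ns = _norm(resolve(candidate, "NS", ""))
        if ns:
            return candidate, ns
    return "", []


def check_dns01_readiness(domain: str, expected_ns: Iterable[str],
                          expected_txt: str, resolve: Resolver) -> Dict[str, object]:
    """Report whether the delegation matches the zone being edited and whether
    each delegated server already answers the challenge TXT."""
    zone, delegated = find_delegation(domain, resolve)
    qname = f"{CHALLENGE_LABEL}.{domain.rstrip('.').lower()}"
    txt_seen_at = {ns: expected_txt in resolve(qname, "TXT", ns) for ns in delegated}
    ns_match = delegated == _norm(expected_ns)
    return {
        "zone": zone,
        "delegated_ns": delegated,
        "ns_match": ns_match,        # False means you are editing the wrong zone
        "txt_seen_at": txt_seen_at,  # per-server visibility of the challenge record
        "ready": bool(delegated) and ns_match and all(txt_seen_at.values()),
    }


# Constructed scenario data modelled on the thread (not real records).
CLOUD_DNS_NS = [f"ns-cloud-d{i}.googledomains.com" for i in range(1, 5)]
GOOGLE_DOMAINS_NS = [f"ns-cloud-e{i}.googledomains.com" for i in range(1, 5)]
DOMAIN = "m.example.com"                 # stand-in for m.[mydomain.com]
TOKEN = "constructed-challenge-value"    # stand-in for the real dns-01 value


def make_fake_resolver(delegated_ns: List[str], servers_with_txt: Set[str]) -> Resolver:
    """Offline resolver: the apex delegates to `delegated_ns`; only servers in
    `servers_with_txt` hold the challenge TXT, everything else is NXDOMAIN."""
    def resolve(qname: str, rtype: str, server: str = "") -> List[str]:
        qname = qname.rstrip(".").lower()
        if rtype == "NS":
            return list(delegated_ns) if (server == "" and qname == "example.com") else []
        if rtype == "TXT" and qname == f"{CHALLENGE_LABEL}.{DOMAIN}":
            return [TOKEN] if server in servers_with_txt else []
        return []
    return resolve


def scenario_misdelegated() -> Dict[str, object]:
    """The thread's failure: TXT written into Cloud DNS (ns-cloud-d*), but the
    public delegation points at Google Domains (ns-cloud-e*)."""
    return check_dns01_readiness(
        DOMAIN, CLOUD_DNS_NS, TOKEN, make_fake_resolver(GOOGLE_DOMAINS_NS, set(CLOUD_DNS_NS)))


def scenario_fixed() -> Dict[str, object]:
    """After re-pointing the delegation at Cloud DNS and letting the TXT propagate."""
    return check_dns01_readiness(
        DOMAIN, CLOUD_DNS_NS, TOKEN, make_fake_resolver(CLOUD_DNS_NS, set(CLOUD_DNS_NS)))


if __name__ == "__main__":
    print("misdelegated:", scenario_misdelegated())
    print("fixed:       ", scenario_fixed())
    # Live use while certbot is paused at --debug-challenges:
    # check_dns01_readiness("m.example.com", CLOUD_DNS_NS, "<TXT value>", dig_resolver)
```

In the misdelegated scenario the report shows `ns_match` false and the TXT unseen at every delegated server, which is exactly the NXDOMAIN the CA reported; a long propagation wait cannot fix that, since the servers holding the record are not the ones being asked. Run with `dig_resolver` during the `--debug-challenges` pause to get the same answer for a real zone.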
