Client lacks sufficient authorization

Hello Schoen

I am struggling with the exact same error.
I am on Google Cloud and deployed an SSL certificate on Google Compute Engine, but I am not able to renew it now.
Unfortunately it expired last night and I am still struggling with renewal.

I tried both the standalone and webroot approaches but ended up hitting the same error.

Could you please help me with this?

ERROR:
Failed authorization procedure. www.gruhaps.in (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gruhaps.in/.well-known/acme-challenge/NFZZG83AiKq1OiK6jsADj6yXediXWtvGyyb2wV5ZQbU: "

<meta name=viewport content="initial-scale=1, minimum-scale=1, width=dev", gruhaps.in (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gruhaps.in/.well-known/acme-challenge/65ffv_5e01tGKRqlGgHaJe9YelBWC816yvuWCwhnbCc: " <meta name=viewport content="initial-scale=1, minimum-scale=1, width=dev"

IMPORTANT NOTES:

Hi @grs4,

I split this into a new topic. "The client lacks sufficient authorization" is a generic error that results from many kinds of validation failures, so it's probably not the same underlying cause as the thread that you originally posted in.

Currently http://gruhaps.in/ and http://www.gruhaps.in/ show a Google error, rather than any content for your site. This is the underlying problem—something is not configured properly in order to allow your site content to be seen at this address in HTTP. This is different from the behavior of https://gruhaps.in/ and https://www.gruhaps.in/, which show an error that is probably from your site (although with an expired certificate warning).

You need to do whatever configuration is necessary in Google Cloud in order to be sure that your site content is available via HTTP on port 80 on this server before requesting the certificate.

Note that it's possible that that wasn't necessary when you originally obtained the certificate, due to this change that's happened last month

Previously it was possible to do the Let's Encrypt validation on port 443, but now except in certain cases it's only possible on port 80, or via the DNS-based validation method.
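A preflight check for the situation described in the reply above, added here as an example and not part of the original thread: it fetches a test file from the challenge directory over plain HTTP and reports whether the file itself or an HTML page came back. The file name and contents are constructed values that you place under the webroot's `.well-known/acme-challenge/` directory yourself; `classify` and `probe` are names chosen for this example.

```python
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def classify(status, content_type, body, expected):
    """Say what one HTTP answer for a challenge URL means for http-01."""
    text = body.strip()
    if status == 200 and text == expected:
        return "ok"
    # An HTML page (site page, proxy or provider error page) answered instead
    # of the plain-text challenge file, as in the error quoted in the thread.
    if "html" in content_type.lower() or text.lower().startswith(
            ("<!doctype", "<html", "<meta")):
        return "html-instead-of-token"
    if status != 200:
        return "http-%d" % status
    return "mismatch"


def probe(host, name, expected, timeout=10):
    """Fetch the test file over plain HTTP (port 80) and classify the answer."""
    url = "http://" + host + CHALLENGE_PATH + name
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, headers, raw = resp.status, resp.headers, resp.read(4096)
    except urllib.error.HTTPError as err:
        status, headers, raw = err.code, err.headers, err.read(4096)
    except OSError:  # URLError, refused connection, timeout, DNS failure
        return "unreachable"
    body = raw.decode("utf-8", "replace")
    return classify(status, headers.get("Content-Type", ""), body, expected)


if __name__ == "__main__":
    # Usage: python3 preflight.py example.com preflight-test constructed-value
    host, name, expected = sys.argv[1:4]
    result = probe(host, name, expected)
    print(host, result)
    sys.exit(0 if result == "ok" else 1)
```

A result other than `ok` means the HTTP side of the site still needs fixing before the certificate request is retried.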

Thanks for your help.
I managed to get a certificate with the DNS method using the certbot-auto tool.
I would definitely like to set up auto-renewal of the certificate to avoid such a situation in the future. Is it possible?

Certbot’s autorenewal is somewhat limited with DNS authentication, especially for people running certbot-auto. How is your DNS hosted? Do you know if you have an interface to make changes from software, or did you have to log into a DNS control panel or edit a zone file yourself in order to add the TXT record?

DNS is with Google Domains. This time I had to add a TXT record manually; not sure it’s possible through some utility like dnspython. I will need to explore that, definitely don’t want to rely on manual renewal. Let me know if there are any tools available for this. Appreciate your help and time on this.

Unfortunately, a recent thread suggested that there isn't a suitable API in Google Domains to allow you to add TXT records programmatically:

I know Google doesn't have a lot of user support for free services, but maybe there is somewhere that you could ask Google or a community of Google Domains users about this.
