`dns-google` cannot access service account IAM roles

My domain is: evtots.com

I ran this command:

sudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" certbot/dns-google certonly --dns-google

It produced this output:

Encountered error finding managed zone: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">

My web server is (include version):
EnvoyProxy v1.11.2 in Docker

The operating system my web server runs on is (include version):
CentOS 8 is the host for Docker version 19.03.4, build 9013bf583a

My hosting provider, if applicable, is:
Google Cloud Platform with Google Compute Engine

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Fetched latest from docker

More details:

  • I ran the same command with --verbose --force-interactive --dry-run to see the outcome. This is what I get
Calling registered functions
Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json
Error finding zone. Skipping cleanup.
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 271, in _find_managed_zone_id
    response = request.execute()
  File "/usr/local/lib/python3.7/site-packages/oauth2client/util.py", line 140, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 760, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/certbot/src/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/certbot/src/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/certbot/src/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/client.py", line 384, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/certbot/src/certbot/auth_handler.py", line 69, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/opt/certbot/src/certbot/plugins/dns_common.py", line 58, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 70, in _perform
    self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 113, in add_txt_record
    zone_id = self._find_managed_zone_id(domain)
  File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 275, in _find_managed_zone_id
    .format(e))
certbot.errors.PluginError: Encountered error finding managed zone: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
Encountered error finding managed zone: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
  • A service account is linked to this Google Compute Engine instance. This service account has been tested in two variants. Both variants result in the same error. The same results were observed while using CentOS 7 to rule out issues with CentOS 8. Here are the two assigned IAM roles. These roles were tested out individually.
    • DNS Administrator
    • Owner

EDIT:
Using --dns-google-credentials "<path to file>" flag helps in getting the TLS certificate. However, a service account is linked to this instance. And I would prefer not having credentials on the server.

1 Like
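Added diagnostic, not part of this thread or of certbot: the 401 above says the managedZones request went out with no bearer token at all (a scope or IAM problem would come back as 403), so the useful first step is to walk the same chain the dns-google plugin relies on from inside the container: metadata server reachable, which access scopes the instance's default service account was granted, and whether a token from it can list the zone. The metadata and Cloud DNS v1 URLs are the public ones; the project id, zone id and scope list in the script are read at runtime, and the sample values in the comments are constructed.

```python
"""Walk the credential chain certbot dns-google uses on a GCE instance:
metadata server -> access token -> Cloud DNS managedZones lookup, and
report the first link that breaks. Run it inside the certbot container
with the domain as the only argument."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

METADATA_BASE = "http://metadata.google.internal/computeMetadata/v1/"
DNS_API_BASE = "https://dns.googleapis.com/dns/v1/"
# A token minted by the metadata server can only call Cloud DNS if the VM
# was created with one of these access scopes; the scope is enforced
# regardless of which IAM role (DNS Administrator, Owner) the account holds.
DNS_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
}


def metadata_request(path):
    """(url, headers) for a metadata-server lookup. The Metadata-Flavor
    header is mandatory; without it the server refuses the request."""
    return METADATA_BASE + path, {"Metadata-Flavor": "Google"}


def dns_scope_status(scopes_text):
    """Given the newline-separated scope list the metadata server returns,
    report whether Cloud DNS is reachable and which scopes make it so."""
    granted = {s.strip() for s in scopes_text.splitlines() if s.strip()}
    usable = sorted(granted & DNS_SCOPES)
    return bool(usable), usable


def managed_zone_lookup(project_id, dns_name, token):
    """The managedZones request certbot makes, with the bearer token the
    failing request in the thread was missing."""
    if not dns_name.endswith("."):
        dns_name += "."
    query = urllib.parse.urlencode({"dnsName": dns_name, "alt": "json"})
    url = DNS_API_BASE + "projects/%s/managedZones?%s" % (project_id, query)
    return url, {"Authorization": "Bearer " + token}


def find_managed_zone_id(response_json, dns_name):
    """Pick the zone id for dns_name out of a managedZones response body
    (e.g. {"managedZones": [{"id": "123", "dnsName": "evtots.com."}]});
    None when no zone matches, which is what the plugin trips over."""
    if not dns_name.endswith("."):
        dns_name += "."
    for zone in response_json.get("managedZones", []):
        if zone.get("dnsName") == dns_name:
            return zone.get("id")
    return None


def fetch(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def main(dns_name):
    try:
        email = fetch(*metadata_request("instance/service-accounts/default/email"))
    except (urllib.error.URLError, OSError) as exc:
        print("metadata server unreachable from this container:", exc)
        return 2
    print("instance service account:", email)
    scopes = fetch(*metadata_request("instance/service-accounts/default/scopes"))
    ok, usable = dns_scope_status(scopes)
    print("Cloud DNS access scope granted:", ok, usable)
    if not ok:
        print("no DNS-capable scope on the VM; IAM roles alone will not help")
        return 3
    project = fetch(*metadata_request("project/project-id"))
    token_body = fetch(*metadata_request("instance/service-accounts/default/token"))
    token = json.loads(token_body)["access_token"]
    try:
        body = fetch(*managed_zone_lookup(project, dns_name, token))
    except urllib.error.HTTPError as exc:
        print("managedZones call failed:", exc.code, exc.read().decode()[:200])
        return 4
    zone_id = find_managed_zone_id(json.loads(body), dns_name)
    print("managed zone id:", zone_id if zone_id else "none found for " + dns_name)
    return 0 if zone_id else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

If the first step already fails, the container cannot reach metadata.google.internal and no instance-attached identity is available to any client in it; if the scope check fails, the fix is on the VM's access scopes, not its IAM bindings; only if both pass and the zone lookup still returns 401 is the plugin itself failing to pick the metadata credential up.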

Service account works fine with sample examples provided in the GCP API SDK for NodeJS

1 Like

Should you be also using?:
--dns-google-credentials

It is not required for cases where we have a service account linked with GCP’s Compute Engine. In this case there is a service account linked.

1 Like

Did it work previously?
If so, what changed?

1 Like

This is the first time I am trying to get a TLS for this domain. A few months ago in a similar setting and different domain, this command worked like a charm.

1 Like

Sorry I don't have first hand experience with this...
But looking around and comparing, I don't see where you specified the domain(s) being requested.
Is that required?

1 Like

We can pass domain as an argument using -d "<domain name>", replace the <domain name> with the actual domain name.

I prefer running interactively. I input it when the certbot application is running inside the container.

This is where the domain name is provided

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): evtots.com
1 Like

Is there more detail in the LE log file that may shed some light?
Otherwise, we may need to wait for someone with specific knowledge to respond.

Give me some time to find any useful information. Appreciate all the effort you are putting in.:smiley:

1 Like

As a test, can you try with:
--dns-google-credentials
[just to be sure it works - i.e. the “Expected OAuth 2 access” is met]

1 Like

As filled with information the web is…
I can’t find any related information specific to all three: certbot docker google-dns
In this case, all variants with “two out of three” were bad :frowning:

2 Likes

Providing credentials helped get TLS certificates. However, the service account is linked with the instance. Our team's tech standard disallows storing credentials on the server instance with an active service account linked to the instance.

1 Like

At least we’re making some progress.
baby steps… but in the right direction :slight_smile:

2 Likes

This is a smart and sensible precaution. You have a couple options:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.