My domain is: evtots.com
I ran this command:
sudo docker run -it --rm --name certbot -v "/etc/letsencrypt:/etc/letsencrypt" -v "/var/lib/letsencrypt:/var/lib/letsencrypt" -v "/var/log/letsencrypt:/var/log/letsencrypt" certbot/dns-google certonly --dns-google
It produced this output:
Encountered error finding managed zone:
<HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
My web server is (include version):
EnvoyProxy v1.11.2 in Docker
The operating system my web server runs on is (include version):
CentOS 8 is the host for Docker version 19.03.4, build 9013bf583a
My hosting provider, if applicable, is:
Google Cloud Platform with Google Compute Engine
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Fetched latest from docker
More details:
- I ran the same command with --verbose --force-interactive --dry-run to see the outcome. This is what I get:
Calling registered functions
Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json
Error finding zone. Skipping cleanup.
Exiting abnormally:
Traceback (most recent call last):
File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 271, in _find_managed_zone_id
response = request.execute()
File "/usr/local/lib/python3.7/site-packages/oauth2client/util.py", line 140, in positional_wrapper
return wrapped(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/googleapiclient/http.py", line 760, in execute
raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 11, in <module>
load_entry_point('certbot', 'console_scripts', 'certbot')()
File "/opt/certbot/src/certbot/main.py", line 1378, in main
return config.func(config, plugins)
File "/opt/certbot/src/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/certbot/src/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/certbot/src/certbot/client.py", line 405, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/certbot/src/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/certbot/src/certbot/client.py", line 384, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/certbot/src/certbot/auth_handler.py", line 69, in handle_authorizations
resps = self.auth.perform(achalls)
File "/opt/certbot/src/certbot/plugins/dns_common.py", line 58, in perform
self._perform(domain, validation_domain_name, validation)
File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 70, in _perform
self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 113, in add_txt_record
zone_id = self._find_managed_zone_id(domain)
File "/opt/certbot/src/certbot-dns-google/certbot_dns_google/dns_google.py", line 275, in _find_managed_zone_id
.format(e))
certbot.errors.PluginError: Encountered error finding managed zone: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
Encountered error finding managed zone: <HttpError 401 when requesting https://dns.googleapis.com/dns/v1/projects/<project-id>/managedZones?dnsName=evtots.com.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">
- A service account is linked to this Google Compute Engine instance. This service account has been tested in two variants. Both variants result in the same error. The same results were observed while using CentOS 7 to rule out issues with CentOS 8. Here are the two assigned IAM roles. These roles were tested out individually.
- DNS Administrator
- Owner
EDIT:
Using the --dns-google-credentials "<path to file>" flag helps in getting the TLS certificate. However, a service account is linked to this instance. And I would prefer not having credentials on the server.