I created my certificates using dns-google for a Compute Engine VM instance.
Here's the documentation I followed: DNS-Google
The certificates were created perfectly; they all work.
The problem lies in the renewal.
I've been doing:
sudo certbot renew --dry-run
I keep getting errors:
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/DOMAINs.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-google, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for DOMAIN.co
dns-01 challenge for DOMAIN.com
dns-01 challenge for DOMAIN.co
dns-01 challenge for DOMAIN.com
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/DOMAINs/managedZones?alt=json&dnsName=DOMAIN.co.
Encountered 403 Forbidden with reason "forbidden"
Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/DOMAINs/managedZones?alt=json&dnsName=DOMAIN.co.
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/DOMAINs/managedZones?alt=json&dnsName=DOMAIN.com.
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/DOMAINs/managedZones?alt=json&dnsName=DOMAIN.co.
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://dns.googleapis.com/dns/v1/projects/DOMAINs/managedZones?alt=json&dnsName=DOMAIN.com.
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
Attempting to renew cert (DOMAINs) from /etc/letsencrypt/renewal/DOMAINs.conf produced an unexpected error: Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/investizens/managedZones?alt=json&dnsName=DOMAIN.co. returned "Request had insufficient authentication scopes.">. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/DOMAINs/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/DOMAINs/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
Is there something I need to add to my /etc/letsencrypt/renewal/DOMAINs.conf?
I also gave DNS administrator permissions to the service account. What else can I do?