Dns-google dns-01 GCE Authentication problems

Hi guys!
First of all, it was my first attempt to get a wildcard cert and I'm new to GCP as well, so I'm probably doing something wrong; could you guys have a look?

An important thing: I could get the cert using --dns-google-credentials, so my problem is that, as certbot can use the GCE metadata to generate an authentication token, I shouldn't be using a credential file, right? I may be using a wrong permission in GCP...

My config on GCP

I’ve created a new service account and assigned every permission:

I’ve tried both service accounts on my GCE:

My GCE is using the service Acc and all scopes:

Google DNS API is up and running:

I can use python gcloud to manage my DNS records:

But certbot cannot access it without the file…

My domain is: jcsj.me

I ran this command:
sudo certbot certonly --dns-google -d "jcsj.me" -d "*.jcsj.me"

It produced this output:

Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for jcsj.me
dns-01 challenge for jcsj.me
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/jonasjuni-219416/managedZones?dnsName=jcsj.me.&alt=json
Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/jonasjuni-219416/managedZones?dnsName=jcsj.me.&alt=json
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/jonasjuni-219416/managedZones?dnsName=jcsj.me.&alt=json
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 401 when requesting https://www.googleapis.com/dns/v1/projects/jonasjuni-219416/managedZones?dnsName=jcsj.me.&alt=json returned "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.">

My web server is (include version):
nginx/1.14.0
The operating system my web server runs on is (include version):
Ubuntu 18.04.2 LTS
My hosting provider, if applicable, is:
GCP
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0
DNS provider:
Google Cloud DNS
Registrar:
Godaddy

Interesting fact: I'm having the same issue.

Cheers!!!
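The 401 in the output above says the DNS API received no credential at all, which is a different failure from a token that lacks DNS scope or an account that lacks a DNS role. The script below is an added diagnostic for this thread, not certbot's own code: run on the VM, it asks the GCE metadata server which OAuth scopes the instance service account has, mints a token the same way certbot's dns-google plugin would without a credentials file, and then makes the same managedZones call certbot makes. The metadata endpoints, the Metadata-Flavor header and the scope URIs are Google's documented values; the meaning assigned to each HTTP status in explain_dns_error is this script's own interpretation (an assumption), not text from the API.

```python
"""Check whether a GCE VM can obtain a DNS-capable access token from the
metadata server, which is what certbot's dns-google plugin relies on when
no --dns-google-credentials file is given.

Added diagnostic for the thread above, not certbot's own code. The error
interpretation in explain_dns_error is this script's own reading (assumption)."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

METADATA_BASE = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")
METADATA_HEADERS = {"Metadata-Flavor": "Google"}

# Either of these OAuth scopes lets a token call the Cloud DNS API.
DNS_SCOPES = frozenset({
    "https://www.googleapis.com/auth/ndev.clouddns.readwrite",
    "https://www.googleapis.com/auth/cloud-platform",
})


def metadata_get(path, timeout=2):
    """Fetch one value from the instance metadata server (only works on GCE)."""
    req = urllib.request.Request(METADATA_BASE + path, headers=METADATA_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def parse_scopes(raw):
    """The .../scopes endpoint returns one scope URI per line."""
    return frozenset(line.strip() for line in raw.splitlines() if line.strip())


def dns_scope_status(scopes):
    """Return (ok, reason): does this scope set permit Cloud DNS calls?"""
    granted = sorted(scopes & DNS_SCOPES)
    if granted:
        return True, "DNS-capable scope present: " + ", ".join(granted)
    return False, ("no DNS-capable scope on the instance service account; "
                   "tokens it mints will be rejected by the DNS API")


def explain_dns_error(status):
    """Rough meaning of a managedZones error code (this script's own reading)."""
    if status == 401:
        return ("401: no valid credential reached the API, i.e. the client "
                "never attached a bearer token; check token acquisition first")
    if status == 403:
        return ("403: the token was accepted but the service account lacks a "
                "DNS role (e.g. roles/dns.admin) or the DNS API is disabled")
    if status == 404:
        return "404: project not found or not visible to this account"
    return "%d: unexpected response" % status


def check_managed_zones(project, dns_name, token):
    """Call managedZones the way certbot does; return (ok, zones_or_reason)."""
    url = ("https://www.googleapis.com/dns/v1/projects/%s/managedZones?%s"
           % (urllib.parse.quote(project),
              urllib.parse.urlencode({"dnsName": dns_name})))
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            zones = json.load(resp).get("managedZones", [])
            return True, [z["name"] for z in zones]
    except urllib.error.HTTPError as err:
        return False, explain_dns_error(err.code)


def main(project, dns_name):
    """Scopes first, then a real token, then the same API call certbot makes."""
    try:
        scopes = parse_scopes(metadata_get("scopes"))
    except (urllib.error.URLError, OSError) as err:
        print("metadata server unreachable (not on GCE?):", err)
        return 2
    ok, reason = dns_scope_status(scopes)
    print(reason)
    if not ok:
        return 1
    token = json.loads(metadata_get("token"))["access_token"]
    ok, result = check_managed_zones(project, dns_name, token)
    print("managed zones:" if ok else "DNS API call failed:", result)
    return 0 if ok else 1


if __name__ == "__main__":
    # usage: python3 check_dns_token.py <project-id> <zone-name-with-trailing-dot>
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it on the VM with your project id and the zone name including the trailing dot (as in the certbot log). A failure at the scope step means the instance service account cannot mint a DNS-capable token no matter what IAM roles it holds; a 403 at the API step means the token is fine and the problem is the role or the API enablement; a 401 at the API step, with a token in hand, would point at the client rather than the account.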