Dns-google how-to?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly --dns-google --dns-google-credentials /etc/lighttpd/certs/airpi-313822.json -d airpi.us

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-google, Installer None
Requesting a certificate for airpi.us
Performing the following challenges:
dns-01 challenge for airpi.us
Attempting refresh to obtain initial access_token
Refreshing access_token
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain airpi.us
dns-01 challenge for airpi.us
Cleaning up challenges
Attempting refresh to obtain initial access_token
Refreshing access_token
Some challenges have failed.


  • The following errors were reported by the server:

    Domain: airpi.us
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.airpi.us - check that a DNS record exists for this

My web server is (include version):

The operating system my web server runs on is (include version):
Raspbian 10 (buster)
My hosting provider, if applicable, is:
home server
google domain hosting
google cloud dns

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.15.0

I have a website running on a raspberry pi at home. I have a domain registered with domains.google.com, using Google Cloud DNS.
My ISP is Cox, which blocks port 80.
I CAN access my site on port 443 (or any other port I configure). I have HTTPS with a self-signed cert.

I can't use HTTP-01 challenge because Cox blocks port 80.
I have run the command above to use dns-google to use the DNS challenge, but that fails.
The documentation for dns-google plugin is... scanty.
The error message says that there was a problem looking up the TXT DNS record, and that I should check that it exists. First of all, doesn't the plugin create that record (and then remove it)? That's what the docs say.
I also tried running certbot with --manual, and I DID create a TXT DNS record with the appropriate name, but that is also not found.
Any suggestions what I should look into next?

Could you provide us the contents of /etc/lighttpd/certs/airpi-313822.json where you obfuscate all the private info such as tokens et cetera?

That could be due to:

  • The change in the DNS zone has not propagated to every authoritative name server yet -> you'd need to wait longer;
  • You've made the change to the incorrect DNS zone, i.e., the wrong DNS provider.

Currently, there is no TXT record visible at _acme-challenge.airpi.us. Did you also remove your manually added TXT record?


Currently, there is no TXT record visible at _acme-challenge.airpi.us. Did you also remove your manually added TXT record?

I suspect this is my problem. I THINK I already have a TXT DNS record created in the managed zone of Google Cloud DNS.
I also JUST created a TXT DNS custom resource record in domains.google.com with that name.

Even if you did, it's not publicly available:

Dig (DNS lookup) -> " Record not found!"

Thanks for that link. But a question about dns-google: the documentation seems to say that the plugin creates and then deletes the TXT DNS record. Is that correct? If so, then I will focus on investigating why that's not working. Otherwise I will try to understand why the TXT record(s) I have created are not visible.

Yes, that's its purpose.

I would recommend you debug the other way around, because if your manual changes to the DNS zone aren't working, why would you think those changes would work if they were automated by the dns-google plugin? In both cases the validation would fail.

I would recommend you try to get an actual TXT record publicly published first.


Where can I find information about creating TXT DNS records such as I would need to make certbot work? I HAVE created TXT DNS records for _acme-challenge.airpi.us. via domains.google.com, and also via google cloud DNS, but they are not published, I guess. I don't see them with Dig (DNS lookup).

I assume this is basic user error, but I haven't found any documentation or reference info that helps.


Well, if you can't manually update DNS records and have it show up in the public DNS, it sounds like you're editing them in the wrong place. I'm not sure anybody here will be able to help you much with it, as from here all we can see is just agreeing that the DNS records aren't there. If you're paying Google to host your DNS, and can't update it through Google's interface, you may want to contact their support.


I can confirm that whatever you did to create _acme-challenge.airpi.us with value sample hash is working fine and is visible. I've only used Google Cloud DNS but that's where I would expect you to do everything and that's likely what your .json credentials are for. I'd say it has very little to do with domains.google.com and your nameservers are all in Google Cloud DNS.

Note that with Google Cloud DNS you need to wait at least 60 seconds for the TXT records to anycast to the nameservers.

The "sample hash" I can see now too. Might be as simple as a longer propagation time indeed.

Are "domains.google.com" and "Google Cloud DNS" two completely different DNS services provided by Google? That sounds… confusing. Or am I misunderstanding you?

I haven't really used domains.google.com much so I don't know what the DNS functionality of it is, but it's the consumer side of their domain registration business.

Google Cloud DNS on the other hand is their full on DNS zone hosting (like AWS Route 53), it has APIs and IAM controlled service accounts etc and is an integrated part of all their cloud stuff. As far as I know any API that talks about Google DNS is talking Google Cloud DNS, and this one definitely is.

Here's how I resolved this. First of all, Google Domains and Google DNS are separate and distinct. I read this several times, but no one explained how that matters.
domains.google.com provides a convenient way to use their DNS servers, and then take advantage of a variety of convenient features, such as DynamicDNS, which is why I was interested in the service in the first place. But... that Google DNS service isn't the same as Google Cloud DNS, the service that provides the API that certbot uses.
So, I was sad to discover, I can't use Google's Dynamic DNS service (to use a server at home) and also use the certbot dns-google plugin (to use HTTPS with a CA cert).
The solution, finally, was to change my Google Domains configuration to use "custom name servers" (in my case, Google Cloud DNS servers that my account is using) instead of the option to "Use the Google Domains name servers". This means no more DynamicDNS.

I don't know why that wasn't immediately obvious. :)
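
An added example, not code from any poster in this thread: a check that separates the causes named above (record written to a zone the domain is not delegated to, versus a record that has not yet reached every authoritative server). The nameserver names and the token are constructed placeholders; `dig_short` is a hypothetical helper around the real `dig +short` command for gathering the inputs live.

```python
import subprocess

def norm(names):
    """Lower-case names and drop the trailing dot so they compare equal."""
    return {n.strip().lower().rstrip(".") for n in names if n.strip()}

def dig_short(rtype, name, server=None):
    """Live lookup with dig; returns answer lines (not used by the sample run)."""
    cmd = ["dig", "+short", rtype, name] + ([f"@{server}"] if server else [])
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return out.splitlines()

def diagnose(delegated_ns, api_zone_ns, txt_by_server, expected):
    """Classify why a dns-01 TXT lookup fails.

    delegated_ns  -- NS names public DNS returns for the domain
    api_zone_ns   -- NS names of the zone the API credentials edit
    txt_by_server -- {nameserver: TXT values it returns for _acme-challenge}
    expected      -- the TXT value that was written
    """
    delegated, zone = norm(delegated_ns), norm(api_zone_ns)
    if not delegated:
        return "no-delegation"
    if not delegated <= zone:
        # Resolvers are sent to servers that do not serve the edited zone.
        return "wrong-zone"
    seen = {s.lower().rstrip("."): {v.strip('"') for v in vals}
            for s, vals in txt_by_server.items()}
    missing = [s for s in sorted(delegated) if expected not in seen.get(s, set())]
    if not missing:
        return "ok"
    return "not-published" if len(missing) == len(delegated) else "propagating"

# Constructed sample data: placeholder nameserver names and token.
REGISTRAR_NS = ["ns1.registrar-dns.example.", "ns2.registrar-dns.example."]
CLOUD_NS = ["ns-a1.cloud-dns.example.", "ns-a2.cloud-dns.example."]
TOKEN = "constructed-challenge-value"

if __name__ == "__main__":
    # Domain still delegated to the registrar's servers: prints "wrong-zone".
    print(diagnose(REGISTRAR_NS, CLOUD_NS, {}, TOKEN))
```

For a live run, fill `delegated_ns` from `dig_short("NS", domain)` and `txt_by_server` by querying each of those servers for the `_acme-challenge` TXT record.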


Perhaps it means no more 1-click DynamicDNS automatically through your router or whatever you had that knew how to update Google Domains. But there's nothing stopping you from writing (or finding something that already exists) and using a script to update your now Google Cloud DNS zone with your current IP address.


Check https://si.w5gfe.org/ for some ideas. (edited - original said "solution", which was not correct)


Cool. This is interesting, and along the lines of where I hope to end up. Thanks.


You are not misunderstanding me. It is confusing.

