Google DNS integration and cross-project issuance

Hi,

Is it possible to have certbot+dns-google issue a certificate where there are two SANs, each in a different subdomain delegation and GCP project?

The problem I am seeing is that certbot cannot run API calls against two GCP projects in the same certificate generation.

Thank you

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

example.com

I ran this command:

certbot certonly --dns-google --dns-google-credentials=/creds/.credentials --non-interactive -m redacted@example.com --agree-tos --expand -d example.com.

It produced this output:

(Issuance is correct)

My web server is (include version):

n/a

The operating system my web server runs on is (include version):

Container-Optimized OS

My hosting provider, if applicable, is:

GCP

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot/dns-google:latest

I’m guessing this is because Google Cloud DNS API queries are project specific. For instance, there’s no generic “Get All DNS Zones” call. It’s “Get All Zones for this project ID”. And the project ID is embedded in the credential JSON file you use as a parameter for the plugin.

In order for the plugin to support making changes across projects, it would either have to accept multiple credential files or at least another parameter in which you could specify a list of project IDs. And in the latter case, you'd then have to educate users on how to apply IAM permissions across projects, which is not terribly intuitive but does appear to be possible: Cross project management using service account.

So ultimately, it’s possible if someone wanted to put in the work to make the plugin capable of it and submit a pull request. But I’m guessing the audience who’d make use of this change is rather small.
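As an added example (not certbot's or the dns-google plugin's code, and written against constructed credential files and zone listings), this Python sketch shows what a multi-project variant of the plugin would have to do: read the project_id bound into each credentials file, consult that project's zone list, and route each SAN to the project and zone whose dnsName is the longest match, failing early when no configured project covers a SAN.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed service-account credential files, one per GCP project. Cloud DNS
# API calls are scoped by the project_id embedded here, which is why a single
# dns-google credentials file can only ever reach one project's zones.
CREDENTIALS: Dict[str, str] = {
    "/creds/prod.json": json.dumps({"type": "service_account", "project_id": "prod-project",
                                    "client_email": "certbot@prod-project.iam.gserviceaccount.com"}),
    "/creds/lab.json": json.dumps({"type": "service_account", "project_id": "lab-project",
                                   "client_email": "certbot@lab-project.iam.gserviceaccount.com"}),
}

# Constructed stand-in for per-project managedZones.list responses. Real
# responses carry the same "name" and "dnsName" fields (dnsName is absolute).
ZONES_BY_PROJECT: Dict[str, List[dict]] = {
    "prod-project": [{"name": "example-root", "dnsName": "example.com."}],
    "lab-project": [{"name": "lab-sub", "dnsName": "lab.example.com."}],
}


def project_id_from_credentials(raw_json: str) -> str:
    """Return the project a credentials file is bound to (the only project it can manage)."""
    return json.loads(raw_json)["project_id"]


def find_zone(domain: str, zones: List[dict]) -> Optional[dict]:
    """Longest-suffix match: the zone whose dnsName is the longest parent of domain, or None."""
    fqdn = domain.rstrip(".") + "."
    candidates = [z for z in zones if fqdn == z["dnsName"] or fqdn.endswith("." + z["dnsName"])]
    return max(candidates, key=lambda z: len(z["dnsName"]), default=None)


def route_sans(domains: List[str], credentials: Dict[str, str],
               zones_by_project: Dict[str, List[dict]]) -> Dict[str, Tuple[str, str]]:
    """Map each SAN to the (project_id, zone name) that must host its _acme-challenge TXT.

    Across all credential files, the longest matching zone wins, so a delegated
    subdomain zone in a second project beats the parent zone in the first.
    Raises LookupError if no configured project has a zone covering a SAN.
    """
    routes: Dict[str, Tuple[str, str]] = {}
    for domain in domains:
        best = None  # (project_id, zone name, dnsName)
        for raw in credentials.values():
            project = project_id_from_credentials(raw)
            zone = find_zone(domain, zones_by_project.get(project, []))
            if zone and (best is None or len(zone["dnsName"]) > len(best[2])):
                best = (project, zone["name"], zone["dnsName"])
        if best is None:
            raise LookupError(f"no Cloud DNS zone in any configured project covers {domain}")
        routes[domain] = (best[0], best[1])
    return routes
```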
