Guidance needed: Setting up Google Domain with Google Cloud DNS and Lets Encrypt wildcard... possible?

Guys, as in topic... I want to manage my domain in Google Domain, there i can create a Dynamic DNS and push my IP update..., lets encrypt works with DNS challenge with Cloud DNS...

In Google cloud dns
Created a new zone called "" , that gave me some NS records like :

In Google Domains
Created a CNAME record with DATA:
Created a NS record with DATA:
For wildcard purposes:
Created a Dynamic DNS A record :
Created a CNAME record * with DATA

Now, i run Lets Encrypt, i need to pass this as domain : , since thats the zone thats needs to be validated... the certificates are being created, all is working..

BUT : the certificate is created for only , so i cant use it for the root domain or all other subdomains... What do i need to change?
My guess, the zone created in Google Cloud DNS is wrong , i need to create a zone like "" or "*" if that is even possible? but how can i do the split DNS then?

Guidance is needed :slight_smile:

I also tried creating a new zone in Google Cloud DNS with "" instead of ""
then in lets encrypt i gave "*" for creating the ssl, lets encrypt found the zone...

but in google domains, i cant make a proper NS record.
i tried creating a NS record like "*" that points to: , but thats not allowed it seems....

So i'm stuck here , probably a simple solution, but not sure how i need to configure it....


I think you need to better understand DNS.
It looks like the entire zone is being handled by "".
If so, why would you CNAME a record to then create an NS record for it that explicitly names the exact same nameserver that is already set to handle that entire zone?

I don't yet see the part where we can step in and assist with anything LE/certificate related.
The immediate problem (as I see it) is entirely DNS related.

Exactly which names are on that cert?
[certbot certificates]

How was it obtained?
[via DNS-01 auth OR via HTTP-01 auth]


Hi thnx for anwering
it was obtained with DNS-01 challenge, i dont want port forwarding
the exact name on certificate was for :

1 Like

Which ACME client are you using?

1 Like

i'm using the lets encrypt add-on from Home Assistant

I'm not familiar with that client :frowning:

I would remove as much as possible from the DNS zone [to include the CNAMEs (back to itself)].
Then try obtaining a cert with a different name (or names).
If that works, then try to get one with all the name(s) that you need and the wildcard for that domain.
It might end up just being two entries:

  • *
1 Like

When i create the zone in Google Cloud DNS, the only records created there are the SOA and NS records, nothing else, also, i cant delete those NS records there...

So i can only change/add/delete stuff on Google Cloud domain itself... not quite clear then what i need to remove or change?

You should NOT delete NS records.
Delete all the CNAMEs you created.
[and any NS records that YOU created]


on the google domain? if i do that, that when i run the encrupt, it tells me it was unable to find the acme_challenge record

Did you follow any guide for obtaining LE certs for Home Assistant?

1 Like

The guide is to use Google Cloud DNS, but i have a combination to use Google Cloud for DNS and to use Google Domains for the registrar

i followed this one , i have the exact same setup
the only problem is that i now have a certificat for , but i cant use it, since thats a cname for the NS ... so i need somekind of wildcard ...

that link i followed

no. you don't send but * (and as it's not included in wildcard) for wildcard certificate. LE will ask to add record to thought(just typed in, may have typo here)


but the domain i created in google cloud DNS, is called "" , if i then send with lets encrypt this : "*" , then it fails, and creates an error thats its unable to find that zone...

if i create the zone with instead of , then it works when i use wild card like *

but then i'm struggling with creating the records on the google domain
i need to create there an CNAME record with with DATA =>

so far so good, lets encrypt is finding that record
but then i need to add a custom NS record, because the ones on google domain are not the same as on google cloud dns
i cant create a NS record like * that points to that google NS record on google cloud dns

No. Why?

1 Like

if i dont create that record on google domain, then i receive an error, that its unable to find the TXT record :

You don't need to point that to anywhere else.

1 Like

yes, normally not if google domain and google cloud DNS is the same, but they are completely different packages?

You keep confusing the Hosting Service Provider (HSP) with the DNS Service Provider (DSP).
HSPs are for hosting web sites, etc.
DSP are for service DNS zones.

In order to get a wildcard cert, all you need is an ACME client that can update your DNS zone and a DSP that supports zone updates via API.
There is no requirement to even have an HSP - all you need is DNS (and ACME client).

So, stop confusing them together - I know they both contain the word "Google" but so does Gmail and that has nothing to do with this either.

1 Like

When you query the name servers for your zone:
nslookup -q=ns
Whatever names are show there is where LE will go look for the _acme-challenge TXT record.
The ACME client needs to update that DNS zone (via one of those DNS servers OR their unlisted primary OR you can update it manually via a web control panel).

1 Like