Guys, as in topic... I want to manage my domain in Google Domains; there I can create a Dynamic DNS and push my IP update... Let's Encrypt works with the DNS challenge with Cloud DNS...
Now, I run Let's Encrypt; I need to pass this as the domain: acme.abc.com, since that's the zone that needs to be validated... the certificates are being created, all is working..
BUT: the certificate is created for only acme.abc.com, so I can't use it for the root domain abc.com or all other subdomains... What do I need to change?
My guess: the zone created in Google Cloud DNS is wrong; I need to create a zone like "abc.com" or "*.abc.com", if that is even possible? But how can I do the split DNS then?
I also tried creating a new zone in Google Cloud DNS with "abc.com" instead of "acme.abc.com";
then in Let's Encrypt I gave "*.abc.com" for creating the SSL certificate; Let's Encrypt found the zone...
but in Google Domains, I can't make a proper NS record.
I tried creating an NS record like "*.abc.com" that points to ns-cloud-c1.googledomains.com, but that's not allowed, it seems....
So I'm stuck here; probably a simple solution, but not sure how I need to configure it....
I think you need to better understand DNS.
It looks like the entire zone is being handled by "ns-cloud-c1.googledomains.com".
If so, why would you CNAME a record to then create an NS record for it that explicitly names the exact same nameserver that is already set to handle that entire zone?
I don't yet see the part where we can step in and assist with anything LE/certificate related.
The immediate problem (as I see it) is entirely DNS related.
Exactly which names are on that cert?
[certbot certificates]
How was it obtained?
[via DNS-01 auth OR via HTTP-01 auth]
I would remove as much as possible from the DNS zone [to include the CNAMEs (back to itself)].
Then try obtaining a cert with a different name (or names).
If that works, then try to get one with all the name(s) that you need and the wildcard for that domain.
It might end up just being two entries:
When I create the zone in Google Cloud DNS, the only records created there are the SOA and NS records, nothing else; also, I can't delete those NS records there...
So I can only change/add/delete stuff on Google Cloud Domain itself... not quite clear then what I need to remove or change?
The guide is to use Google Cloud DNS, but I have a combination: Google Cloud for DNS and Google Domains for the registrar.
I followed this one; I have the exact same setup.
The only problem is that I now have a certificate for acme.abc.com, but I can't use it, since that's a CNAME for the NS... so I need some kind of wildcard...
No. You don't send acme.abc.com but *.abc.com (and abc.com, as it's not included in the wildcard) for a wildcard certificate. LE will ask you to add a record to _acme-challenge.abc.com though (just typed in, may have a typo here).
But the domain I created in Google Cloud DNS is called "acme.abc.com"; if I then send this with Let's Encrypt: "*.abc.com", then it fails and creates an error that it's unable to find that zone...
If I create the zone with abc.com instead of acme.abc.com, then it works when I use a wildcard like *.abc.com,
but then I'm struggling with creating the records on Google Domains.
I need to create there a CNAME record for _acme-challenge.abc.com with DATA => abc.com.
So far so good, Let's Encrypt is finding that record,
but then I need to add a custom NS record, because the ones on Google Domains are not the same as on Google Cloud DNS.
I can't create an NS record like *.abc.com that points to that Google NS record on Google Cloud DNS.
You keep confusing the Hosting Service Provider (HSP) with the DNS Service Provider (DSP).
HSPs are for hosting web sites, etc.
DSPs are for serving DNS zones.
In order to get a wildcard cert, all you need is an ACME client that can update your DNS zone and a DSP that supports zone updates via API.
There is no requirement to even have an HSP - all you need is DNS (and ACME client).
So, stop confusing them together - I know they both contain the word "Google" but so does Gmail and that has nothing to do with this either.
When you query the name servers for your zone: nslookup -q=ns abc.com
Whatever names are shown there is where LE will go look for the _acme-challenge TXT record.
The ACME client needs to update that DNS zone (via one of those DNS servers OR their unlisted primary OR you can update it manually via a web control panel).
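To make the two points above concrete (which names go on a wildcard order, and which zone the _acme-challenge TXT record has to land in), here is an added example that is not part of the thread and not Google's or Let's Encrypt's code. It is an offline model of the lookup chain: two constructed zones stand in for the split setup discussed here, the registrar's zone for abc.com (which delegates acme.abc.com with an NS record and aliases _acme-challenge.abc.com into that subzone) and the Cloud DNS zone for acme.abc.com that an ACME client can update by API. All owner names, the ns1.registrar.example nameserver, the IP and the token are constructed; ns-cloud-c1.googledomains.com is the hostname quoted in the thread.

```python
"""Added example (not from the thread): an offline model of the DNS-01 lookup chain.

Models the split-DNS layout discussed above with constructed zone data so it
runs without network access. A real validator would query the nameservers
returned for the zone (e.g. `nslookup -q=ns abc.com`) instead of this table.
"""

MAX_CNAME_HOPS = 8  # guard against a CNAME loop

# zone apex -> {owner name -> [(rtype, rdata), ...]}   (constructed data)
ZONES = {
    "abc.com": {  # served by the registrar's nameservers (constructed hostname)
        "abc.com": [("NS", "ns1.registrar.example"), ("A", "203.0.113.10")],
        # delegation of the acme subzone to Cloud DNS (hostname from the thread)
        "acme.abc.com": [("NS", "ns-cloud-c1.googledomains.com")],
        # alias the challenge name into the delegated, API-updatable zone
        "_acme-challenge.abc.com": [("CNAME", "_acme-challenge.acme.abc.com")],
    },
    "acme.abc.com": {  # authoritative data held in Cloud DNS
        "acme.abc.com": [("NS", "ns-cloud-c1.googledomains.com")],
        "_acme-challenge.acme.abc.com": [("TXT", "constructed-validation-token")],
    },
}


def authoritative_zone(name):
    """Longest-suffix match: the most specific zone apex that contains name."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        apex = ".".join(labels[i:])
        if apex in ZONES:
            return apex
    raise LookupError(f"no zone serves {name}")


def zone_nameserver(apex):
    """First NS record at the zone apex, i.e. where a validator would send queries."""
    return [r for t, r in ZONES[apex].get(apex, []) if t == "NS"][0]


def resolve(name, rtype):
    """Follow CNAMEs across zones; return (final_name, zone_apex, rdata_list)."""
    current = name.lower().rstrip(".")
    for _ in range(MAX_CNAME_HOPS):
        apex = authoritative_zone(current)
        records = ZONES[apex].get(current, [])
        wanted = [r for t, r in records if t == rtype]
        if wanted:
            return current, apex, wanted
        cname = [r for t, r in records if t == "CNAME"]
        if not cname:
            return current, apex, []  # name exists or not, but no data of that type
        current = cname[0]
    raise LookupError(f"CNAME chain longer than {MAX_CNAME_HOPS} hops")


def challenge_name(identifier):
    """DNS-01 validation name: the leading '*.' is stripped, so *.abc.com and
    abc.com are both validated at _acme-challenge.abc.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def wildcard_identifiers(domain):
    """A wildcard does not cover the apex, so both names go on the order."""
    return [domain, f"*.{domain}"]


def challenge_location(identifier):
    """Where the ACME client must write the TXT: final owner name, zone and its NS."""
    final_name, apex, _ = resolve(challenge_name(identifier), "TXT")
    return {"name": final_name, "zone": apex, "nameserver": zone_nameserver(apex)}


if __name__ == "__main__":
    for ident in wildcard_identifiers("abc.com"):
        loc = challenge_location(ident)
        print(f"{ident:12} -> TXT at {loc['name']} in zone {loc['zone']} "
              f"(update via {loc['nameserver']})")
```

Running it shows both identifiers resolving to the same TXT owner name inside the acme.abc.com zone, which is why the certificate is ordered for abc.com and *.abc.com while the API-driven record update happens in the delegated zone; the certificate never needs to name acme.abc.com itself.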