How to use --manual-auth-hook with Google DNS?

Problem Summary: I successfully created a certificate with the manual method, dns challenge. I want to know how to enable auto-renewal using the manual-auth hook. I have google domains as dns provider. I understand that google has a plugin that might be used. But I need help doing so.

My domain is:

I ran this command: sudo certbot --manual --preferred-challenges dns certonly -d

It produced this output: successfully produced a manual cert!

My web server is (include version): OpenVPN Access Server

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest ubuntu snap client

If you have certbot 2.1.0, it should be able to handle the Google DNS natively.
User Guide — Certbot 2.1.0 documentation (

You may still need a --deploy-hook to handle the extra steps needed to use the certificate with:


I'll read the documentation, but haven't had much luck deciphering it yet.

Have you ever automated an ACME client to obtain a certificate via DNS-01 authentication?
[the first time is always the hardest - LOL]
If you have not, then I would suggest that you take plenty of notes.
Notes on what fails and what works.
If you plan on testing a bunch, I suggest that you do so against the LE staging environment.
Just add "--dry-run" to your tests and remove that once all tests complete correctly.

Once that has been conqoured, we can focus on using a --deploy-hook to use the new cert.


well, I'm probably in over my head. Just a network engineer setting up openvpn AS and trying to get rid of the certificate errors. I first tried using certbot with http auth, but could not get it to work. I think it is an iptables problem, but could not get it working even after opening ports 80/443. anyway, I'll keep poking around looki.

Will use DNS-01 authentication [which is much more complicated than HTTP-01 authentication].
Is port 80 still open?

We are here to help...


--preferred-challenges dns.....I got this working no problem. However, since this does not auto-renew the cert, not really a long-term solution. So, am pursuing two paths:

  1. sudo certbot certonly --standalone .... get this working, think it is a firewall problem
  2. use the -manual-auth-hook to auto-renew.

I am only pursuing the second choice after being unable to figure out iptables policies to permit the first option. any suggestions?

I don't think Google domains supports an API for changes. you need to have a Google Cloud account for that support


DNS-01 authentication is much more complicated to automate than HTTP-01 authentication.

I'd focus on:

[which requires HTTP-01 authentication - and that requires port 80 access]


Ok, I fill focus on the default method , Will start by completely opening IPtables to verify if it is a port 80/443 problem.

1 Like

Not sure which method was used, but you have been able to obtain a certificate recently: |



will do

That's overkill, and unnecessarily insecure.
Only port 80 needs to be allowed through.


The last time I tried this with the the following command:
sudo certbot certonly --standalone

It failed with the following message:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Here is the iptables config:
Chain INPUT (policy DROP 3805 packets, 182K bytes)
num pkts bytes target prot opt in out source destination
1 26661 54M ACCEPT all -- * * ctstate RELATED,ESTABLISHED
2 3 292 ACCEPT all -- OPT1 * /* allow incoming from OPT1/DMZ /
3 0 0 ACCEPT all -- LAN * /
allow incoming from LAN /
4 2 219 ACCEPT all -- lo * /
allow loopback traffic /
5 0 0 ACCEPT icmp -- LAN * icmptype 8 /
allow ICMP in LAN */
6 0 0 ACCEPT tcp -- * * tcp dpt:80 ctstate NEW,ESTABLISHED
7 1 40 ACCEPT tcp -- * * tcp dpt:443 ctstate NEW,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2386K 1494M ACCEPT all -- * * ctstate RELATED,ESTABLISHED
2 9477 5250K ACCEPT all -- LAN * /* forward traffic from LAN /
3 4241 289K ACCEPT all -- OPT1 * /
forward traffic from OPT1/DMZ */

Chain OUTPUT (policy DROP 94 packets, 5851 bytes)
num pkts bytes target prot opt in out source destination
1 19249 5036K ACCEPT all -- * * ctstate RELATED,ESTABLISHED
2 2 219 ACCEPT all -- * lo /* allow loopback traffic /
3 7171 507K ACCEPT all -- * WAN /
allow outbound to WAN */
4 0 0 ACCEPT tcp -- * * tcp spt:80 ctstate ESTABLISHED
5 0 0 ACCEPT tcp -- * * tcp spt:443 ctstate ESTABLISHED

Notice that port 80 was not hit at all. But port 443 have some hits. What am I doing wrong???

1 Like

That all looks OK.

What is at the edge/in front of your server?
Does that router NAT 80 as it does 443?


The WAN edge device is this ubuntu appliance, which is acting as FW and OpenVPN AS server. Below, are the NAT rules

root@FW6E:/var/log# sudo iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 32027 packets, 9888K bytes)
num pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 41 packets, 2404 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 8041 packets, 644K bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 2733 packets, 164K bytes)
num pkts bytes target prot opt in out source destination
1 28986 10M MASQUERADE all -- * WAN /* masquerade to WAN */

I'm not seeing the NATting... [if any]
Maybe that's expected.

Do you have some other Internet access?
If so, I'd start a packet capture on port 80.
[from that other device]
If no other Internet access, just start the packet capture and let me know when to hit it.

And see if you're even hearing those requests.


Thanks, will do. The last masquerade line NATs all traffic going out the WAN interface. My inside network is LAN and OPT1 interfaces. But since the host is this same box, not sure any nat is being done.

1 Like

I was looking for inbound NAT.
Seeing none seems to be the right thing there.


no inbound nat