Problem with dns-01 challenge using dns-google authenticator


#1

Hey guys,

I am having some trouble getting a certificate issued due to validation failure and was hoping you could help me out…
I am trying to get this set up using a linuxserver/letsencrypt docker container in the following manner:

docker create --name letsencrypt \
  -v `pwd`:/config \
  -e PUID=1871821589 -e PGID=1258410764 \
  -e EMAIL=my-email@dimaj.net \
  -e URL=dimaj.net \
  -e SUBDOMAINS=sql,ldap,htt,oh,nr \
  -e VALIDATION=dns \
  -p 8080:80 -p 8443:443 \
  -e TZ=America/Los_Angeles \
  -e DNSPLUGIN=google \
  -e ONLY_SUBDOMAINS=true \
  -e STAGING=true \
linuxserver/letsencrypt

I have followed the instructions found here to create a service account with the specified permissions. However, when I run the container (docker start letsencrypt && docker logs -f letsencrypt), I see the following output:

Created donoteditthisfile.conf
Backwards compatibility check. . .
No compatibility action needed
NOTICE: Staging is active
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are:  -d sql.dimaj.net -d ldap.dimaj.net -d htt.dimaj.net -d oh.dimaj.net -d nr.dimaj.net
E-mail address entered: my-email@dimaj.net
dns validation via google plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-google, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for sql.dimaj.net
dns-01 challenge for ldap.dimaj.net
dns-01 challenge for htt.dimaj.net
dns-01 challenge for oh.dimaj.net
dns-01 challenge for nr.dimaj.net
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=sql.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Cleaning up challenges
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=sql.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=ldap.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=htt.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=oh.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Error finding zone. Skipping cleanup.
URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=nr.dimaj.net.
Attempting refresh to obtain initial access_token
Refreshing access_token
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
Error finding zone. Skipping cleanup.
Unable to determine managed zone for sql.dimaj.net using zone names: [u'sql.dimaj.net', u'dimaj.net', u'net'].
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/google.ini file.

Do you guys know what I am doing wrong?

Thanks for the help!


#2

I’d be interested in looking at:

to see if it offers any help.


#3

I can’t believe I missed that :slight_smile:

Here’s a piece of that log:

...
2018-03-01 22:48:37,827:INFO:certbot.auth_handler:Performing the following challenges:
2018-03-01 22:48:37,827:INFO:certbot.auth_handler:dns-01 challenge for sql.dimaj.net
2018-03-01 22:48:37,828:INFO:certbot.auth_handler:dns-01 challenge for ldap.dimaj.net
2018-03-01 22:48:37,828:INFO:certbot.auth_handler:dns-01 challenge for htt.dimaj.net
2018-03-01 22:48:37,828:INFO:certbot.auth_handler:dns-01 challenge for oh.dimaj.net
2018-03-01 22:48:37,828:INFO:certbot.auth_handler:dns-01 challenge for nr.dimaj.net
2018-03-01 22:48:37,841:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/discovery/v1/apis/dns/v1/rest
2018-03-01 22:48:38,047:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=sql.dimaj.net.
2018-03-01 22:48:38,047:INFO:oauth2client.transport:Attempting refresh to obtain initial access_token
2018-03-01 22:48:38,050:DEBUG:oauth2client.crypt:['redacted', 'redacted', 'redacted']
2018-03-01 22:48:38,050:INFO:oauth2client.client:Refreshing access_token
2018-03-01 22:48:38,575:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=dimaj.net.
2018-03-01 22:48:38,761:INFO:googleapiclient.discovery:URL being requested: GET https://www.googleapis.com/dns/v1/projects/studied-reason-196720/managedZones?alt=json&dnsName=net.
2018-03-01 22:48:38,942:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line 115, in _solve_challenges
    resp = self.auth.perform(self.achalls)
  File "/usr/lib/python2.7/site-packages/certbot/plugins/dns_common.py", line 57, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python2.7/site-packages/certbot_dns_google/dns_google.py", line 70, in _perform
    self._get_google_client().add_txt_record(domain, validation_name, validation, self.ttl)
  File "/usr/lib/python2.7/site-packages/certbot_dns_google/dns_google.py", line 108, in add_txt_record
    zone_id = self._find_managed_zone_id(domain)
  File "/usr/lib/python2.7/site-packages/certbot_dns_google/dns_google.py", line 206, in _find_managed_zone_id
    .format(domain, zone_dns_name_guesses))
PluginError: Unable to determine managed zone for sql.dimaj.net using zone names: [u'sql.dimaj.net', u'dimaj.net', u'net'].
...

#4

The authenticator is having difficulty finding the right zone in Google Cloud DNS.

Let’s see if we can find it:

gcloud dns managed-zones list --project=studied-reason-196720
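To make the failure in the traceback above concrete, here is an added example (not certbot's or the dns-google plugin's own code) of the zone-guessing step: the validation domain and each of its parents are tried against the managed zones the Cloud DNS API returns, and an empty listing means no candidate can ever match. The `managed_zones` input shape and the `dimaj-net` zone name are constructed for the example.

```python
from typing import Dict, List


class ZoneLookupError(Exception):
    """Raised when no managed zone covers the domain (stands in for certbot's PluginError)."""


def zone_name_guesses(domain: str) -> List[str]:
    """Return the domain and each of its parents, most specific first.

    For "sql.dimaj.net" this yields the same candidates the thread's log shows:
    ["sql.dimaj.net", "dimaj.net", "net"].
    """
    labels = domain.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def find_managed_zone(domain: str, managed_zones: List[Dict[str, str]]) -> str:
    """Pick the most specific managed zone whose dnsName covers `domain`.

    `managed_zones` mimics (constructed here) the entries of a Cloud DNS
    managedZones listing: dicts with a 'dnsName' (trailing dot) and a 'name'.
    Zones hosted only at Google Domains never appear in this listing, so the
    lookup fails exactly as it did for the poster ("Listed 0 items.").
    """
    by_dns_name = {z["dnsName"].rstrip(".").lower(): z["name"] for z in managed_zones}
    guesses = zone_name_guesses(domain)
    for guess in guesses:
        zone_name = by_dns_name.get(guess.lower())
        if zone_name is not None:
            return zone_name
    raise ZoneLookupError(
        "Unable to determine managed zone for {} using zone names: {}.".format(domain, guesses)
    )


if __name__ == "__main__":
    # Constructed sample: what the poster would see after creating dimaj.net in Cloud DNS.
    zones = [{"name": "dimaj-net", "dnsName": "dimaj.net."}]
    print(find_managed_zone("sql.dimaj.net", zones))
    try:
        find_managed_zone("sql.dimaj.net", [])  # the "Listed 0 items." situation from the thread
    except ZoneLookupError as exc:
        print(exc)
```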

#5

Listed 0 items.

I am not understanding this… I use Google as my registrar and a DDNS provider. I thought that the Google DNS authenticator plugin was using my DNS config from domains.google.com. Based on the command you asked me to run, the managed zone is part of the project. :confused:


#6

The DNS authenticator only works with Google Cloud DNS. Google Domains doesn’t offer an API that Let’s Encrypt can use. :frowning:


#7

Got it. So, then my only option is to either use HTTP validation or manual DNS TXT record creation, right?

EDIT: Just created a Cloud DNS zone (dimaj.net) in my project. Will it interfere with my Google Domains or will they work together?


#8

Not by itself. You’ll need to copy the DNS servers from the Registrar Settings in Google Cloud DNS to the Custom DNS settings in Google Domains for it to have any effect.

https://cloud.google.com/dns/update-name-servers

Then the DNS entries in Google Domains will cease to work and the entries in Google Cloud DNS will take over. So make sure you export/import or manually copy over any DNS entries first before changing the nameservers.


#9

OK. I think this is a little more than what I am bargaining for. I’ll drop back to HTTP validation.

Thanks for your help with figuring this out! Really appreciate it!

