Problem with NXDOMAIN being able to verify my DNS records on Google domain and cloud

My domain is: valhalla-ro.app

I ran this command: (I'm using a service account with my VM instance. Checking the log file, credentials went through.)

sudo certbot certonly --dns-google -d valhalla-ro.app -d *.valhalla-ro.app -i apache --dry-run

It produced this output:

Simulating a certificate request for valhalla-ro.app and *.valhalla-ro.app
Waiting 60 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-google). The Certificate Authority reported these problems:
  Domain: valhalla-ro.app
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.valhalla-ro.app - check that a DNS record exists for this domain

  Domain: valhalla-ro.app
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.valhalla-ro.app - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-google. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-google-propagation-seconds (currently 60 seconds).

Some challenges have failed.

My web server is: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is: Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: gcloud

I can login to a root shell on my machine: Yes.

I'm using a control panel to manage my site: No, just via the compute instance page.

The version of my client is: certbot 1.18.0

Extra info: Both HTTP-01 and DNS-01 challenges pass on Let's Debug. A few days ago, I had a different VM and IP connected to this domain, but I waited a few days (to run a cert simulation) for the IP to update after I applied changes on my domain's control panel. Google is still showing old certifications (on my domain's security tab) I used for that VM and IP, if that helps.

  1. Have you tried the suggestion to increase --dns-google-propagation-seconds to something higher (like 300)?
  2. Is there any chance you have multiple Google Cloud accounts?

I'll be able to test this in a few hours, I'm currently attending a function. This is the only cloud account I own, and I set the service account through gcloud init on my SSH. I haven't tried to update the --dns-google-propagation-seconds yet, I'll try it when I come back. Thanks for your reply!


Sorry for the double post. I tried increasing the propagation seconds by both 300 and 600 via sudo certbot certonly --dns-google --dns-google-propagation-seconds 600 -d valhalla-ro.app -d *.valhalla-ro.app -i apache --dry-run, to the same problem.

Do I need to also create A name records on the cloud DNS zones as I already do in my Google domain DNS page? Sorry for the lack of information, I'm completely new at this.


I think what is happening is that you have somehow set up two different DNS Zones on Google, for the same domain (valhalla-ro.app).

That's why I asked you whether you have multiple Google accounts (or maybe different Projects on one Google Account? I'm really not sure how it works over there).

The evidence for this is the fact that if we look at two sets of nameservers on Google Cloud (A: ns-cloud-a1.googledomains.com and B: ns-cloud-b1.googledomains.com), your domain exists on both of them, but with different records.

When Let's Encrypt is looking for the TXT records, it asks the "B" nameservers, because those are the ones configured in your domain's registration.

What I think is happening is that Certbot is adding the TXT records to the "A" nameservers, which is pointless because nobody is going to query the "A" nameservers about your domain.

You need to get the service account used by Certbot to update the DNS Zone connected to the "B" nameservers, not the "A" nameservers. (Or if we flip this around, change your domain registration to use the "A" nameservers rather than the "B" nameservers, and leave Certbot as it is).

This explanation is pretty crappy but because I don't know how you ended up with two separate DNS Zones for the same domain in the first place, I don't know what concrete advice to give you to fix it.


Makes sense, thank you. I think I messed it up when I also set the IPs through the Cloud DNS dashboard (when it's already set up through Google Domains). I just removed those, and I'll try again later. Thank you kindly!


One important thing to note here: Certbot's Google DNS plugin will only work with Google Cloud DNS.

It will not work with just Google Domains on its own. This is because Google Domains lacks the API functionality Certbot needs.

What this means is:

  1. You register your domain with Google Domains
  2. You create a DNS Zone on Google Cloud DNS for your domain
  3. Google Cloud DNS gives you a list of nameservers. You take this list, login to Google Domains, and change your nameservers to the ones from Google Cloud DNS.
  4. From then on, you manage your DNS records from Google Cloud DNS, not from Google Domains.
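An added diagnostic (not from this thread or from Certbot) for the two-zone situation explained above and for confirming that step 3 of this list took effect: it asks which nameservers the domain actually delegates to, then checks whether each of those servers serves the _acme-challenge TXT record. The resolver is injected so the logic runs offline; the zone contents, the "A"/"B" server names and the token are constructed to mirror the thread.

```python
from typing import Callable, Dict, List, Optional

# lookup(name, rrtype, server) -> rdata strings. server=None asks the normal
# recursive resolver; otherwise the named authoritative server is queried
# directly (with dnspython: a Resolver whose nameservers = [server_ip]).
Lookup = Callable[[str, str, Optional[str]], List[str]]


def diagnose_dns01(domain: str, lookup: Lookup) -> Dict[str, object]:
    """Report which nameservers the domain delegates to and which of them
    serve _acme-challenge.<domain> TXT. The CA only asks the delegated
    servers, so a TXT written into any other zone is invisible to it."""
    challenge = f"_acme-challenge.{domain}"
    delegated = sorted(lookup(domain, "NS", None))
    if not delegated:
        return {"status": "no_delegation", "delegated": [], "serving": []}
    serving = [ns for ns in delegated if lookup(challenge, "TXT", ns)]
    if len(serving) == len(delegated):
        status = "ok"
    elif serving:
        status = "partial"      # still propagating between the zone's servers
    else:
        status = "txt_missing"  # wrong zone: the CA sees NXDOMAIN
    return {"status": status, "delegated": delegated, "serving": serving}

# Constructed data mirroring the thread: the registration delegates to the
# "B" Cloud DNS servers, but the TXT record was written into the "A" zone.
_DELEGATION = {"valhalla-ro.app": ["ns-cloud-b1.googledomains.com.",
                                   "ns-cloud-b2.googledomains.com."]}
_AUTHORITATIVE = {
    "ns-cloud-a1.googledomains.com.": {
        ("_acme-challenge.valhalla-ro.app", "TXT"): ["constructed-token"]},
    "ns-cloud-b1.googledomains.com.": {},
    "ns-cloud-b2.googledomains.com.": {},
}


def fake_lookup(name: str, rrtype: str, server: Optional[str]) -> List[str]:
    """Offline stand-in for a real DNS query over the constructed data."""
    if server is None:
        return list(_DELEGATION.get(name, [])) if rrtype == "NS" else []
    return list(_AUTHORITATIVE.get(server, {}).get((name, rrtype), []))


def fixed_lookup(name: str, rrtype: str, server: Optional[str]) -> List[str]:
    """Same domain after the TXT is written into the delegated "B" zone."""
    if server is not None and server.startswith("ns-cloud-b"):
        server = "ns-cloud-a1.googledomains.com."  # B zone now has the data
    return fake_lookup(name, rrtype, server)
```

Against live DNS, replace fake_lookup with a function that resolves NS via the recursive resolver and TXT directly against each delegated server; a "txt_missing" result with a populated delegated list is exactly the failure this thread describes.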

_az, thank you so much! The dry run was finally successful, and I was able to issue both a default and wildcard certificate.

