Simulating a certificate request for valhalla-ro.app and *.valhalla-ro.app
Waiting 60 seconds for DNS changes to propagate
Certbot failed to authenticate some domains (authenticator: dns-google). The Certificate Authority reported these problems:
Domain: valhalla-ro.app
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.valhalla-ro.app - check that a DNS record exists for this domain
Domain: valhalla-ro.app
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.valhalla-ro.app - check that a DNS record exists for this domain
Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-google. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-google-propagation-seconds (currently 60 seconds).
Some challenges have failed.
My web server is: Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is: Ubuntu 20.04.2 LTS
My hosting provider, if applicable, is: gcloud
I can login to a root shell on my machine: Yes.
I'm using a control panel to manage my site: No, just via the compute instance page.
The version of my client is: certbot 1.18.0
Extra info: Both HTTP-01 and DNS-01 challenges pass on Let's Debug. A few days ago, I had a different VM and IP connected to this domain, but I waited a few days (to run a cert simulation) for the IP to update after I applied changes on my domain's control panel. Google is still showing old certifications (on my domain's security tab) I used for that VM and IP, if that helps.
I'll be able to test this in a few hours, I'm currently attending a function. This is the only cloud account I own, and I set the service account through gcloud init on my SSH. I haven't tried to update the --dns-google-propagation-seconds yet, I'll try it when I come back. Thanks for your reply!
Sorry for the double post. I tried increasing the propagation seconds by both 300 and 600 via sudo certbot certonly --dns-google --dns-google-propagation-seconds 600 -d valhalla-ro.app -d *.valhalla-ro.app -i apache --dry-run, to the same problem.
Do I need to also create A name records on the cloud DNS zones as I already do in my Google domain DNS page? Sorry for the lack of information, I'm completely new at this.
I think what is happening is that you have somehow set up two different DNS Zones on Google, for the same domain (valhalla-ro.app).
That's why I asked you whether you have multiple Google accounts (or maybe different Projects on one Google Account? I'm really not sure how it works over there).
The evidence for this is the fact that if we look at two sets of nameservers on Google Cloud (A: ns-cloud-a1.googledomains.com and B: ns-cloud-b1.googledomains.com), your domain exists on both of them, but with different records.
When Let's Encrypt is looking for the TXT records, it asks the "B" nameservers, because those are the ones configured in your domain's registration.
What I think is happening, is that Certbot is adding the TXT records to the "A" nameservers, which is pointless because nobody is going to query the "A" nameservers about your domain.
You need to get the service account used by Certbot to be updating the DNS Zone connected to the "B" nameservers, not the "A" nameservers. (Or, if we flip this around, change your domain registration to use the "A" nameservers rather than the "B" nameservers, and leave Certbot as it is.)
This explanation is pretty crappy but because I don't know how you ended up with two separate DNS Zones for the same domain in the first place, I don't know what concrete advice to give you to fix it.
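The split-zone situation described in the reply above can be confirmed from the machine running Certbot before another dry run. The script below is an added example, not code from the thread or from Certbot; it assumes `dig` and an authenticated `gcloud` CLI (the same service account the `dns-google` plugin uses), and that `gcloud dns managed-zones list` with `--format='value(name,nameServers)'` prints one zone per line with the nameserver list joined by `;`. It lists the nameservers the domain is actually delegated to, flags each Cloud DNS zone for that name as live or orphaned by comparing its assigned nameservers with the delegation, and then asks every delegated nameserver for the `_acme-challenge` TXT record so it is obvious which zone Certbot wrote to.

```shell
#!/bin/sh
# Added diagnostic for "two Cloud DNS zones for one domain" (example, not from the thread).
# Assumptions: dig (dnsutils/bind-utils) and gcloud are installed; gcloud is
# authenticated as the service account Certbot's dns-google plugin uses.

# Normalize a nameserver list (space, ';' or ',' separated): lowercase, strip the
# trailing dot, de-duplicate and sort, so lists compare regardless of formatting.
normalize_ns() {
    printf '%s\n' "$*" | tr ' ;,' '\n\n\n' | tr 'A-Z' 'a-z' | sed 's/\.$//' \
        | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when the nameserver set Cloud DNS assigned to a zone ($2) is exactly
# the set the domain is delegated to ($1); 1 otherwise (an orphaned zone).
zone_matches_delegation() {
    delegated=$(normalize_ns "$1")
    zone=$(normalize_ns "$2")
    [ -n "$delegated" ] && [ "$delegated" = "$zone" ]
}

# Ask each nameserver directly for the ACME challenge TXT record and show the
# answer per server, so a record written to the wrong zone stands out.
txt_per_nameserver() {
    domain="$1"; shift
    for ns in $(normalize_ns "$*"); do
        answer=$(dig +short TXT "_acme-challenge.$domain" "@$ns" 2>/dev/null)
        printf '%-35s %s\n' "$ns" "${answer:-<no TXT record>}"
    done
}

main() {
    domain="$1"
    # The nameservers a resolver (and therefore Let's Encrypt) reaches by
    # following the delegation from the registry.
    delegated=$(dig +short NS "$domain")
    echo "Delegated nameservers: $(normalize_ns "$delegated")"

    # Every Cloud DNS zone for this name in the current project. More than one
    # line means the domain has been split across zones (assumed gcloud output format).
    gcloud dns managed-zones list --filter="dnsName=$domain." \
        --format='value(name,nameServers)' \
        | while IFS="$(printf '\t')" read -r name servers; do
            if zone_matches_delegation "$delegated" "$servers"; then
                echo "zone '$name': LIVE (matches delegation); Certbot must update this zone"
            else
                echo "zone '$name': NOT delegated; TXT records written here are never queried"
            fi
        done

    echo "TXT record as seen by each delegated nameserver:"
    txt_per_nameserver "$domain" "$delegated"
}

# Network checks only run when a domain is given on the command line.
if [ $# -ge 1 ]; then
    main "$1"
else
    echo "usage: $0 DOMAIN" >&2
fi
```

Run it as `sh check-zone.sh valhalla-ro.app` (the file name is an assumption) after a failed `--dry-run`: a zone reported as NOT delegated that still holds the `_acme-challenge` TXT is the one Certbot's service account is writing to, and the fix is either to point the plugin at the live zone or to delete the orphaned zone so only one remains.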
Makes sense, thank you. I think I messed it up when I also set the IPs through the Cloud DNS dashboard (when it's already setup through Google Domains). I just removed those, and I'll try again later. Thank you kindly!