lego: Google Cloud DNS not working anymore

lego --email="letsencrypt@domain.tld" \
       --accept-tos \
       --csr="/path/to/csr.csr" \
       --path="/path/to/letsencrypt/data/" \
       --server="https://acme-v02.api.letsencrypt.org/directory" \
       --dns="gcloud" \
       --dns-resolvers="8.8.4.4:53" \
       --dns-resolvers="8.8.8.8:53" \
       --dns-resolvers="1.0.0.1:53" \
       --dns-resolvers="1.1.1.1:53" \
       --dns-timeout=5 \
       run;
2018/09/20 21:42:34 [INFO] [domain.net, *.domain.net, *.staging.domain.net, domain.info, *.domain.info, *.staging.domain.info] acme: Obtaining bundled SAN certificate given a CSR
2018/09/20 21:42:35 [INFO] [*.domain.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [*.domain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [*.staging.domain.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [*.staging.domain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [domain.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [domain.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/xxxx
2018/09/20 21:42:35 [INFO] [domain.info] acme: Could not find solver for: tls-alpn-01
2018/09/20 21:42:35 [INFO] [domain.net] acme: Could not find solver for: tls-alpn-01
2018/09/20 21:42:35 [INFO] [domain.info] acme: Preparing to solve DNS-01
2018/09/20 21:42:38 [INFO] [domain.net] acme: Preparing to solve DNS-01
2018/09/20 21:42:41 [INFO] [staging.domain.info] acme: Preparing to solve DNS-01
2018/09/20 21:42:44 [INFO] [staging.domain.net] acme: Preparing to solve DNS-01
2018/09/20 21:42:47 [INFO] [domain.info] acme: Preparing to solve DNS-01
2018/09/20 21:42:49 [INFO] [domain.net] acme: Preparing to solve DNS-01
2018/09/20 21:42:51 [INFO] [domain.info] acme: Trying to solve DNS-01
2018/09/20 21:42:51 [INFO] [domain.info] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/20 21:45:54 [INFO] [domain.net] acme: Trying to solve DNS-01
2018/09/20 21:45:54 [INFO] [domain.net] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/20 21:48:55 [INFO] [staging.domain.info] acme: Trying to solve DNS-01
2018/09/20 21:48:55 [INFO] [staging.domain.info] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/20 21:49:01 [INFO] [staging.domain.info] The server validated our request
2018/09/20 21:49:01 [INFO] [staging.domain.net] acme: Trying to solve DNS-01
2018/09/20 21:49:01 [INFO] [staging.domain.net] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/20 21:49:07 [INFO] [staging.domain.net] The server validated our request
2018/09/20 21:49:09 [WARN] Error cleaning up staging.domain.info: googlecloud: <nil>
2018/09/20 21:49:11 [WARN] Error cleaning up staging.domain.net: googlecloud: <nil>
2018/09/20 21:49:11 Could not obtain certificates
	acme: Error -> One or more domains had a problem:
[domain.info] Time limit exceeded. Last error: NS ns-cloud-c1.googledomains.com. did not return the expected TXT record
[domain.net] Time limit exceeded. Last error: NS ns-cloud-c1.googledomains.com. did not return the expected TXT record

Weird thing is that it validates the *.staging.domain.<tld> domains…

I have also tried without --dns-resolvers.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 31 (30 by maintainers)

Most upvoted comments

@ldez works fine!

2018/09/21 15:08:34 No key found for account letsencrypt@domain.net. Generating a curve P384 EC key.
2018/09/21 15:08:34 Saved key to /path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net/keys/letsencrypt@domain.net.key
2018/09/21 15:08:34 [INFO] acme: Registering account for letsencrypt@domain.net
2018/09/21 15:08:35 !!!! HEADS UP !!!!
2018/09/21 15:08:35
		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.
2018/09/21 15:08:35 [INFO] [domain.com, *.domain.com, *.staging.domain.com] acme: Obtaining bundled SAN certificate given a CSR
2018/09/21 15:08:36 [INFO] [*.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/54gh57jPio-h5RzCDC5Arl_66s7jiBo_HjHkybhiezA
2018/09/21 15:08:36 [INFO] [*.staging.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/QfdbRbql999l83q8yhPouhuG9oSsJ2gMqHaT83pHmN0
2018/09/21 15:08:36 [INFO] [domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/aBe5130BdKwIzPcxfYOFmqd5kOSw1iXaCA0rnh8gTMo
2018/09/21 15:08:36 [INFO] [domain.com] acme: Could not find solver for: tls-alpn-01
2018/09/21 15:08:36 [INFO] [domain.com] acme: Could not find solver for: http-01
2018/09/21 15:08:36 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 15:08:37 [INFO] domain: domain.com
2018/09/21 15:08:37 [INFO] new {"name":"_acme-challenge.domain.com.","rrdatas":["rE6u6DUHjWHAJGCj1oFN5yew2XC6GzgmbOSnQZ3xXlk"],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"rE6u6DUHjWHAJGCj1oFN5yew2XC6GzgmbOSnQZ3xXlk\""],"ttl":120,"type":"TXT"}],"id":"191","kind":"dns#change","startTime":"2018-09-21T13:08:38.050Z","status":"pending"}
2018/09/21 15:08:39 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 15:08:40 [INFO] domain: domain.com
2018/09/21 15:08:40 [INFO] new {"name":"_acme-challenge.domain.com.","rrdatas":["zoKxiIv-Wq8c7JnrE8AhcAvWTvEJyyJnqX6MC0seQGs"],"ttl":120,"type":"TXT"}
2018/09/21 15:08:40 [INFO] existing {"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"rE6u6DUHjWHAJGCj1oFN5yew2XC6GzgmbOSnQZ3xXlk\""],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"zoKxiIv-Wq8c7JnrE8AhcAvWTvEJyyJnqX6MC0seQGs\"","\"rE6u6DUHjWHAJGCj1oFN5yew2XC6GzgmbOSnQZ3xXlk\""],"ttl":120,"type":"TXT"}],"deletions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"rE6u6DUHjWHAJGCj1oFN5yew2XC6GzgmbOSnQZ3xXlk\""],"ttl":120,"type":"TXT"}],"id":"192","kind":"dns#change","startTime":"2018-09-21T13:08:40.334Z","status":"pending"}
2018/09/21 15:08:42 [INFO] [staging.domain.com] acme: Preparing to solve DNS-01
2018/09/21 15:08:43 [INFO] domain: staging.domain.com
2018/09/21 15:08:43 [INFO] new {"name":"_acme-challenge.staging.domain.com.","rrdatas":["YFzLGzRzLKTEHikXrXMQ_7jq1YnsI_wgOvDAWzU5hAo"],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.staging.domain.com.","rrdatas":["\"YFzLGzRzLKTEHikXrXMQ_7jq1YnsI_wgOvDAWzU5hAo\""],"ttl":120,"type":"TXT"}],"id":"193","kind":"dns#change","startTime":"2018-09-21T13:08:43.802Z","status":"pending"}
2018/09/21 15:08:45 [INFO] [domain.com] acme: Trying to solve DNS-01
2018/09/21 15:08:45 [INFO] [domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 15:10:02 [INFO] [domain.com] The server validated our request
2018/09/21 15:10:02 [INFO] [domain.com] acme: Trying to solve DNS-01
2018/09/21 15:10:02 [INFO] [domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 15:10:07 [INFO] [domain.com] The server validated our request
2018/09/21 15:10:07 [INFO] [staging.domain.com] acme: Trying to solve DNS-01
2018/09/21 15:10:07 [INFO] [staging.domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 15:10:13 [INFO] [staging.domain.com] The server validated our request
2018/09/21 15:10:16 [INFO] [domain.com, *.domain.com, *.staging.domain.com] acme: Validations succeeded; requesting certificates
2018/09/21 15:10:17 [INFO] [domain.com] Server responded with a certificate.

@ldez you pushed into your own fork at https://github.com/ldez/lego/tree/fix/gcloud-wildcard

I pulled that and it seems to work 🎉

2018/09/21 14:48:20 No key found for account letsencrypt@domain.net. Generating a curve P384 EC key.
2018/09/21 14:48:20 Saved key to /path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net/keys/letsencrypt@domain.net.key
2018/09/21 14:48:21 [INFO] acme: Registering account for letsencrypt@domain.net
2018/09/21 14:48:21 !!!! HEADS UP !!!!
2018/09/21 14:48:21
		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.
2018/09/21 14:48:21 [INFO] [domain.com, *.domain.com, *.staging.domain.com] acme: Obtaining bundled SAN certificate given a CSR
2018/09/21 14:48:22 [INFO] [*.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/DB-ItrJrmP4p9SYZu45cOrWBYWD2Jkk724vpNZvfmHk
2018/09/21 14:48:22 [INFO] [*.staging.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/xgBBscjhPjhQec8t_pN-oocxN-nbmWMn8nNYUcoNZoI
2018/09/21 14:48:22 [INFO] [domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/V54Zk94i04uB_-3-Az3P7CSCcuv2wcu_siszjkCYS9w
2018/09/21 14:48:22 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 14:48:23 [INFO] domain: domain.com
2018/09/21 14:48:23 [INFO] new {"name":"_acme-challenge.domain.com.","rrdatas":["n8B4o96v_P7S5SxTAhk_X8gLEawRuzmP6q2VB9k7Cgo"],"ttl":120,"type":"TXT"}
2018/09/21 14:48:23 [INFO] existing {"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"n8B4o96v_P7S5SxTAhk_X8gLEawRuzmP6q2VB9k7Cgo\"","\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}],"deletions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}],"id":"186","kind":"dns#change","startTime":"2018-09-21T12:48:23.781Z","status":"pending"}
2018/09/21 14:48:25 [INFO] [staging.domain.com] acme: Preparing to solve DNS-01
2018/09/21 14:48:26 [INFO] domain: staging.domain.com
2018/09/21 14:48:26 [INFO] new {"name":"_acme-challenge.staging.domain.com.","rrdatas":["6LFdjFm8iHW2ir_-rYt7gM1l-rc10zabDJCKtPeDAms"],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.staging.domain.com.","rrdatas":["\"6LFdjFm8iHW2ir_-rYt7gM1l-rc10zabDJCKtPeDAms\""],"ttl":120,"type":"TXT"}],"id":"187","kind":"dns#change","startTime":"2018-09-21T12:48:26.968Z","status":"pending"}
2018/09/21 14:48:28 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 14:48:29 [INFO] domain: domain.com
2018/09/21 14:48:29 [INFO] new {"name":"_acme-challenge.domain.com.","rrdatas":["ETGV8pYQ0r8ppx8V_tEzYEua1OAe0hT0gNRDAwJBz_c"],"ttl":120,"type":"TXT"}
2018/09/21 14:48:29 [INFO] existing {"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"n8B4o96v_P7S5SxTAhk_X8gLEawRuzmP6q2VB9k7Cgo\"","\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}
{"additions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"ETGV8pYQ0r8ppx8V_tEzYEua1OAe0hT0gNRDAwJBz_c\"","\"n8B4o96v_P7S5SxTAhk_X8gLEawRuzmP6q2VB9k7Cgo\"","\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}],"deletions":[{"kind":"dns#resourceRecordSet","name":"_acme-challenge.domain.com.","rrdatas":["\"n8B4o96v_P7S5SxTAhk_X8gLEawRuzmP6q2VB9k7Cgo\"","\"GDkmHWLhF_4ESyUblKPUTI7wNi-Fco5ekOm3YBO5NTE\""],"ttl":120,"type":"TXT"}],"id":"188","kind":"dns#change","startTime":"2018-09-21T12:48:29.909Z","status":"pending"}
2018/09/21 14:48:31 [INFO] [domain.com] acme: Trying to solve DNS-01
2018/09/21 14:48:31 [INFO] [domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 14:49:59 [INFO] [domain.com] The server validated our request
2018/09/21 14:49:59 [INFO] [staging.domain.com] acme: Trying to solve DNS-01
2018/09/21 14:49:59 [INFO] [staging.domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 14:50:04 [INFO] [staging.domain.com] The server validated our request
2018/09/21 14:50:04 [INFO] [domain.com] acme: Trying to solve DNS-01
2018/09/21 14:50:04 [INFO] [domain.com] Checking DNS record propagation using [8.8.4.4:53 8.8.8.8:53 1.0.0.1:53 1.1.1.1:53]
2018/09/21 14:50:10 [INFO] [domain.com] The server validated our request
2018/09/21 14:50:12 [WARN] Error cleaning up domain.com: googlecloud: <nil>
2018/09/21 14:50:14 [WARN] Error cleaning up staging.domain.com: googlecloud: <nil>
2018/09/21 14:50:14 [INFO] [domain.com, *.domain.com, *.staging.domain.com] acme: Validations succeeded; requesting certificates
2018/09/21 14:50:15 [INFO] [domain.com] Server responded with a certificate.

The cleanup error re-appeared though.

So it’s de3accf531a7dd4eff65ae20e9787fc62045b674 like we thought.

I think it is the fact that I request domain.tld and *.domain.tld. For LE these are two different validations, but they run under the same DNS record (_acme-challenge.domain.tld). I suppose for staging.domain.tld it will be _acme-challenge.staging.domain.tld.

So domain.tld and *.domain.tld seem to be overwriting each other when being submitted serially.
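
The overwrite described in this comment, and the merged additions/deletions change visible in the logs from the fix branch, sketched as an added example (not lego's code and not the code from that branch). The types, the function names `PresentChange` and `CleanupChange`, and the sample name and tokens are assumptions made for illustration; `CleanupChange` goes one step beyond the thread by showing a cleanup that removes only its own value.

```go
package main

import "fmt"
import "strconv"

// RecordSet mirrors the dns#resourceRecordSet fields seen in the logs.
type RecordSet struct {
	Name, Type string
	TTL        int
	Rrdatas    []string
}

// Change mirrors dns#change: a record set is replaced by listing the old
// set under deletions and the new set under additions.
type Change struct{ Additions, Deletions []RecordSet }

// PresentChange (hypothetical name) publishes one DNS-01 value and keeps
// whatever is already stored under the same _acme-challenge name.
func PresentChange(existing *RecordSet, fqdn, value string, ttl int) Change {
	// Assumption: values are base64url, so Quote only wraps them in quotes.
	add := RecordSet{Name: fqdn, Type: "TXT", TTL: ttl, Rrdatas: []string{strconv.Quote(value)}}
	if existing == nil {
		return Change{Additions: []RecordSet{add}}
	}
	add.Rrdatas = append(add.Rrdatas, existing.Rrdatas...)
	return Change{Additions: []RecordSet{add}, Deletions: []RecordSet{*existing}}
}

// CleanupChange (hypothetical name) removes only our value, so a sibling
// challenge on the same name survives until its own cleanup.
func CleanupChange(existing RecordSet, value string) Change {
	keep := RecordSet{Name: existing.Name, Type: existing.Type, TTL: existing.TTL}
	for _, rr := range existing.Rrdatas {
		if rr != strconv.Quote(value) {
			keep.Rrdatas = append(keep.Rrdatas, rr)
		}
	}
	ch := Change{Deletions: []RecordSet{existing}}
	if len(keep.Rrdatas) > 0 {
		ch.Additions = []RecordSet{keep}
	}
	return ch
}

func main() {
	name := "_acme-challenge.example.test." // constructed sample name and tokens
	apex := PresentChange(nil, name, "token-apex", 120)
	wild := PresentChange(&apex.Additions[0], name, "token-wildcard", 120)
	fmt.Println(wild.Additions[0].Rrdatas, CleanupChange(wild.Additions[0], "token-apex").Additions)
}
```
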

@ldez de3accf531a7dd4eff65ae20e9787fc62045b674

2018/09/21 00:16:47 No key found for account letsencrypt@domain.net. Generating a curve P384 EC key.
2018/09/21 00:16:47 Saved key to /path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net/keys/letsencrypt@domain.net.key
2018/09/21 00:16:47 [INFO] acme: Registering account for letsencrypt@domain.net
2018/09/21 00:16:48 !!!! HEADS UP !!!!
2018/09/21 00:16:48
		Your account credentials have been saved in your Let's Encrypt
		configuration directory at "/path/to/letsencrypt/data/accounts/acme-staging-v02.api.letsencrypt.org/letsencrypt@domain.net".
		You should make a secure backup	of this folder now. This
		configuration directory will also contain certificates and
		private keys obtained from Let's Encrypt so making regular
		backups of this folder is ideal.
2018/09/21 00:16:48 [INFO] [domain.com, *.domain.com, *.staging.domain.com] acme: Obtaining bundled SAN certificate given a CSR
2018/09/21 00:16:48 [INFO] [*.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/v1iF8ILaF1vFCImWuuucLVJiUCM9-Id_juEwny4MZuo
2018/09/21 00:16:48 [INFO] [*.staging.domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/zVC0my2nRfRyb_EIGgXcmvzevYH-7D6LgmwwleJm5OU
2018/09/21 00:16:48 [INFO] [domain.com] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/qmuB0CrFJi5VCx1zNR1HaWrFM4bml_PerecP16wKFRQ
2018/09/21 00:16:48 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 00:16:53 [INFO] [staging.domain.com] acme: Preparing to solve DNS-01
2018/09/21 00:16:57 [INFO] [domain.com] acme: Preparing to solve DNS-01
2018/09/21 00:17:00 [INFO] [domain.com] acme: Trying to solve DNS-01
2018/09/21 00:17:00 [INFO] [domain.com] Checking DNS record propagation using [127.0.0.1:53 213.186.33.99:53]
2018/09/21 00:20:01 [INFO] [staging.domain.com] acme: Trying to solve DNS-01
2018/09/21 00:20:01 [INFO] [staging.domain.com] Checking DNS record propagation using [127.0.0.1:53 213.186.33.99:53]
2018/09/21 00:20:06 [INFO] [staging.domain.com] The server validated our request
2018/09/21 00:20:09 Could not obtain certificates
	acme: Error -> One or more domains had a problem:
[domain.com] Time limit exceeded. Last error: NS ns-cloud-a1.googledomains.com. did not return the expected TXT record