certbot-dns-google-domains's Introduction

certbot-dns-google-domains

A Certbot DNS Authenticator for Google Domains.

Named Arguments

Option Description
--authenticator dns-google-domains Select this authenticator plugin.
--dns-google-domains-credentials FILE Path to the INI file with credentials.
--dns-google-domains-propagation-seconds INT How long to wait for DNS changes to propagate. Default = 30s.
--dns-google-domains-zone STRING The registered domain (zone) on Google Domains. Default: read from the credentials file, or guessed using the Public Suffix List.

Credentials

The credentials file includes the access token for Google Domains.

dns_google_domains_access_token = abcdef

Optionally, you can also define the zone in this file.

dns_google_domains_access_token = abcdef
dns_google_domains_zone = example.com

Usage Example

Docker / Podman

docker run \
  -v '/var/lib/letsencrypt:/var/lib/letsencrypt' \
  -v '/etc/letsencrypt:/etc/letsencrypt' \
  --cap-drop=all \
  ghcr.io/aaomidi/certbot-dns-google-domains:latest \
  certbot certonly \
  --authenticator 'dns-google-domains' \
  --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' \
  --server 'https://acme-v02.api.letsencrypt.org/directory' \
  --non-interactive \
  --dns-google-domains-zone 'example.com' \
  -d 'a.example.com'

Notes:

  • -v '/var/lib/letsencrypt:/var/lib/letsencrypt' is where certbot by default outputs certificates, keys, and account information.
  • -v '/etc/letsencrypt:/etc/letsencrypt' is where certbot keeps its configuration.
  • --authenticator 'dns-google-domains' uses the dns-google-domains authenticator.
  • --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' is the path to the credentials file.
  • --dns-google-domains-zone 'example.com' is the main domain you have registered with Google Domains. This is optional.
  • This command deliberately omits the --email and --agree-tos arguments; you must add both yourself for it to run, so that agreeing to the terms of service and supplying your email address is a conscious choice.

Python

You can get the certbot-dns-google-domains package from PyPI:

pip3 install certbot certbot-dns-google-domains

certbot certonly \
--authenticator 'dns-google-domains' \
--dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' \
--server 'https://acme-v02.api.letsencrypt.org/directory' \
--dns-google-domains-zone 'example.com' \
-d 'a.example.com'

Note: If you have installed Certbot from a non-pip3 source, the certbot-dns-google-domains plugin might not be compatible with your existing Certbot installation. In this case, consider using pip3 to install Certbot and its plugins to ensure compatibility.

Homebrew

brew install certbot
$(brew --prefix certbot)/libexec/bin/pip3 install certbot-dns-google-domains

Notes on Zone Resolution

Google Domains does not provide an API to obtain the zone for a domain based on a subdomain. This plugin employs the following logic to determine the zone:

  1. If the --dns-google-domains-zone argument is specified, use that.
  2. If the credentials file specifies a zone, use that.
  3. Use the Public Suffix List to determine the zone.
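The three-step resolution above, together with the credentials-file keys from the Credentials section, as an added example that is not the plugin's own code. It assumes the `key = value` INI layout shown in the README and uses a constructed subset of the Public Suffix List in place of the `publicsuffixlist` package so it runs offline.

```python
import configparser
from typing import Optional

# Constructed subset of the Public Suffix List so the example runs offline;
# the real plugin uses the `publicsuffixlist` package instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "zip"}
TOKEN_KEY = "dns_google_domains_access_token"  # key names from the README
ZONE_KEY = "dns_google_domains_zone"


def read_credentials(ini_text: str) -> dict:
    """Parse the section-less `key = value` INI text the README shows."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[creds]\n" + ini_text)  # configparser needs a section
    return dict(parser["creds"])


def access_token(creds: dict) -> str:
    """Fail clearly when the README's key name is absent (e.g. a misspelled key)."""
    if TOKEN_KEY not in creds:
        raise KeyError(f"{TOKEN_KEY} was not found in the configuration")
    return creds[TOKEN_KEY]


def public_suffix(domain: str) -> Optional[str]:
    """Longest suffix of `domain` that is a public suffix, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i=0 is the whole name, so the first hit is longest
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def zone_from_psl(domain: str) -> str:
    """Registrable domain = public suffix plus one label: a.example.com -> example.com."""
    suffix = public_suffix(domain)
    labels = domain.lower().rstrip(".").split(".")
    if suffix is None or len(labels) <= suffix.count(".") + 1:
        raise ValueError(f"cannot determine a registrable zone for {domain!r}")
    return ".".join(labels[-(suffix.count(".") + 2):])


def resolve_zone(domain: str, cli_zone: Optional[str], ini_text: str) -> str:
    """Steps 1-3 in order; credentials are parsed first so a bad file fails early."""
    creds = read_credentials(ini_text)
    access_token(creds)  # the token must be present whichever zone source wins
    if cli_zone:
        return cli_zone
    if creds.get(ZONE_KEY):
        return creds[ZONE_KEY]
    return zone_from_psl(domain)
```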

certbot-dns-google-domains's Issues

Support multiple zones in one certificate

It would be nice if multiple zone credentials could be put into one call so that a certificate with multiple zones in it could be created or renewed.

I have certificates that include domains from more than one zone.

Thanks!

Google Domains is shutting down

This API will likely stop working once that's done.

I plan to do one final release and then put the repo into archive mode.

Missing copyright notice

Hello,

The repository includes a copy of the Apache 2.0 license document, but it doesn't seem to contain a copyright notice. It might still be proprietary. (Also, it is not clear if this software is licensed by you as an individual or by Google or a subsidiary.)

You can read the APPENDIX: How to apply the Apache License to your work. of the license document to provide such a copyright notice. It can be included in the source code files and the README. (Also, the Apache 2.0 license supports NOTICE files that can be used to provide such a copyright notice and a list of authors - but this file needs to be distributed along with any copy made).

NB: I think the poetry's [tool.poetry] section in pyproject.toml should contain the license name in SPDX format, which is Apache-2.0 rather than Apache 2.0, but those things are not standard anyway.

Thank you.

access_token cannot be found

I've tried everything I can think of to get this working. This included modifying dns_google_domains.py to dump the contents of the ConfigObj, where I can see that there is a value for "access_token", and it still did not find it.

Command I'm running

certbot certonly --authenticator 'dns-google-domains' --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' -d "diablo-ii.zip"

Output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-google-domains, Installer None
Requesting a certificate for diablo-ii.zip
Performing the following challenges:
dns-01 challenge for diablo-ii.zip
Cleaning up challenges
/var/lib/letsencrypt/dns_google_domains_credentials.ini: access_token was not found in the configuration for Google Domains.

Versions

This is on Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux and Python 3.9.2

$ pip3 show certbot certbot-dns-google-domains
Name: certbot
Version: 2.6.0
Summary: ACME client
Home-page: https://github.com/letsencrypt/letsencrypt
Author: Certbot Project
Author-email: [email protected]
License: Apache License 2.0
Location: /usr/local/lib/python3.9/dist-packages
Requires: josepy, parsedatetime, distro, pyrfc3339, acme, configobj, pytz, cryptography, setuptools, ConfigArgParse
Required-by: certbot-dns-google-domains
---
Name: certbot-dns-google-domains
Version: 0.1.11
Summary: Certbot DNS authenticator for Google Domains
Home-page: None
Author: Amir Omidi
Author-email: [email protected]
License: Apache 2.0
Location: /usr/local/lib/python3.9/dist-packages
Requires: dataclasses-json, publicsuffixlist, certbot, zope.interface

Config file

My config file is at the location shown in the command, and has the following contents, per this repo's README. I have the two lines there to see if that would fix the issue, but it did not.

$ cat /var/lib/letsencrypt/dns_google_domains_credentials.ini
access_token = <api token>
dns_google_domain_access_token = <same api token>
dns_google_domains_zone = diablo-ii.zip

letsencrypt.log

The log file in total is 12kb, let me know if you want it, and which parts.

Dumping ConfigObj

$ certbot certonly  --authenticator 'dns-google-domains' --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' -d "diablo-ii.zip" -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-google-domains, Installer None
Requesting a certificate for diablo-ii.zip
Performing the following challenges:
dns-01 challenge for diablo-ii.zip
{'confobj': ConfigObj({'access_token': '<api token>', 'dns_google_domain_access_token': '<same api token>', 'dns_google_domains_zone': 'diablo-ii.zip'}), 'mapper': <bound method Plugin.dest of <certbot_dns_google_domains.dns_google_domains.Authenticator object at 0x7f7b96637d30>>}
Cleaning up challenges
An unexpected error occurred:
Exception: Intentionally killed here

sub-domain DNS error (Unable to rotate DNS challenges)

I can issue a cert for my root domain without any issue, but sub-domains result in an error. Thanks for any guidance!

➜  ~ sudo certbot certonly -d xxx.com,gitlab.xxx.com --server "https://dv.acme-v02.api.pki.goog/directory" --authenticator 'dns-google-domains' --dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini'
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/xxx.com.conf)

It contains these names: xxx.com

You requested these names for the new certificate: xxx.com,
gitlab.xxx.com.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for xxx.com and gitlab.xxx.com
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/gitlab.xxx.com:rotateChallenges
Unable to rotate DNS challenges: 400 Client Error: Bad Request for url: https://acmedns.googleapis.com/v1/acmeChallengeSets/gitlab.xxx.com:rotateChallenges

issue with Credentials File

Hi there,

I'm not sure what I'm doing wrong but keep getting this error,

Error parsing credentials configuration '/Users/garystringham/.ssh/certbot-dns-google.json': Parsing failed with several errors.
First error at line 1.

The command I'm using is

sudo certbot certonly \
--authenticator 'dns-google-domains' \
--dns-google-domains-credentials ~/creds/certbot-dns-google.ini \
--server 'https://acme-v02.api.letsencrypt.org/directory' \
--dns-google-domains-zone 'rebel.camp' \
-d "rebel.camp" \
-d "*.rebel.camp"

System Info

% python -V
Python 3.7.9

% brew info certbot
==> certbot: stable 2.5.0 (bottled), HEAD
Tool to obtain certs from Let's Encrypt and autoenable HTTPS
https://certbot.eff.org/
/usr/local/Cellar/certbot/2.5.0 (3,170 files, 34MB) *
Poured from bottle using the formulae.brew.sh API on 2023-04-28 at 21:51:54
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/certbot.rb
License: Apache-2.0
==> Dependencies
Build: pkg-config ✘, rust ✘
Required: augeas ✔, cffi ✔, dialog ✔, [email protected] ✔, pycparser ✔, [email protected] ✔, six ✔
==> Options
--HEAD
Install HEAD version
==> Analytics
install: 142 (30 days), 9,007 (90 days), 109,417 (365 days)
install-on-request: 143 (30 days), 8,995 (90 days), 109,326 (365 days)
build-error: 1 (30 days)

Unable to rotate DNS challenges: 'record'

Hi, even though this works, and I do get a certificate, I am also getting an error "Unable to rotate DNS challenges: 'record'"

However, there does not seem to be a residual record "_acme-challenge.domain.com" left.

What does this mean?

I am including a partial shell output/log file

certbot error.txt

Issue with DNS auth sequence

I'm getting the error listed below when I attempt to renew or issue a new certificate. The error does not prevent the renewal or issuance of the certificate, however.

ERROR:
Encountered exception during recovery: certbot.errors.PluginError: Unable to rotate DNS challenges: 'record'

This is running certbot 2.4.0 on Ubuntu 20.04.4 after installing certbot and the plugin using the pip3 install method.
