Let's Encrypt add-on and google dns

I have a static IP and a domain registered in Google Domains. I have a port forwarded in my router and can access HA externally over HTTP. I installed the Let's Encrypt add-on with this configuration:

Then I used Google to create the credentials file, which is a completed version of the example file given in the certbot link in the add-on's documentation. I renamed that file google.json and copied it to the share folder in HA. Then I started the add-on and got this error in the log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[17:14:06] INFO: Selected DNS Provider: dns-google
[17:14:06] INFO: Use propagation seconds: 60
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.ko0y.org
Encountered 403 Forbidden with reason "forbidden"
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/verdant-petal-381321/managedZones?dnsName=ko0y.org.&alt=json returned "Forbidden". Details: "[{'message': 'Forbidden', 'domain': 'global', 'reason': 'forbidden'}]">
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Why am I getting this 403 error? Any help is appreciated.

Did you ever find a fix for this?

EDIT: Found the fix for the 403 Forbidden issue. Had to enable the Cloud DNS API and attach a billing account to it (I guess it's no longer free to use the DNS API?).

I'm now getting issues around 'Unable to determine managed zone'.

I had both the API and billing enabled. I tried out several approaches on the Google Cloud DNS site, to no avail. Finally, I went to the site referenced in the error, https://dns.googleapis.com/dns/v1/projects/verdant-petal-381321/managedZones?dnsName=ko0y.org.&alt=json, and got a 401 error. I went to the page that error referenced, "Integrating the Sign in with Google option into your web app | Authentication | Google Developers", and learned that JavaScript is being deprecated as a sign-in method. That may explain why the add-on doesn't work. I have reported this as a bug to the HA developers.

I changed the method for the add-on to use, and received fullchain.pem and privkey.pem through forwarded port 80. They are both in the ssl folder. After restarting HA, I tried accessing my server through HTTPS, but got the error ERR_SSL_PROTOCOL_ERROR. Is there something else that has to be done after getting the certificates to make HA respond to HTTPS?

At the end of the long guide on using DuckDNS I found I had to insert these lines in my config:

http:
  server_port: 8124
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Now HTTPS works. I would prefer to use the DNS challenge method, but will use this for now.
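Before pointing the http: block above at /ssl/fullchain.pem and /ssl/privkey.pem, it is worth confirming that the two files actually belong together and that the certificate is still valid, since a mismatched or unreadable pair is one way to end up with ERR_SSL_PROTOCOL_ERROR. The following is an added check script, not part of the thread or of the add-on; it assumes the openssl command-line tool is installed, and the /ssl paths in the usage line are the ones from the config above.

```shell
#!/bin/sh
# Added example: verify a Let's Encrypt certificate/key pair before handing it to Home Assistant.
# check_cert_pair CERT KEY -> returns 0 if KEY is the private key for CERT and CERT is not expired.
check_cert_pair() {
  cert="$1"; key="$2"
  for f in "$cert" "$key"; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f" >&2
      return 1
    fi
  done
  # Both commands emit the public key as SubjectPublicKeyInfo PEM; a matching pair yields identical output.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "not a PEM certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "not a PEM private key: $key" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and private key do not match" >&2
    return 1
  fi
  # -checkend 0 fails if the certificate has already expired.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "certificate has expired: $cert" >&2
    return 1
  fi
  echo "ok: $key is the private key for $cert"
  return 0
}

# Usage with the paths from the http: block (hypothetical on any other machine):
# check_cert_pair /ssl/fullchain.pem /ssl/privkey.pem
```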

I have the exact same problem; did you ever figure this out?

Are you using Google Domains or Google Cloud?

I am using Google Domains and I suspect that is my issue.

If you are using the DNS challenge then you have to use Google Cloud. I could not make that work, so I'm using the HTTP challenge method with Google Domains.