Help setting up Lets Encrypt plugin

Started by shadowcyberdeck, June 10, 2020, 06:12:39 PM

I've been trying to consolidate some services onto my router, but am running into some issues that I can't seem to find the right solutions online for.  Running OPNsense 20.1.7-amd64, FreeBSD 11.2-RELEASE-p20-HBSD.

I have a Google Domain, let's call it "Domain1.com", that I am trying to set up to enable me to access some of my homelab services externally.  It just seems that using Google as my domain registrar and DNS provider is proving to be an issue.

I'm trying to set up:

  • Let's Encrypt SSL
  • NGINX as my reverse proxy

What I have set up already:
I have Let's Encrypt all set up, but when I try to create any certificate for dockersite1 and dockersite2, it keeps showing up as "Pending" under "issue/renewal date" and "Validation failed" under "Last ACME Status".  The two lines in the log file that jump out at me are:

  • _dns_gcloud_find_zone: Can't find a matching managed zone! Perhaps wrong project or gcloud credentials?
  • Error add txt for domain:_acme-challenge.dockersite1.domain1.com

I'm certain that the Google API service account is correctly setup.
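As an added example (not code from this thread or from the acme.sh client), here is a small Python check of the step the first log line complains about: given the managed zones a service account can see, find the zone, if any, whose dnsName is a suffix of the _acme-challenge record for a name. The zone list is a constructed stand-in for the fields of `gcloud dns managed-zones list --format=json` output; the zone and domain names are made up.

```python
import json

# Constructed sample of the fields this check uses from
# `gcloud dns managed-zones list --format=json`; names are made up.
SAMPLE_ZONES_JSON = """
[
  {"name": "domain1-zone", "dnsName": "domain1.com."},
  {"name": "lab-zone",     "dnsName": "lab.domain1.com."},
  {"name": "other-zone",   "dnsName": "example.net."}
]
"""

def load_zones(zones_json):
    """Parse the gcloud JSON output into a list of {name, dnsName} dicts."""
    return [{"name": z["name"], "dnsName": z["dnsName"].lower()}
            for z in json.loads(zones_json)]

def challenge_record_name(fqdn):
    """Name of the TXT record a DNS-01 challenge for fqdn is written to.
    A wildcard name (*.domain1.com) is validated at its parent, so the
    leading '*.' is dropped first."""
    host = fqdn.lower().strip(".")
    if host.startswith("*."):
        host = host[2:]
    return "_acme-challenge." + host + "."

def find_managed_zone(record_name, zones):
    """Walk up the labels of record_name and return the most specific zone
    whose dnsName is a suffix of it, or None when no zone in this project
    covers the name (the "Can't find a matching managed zone!" case)."""
    by_dns_name = {z["dnsName"]: z for z in zones}
    labels = record_name.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in by_dns_name:
            return by_dns_name[candidate]
    return None

def plan_challenge(fqdn, zones_json):
    """Return (zone name or None, TXT record name) for a DNS-01 challenge."""
    record = challenge_record_name(fqdn)
    zone = find_managed_zone(record, load_zones(zones_json))
    return (zone["name"] if zone else None, record)

if __name__ == "__main__":
    for name in ("dockersite1.domain1.com", "*.domain1.com", "host.otherdomain.org"):
        print(name, "->", plan_challenge(name, SAMPLE_ZONES_JSON))
```

A None result means the credentials in use do not see a Cloud DNS zone covering the name, either because they point at the wrong project or because the domain is served by other nameservers (such as the registrar's own) rather than by Cloud DNS.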

You don't set up the TXT and CAA records manually.  When you set up the Validation Method, did you select DNS-01 as the challenge method and select the Google Cloud DNS API as the service?  If all of that is correct, then it should create the TXT and CAA records for you when it tries to validate the cert.

You may need to increase the delay value as it has to wait long enough for cache to timeout so Google will get queried for the records.

1) Are you sure you have an API key that lets you update your DNS records programmatically?
Last time, I had checked with Google support for the same issue and they do not offer an API to populate DNS records programmatically using an API key.

Workaround:
1) I created a free account with http://cloudflare.com/ and listed my Google domain there.
It gave me two Cloudflare DNS servers.

2) After that, I registered my Google domain to use the custom DNS servers of Cloudflare.

3) From your Cloudflare user profile, you will find the Global API Key, which you can configure in the DNS-01 validation method of the Let's Encrypt client, and try to renew the cert.

Tips:

1) Enable SSH access temporarily to your OPNsense and run tail -f /var/log/acme.sh.log to see what the Let's Encrypt client is doing and where it's failing.

2) Ensure your key length is 2048. Anything higher doesn't work. I learned this the hard way.

3) If you still have issues, post /var/log/acme.sh.log for us to understand. Don't worry, this log won't have anything confidential in it.

To make your job easy, I quickly wrote this step-by-step configuration guide to make use of the Let's Encrypt client on OPNsense to obtain a wildcard cert (one cert for all your servers under the same domain name).

Thanks for all the suggestions, I'll try them out by this weekend and report back.

I realize this is a bit anecdotal but thought I would share:

I used to have Let's Encrypt working for internal domains using the TXT challenge method with Google Cloud Platform when I had GoDaddy as my registrar. Then I switched over to Google Domains (the registrar, not the same as Google Cloud DNS) and somewhere in the transition ACME stopped working.

I'm in the process of troubleshooting and it may as well be something I've neglected, but it makes me suspicious to see someone else with the same setup (Google as registrar and DNS provider) having the same "Can't find a matching managed zone!"

This might become a non-issue for me soon, as I have moved my domain to a different registrar.  I just need to wait for the transfer to complete and then I should know more in the coming weeks.

Quote from: MrJohnBBQ on August 17, 2020, 07:36:42 PM
I'm in the process of troubleshooting and it may as well be something I've neglected, but it makes me suspicious to see someone else with the same setup (Google as registrar and DNS provider) having the same "Can't find a matching managed zone!"

That is strange.  I wonder if Google is blocking Let's Encrypt for some reason, or maybe they have a specific method for enabling Let's Encrypt that no one knows about.