Using certbot with cloud DNS for DNS-01 challenge

in SEO & Webmaster


  1. Google Cloud

    You can copy-paste the CLI commands below into the Google Cloud Shell, or perform each step manually in the Cloud Console if you prefer. The custom role deliberately carries only the Cloud DNS permissions the certbot-dns-google plugin needs, rather than the much broader predefined roles/dns.admin, so a leaked key can at most edit DNS records in this project.

    # Define the project ID
    export PROJECT_ID=$(gcloud config get-value project)
    
    # Create a custom role with the minimum permissions the dns-google plugin needs (the description links the pinned certbot source that lists them)
    gcloud iam roles create DNS01CERTBOT --project=$PROJECT_ID --title="Certbot DNS-01 Validator" --description="https://github.com/certbot/certbot/blob/a807240db7b8ca60bc1bd637a66282b3ca449417/certbot-dns-google/certbot_dns_google/__init__.py" --permissions="dns.changes.create,dns.changes.get,dns.changes.list,dns.managedZones.get,dns.managedZones.list,dns.resourceRecordSets.create,dns.resourceRecordSets.delete,dns.resourceRecordSets.list,dns.resourceRecordSets.update" --stage=GA
    
    # Create a service account for certbot
    gcloud iam service-accounts create certbot --project=$PROJECT_ID --display-name="Certbot" --description="Account for Certbot performing ACME DNS-01 challenge"
    
    # Grant the custom role to the service account with a project-level IAM binding
    gcloud projects add-iam-policy-binding $PROJECT_ID --member=serviceAccount:certbot@$PROJECT_ID.iam.gserviceaccount.com --role=projects/$PROJECT_ID/roles/DNS01CERTBOT
    
    # Create a JSON key for the service account, show it, and download it from Cloud Shell. The key is a long-lived credential: keep it out of shell history and shared screens, copy it only to the host that will run certbot, and delete the copy in Cloud Shell afterwards
    gcloud iam service-accounts keys create ~/gcp-$PROJECT_ID-key-certbot.json --iam-account=certbot@$PROJECT_ID.iam.gserviceaccount.com && cat ~/gcp-$PROJECT_ID-key-certbot.json && cloudshell download ~/gcp-$PROJECT_ID-key-certbot.json

    Or manually, in the Cloud Console: create the custom role with the permission list above under IAM & Admin > Roles, create the service account under IAM & Admin > Service Accounts, grant it that role, and create and download a JSON key for it.

    Lastly, on the host that will request certificates (Debian/Ubuntu package names shown), install certbot with the Google plugin:

    apt-get install --no-install-recommends certbot python3-certbot-dns-google

    Then request a certificate with the plugin. Point --dns-google-credentials at the key file you downloaded above, copied to the certbot host (the filename below is shortened from the one created in Cloud Shell; adjust it to match). certbot warns about unsafe permissions on a readable credentials file, so restrict its mode first. example.com stands in for your own domain:

    chmod 600 ~/gcp-key-certbot.json
    certbot certonly --dns-google --dns-google-credentials ~/gcp-key-certbot.json -d example.com -d '*.example.com'
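As an added example that is not part of the original post, the bash script below audits the two artifacts the steps above produce before certbot gets them: it checks that the custom role carries exactly the permission set certbot-dns-google needs, flagging anything missing or extra (an accidental roles/dns.admin or a stray dns.managedZones.delete shows up as EXTRA), and that the downloaded key is a service-account key issued to the expected account with owner-only file permissions. The gcloud invocations in the comments show how to feed it real data; the key file it writes for the offline walk-through is constructed, with a placeholder instead of a real private key, and example-project is an assumed project ID. Save it as audit-certbot-iam.sh (an assumed name) and run `bash audit-certbot-iam.sh demo` to see it work on the constructed data.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: audit the custom role and the
# key file created in the steps above before handing them to certbot.

# Permission set the certbot-dns-google plugin documents as required.
# The audit treats anything beyond this (e.g. dns.managedZones.delete) as
# over-privilege, not as a harmless extra.
REQUIRED_PERMISSIONS="dns.changes.create
dns.changes.get
dns.changes.list
dns.managedZones.get
dns.managedZones.list
dns.resourceRecordSets.create
dns.resourceRecordSets.delete
dns.resourceRecordSets.list
dns.resourceRecordSets.update"

# audit_permissions ACTUAL
# ACTUAL is the role's permission list, newline- or ';'-separated, as printed by:
#   gcloud iam roles describe DNS01CERTBOT --project="$PROJECT_ID" \
#       --format='value(includedPermissions)'
# Prints one "MISSING <perm>" or "EXTRA <perm>" line per deviation and
# returns 0 only when the role matches the required set exactly.
audit_permissions() {
  local actual required p rc=0
  actual=$(printf '%s' "$1" | tr ';' '\n' | sed '/^[[:space:]]*$/d' | sort -u)
  required=$(printf '%s' "$REQUIRED_PERMISSIONS" | sort -u)
  for p in $required; do
    printf '%s\n' "$actual" | grep -qxF "$p" || { echo "MISSING $p"; rc=1; }
  done
  for p in $actual; do
    printf '%s\n' "$required" | grep -qxF "$p" || { echo "EXTRA $p"; rc=1; }
  done
  return $rc
}

# audit_key_file PATH EXPECTED_EMAIL
# Checks the downloaded key before certbot uses it: owner-only permissions,
# a service-account key (not a user credential), issued to the account we
# created, and carrying a PEM private key block.
audit_key_file() {
  local path=$1 email=$2 mode rc=0
  [ -f "$path" ] || { echo "NOFILE $path"; return 1; }
  # GNU stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
  [ "$mode" = "600" ] || { echo "MODE $mode (want 600)"; rc=1; }
  grep -q '"type": *"service_account"' "$path" || { echo "TYPE not a service_account key"; rc=1; }
  grep -qF "\"client_email\": \"$email\"" "$path" || { echo "EMAIL not $email"; rc=1; }
  grep -q 'BEGIN PRIVATE KEY' "$path" || { echo "KEY no PEM private key block"; rc=1; }
  return $rc
}

# make_sample_key DIR EMAIL
# Writes a constructed key file in the layout gcloud produces, with a
# placeholder instead of a real private key, so audit_key_file can be
# exercised offline. Prints the path.
make_sample_key() {
  local path="$1/gcp-example-project-key-certbot.json"
  cat > "$path" <<EOF
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef0123456789abcdef01234567",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "$2"
}
EOF
  chmod 600 "$path"
  printf '%s\n' "$path"
}

# Offline walk-through on constructed data. Against a real project use:
#   audit_permissions "$(gcloud iam roles describe DNS01CERTBOT \
#       --project="$PROJECT_ID" --format='value(includedPermissions)')"
#   audit_key_file ~/gcp-$PROJECT_ID-key-certbot.json \
#       certbot@$PROJECT_ID.iam.gserviceaccount.com
if [ "${1:-}" = "demo" ]; then
  sa=certbot@example-project.iam.gserviceaccount.com
  audit_permissions "$REQUIRED_PERMISSIONS" && echo "role: exact match"
  audit_permissions "$REQUIRED_PERMISSIONS;dns.managedZones.delete" || echo "role: over-privileged"
  tmp=$(mktemp -d)
  key=$(make_sample_key "$tmp" "$sa")
  audit_key_file "$key" "$sa" && echo "key: ok"
  rm -rf "$tmp"
fi
```

The role check is an exact-set comparison on purpose: a role that merely contains the required permissions would also pass if someone had granted roles/dns.admin instead, and that is exactly the drift this audit is meant to catch.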

#ssl #certbot