Let's Encrypt DNS requests stay in PENDING state


I'm trying to automatically update my Let's Encrypt certificates. For this I'm using certbot, which will write a TXT record in my DNS entry. Unfortunately this update stays in the PENDING state. If I manually update the TXT record while certbot is waiting, everything works fine. What could be the cause that these updates remain in the PENDING state?

Note: some sensitive data has been replaced by <placeholders>

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {},
    "authenticationInfo": {
      "principalEmail": "dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com",
      "serviceAccountKeyName": "//iam.googleapis.com/projects/dns-hosting-<projectnr>/serviceAccounts/dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com/keys/0437a910973f0bb3c13d95648ab0fc663aee9a63"
    },
    "requestMetadata": {
      "callerIp": "<my-ip>",
      "requestAttributes": {
        "time": "2022-01-10T06:19:39.948727Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "dns.googleapis.com",
    "methodName": "dns.changes.create",
    "authorizationInfo": [
      {
        "permission": "dns.resourceRecordSets.delete",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "managedZones/<zone-nr>",
    "request": {
      "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateRequest",
      "change": {
        "deletions": [
          {
            "rrdata": [
              "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
            ],
            "name": "_acme-challenge.<domain>.com.",
            "ttl": 60,
            "type": "TXT"
          }
        ]
      },
      "managedZone": "<zone-nr>",
      "project": "dns-hosting-<projectnr>"
    },
    "response": {
      "change": {
        "startTime": "2022-01-10T06:19:39.717Z",
        "deletions": [
          {
            "rrdata": [
              "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
            ],
            "ttl": 60,
            "name": "_acme-challenge.<domain>.com.",
            "type": "TXT"
          }
        ],
        "status": "PENDING",
        "id": "31"
      },
      "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateResponse"
    }
  },
  "insertId": "-gct1lxe6d30o",
  "resource": {
    "type": "dns_managed_zone",
    "labels": {
      "location": "global",
      "project_id": "dns-hosting-<projectnr>",
      "zone_name": "<zone-nr>"
    }
  },
  "timestamp": "2022-01-10T06:19:39.711566Z",
  "severity": "NOTICE",
  "logName": "projects/dns-hosting-<projectnr>/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-01-10T06:19:40.311274041Z"
}

I don't know the details behind the software; it's just a certbot command with the proper arguments to renew the certificate. For that, the software creates a TXT record in DNS and then validates that the TXT record exists. This proves I'm the owner with the right permissions. After that, the new certificates are released. Since the creation/update of the TXT records remains in the pending state, certbot cannot validate and will fail. If I update the record manually via Google DNS while certbot is taking a nap for the propagation, it all works fine. The only issue is that these actions are not executed but remain in status pending.

The command used is:

certbot certonly --dns-google --dns-google-propagation-seconds 120 --dns-google-credentials ~/bin/dns-hosting-331818-0437a910973f.json -d "*.famderidder.com"
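One way to make the wait observable instead of relying on a fixed --dns-google-propagation-seconds sleep, as an added example that is neither the asker's code nor certbot's: it polls the Cloud DNS change (the audit log above shows one with id "31" in status PENDING) until the API reports it done, and raises if it never leaves pending. The real getter assumes google-auth and google-api-python-client; scripted_change_getter is a constructed stand-in so the polling logic runs offline.

```python
# Added example (not the asker's or certbot's code): poll a Cloud DNS change until 'done'.
import time
from typing import Callable, Dict, List

class ChangeStuck(RuntimeError):
    """The change never left 'pending' before the deadline."""

def wait_for_change(get_change: Callable[[], Dict], timeout: float = 120.0,
                    interval: float = 2.0, clock=time.monotonic,
                    sleep=time.sleep) -> Dict:
    """Call get_change() until the change reports status 'done'.

    Cloud DNS changes().get() reports 'pending' while the change propagates
    to the zone's authoritative servers and 'done' once they serve it.
    Raises ChangeStuck at the deadline instead of letting ACME fail later.
    """
    deadline = clock() + timeout
    polls = 0
    while True:
        change = get_change()
        polls += 1
        status = str(change.get("status", "")).lower()
        if status == "done":
            return {"change": change, "polls": polls}
        if status != "pending":
            raise RuntimeError(f"unexpected change status {status!r}")
        if clock() >= deadline:
            raise ChangeStuck(f"change {change.get('id')} still pending "
                              f"after {timeout}s ({polls} polls)")
        sleep(interval)

def cloud_dns_change_getter(project: str, managed_zone: str, change_id: str,
                            credentials_file: str) -> Callable[[], Dict]:
    """get_change() backed by the real API (assumes google-auth and
    google-api-python-client; same scope certbot's dns-google plugin uses)."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    creds = service_account.Credentials.from_service_account_file(
        credentials_file,
        scopes=["https://www.googleapis.com/auth/ndev.clouddns.readwrite"])
    dns = build("dns", "v1", credentials=creds)
    return lambda: dns.changes().get(project=project, managedZone=managed_zone,
                                     changeId=change_id).execute()

def scripted_change_getter(statuses: List[str],
                           change_id: str = "31") -> Callable[[], Dict]:
    """Constructed stand-in for changes().get(): replays the given statuses."""
    it = iter(statuses)
    return lambda: {"id": change_id, "status": next(it, statuses[-1])}
```

With the real getter, a change that stays pending surfaces as a ChangeStuck error with the change id, which is the value to look up in the Cloud DNS console or audit log rather than waiting for the ACME validation to fail.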