webprofusion / certify

Professional ACME Client for Windows. Certificate Management UI, powered by Let's Encrypt and compatible with all ACME v2 CAs. Download from certifytheweb.com
https://certifytheweb.com

Google Cloud DNS is Authoritative, but validates in Azure DNS #533

Closed jmpenalosa closed 4 years ago

jmpenalosa commented 4 years ago

Hi,

I currently have a subdomain in Azure "subdomain.mydomaininazure.com" which I configured to use Google Cloud DNS' name servers as authoritative. So Google Cloud DNS is now serving the public records.

When I want to automate renewal in Google Cloud DNS, testing works. But actual execution (automated or manual) fails because it wants me to update "_acme-challenge" in Azure rather than in GCP.

I thought that once you configure GCP as authoritative, it would validate there instead of validating in Azure.

Please let me know if I am missing something.

Thanks

webprofusion-chrisc commented 4 years ago

Hi Josh, I'm not sure I totally follow but if you can give me a real domain example I can possibly help, you can email support at certifytheweb.com if you don't want to name it here.

Let's Encrypt DNS validation works by checking for a TXT record called _acme-challenge in your DNS zone (or subdomain), e.g. _acme-challenge.www.mydomain.com must resolve as a TXT record or be a CNAME that eventually resolves to a TXT record, and that TXT record must have the latest value that Let's Encrypt (or whatever ACME CA) has asked for. This proves you control that domain/subdomain. Let's Encrypt checks only your primary nameservers and the TXT record must have propagated to all of your nameservers. If your domain has nameservers spread across two DNS providers then you'll need to use custom scripting to update both, or set a very long propagation delay while the changes replicate (assuming they do?).

Common mistakes when using Manual DNS include defining your TXT record as _acme-challenge.mydomain.com.mydomain.com or adding an A record instead of a TXT record.

Don't use the manual DNS option if you can avoid it; it's not automated so you have to repeat it when the renewal comes up, and if you're using it for wildcards and domains (e.g. you want a cert for *.mydomain.com and just mydomain.com) then you need to be able to supply two different values for the same TXT record (I know, it's dumb, that's the standard).

Basically if you can fire up dig and it shows the _acme-challenge.whatever.mydomain.com TXT record value in all of your nameservers, it should be good.
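The "dig it on every nameserver" check Chris describes above, written out as an added example (not part of the certify project or this thread): it follows any CNAME chain from _acme-challenge.<domain> and reports, per authoritative nameserver, whether the token the CA asked for is actually being served. The `lookup` callable and the zone data are assumptions constructed for the example so it runs offline; in practice you would wire `lookup` to a real query (dig or a DNS library).

```python
from typing import Callable, Dict, List, Tuple

# (nameserver, owner name, record type) -> list of values; assumed interface.
Lookup = Callable[[str, str, str], List[str]]

def resolve_txt(ns: str, name: str, lookup: Lookup, max_hops: int = 8) -> List[str]:
    """TXT values for `name` as served by `ns`, following CNAMEs as a CA would."""
    for _ in range(max_hops):
        txt = lookup(ns, name, "TXT")
        if txt:
            return txt
        cname = lookup(ns, name, "CNAME")
        if not cname:
            return []          # neither TXT nor CNAME: record missing on this ns
        name = cname[0]
    return []                  # CNAME loop or over-long chain: treat as failure

def check_challenge(domain: str, expected: str, nameservers: List[str],
                    lookup: Lookup) -> Dict[str, Tuple[bool, List[str]]]:
    """Per-nameserver verdict: (serves the expected token, values actually seen)."""
    fqdn = f"_acme-challenge.{domain}"
    report = {}
    for ns in nameservers:
        served = resolve_txt(ns, fqdn, lookup)
        report[ns] = (expected in served, served)
    return report

def all_propagated(report: Dict[str, Tuple[bool, List[str]]]) -> bool:
    """True only when every nameserver serves the current token."""
    return all(ok for ok, _ in report.values())

# Constructed zone data mirroring the thread: one provider still serves a
# stale token left over from an earlier run, the other serves the current one.
ZONES = {
    "ns1.azure.example.test": {
        ("_acme-challenge.subdomain.mydomain.com", "TXT"): ["stale-token-old-run"],
    },
    "ns-a.gcp.example.test": {
        ("_acme-challenge.subdomain.mydomain.com", "CNAME"): ["acme.mydomain.com"],
        ("acme.mydomain.com", "TXT"): ["current-token-from-ca"],
    },
}

def fake_lookup(ns: str, name: str, rtype: str) -> List[str]:
    return ZONES.get(ns, {}).get((name, rtype), [])

if __name__ == "__main__":
    rep = check_challenge("subdomain.mydomain.com", "current-token-from-ca",
                          list(ZONES), fake_lookup)
    for ns, (ok, served) in rep.items():
        print(f"{ns}: {'OK' if ok else 'MISMATCH'} {served}")
    print("safe to request validation:", all_propagated(rep))
```

A MISMATCH on any nameserver is exactly the situation the CA will trip over, so fix (or remove the stale record) before asking it to validate.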

jmpenalosa commented 4 years ago

Hi Chris,

Thank you for your reply. I meant to follow up on this as I realized Azure actually is the authoritative name server.

So the "mydomain.com" is registered with Google Domains. Then a public zone was created in Azure DNS for "mydomain.com", and the Azure name servers were configured at the registrar as the authoritative NS.

Then a subdomain "subdomain.mydomain.com" was created in Azure DNS, with name servers for Google Cloud DNS this time, where we wanted the public records served.

But when I do the validation, it wants me to validate the _acme TXT records in Azure, instead of Google Cloud DNS. Which makes sense as Azure is the authoritative name server for the apex.

As to why it was even configured that way in the first place, I am not really sure. It was just that way when I got the job.

I have used your solution in the past and it works great, automating through Google Cloud DNS. I just didn't realize when I opened this ticket that I did not get the full picture in the first place.

Thanks for your time, though. Have a good one!

webprofusion-chrisc commented 4 years ago

Thanks Josh, ultimately it just matters which nameservers are serving your public DNS (which Let's Encrypt sees), so the registrar isn't important but the nameservers are. We have providers for both Google Cloud and Azure, so just go with whichever is serving your public DNS for that subdomain.

If you need one combined cert with mixed domains and those domains all get managed by different DNS providers then you need to add more than one Authorization configuration under the Authorization tab (one for each set of domains), but if that's the case I'd figure out each one individually before trying to combine them on one cert.

jmpenalosa commented 4 years ago

Hi Chris,

This is resolved now. Apparently there was an old _acme-challenge record in Azure (where it was initially configured) and it was seeing that instead of the one in Google Cloud DNS. I removed that old record from Azure, and it now reads records from Cloud DNS.

This was never an issue with your app, but I really appreciate you taking the time to respond to me.

Have a good one!

webprofusion-chrisc commented 4 years ago

Great! Glad you got it resolved :)