
我正在尝试自动续订我的 Let's Encrypt 证书。为此,我使用了 certbot 的 dns-google 插件,它会通过一个服务账号在我的 Cloud DNS 托管区域中写入 `_acme-challenge` TXT 记录。不幸的是,审计日志里这些变更一直显示为 PENDING 状态。如果我在 certbot 等待传播期间手动更新 TXT 记录,一切正常。这些变更保持在 PENDING 状态的原因可能是什么?(下方贴出的审计日志条目只包含 `deletions`,即删除验证记录的那次变更;添加记录的那次变更没有贴出。)

注意:部分敏感数据已替换为 <placeholders>。(服务账号密钥 ID,以及下方 certbot 命令中的凭据文件名和域名并未替换;如果这些是真实值,建议轮换该服务账号密钥,并把该服务账号的权限收窄到仅此托管区域。)

{   
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"status": {},
"authenticationInfo": {
  "principalEmail": "dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com",
  "serviceAccountKeyName": "//iam.googleapis.com/projects/dns-hosting-<projectnr>/serviceAccounts/dns-service-account@dns-hosting-<projectnr>.iam.gserviceaccount.com/keys/0437a910973f0bb3c13d95648ab0fc663aee9a63"
},
"requestMetadata": {
  "callerIp": "<my-ip>",
  "requestAttributes": {
    "time": "2022-01-10T06:19:39.948727Z",
    "auth": {}
  },
  "destinationAttributes": {}
},
"serviceName": "dns.googleapis.com",
"methodName": "dns.changes.create",
"authorizationInfo": [
  {
    "permission": "dns.resourceRecordSets.delete",
    "granted": true,
    "resourceAttributes": {}
  }
],
"resourceName": "managedZones/<zone-nr>",
"request": {
  "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateRequest",
  "change": {
    "deletions": [
      {
        "rrdata": [
          "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
        ],
        "name": "_acme-challenge.<domain>.com.",
        "ttl": 60,
        "type": "TXT"
      }
    ]
  },
  "managedZone": "<zone-nr>",
  "project": "dns-hosting-<projectnr>"
},
"response": {
  "change": {
    "startTime": "2022-01-10T06:19:39.717Z",
    "deletions": [
      {
        "rrdata": [
          "\"PjtQVEKDNS5158RoD_e6xZ18-U45o8SzIu9Y8E2OXpo\""
        ],
        "ttl": 60,
        "name": "_acme-challenge.<domain>.com.",
        "type": "TXT"
      }
    ],
    "status": "PENDING",
    "id": "31"
  },
  "@type": "type.googleapis.com/cloud.dns.api.ChangesCreateResponse"
}   },   "insertId": "-gct1lxe6d30o",   "resource": {
"type": "dns_managed_zone",
"labels": {
  "location": "global",
  "project_id": "dns-hosting-<projectnr>",
  "zone_name": "<zone-nr>"
}   },   "timestamp": "2022-01-10T06:19:39.711566Z",   "severity": "NOTICE",   "logName": "projects/dns-hosting-<projectnr>/logs/cloudaudit.googleapis.com%2Factivity", "receiveTimestamp": "2022-01-10T06:19:40.311274041Z" }



我不清楚 certbot 内部的细节,它只是一条带有相应参数的 certbot 命令,用于续订证书。为此,dns-google 插件会先在 Cloud DNS 中创建 `_acme-challenge` TXT 记录并等待传播,然后由 Let's Encrypt 验证该 TXT 记录是否存在,以此证明我对该域名拥有控制权;验证通过后才会签发新证书。由于 TXT 记录的创建/更新仍处于 PENDING 状态,certbot 的验证无法通过而失败。如果我在 certbot 等待传播期间通过 Google DNS 手动更新记录,一切正常。问题只在于这些变更没有生效,而是一直处于 PENDING。需要注意的是,上面贴出的审计日志条目只包含 `deletions`(所授权限为 `dns.resourceRecordSets.delete`),也就是 certbot 在验证后清理挑战记录的那次变更;而 Cloud DNS 的 `changes.create` 通常会先同步返回 PENDING、稍后才变为 DONE,因此仅凭这一条记录还不能说明添加记录的那次变更没有执行,应对照同一时间段内包含 `additions` 的日志条目及其最终状态来判断。

使用的命令是:

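# Obtain a wildcard certificate via the DNS-01 challenge using the certbot
# dns-google plugin. The plugin creates (and afterwards deletes) the
# _acme-challenge TXT record in Cloud DNS through the service-account key
# referenced by $CREDS, then waits the propagation delay before Let's Encrypt
# validates the record.
CREDS="$HOME/bin/dns-hosting-331818-0437a910973f.json"

# The key file grants write access to the whole managed zone: keep it
# readable by the owner only (certbot warns about unsafe permissions otherwise).
chmod 600 "$CREDS"

# NOTE: "*.famderidder.com" does not cover the apex "famderidder.com";
# add a second -d if the bare domain is also needed.
certbot certonly \
  --dns-google \
  --dns-google-credentials "$CREDS" \
  --dns-google-propagation-seconds 120 \
  -d "*.famderidder.com"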
于 2022-01-11T20:15:32.687 回答