[TUTORIAL] Let's Encrypt (gcloud DNS challenge plugin)

May 10, 2024
I have come across many incomplete or misleading guides on configuring Let's Encrypt using the cloud DNS challenge. Please keep in mind that this guide is intentionally concise and minimalist.


[Configure NTP] (optional)
Bash:
ntp=<ntp-server-addr> # I recommend replacing <ntp-server-addr> with time.nist.gov
# chrony only reads files ending in .sources from its sourcedir
echo "server $ntp iburst" > "/etc/chrony/sources.d/$ntp.sources"
systemctl restart chronyd

[Install gcloud CLI] (Please always follow a guide directly from the provider itself if possible. The link is here)
Bash:
apt update -y
apt install apt-transport-https ca-certificates gnupg curl
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
apt update -y && apt install google-cloud-cli -y

[Configure nobody namespace] (We need to configure the home directory of the nobody user, which the ACME plugin uses. Google article on how to retrieve the API key here)
Code:
mkdir -p /home/nobody/gcloud
nano /home/nobody/gcloud/apikey.json #paste API Key
chown -R nobody:nogroup /home/nobody/

[Configure ACME DNS Plugin] (Datacenter -> ACME -> Challenge Plugins -> Add) (The API Data field is very sensitive to whitespace: avoid spaces before and after each line, and avoid newlines before and after the block)
Bash:
Plugin ID: <plugin_name>
Validation Delay: <30>
DNS API: gcloud
API Data:
     HOME=/home/nobody
     CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=/home/nobody/gcloud/apikey.json
     CLOUDSDK_CORE_PROJECT=<project_id> #look in the apikey.json file

[Register Account]
Bash:
Account Name: <name>
E-Mail: <your email>
ACME Directory: Let's Encrypt V2
Accept TOS

[Add Domain] (node -> system -> certificates -> ACME -> Add)
Code:
Challenge Type: DNS
Plugin: <plugin_name>
Domain: <your domain>

[Request Certificate] (node -> system -> certificates -> ACME -> Order Certificates Now)
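
A pre-flight check for the key file and the API Data block described above, added here as an example and not part of the original post. The function names are hypothetical, the owner and mode checks are an added hardening assumption (the post only sets ownership), and the demo key is constructed.

```bash
# Added example, not from the original post. Function names are hypothetical.

# Print the project_id from a service-account key file.
# Assumption: key and value share one line, as in Google's downloaded JSON.
key_project_id() {
    sed -n 's/.*"project_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the key is a regular file, owned by the expected user (name
# or uid, default nobody), closed to group/other, and contains a project_id.
check_key_file() {
    local key="$1" owner="${2:-nobody}" expected mode
    [ -f "$key" ] && [ ! -L "$key" ] || { echo "FAIL: $key is not a regular file" >&2; return 1; }
    expected=$(id -u "$owner" 2>/dev/null) || expected="$owner"
    [ "$(stat -c '%u' "$key")" = "$expected" ] || { echo "FAIL: $key is not owned by $owner" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: mode $mode exposes the key to other users; chmod 600 $key" >&2; return 1 ;;
    esac
    [ -n "$(key_project_id "$key")" ] || { echo "FAIL: no project_id in $key" >&2; return 1; }
}

# Emit the API Data block: no leading or trailing spaces, no trailing newline.
api_data_block() {
    printf 'HOME=%s\nCLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=%s\nCLOUDSDK_CORE_PROJECT=%s' \
        "$1" "$2" "$(key_project_id "$2")"
}

# Demo on a constructed key (placeholder values, not a real credential).
demo=$(mktemp -d)
printf '{\n  "type": "service_account",\n  "project_id": "example-project-123"\n}\n' > "$demo/apikey.json"
chmod 644 "$demo/apikey.json"
check_key_file "$demo/apikey.json" "$(id -u)" || echo "world-readable key rejected"
chmod 600 "$demo/apikey.json"
check_key_file "$demo/apikey.json" "$(id -u)" && api_data_block "$demo" "$demo/apikey.json"
rm -rf "$demo"
```

On the node itself, run `check_key_file /home/nobody/gcloud/apikey.json` and, once it passes, paste the output of `api_data_block /home/nobody /home/nobody/gcloud/apikey.json` into the API Data field.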