Help with Google Cloud DNS auth

I’m trying to set up our Windows servers to use Let’s Encrypt; I’ve already been able to do this using the same method on our Linux servers using certbot.

The keyfile is created against the same service account that is working currently for certbot.

I get the following when I hit test:

Powershell/PoshACME DNS :: Error - RuntimeException: Unsupported RSA key size. Must be 2048-4096 in 8 bit increments.
at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
at Certify.Management.PowerShellManager.InvokePowershell(CertificateRequestResult result, String executionPolicy, String scriptFile, Dictionary`2 parameters, String scriptContent, PowerShell shell) in C:\Work\GIT\certify_5.0.x\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 182
at Certify.Management.PowerShellManager.d__0.MoveNext() in C:\Work\GIT\certify_5.0.x\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 90

I am unable to find where I can configure this key size option. Has anyone else been able to use Google Cloud DNS? Client version is 5.0.12.0.

I was able to create a cert using manual DNS; naturally I don’t want to have that as the deployed option 🙂

Hi,

I’ve recently been testing Google Cloud DNS for another issue and can confirm that it does work, but there may be an environmental or configuration reason it’s not working for you. Can you try out this test update to see if the issue still occurs: Version 5.1.0 (Release Candidate) testing

If the problem still occurs, can you confirm which version of Windows this is for (Server 2019 etc.) and which version of PowerShell is installed: https://adamtheautomator.com/check-powershell-version/

Note also that this method is using https://github.com/rmbolger/Posh-ACME/blob/master/Posh-ACME/DnsPlugins/GCloud-Readme.md

As part of the conversation with Google Cloud, it uses a JSON Web Signature, and in Posh-ACME this is expected to be an RSA key. The normally generated Google key is fine, but did you upload a custom key?

So the short answer would be to generate a new key for your service account and try that (your existing keys can remain active).
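One way to check the key file itself before Certify or the Posh-ACME plugin ever sees it, as an added example that is not code from Certify The Web, Posh-ACME or Google. It assumes PowerShell 7 or later (for RSA.ImportPkcs8PrivateKey / ImportRSAPrivateKey) and the placeholder path C:\certs\gcloud-sa.json:

```powershell
# Added example, not from Certify The Web, Posh-ACME or Google.
# Assumes PowerShell 7+ (RSA.ImportPkcs8PrivateKey / ImportRSAPrivateKey accepting a byte[]).
function Test-GCloudKeyFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $raw   = [System.Text.Encoding]::UTF8.GetString($bytes)
    $r = [ordered]@{ Path = $Path; HasCRLF = $raw.Contains("`r`n"); KeyType = $null; KeyBits = $null; Problems = @() }

    # A UTF-8 BOM survives ReadAllBytes and upsets strict JSON parsers.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $r.Problems += 'File starts with a UTF-8 BOM'
        $raw = $raw.TrimStart([char]0xFEFF)
    }
    try { $json = $raw | ConvertFrom-Json }
    catch { $r.Problems += "Not valid JSON: $($_.Exception.Message)"; return [pscustomobject]$r }

    foreach ($f in 'type', 'project_id', 'private_key_id', 'private_key', 'client_email') {
        if (-not $json.$f) { $r.Problems += "Missing field '$f'" }
    }
    if ($json.type -and $json.type -ne 'service_account') { $r.Problems += "type is '$($json.type)', expected 'service_account'" }
    if (-not $json.private_key) { return [pscustomobject]$r }

    # Google emits PKCS#8 ("BEGIN PRIVATE KEY"); a hand-made key may be PKCS#1 ("BEGIN RSA PRIVATE KEY").
    # Anything else (an EC key, a certificate, a public key) cannot sign the RSA JWS the plugin builds.
    $pem = [string]$json.private_key
    if     ($pem -match '-----BEGIN PRIVATE KEY-----')     { $r.KeyType = 'PKCS8' }
    elseif ($pem -match '-----BEGIN RSA PRIVATE KEY-----') { $r.KeyType = 'PKCS1' }
    else { $r.Problems += 'private_key is not a PEM RSA private key block'; return [pscustomobject]$r }

    $b64 = ($pem -replace '-----(BEGIN|END)( RSA)? PRIVATE KEY-----', '') -replace '\s', ''
    try {
        $der  = [Convert]::FromBase64String($b64)
        $rsa  = [System.Security.Cryptography.RSA]::Create()
        $read = 0
        if ($r.KeyType -eq 'PKCS8') { $rsa.ImportPkcs8PrivateKey($der, [ref]$read) }
        else                        { $rsa.ImportRSAPrivateKey($der, [ref]$read) }
        $r.KeyBits = $rsa.KeySize
        # Same bounds the error message quotes: 2048-4096 bits in 8-bit increments.
        if ($rsa.KeySize -lt 2048 -or $rsa.KeySize -gt 4096 -or ($rsa.KeySize % 8) -ne 0) {
            $r.Problems += "RSA key size $($rsa.KeySize) is outside 2048-4096"
        }
        $rsa.Dispose()
    } catch { $r.Problems += "private_key does not decode as an RSA key: $($_.Exception.Message)" }
    [pscustomobject]$r
}

Test-GCloudKeyFile -Path 'C:\certs\gcloud-sa.json'   # placeholder path, point it at your key file
```

An empty Problems list with KeyBits of 2048 means the file is structurally fine and the cause lies elsewhere (plugin version, PowerShell version); a decode failure or a non-RSA block points at the key itself, which matches the advice above to simply generate a fresh one.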

I’m suspecting this is the good old CRLF issue between Linux and Windows; I created a new key in the console and it was fine.
Thanks


Ah, interesting. I don’t see anything in the Posh-ACME code that’s dependent on line endings, but there could be something somewhere:

I encountered this today as well - it seems that for whatever reason, the GCP console’s JSON file can generate files which trigger this error. I had tried toggling the CRLF and it didn’t work with the invalid key. I just regenerated a key in the console and that worked fine.