Powershell/PoshACME DNS :: Error - CmdletInvocationException: The remote server returned an error: (403) Forbidden


I’ve been trying to issue a wildcard certificate with LetsEncrypt using CTW and keep running into an issue.

The following shows up twice in the logs when I go to generate the certificate. (I assume twice because of the * certificate and the root certificate?)

Powershell/PoshACME DNS :: Error - CmdletInvocationException: The remote server returned an error: (403) Forbidden.
   at System.Management.Automation.Runspaces.AsyncResult.EndInvoke()
   at System.Management.Automation.PowerShell.EndInvoke(IAsyncResult asyncResult)
   at Certify.Management.PowerShellManager.InvokePowershell(CertificateRequestResult result, String executionPolicy, String scriptFile, Dictionary`2 parameters, String scriptContent, PowerShell shell, Boolean autoConvertBoolean) in C:\Work\GIT\certify_dev\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 232
   at Certify.Management.PowerShellManager.<RunScript>d__0.MoveNext() in C:\Work\GIT\certify_dev\certify\src\Certify.Shared.Compat\PowerShellManager.cs:line 125

I have set up the API with Google so it can create the TXT records and everything appears to be correct, but I can’t exactly make out what the log is trying to tell me despite searching various forms of it.

Would anybody have a suggestion of where to go from here? Or has anybody experienced this before?

Hi, so the Google DNS provider we have uses a script provided by the Posh-ACME project, and the main part of using that is that you need to set up a service account and give it access to perform the DNS changes, then download a JSON key file which you then point to.

The instructions for the Google Cloud Posh-ACME provider are here: https://github.com/rmbolger/Posh-ACME/blob/master/Posh-ACME/DnsPlugins/GCloud-Readme.md and everything up to ‘Using the Plugin’ is relevant. Unfortunately Google doesn’t provide any other information when a request fails, other than it’s clear the credentials you are using don’t have enough permission.

Thanks for the reply!

I set up the service account as a DNS Administrator and have done it before with no issues.

So it is definitely a permissions issue then? I was worried I had pointed to the .json file in the wrong format. Is there anything else I need to do beyond listing the directory the file is in (C:/folder/folder/file.json)?

I can keep poking around and see if I’m missing any other permissions.

Yes, I can confirm that updating Google Cloud DNS via the app works for me, my json key file looks like this:

{
  "type": "service_account",
  "project_id": "certify-123",
  "private_key_id": "a2270d6d9a16841d0b2e5fc6d2bb4e68082c208d",
  "private_key": "-----BEGIN PRIVATE KEY-----ABCD123-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "123493805506756935123",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/certify-test2%40certify-123.iam.gserviceaccount.com"
}

Watch out for having the same DNS zone declared under 2 different projects, as the Google UI will allow that. I was wondering why the UI didn’t show my test record for a second there…

Also, if you’re not using the key for anything try deleting the key and creating a new one. During previous testing I had a similar issue and generating a new google key file worked for some reason.
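As an added example that is not part of this thread or of the Certify/Posh-ACME code, the PowerShell script below covers the setup described in the earlier reply (a service-account JSON key file that the provider is pointed at by path) together with the two-projects caveat above. It checks the key file offline for the mistakes that produce a 403 before any DNS request is made, then, if the gcloud CLI happens to be installed, authenticates as that service account and confirms it can see the managed zone in the expected project. The key-file path, project ID and zone name are placeholders, and the gcloud CLI being available is an assumption.

```powershell
# Added example, not part of this thread or of Certify/Posh-ACME: pre-flight checks for
# the service-account key file the Google Cloud DNS provider is pointed at.
# All paths, project IDs and zone names below are placeholders.

function Test-GCloudKeyFile {
    <#
    Returns a list of problems found in a Google service-account JSON key file.
    An empty list means the file looks usable; it does not prove the account has
    DNS permissions, which is what Test-GCloudDnsAccess is for.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedProjectId   # project that actually holds the managed zone
    )
    $problems = @()

    # The path is passed straight through, so an unresolvable path fails before any request.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return @("Key file not found at '$Path' (give the full path to the .json file)")
    }

    try {
        $key = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    } catch {
        return @("File is not valid JSON; a downloaded key file starts with '{' and ends with '}': $($_.Exception.Message)")
    }
    if (-not $key) { return @("Key file '$Path' is empty") }

    foreach ($field in 'type', 'project_id', 'private_key', 'client_email', 'token_uri') {
        if (-not $key.$field) { $problems += "Missing field '$field'" }
    }
    if ($key.type -ne 'service_account') {
        $problems += "type is '$($key.type)'; a service-account key says 'service_account' (a user OAuth client secret will not work)"
    }
    if ($key.private_key -and $key.private_key -notmatch '^-----BEGIN PRIVATE KEY-----') {
        $problems += 'private_key is not a PEM private key block'
    }
    if ($key.client_email -and $key.client_email -notlike "*@$($key.project_id).iam.gserviceaccount.com") {
        $problems += "client_email '$($key.client_email)' is not a service account of project '$($key.project_id)'"
    }
    if ($ExpectedProjectId -and $key.project_id -ne $ExpectedProjectId) {
        # The same zone name can exist in several projects; a key for the wrong one gets 403.
        $problems += "Key belongs to project '$($key.project_id)' but the zone lives in '$ExpectedProjectId'"
    }
    return $problems
}

function Test-GCloudDnsAccess {
    <#
    Online check using the gcloud CLI (assumed installed): authenticate as the service
    account and list the managed zones it can see in the project. A 403 here reproduces
    the error from the Certify log without going through the Posh-ACME script.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ProjectId,
        [Parameter(Mandatory)][string]$DnsName   # zone's DNS name with trailing dot, e.g. 'example.com.'
    )
    gcloud auth activate-service-account --key-file=$Path --quiet | Out-Null
    $zones = gcloud dns managed-zones list --project=$ProjectId --format=json | ConvertFrom-Json
    $match = $zones | Where-Object { $_.dnsName -eq $DnsName }
    if (-not $match) {
        Write-Warning "No managed zone '$DnsName' visible in project '$ProjectId' with this key"
        return $false
    }
    Write-Host "Zone '$($match.name)' found in project '$ProjectId'; the key can read it"
    return $true
}

# Usage (placeholder values):
$keyFile = 'C:\certify\keys\certify-123-dns.json'
$issues = Test-GCloudKeyFile -Path $keyFile -ExpectedProjectId 'certify-123'
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} elseif (Get-Command gcloud -ErrorAction SilentlyContinue) {
    Test-GCloudDnsAccess -Path $keyFile -ProjectId 'certify-123' -DnsName 'example.com.'
}
```

If the offline checks pass but the gcloud listing fails with 403, the file is fine and the problem is the role binding or the project the zone is in, which is where the DNS Administrator grant (or a freshly generated key, as suggested above) should be revisited.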