Google GTS SSL Certificate Application Issues and Solutions in 2025

Thursday, Oct 23, 2025 | 6 minute read | Updated at Thursday, Oct 23, 2025

Introduction

Since Google opened up its GTS CA (Google Trust Services) to the public, many developers have been eager to take advantage of this trusted certificate authority. However, as the service has matured and evolved in 2025, users have encountered various challenges during the application process. This article provides an updated guide addressing the most common issues and their solutions.

If you’re looking for the basic setup guide, check out my previous article: Effortless SSL Management with Google’s GTS CA Using acme.sh.

Common Issues in 2025

1. API Enablement and Project Setup Issues

Problem: Users often encounter errors when trying to enable the Public Certificate Authority API.

Error Messages:

Error: API [publicca.googleapis.com] not enabled on project
Permission denied on project or billing not enabled

Solutions:

  1. Verify Billing is Enabled:

    • Navigate to the Google Cloud Console
    • Go to “Billing” in the left sidebar
    • Ensure your project has an active billing account linked
    • Even though GTS certificates are free, billing must be enabled for API access
  2. Check Project Permissions:

    gcloud projects get-iam-policy YOUR_PROJECT_ID
    

    Look for your own principal in the bindings. roles/publicca.externalAccountKeyCreator is sufficient to create external account keys; roles/owner also works, but grants far more than this task needs.

  3. Enable API Manually:

    gcloud services enable publicca.googleapis.com --project=YOUR_PROJECT_ID
    
  4. Wait for Propagation: After enabling the API, wait 2-3 minutes before attempting to create external account keys.

2. External Account Key Creation Quota Limits

Problem: Users hit quota limits when creating multiple external account keys.

Error Message:

Quota exceeded for quota metric 'External account keys' and limit 'External account keys per project per day'

Understanding the Limits:

  • Default quota: 10 external account keys per project per day
  • An external account key (EAB key ID plus HMAC key) is consumed when you register an ACME account with it; Google documents EAB secrets as single-use and valid only for a limited time after creation, so create one only when you are about to register
  • It is the registered ACME account, not the key, that issues certificates; one account can order as many certificates as the rate limits allow, so a project rarely needs more than one key per ACME client

Solutions:

  1. Reuse the Registered Account: acme.sh keeps the GTS account key and registration under its CA directory, so check there before creating another external account key:

    # An existing account.key here means this acme.sh is already registered with GTS
    ls -l ~/.acme.sh/ca/dv.acme-v02.api.pki.goog/directory/
    
  2. Use Multiple Projects: Create separate Google Cloud projects for different environments (dev, staging, production).

  3. Request Quota Increase: In the Google Cloud Console open IAM & Admin > Quotas, filter on the Public Certificate Authority API, select the external account keys quota and request a higher limit.

3. Registration Errors with acme.sh

Problem: Account registration fails with various errors.

Common Error Messages:

Register account Error: {"type":"urn:ietf:params:acme:error:malformed","detail":"..."}
Invalid EAB credentials

Solutions:

  1. Ensure Correct Server URL: The current GTS ACME server URL is:

    https://dv.acme-v02.api.pki.goog/directory
    
  2. Verify Key Format:

    • The gcloud output has three fields: name (the full resource path projects/PROJECT_ID/locations/global/externalAccountKeys/KEY_ID), keyId and b64MacKey. Pass the short keyId value to --eab-kid, not the name; pasting the full resource path is the most common cause of EAB credential errors
    • The --eab-hmac-key value is the b64MacKey field, a base64url-encoded string; copy it whole, with no surrounding quotes or whitespace
  3. Clean Previous Registrations: acme.sh stores each CA's account under a directory derived from the server URL. Back it up before deleting it: the account key is lost, and because an external account key is consumed on registration you will need a freshly created key from gcloud to register again.

    # Remove the old account configuration for the GTS directory
    rm -rf ~/.acme.sh/ca/dv.acme-v02.api.pki.goog
    
    # Register again with a newly created external account key
    acme.sh --server https://dv.acme-v02.api.pki.goog/directory \
      --register-account \
      --eab-kid "YOUR_KEY_ID" \
      --eab-hmac-key "YOUR_HMAC_KEY" \
      --accountemail you@example.com
  4. Check acme.sh Version:

    acme.sh --version
    # Upgrade if needed
    acme.sh --upgrade
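
The two failure modes from sections 2 and 3 above (burning external account keys you do not need, and pasting the wrong field into --eab-kid) are easy to catch before running acme.sh. The following shell functions are an added example and not code from the original post or from acme.sh or gcloud: they parse the JSON that `gcloud beta publicca external-account-keys create --format=json` prints, reject a keyId that is really the resource name, check the HMAC value for copy-paste damage, and look for an existing GTS registration in an acme.sh home directory. The JSON sample embedded below is constructed and contains no real key.

```shell
#!/usr/bin/env bash
# Added example, not from the original post, acme.sh or gcloud.
# Checks the external account key material before registering and
# whether acme.sh already holds a GTS account that should be reused.
set -u

GTS_DIRECTORY="https://dv.acme-v02.api.pki.goog/directory"

# Constructed sample of the gcloud JSON output; values are made up.
SAMPLE_EAB_JSON='{
  "b64MacKey": "c2FtcGxlLWhtYWMta2V5LW5vdC1hLXJlYWwtb25lLTAxMjM0NTY3ODkwMQ",
  "keyId": "a1b2c3d4e5f60718",
  "name": "projects/my-project/locations/global/externalAccountKeys/a1b2c3d4e5f60718"
}'

# json_field JSON KEY -> prints the string value of a top-level key.
# sed only, on purpose: jq is not guaranteed to exist on a fresh host.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# eab_kid_from_json JSON -> prints keyId, or fails when the value
# contains '/' (i.e. the full resource `name` was pasted by mistake).
eab_kid_from_json() {
  local kid
  kid=$(json_field "$1" keyId)
  [ -n "$kid" ] || return 1
  case "$kid" in
    */*) return 1 ;;
  esac
  printf '%s\n' "$kid"
}

# eab_hmac_from_json JSON -> prints b64MacKey after rejecting whitespace
# and stray punctuation (comma, quote) typical of a bad copy-paste.
eab_hmac_from_json() {
  local mac
  mac=$(json_field "$1" b64MacKey)
  [ -n "$mac" ] || return 1
  case "$mac" in
    *[!A-Za-z0-9_=+/-]*) return 1 ;;
  esac
  printf '%s\n' "$mac"
}

# gts_account_registered [ACME_HOME] -> 0 if acme.sh already has an
# account key for the GTS directory. acme.sh stores CA state under
# ca/<host>/<path>/, so for GTS that is ca/dv.acme-v02.api.pki.goog/directory/.
gts_account_registered() {
  local home=${1:-"$HOME/.acme.sh"}
  [ -s "$home/ca/dv.acme-v02.api.pki.goog/directory/account.key" ]
}

# register_cmd JSON EMAIL -> prints (does not run) the acme.sh
# registration command built from the validated fields.
register_cmd() {
  local kid mac
  kid=$(eab_kid_from_json "$1") || return 1
  mac=$(eab_hmac_from_json "$1") || return 1
  printf 'acme.sh --register-account --server %s --eab-kid %s --eab-hmac-key %s --accountemail %s\n' \
    "$GTS_DIRECTORY" "$kid" "$mac" "$2"
}

# Usage with real output instead of the sample:
#   gts_account_registered && echo "already registered, do not create a new key" ||
#     register_cmd "$(gcloud beta publicca external-account-keys create --format=json)" you@example.com
```

Run `gts_account_registered` first: if it succeeds, a registered account already exists and creating another external account key only spends quota.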
    

4. DNS-01 Challenge Validation Failures

Problem: DNS validation fails even after adding TXT records.

Common Causes:

  • DNS propagation delays
  • Incorrect TXT record values
  • Multiple TXT records causing conflicts
  • DNS provider API issues

Solutions:

  1. Verify DNS Propagation:

    # Check if TXT record is visible
    dig _acme-challenge.yourdomain.com TXT +short
    # Or use online tools
    nslookup -type=TXT _acme-challenge.yourdomain.com 8.8.8.8
    
  2. Wait for Propagation: Poll the record rather than guessing a delay; in DNS API mode you can also raise acme.sh's built-in wait with --dnssleep (seconds) instead of a fixed sleep like the one below:

    # Add a delay before renewal (manual DNS mode)
    sleep 120
    acme.sh --renew -d yourdomain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
    
  3. Cloudflare-Specific Issues:

    • Ensure your Cloudflare API token has the correct permissions
    • Required permissions: Zone:DNS:Edit, plus Zone:Zone:Read so acme.sh can look up the zone when CF_Zone_ID is not set
    • Avoid the Global API Key: it does not expire and grants full account access; if one has been exposed, roll it and switch to a scoped token

    # Test the Cloudflare API token (a valid token reports "status":"active")
    curl -X GET "https://api.cloudflare.com/client/v4/user/tokens/verify" \
      -H "Authorization: Bearer YOUR_API_TOKEN" \
      -H "Content-Type: application/json"
  4. Use Debug Mode:

    acme.sh --issue --dns dns_cf -d yourdomain.com --debug 2
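
A fixed sleep is a guess; what the CA's resolvers need is the exact token visible at the right name. The shell functions below are an added example (not from the original post or acme.sh) showing how to derive the _acme-challenge name for each identifier, including why a wildcard and its apex share one name, how to normalize dig's TXT output, and how to poll several public resolvers until the token appears. The resolver addresses, the 300-second default timeout and the use of dig (from bind-utils/dnsutils) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or acme.sh.
# DNS-01 helpers: challenge name derivation, TXT normalization, polling.
set -u

# Assumed public resolvers to poll; use the ones you trust.
RESOLVERS="8.8.8.8 1.1.1.1 9.9.9.9"

# acme_challenge_name IDENTIFIER -> the TXT owner name for DNS-01.
# A wildcard is validated at its base name, so "*.example.com" and
# "example.com" both map to _acme-challenge.example.com and need two TXT
# records there (one token each). Tokens left behind by earlier orders
# at that same name are the usual "multiple TXT records" failure.
acme_challenge_name() {
  local id=${1#\*.}
  id=${id%.}
  printf '_acme-challenge.%s\n' "$id"
}

# normalize_txt: reads `dig +short ... TXT` output on stdin and prints one
# value per line with quoting removed. A value longer than 255 bytes is
# shown as several quoted strings ("abc" "def"); those are joined back.
normalize_txt() {
  sed 's/" "//g; s/^"//; s/"$//'
}

# txt_values RESOLVER NAME -> TXT values at NAME as seen by RESOLVER.
# If dig is missing or times out, nothing is printed (treated as absent).
txt_values() {
  dig +short +time=3 +tries=1 "@$1" "$2" TXT 2>/dev/null | normalize_txt
}

# wait_for_txt NAME TOKEN [TIMEOUT_SECONDS] -> 0 once every resolver in
# RESOLVERS returns a TXT record exactly equal to TOKEN, 1 on timeout.
wait_for_txt() {
  local name=$1 token=$2 deadline missing r
  deadline=$(( $(date +%s) + ${3:-300} ))
  while :; do
    missing=0
    for r in $RESOLVERS; do
      txt_values "$r" "$name" | grep -qxF "$token" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    [ "$(date +%s)" -ge "$deadline" ] && return 1
    sleep 10
  done
}

# unexpected_values TOKENS...: reads TXT values on stdin and prints those
# not among the expected TOKENS; anything printed is stale and should be
# deleted at the provider before retrying the order.
unexpected_values() {
  local v t keep
  while IFS= read -r v; do
    keep=0
    for t in "$@"; do [ "$v" = "$t" ] && keep=1; done
    [ "$keep" -eq 0 ] && printf '%s\n' "$v"
  done
  return 0
}

# stale_tokens NAME TOKENS... -> stale TXT values at NAME (first resolver).
stale_tokens() {
  local name=$1; shift
  txt_values "${RESOLVERS%% *}" "$name" | unexpected_values "$@"
}

# Usage in manual DNS mode, after acme.sh prints the token(s):
#   n=$(acme_challenge_name '*.yourdomain.com')
#   stale_tokens "$n" "<token1>" "<token2>"      # delete anything listed
#   wait_for_txt "$n" "<token1>" && wait_for_txt "$n" "<token2>" && \
#     acme.sh --renew -d yourdomain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
```

Checking every resolver, not just one, matters because the CA validates from its own vantage points; a record visible on 8.8.8.8 but not yet on others is exactly the state in which a retry still fails.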
    

5. Certificate Issuance Rate Limits

Problem: Hitting rate limits when issuing too many certificates.

Rate Limits to Plan Around (as of 2025):

The figures below are the ones commonly quoted and match Let's Encrypt's published limits; use them as a planning baseline, treat a rate-limit error returned by the GTS ACME server as authoritative, and verify against Google's current Public CA documentation for your project:

  • 50 certificates per registered domain per week
  • 5 duplicate certificates per week
  • 300 new orders per account per 3 hours

Solutions:

  1. Use Wildcard Certificates: Instead of individual subdomain certificates, use wildcards:

    acme.sh --issue --dns dns_cf -d "*.yourdomain.com" -d "yourdomain.com"
    
  2. Plan Certificate Issuance:

    • Avoid reissuing unnecessarily
    • Use staging environment for testing
    • Coordinate team members to prevent duplicate issuance
  3. Monitor Your Usage: gcloud publicca manages only external account keys, not certificates, so keep track of what you have issued with acme.sh's own inventory and, for everything publicly logged under your domain, a Certificate Transparency search such as crt.sh:

    acme.sh --list
    

6. Renewal Issues

Problem: Automatic renewal fails after initial certificate issuance.

Common Causes:

  • Cron job not properly configured
  • API credentials expired or changed
  • DNS provider API rate limits
  • Network connectivity issues

Solutions:

  1. Verify Cron Configuration:

    # Check acme.sh cron job
    crontab -l | grep acme.sh
    
    # Typical cron job should look like:
    # 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
    
  2. Test Renewal Manually: add --ecc if the certificate was issued with --keylength ec-256, because acme.sh keeps ECC certificates in a separate _ecc directory and will otherwise look for an RSA certificate that does not exist. Note that --force issues a real certificate and counts against the rate limits:

    acme.sh --renew -d yourdomain.com --force --debug
    
  3. Check Renewal Configuration (ECC certificates use ~/.acme.sh/yourdomain.com_ecc/ instead):

    cat ~/.acme.sh/yourdomain.com/yourdomain.com.conf
    
  4. Verify DNS API Credentials (this prints secrets, so do it on a trusted terminal only):

    grep CF_ ~/.acme.sh/account.conf
    

Best Practices for 2025

  1. Use API Tokens Instead of Global Keys: For Cloudflare and other DNS providers, use scoped API tokens instead of global API keys, so a credential that leaks from the acme.sh host can only edit DNS in the zones you chose.

  2. Implement Monitoring: Set up alerts for certificate expiration:

    # Add this to your monitoring script
    acme.sh --list | grep "yourdomain.com"
    
  3. Use ECC Certificates: A P-256 (ec-256) key gives smaller certificates and faster TLS handshakes than RSA-2048 at a comparable or higher security level. acme.sh stores ECC certificates in ~/.acme.sh/yourdomain.com_ecc/ and needs --ecc on later --renew and --install-cert calls:

    acme.sh --issue --dns dns_cf -d yourdomain.com --keylength ec-256
    
  4. Backup Your Certificates: The archive contains your private keys and the DNS API credentials in account.conf, so keep it readable only by you and store it encrypted:

    # Create automated backup
    tar -czf acme-backup-$(date +%Y%m%d).tar.gz ~/.acme.sh/
    
  5. Document Your Setup: Keep a record of:

    • Which external account keys are used for which domains
    • DNS provider API credentials location
    • Certificate installation paths

Updated Workflow for 2025

Here’s a streamlined workflow incorporating the latest best practices:

# Step 1: Enable the Public CA API in a project that has billing enabled
gcloud services enable publicca.googleapis.com

# Step 2: Create external account key (only once per project)
gcloud beta publicca external-account-keys create
# Save the output: keyId and b64MacKey

# Step 3: Install/Update acme.sh
curl https://get.acme.sh | sh -s email=you@example.com
source ~/.bashrc
acme.sh --upgrade

# Step 4: Register account (only once)
acme.sh --register-account \
  --server https://dv.acme-v02.api.pki.goog/directory \
  --eab-kid "YOUR_KEY_ID" \
  --eab-hmac-key "YOUR_HMAC_KEY" \
  --accountemail you@example.com

# Step 5: Set as default CA (optional)
acme.sh --set-default-ca --server google

# Step 6: Configure DNS provider (example for Cloudflare)
export CF_Token="YOUR_CLOUDFLARE_API_TOKEN"
export CF_Account_ID="YOUR_CLOUDFLARE_ACCOUNT_ID"
export CF_Zone_ID="YOUR_CLOUDFLARE_ZONE_ID"

# Step 7: Issue certificate
acme.sh --issue \
  --dns dns_cf \
  --keylength ec-256 \
  -d "yourdomain.com" \
  -d "*.yourdomain.com"

# Step 8: Install certificate (--ecc because Step 7 issued an ECC key)
acme.sh --install-cert -d yourdomain.com --ecc \
  --key-file /path/to/keyfile \
  --fullchain-file /path/to/fullchain \
  --reloadcmd "systemctl reload nginx"
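
After Step 8 it is worth confirming what actually landed on disk: that the certificate came from Google Trust Services (easy to get wrong when --set-default-ca or an older Let's Encrypt configuration is still in effect) and how close it is to expiry. The shell functions below are an added example, not from the original post or acme.sh, and double as the expiry monitor from Best Practices item 2. The certificate path and the 30-day threshold are assumptions; the issuer check relies on GTS intermediates carrying "Google Trust Services" in their issuer DN, and uses openssl's -checkend so it behaves the same on GNU and BSD systems without parsing dates.

```shell
#!/usr/bin/env bash
# Added example, not from the original post or acme.sh.
# Post-install and monitoring checks on the installed certificate file.
set -u

# cert_expires_within CERT_PEM DAYS -> 0 if the certificate expires within
# DAYS days (time to renew), 1 otherwise. `openssl x509 -checkend N` exits 0
# only if the certificate is still valid N seconds from now, so the result
# is inverted here; an unreadable file also counts as "renew".
cert_expires_within() {
  if openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_issuer CERT_PEM -> the issuer DN without the "issuer=" prefix.
cert_issuer() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# cert_issued_by_gts CERT_PEM -> 0 if the issuer is a Google Trust Services CA.
cert_issued_by_gts() {
  cert_issuer "$1" | grep -q 'Google Trust Services'
}

# cert_key_type CERT_PEM -> "ec" or "rsa". ECC certificates are kept by
# acme.sh in ~/.acme.sh/<domain>_ecc/ and need --ecc on every later command.
cert_key_type() {
  if openssl x509 -noout -text -in "$1" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    printf 'ec\n'
  else
    printf 'rsa\n'
  fi
}

# check_cert CERT_PEM DAYS -> prints one status line per problem and returns
# non-zero if any check fails, so it can drive an alert from cron.
check_cert() {
  local status=0
  if cert_expires_within "$1" "$2"; then
    echo "WARN: $1 expires within $2 days"
    status=1
  fi
  if ! cert_issued_by_gts "$1"; then
    echo "WARN: $1 issuer is '$(cert_issuer "$1")', not Google Trust Services"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: $1 ($(cert_key_type "$1") key, issuer $(cert_issuer "$1"))"
  fi
  return "$status"
}

# Usage against the file written by --install-cert (assumed path):
#   check_cert /path/to/fullchain 30 || echo "certificate needs attention" | mail -s "TLS alert" you@example.com
```

Checking the installed file rather than acme.sh's own list catches the case where renewal succeeded but --install-cert or the reload command did not, which is what users actually experience as "renewal failed".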

Checking System Time

ACME protocol requires accurate system time:

# Check system time
timedatectl status

# If time is incorrect, synchronize
sudo systemctl restart systemd-timesyncd
# Or for macOS
sudo sntp -sS time.apple.com

Conclusion

While Google GTS certificates offer excellent performance and compatibility, the application process has evolved with new challenges in 2025. By understanding these common issues and following the updated best practices, you can successfully implement and maintain GTS SSL certificates for your infrastructure.

The key is to properly set up your Google Cloud project with billing enabled, manage your external account keys wisely, keep your tools updated, and implement proper monitoring for certificate renewals.




© 2025 Zero9

About Me

Hi, there! This is Will, nice to meet you.
