The Solution in a Nutshell

• First we need a valid wildcard certificate from LetsEncrypt. The shell script “acme.sh” can help with this task. The certificate will be good for 90 days.

• When the time comes to renew the certificate we can use the shell script “acme.sh” to issue the renewal request.

  LetsEncrypt will issue a response to the renewal request, but that response will be directed at the Google Domain DNS server, which cannot handle the challenge.

• Therefore I must arrange that the “challenge” which LetsEncrypt sends to the Google servers be then referred to my own BIND server's external view for resolution.

• The challenge will then be answered by the “acme.sh” script (on my machine) which is able to programatically adjust my local BIND server to answer the challenge correctly (by adjusting only the external view) and thus allow the renewal to proceed.