Acme/DNS-ovh



  • I am trying to use the acme plugin with the DNS-ovh method.

    At the first renew the server asks me to connect to a web page to authenticate, and I am supposed to get the Consumer Key from it at this point.

    I expected the first renew to save the Consumer Key in the config, but the field stays empty.

    How can I obtain this key?

    Thanks for your help





  • I tried.

    The consumer key is generated but not displayed or saved.

    Each time I receive the same message: "OVH consumer key is empty, Let's get one"

    with a new URL to authenticate.



  • Sorry for the late answer. I created a new subdomain and I had the same problem indeed:

    [Mon Nov 13 23:21:12 CET 2017] Single domain='mydomain.com'
    [Mon Nov 13 23:21:12 CET 2017] Getting domain auth token for each domain
    [Mon Nov 13 23:21:12 CET 2017] Getting webroot for domain='mydomain.com'
    [Mon Nov 13 23:21:12 CET 2017] Getting new-authz for domain='mydomain.com'
    [Mon Nov 13 23:21:17 CET 2017] The new-authz request is ok.
    [Mon Nov 13 23:21:17 CET 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_ovh.sh
    [Mon Nov 13 23:21:18 CET 2017] Using OVH endpoint: ovh-eu
    [Mon Nov 13 23:21:18 CET 2017] OVH consumer key is empty, Let's get one:
    [Mon Nov 13 23:21:18 CET 2017] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=G3uWWvv2WtWC9daQOYQa8ol8Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [Mon Nov 13 23:21:18 CET 2017] Here is a guide for you: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
    [Mon Nov 13 23:21:18 CET 2017] Please retry after the authentication is done.
    [Mon Nov 13 23:21:18 CET 2017] Error add txt for domain:_acme-challenge.mydomain.com
    [Mon Nov 13 23:21:18 CET 2017] Please check log file for more details: /tmp/acme/mydomain.com/acme_issuecert.log
    

    And what had to happen happened: I got blocked:

    [Mon Nov 13 23:36:40 CET 2017] Single domain='mydomain.com'
    [Mon Nov 13 23:36:40 CET 2017] Getting domain auth token for each domain
    [Mon Nov 13 23:36:40 CET 2017] Getting webroot for domain='mydomain.com'
    [Mon Nov 13 23:36:40 CET 2017] Getting new-authz for domain='mydomain.com'
    [Mon Nov 13 23:36:47 CET 2017] The new-authz request is ok.
    [Mon Nov 13 23:36:47 CET 2017] new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: Too many failed authorizations recently.","status": 429}
    [Mon Nov 13 23:36:47 CET 2017] Please check log file for more details: /tmp/acme/mydomain.com/acme_issuecert.log
    

    So I retried today (24h seems to be enough), but with the tutorial part "Advanced Usage", in which you can obtain the precious Client Key!
    https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api#user-content-advanced-usage

    To obtain both API Key and Client Key, you just have to set accesses on the domain zone:
    https://api.ovh.com/createToken/?GET=/domain/zone/&POST=/domain/zone/&PUT=/domain/zone/*

    For security reasons, this one is even better, just replace "mydomain.com" with your domain name:
    https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/&POST=/domain/zone/mydomain.com/&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com

    I will run more tests on the accesses when I renew all my OVH "DNS-manual" certificates and post my results, but Neilpang's tutorial seems to be serious concerning security.

    Then click on "Create keys", as usual. This should work after "Issue/Renew" of the certificate in pfSense:

    [Wed Nov 15 20:07:22 CET 2017] Single domain='mydomain.com'
    [Wed Nov 15 20:07:22 CET 2017] Getting domain auth token for each domain
    [Wed Nov 15 20:07:22 CET 2017] Getting webroot for domain='mydomain.com'
    [Wed Nov 15 20:07:22 CET 2017] Getting new-authz for domain='mydomain.com'
    [Wed Nov 15 20:07:29 CET 2017] The new-authz request is ok.
    [Wed Nov 15 20:07:29 CET 2017] mydomain.com is already verified, skip dns-01.
    [Wed Nov 15 20:07:29 CET 2017] Verify finished, start to sign.
    [Wed Nov 15 20:07:31 CET 2017] Cert success.
    
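The procedure in the post above (create a zone-scoped token, then use the resulting consumer key), as an added example that is not part of this thread or of acme.sh. It assumes the acme.sh variable names OVH_AK / OVH_AS / OVH_CK, the ovh-eu endpoint, and that curl and sha1sum are available; the signing scheme is the one OVH documents and acme.sh's dns_ovh.sh implements.

```sh
#!/bin/sh
# Added example, not code from the thread or from acme.sh. It builds the
# zone-scoped createToken URL from the post above and then checks the resulting
# keys with a read-only, signed OVH API call, using the same signing scheme
# acme.sh's dns_ovh.sh uses. OVH_AK / OVH_AS / OVH_CK are the acme.sh variable
# names (application key, application secret, consumer key).

_sha1hex() {
  { if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi; } | cut -c1-40
}

# Least-privilege rights for a single zone, exactly the URL given in the post above.
ovh_token_url() {
  z="$1"
  printf 'https://api.ovh.com/createToken/?GET=/domain/zone/%s/&POST=/domain/zone/%s/&PUT=/domain/zone/%s/*&GET=/domain/zone/%s' "$z" "$z" "$z" "$z"
}

# OVH signature: "$1$" + sha1hex(AS "+" CK "+" METHOD "+" URL "+" BODY "+" TIMESTAMP)
# $1 app secret, $2 consumer key, $3 method, $4 full URL, $5 body, $6 unix time
ovh_sign() {
  printf '$1$%s' "$(printf '%s+%s+%s+%s+%s+%s' "$1" "$2" "$3" "$4" "$5" "$6" | _sha1hex)"
}

# Read-only probe: list TXT record ids of the zone and print the HTTP status.
# 200 means the consumer key is valid and has GET rights on this zone; anything
# else (OVH answers 403 with an error body for bad credentials or missing
# rights) means the keys need to be recreated with the URL above.
ovh_check_zone_access() {
  z="$1"; ep="${2:-https://eu.api.ovh.com/1.0}"
  url="$ep/domain/zone/$z/record?fieldType=TXT"
  ts=$(curl -s "$ep/auth/time")   # server clock, as acme.sh does, so clock drift cannot break the signature
  sig=$(ovh_sign "$OVH_AS" "$OVH_CK" GET "$url" "" "$ts")
  curl -s -o /dev/null -w '%{http_code}' \
    -H "X-Ovh-Application: $OVH_AK" -H "X-Ovh-Consumer: $OVH_CK" \
    -H "X-Ovh-Timestamp: $ts" -H "X-Ovh-Signature: $sig" "$url"
}

# Usage: OVH_AK=... OVH_AS=... OVH_CK=... sh ovh_check.sh mydomain.com
if [ $# -ge 1 ]; then
  echo "Create keys at: $(ovh_token_url "$1")"
  if [ -n "$OVH_CK" ]; then
    echo "Zone access check for $1: HTTP $(ovh_check_zone_access "$1")"
  else
    echo "OVH_CK is empty: no consumer key was stored, create one with the URL above" >&2
  fi
fi
```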


  • Problem solved.

    You can locate it in the acme_issuecert.log:

    [Wed Feb 28 18:46:02 CET 2018] consumerKey='[hidden](please add '--output-insecure' to see this value)'
    [Wed Feb 28 18:46:02 CET 2018] APP
    [Wed Feb 28 18:46:02 CET 2018] 6:OVH_CK='XXXXXXXXXXXXXXXXXXX'
    
