Netgate Discussion Forum

    Acme/DNS-ovh

    • ccaron

      I am trying to use the acme plugin with the DNS-ovh method.

      At the first renewal the server asks me to connect to a web page to authenticate, and I am supposed to get the Consumer Key at this point.

      I expected the first renewal to save the Consumer Key in the config, but the field stays empty.

      How can I obtain this key?

      Thanks for your help

      • Undefined_ID

        Have you tried this HowTo: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api ?

        • ccaron

          I tried.

          The consumer key is generated but not displayed or saved.

          Each time I receive the same message: "OVH consumer key is empty, Let's get one"

          with a new URL to authenticate.

          • Undefined_ID

            Sorry for the late answer. I created a new subdomain and I had the same problem indeed:

            [Mon Nov 13 23:21:12 CET 2017] Single domain='mydomain.com'
            [Mon Nov 13 23:21:12 CET 2017] Getting domain auth token for each domain
            [Mon Nov 13 23:21:12 CET 2017] Getting webroot for domain='mydomain.com'
            [Mon Nov 13 23:21:12 CET 2017] Getting new-authz for domain='mydomain.com'
            [Mon Nov 13 23:21:17 CET 2017] The new-authz request is ok.
            [Mon Nov 13 23:21:17 CET 2017] Found domain api file: /usr/local/pkg/acme/dnsapi/dns_ovh.sh
            [Mon Nov 13 23:21:18 CET 2017] Using OVH endpoint: ovh-eu
            [Mon Nov 13 23:21:18 CET 2017] OVH consumer key is empty, Let's get one:
            [Mon Nov 13 23:21:18 CET 2017] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=G3uWWvv2WtWC9daQOYQa8ol8Exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            [Mon Nov 13 23:21:18 CET 2017] Here is a guide for you: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
            [Mon Nov 13 23:21:18 CET 2017] Please retry after the authentication is done.
            [Mon Nov 13 23:21:18 CET 2017] Error add txt for domain:_acme-challenge.mydomain.com
            [Mon Nov 13 23:21:18 CET 2017] Please check log file for more details: /tmp/acme/mydomain.com/acme_issuecert.log
            

            And what had to happen happened, I got blocked:

            [Mon Nov 13 23:36:40 CET 2017] Single domain='mydomain.com'
            [Mon Nov 13 23:36:40 CET 2017] Getting domain auth token for each domain
            [Mon Nov 13 23:36:40 CET 2017] Getting webroot for domain='mydomain.com'
            [Mon Nov 13 23:36:40 CET 2017] Getting new-authz for domain='mydomain.com'
            [Mon Nov 13 23:36:47 CET 2017] The new-authz request is ok.
            [Mon Nov 13 23:36:47 CET 2017] new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: Too many failed authorizations recently.","status": 429}
            [Mon Nov 13 23:36:47 CET 2017] Please check log file for more details: /tmp/acme/mydomain.com/acme_issuecert.log
            

            So I retried today (24h seems to be enough), but with the tutorial's "Advanced Usage" part, in which you can obtain the precious Client Key!
            https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api#user-content-advanced-usage

            To obtain both the API Key and the Client Key, you just have to set access rights on the domain zone:
            https://api.ovh.com/createToken/?GET=/domain/zone/&POST=/domain/zone/&PUT=/domain/zone/*

            For security reasons, this one is even better; just replace "mydomain.com" with your domain name:
            https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/&POST=/domain/zone/mydomain.com/&PUT=/domain/zone/mydomain.com/*&GET=/domain/zone/mydomain.com

            I will run more tests on the access rights when I renew all my OVH "DNS-manual" certificates and post my results, but Neilpang's tutorial seems to be serious about security.

            Then click on "Create keys", as usual. This should work after you "Issue/Renew" the certificate in pfSense:

            [Wed Nov 15 20:07:22 CET 2017] Single domain='mydomain.com'
            [Wed Nov 15 20:07:22 CET 2017] Getting domain auth token for each domain
            [Wed Nov 15 20:07:22 CET 2017] Getting webroot for domain='mydomain.com'
            [Wed Nov 15 20:07:22 CET 2017] Getting new-authz for domain='mydomain.com'
            [Wed Nov 15 20:07:29 CET 2017] The new-authz request is ok.
            [Wed Nov 15 20:07:29 CET 2017] mydomain.com is already verified, skip dns-01.
            [Wed Nov 15 20:07:29 CET 2017] Verify finished, start to sign.
            [Wed Nov 15 20:07:31 CET 2017] Cert success.
            
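Added example, not part of the original posts and not acme.sh code: a shell script that builds the zone-scoped createToken link from the post above and checks whether a link's access rules stay inside a single DNS zone. The function names `ovh_token_url` and `ovh_scope_check` are hypothetical; the rule set and the `mydomain.com` placeholder are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: build and audit OVH createToken links before clicking
# "Create keys". Function names are hypothetical, not part of acme.sh.

# Build the createToken link restricted to one zone, using the same four
# rules as the scoped link in the thread.
ovh_token_url() {
    zone="/domain/zone/$1"
    printf 'https://api.ovh.com/createToken/?GET=%s/&POST=%s/&PUT=%s/*&GET=%s\n' \
        "$zone" "$zone" "$zone" "$zone"
}

# Return 0 only if every METHOD=path rule in the link stays inside
# /domain/zone/<domain>; print each rule that reaches further.
ovh_scope_check() {
    url=$1 domain=$2 rc=0
    query=${url#*\?}
    [ "$query" != "$url" ] || { echo "no rules in URL" >&2; return 2; }
    old_ifs=$IFS; IFS='&'
    set -f                      # rules contain '*', so disable globbing
    for rule in $query; do
        path=${rule#*=}
        case $path in
            "/domain/zone/$domain"|"/domain/zone/$domain/"*) ;;
            *) echo "too broad: $rule"; rc=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $rc
}

# Demo on the two links from the thread (mydomain.com is its placeholder).
ovh_scope_check "$(ovh_token_url mydomain.com)" mydomain.com \
    && echo "scoped link: ok"
ovh_scope_check 'https://api.ovh.com/createToken/?GET=/domain/zone/&POST=/domain/zone/&PUT=/domain/zone/*' \
    mydomain.com || echo "all-zones link: rejected"
```

A key created from the all-zones link can modify records in every zone of the OVH account, which is why the check flags each of its three rules.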
            • ccaron

              Problem solved.

              You can locate it in the acme_issuecert.log

              [Wed Feb 28 18:46:02 CET 2018] consumerKey='[hidden](please add '--output-insecure' to see this value)'
              [Wed Feb 28 18:46:02 CET 2018] APP
              [Wed Feb 28 18:46:02 CET 2018] 6:OVH_CK='XXXXXXXXXXXXXXXXXXX'
              