OVH Consumer Key #162

Closed
Darkbeldin opened this issue Jul 30, 2019 · 12 comments
@Darkbeldin

Hi guys

Small issue but I need some help.
I use the OVH DNS plugin to set up a certificate on my web server, but when I pushed the PowerShell request for my Consumer Key the PowerShell box closed immediately.
Is there any way I can see my consumer key or do I have to redo the API setup again?

@rmbolger rmbolger self-assigned this Jul 30, 2019
@rmbolger rmbolger added the question Further information is requested label Jul 30, 2019
@rmbolger
Owner

I don't think there's any way to retrieve the generated consumer key. But I'm pretty sure you can just run the consumer key setup process again to generate a new one. Worst case, you could also create a new App Key/Secret as well.

@Darkbeldin
Author

OK, I have tried the two options but the PowerShell command closes as soon as I press Enter.
Perhaps it's a problem with my server; I will try from another device and update you.

@Darkbeldin
Author

OK, I have solved the issue with the customer key, but I can't get the plugin working to write to the DNS server and I don't understand why.

$appSecret = Read-Host -Prompt "App Secret" -AsSecureString
$consumerKey = Read-Host -Prompt "Consumer Key" -AsSecureString
$pArgs = @{
    OVHAppKey = 'xxxxxxxxxxxxx'
    OVHAppSecret = $appSecret
    OVHConsumerKey = $consumerKey
    OVHRegion = 'ovh-eu'
}

$acct = Get-PAAccount

Publish-DnsChallenge *.prineo7.fr -Account $acct -Token faketoken -Plugin OVH `
    -PluginArgs $pARGS -Verbose

I'm using this command to try to publish my DNS challenge, but apparently it's not working

image

Apparently the plugin didn't find the DNS zone

The URL in the batch returns a login error apparently, but I should be authenticated

image

I have the same error if I use an insecure PS script with the keys hard-coded

If someone can help me I will be very grateful

@rmbolger
Owner

rmbolger commented Aug 5, 2019

When using Publish-DnsChallenge for a wildcard domain, don't include the *. portion of the name. The wildcard challenges use the root domain for the value in the same way as without a wildcard. So like this:

Publish-DnsChallenge prineo7.fr -Account $acct -Token faketoken -Plugin OVH `
    -PluginArgs $pARGS -Verbose

@rmbolger
Owner

rmbolger commented Aug 5, 2019

The other thing you can do to make sure the plugin should be able to find your zone is to verify it with the web-based API explorer. The EU region one can be found here:

https://eu.api.ovh.com/console/#/domain/zone#GET

Log in and then click the Execute button under GET /domain/zone. If the zone you're trying to modify isn't listed there, Posh-ACME won't be able to find it either.

@Darkbeldin
Author

OK, I have tried the 2 options you were pointing me at.
Without the *. I have the same result
image

And as for the DNS zone, it is here

image
image

I really think it's a login issue. Do I have a way to test the login part alone?

@rmbolger
Owner

rmbolger commented Aug 6, 2019

The way OVH's API works, there's not really an explicit login. Each request you make has a bunch of header values that are hashed and signed based on the contents of the request and the values of your various keys/secrets. Here's the best way to test the plugin's internal functions individually though.

# dot source the plugin and some supporting files
. (Join-Path (gmo Posh-ACME).ModuleBase 'DnsPlugins\OVH.ps1')
. (Join-Path (gmo Posh-ACME).ModuleBase 'Private\MockWrappers.ps1')

# explicitly set a script-scoped variable that the plugin assumes the module has already set
$script:UseBasic = @{UseBasicParsing=$true}

# run the Connect-OVH function which really just prepares a few more script-scoped variables
# specific to OVH based on your existing `$pArgs`
# (remember to use @pArgs to splat and not $pArgs)
Connect-OVH @pArgs

# now you can run arbitrary rest queries against the OVH API like this
Invoke-OVHRest GET https://eu.api.ovh.com/1.0/domain/zone/
Invoke-OVHRest GET https://eu.api.ovh.com/1.0/domain/zone/prineo7.fr

If it does turn out to be an issue with the credentials, I think I see in the code why it's not being more helpful about surfacing that error. I'm gonna see if I can make that work better while you test the above on your end.

@rmbolger
Owner

rmbolger commented Aug 6, 2019

Ok, I've fixed the error handling so that auth errors (and anything else abnormal) should show up now. If you want to test it, you can either download just the OVH.ps1 file and overwrite your installed copy, or you can install the entire dev/master version using the instructions from the readme.

Here's the output I now see when I purposefully use a bad credential with Publish-DnsChallenge:

VERBOSE: GET https://eu.api.ovh.com/1.0/domain/zone/poshacme.tk with 0-byte payload
Invoke-RestMethod : {"httpCode":"403 Forbidden","message":"This credential does not
exist","errorCode":"NOT_CREDENTIAL"}
At C:\Users\rmbolger\Documents\WindowsPowerShell\Modules\Posh-ACME\DnsPlugins\OVH.ps1:311 char:5
+     Invoke-RestMethod @restArgs @script:UseBasic -EA Stop
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

@Darkbeldin
Author

I have tested with the new OVH.ps1 but I have an error. I have tested with the 2 credential methods, secure and insecure, same issue

image

@rmbolger
Owner

rmbolger commented Aug 6, 2019

Now we're getting somewhere. I think that error means something is wrong with the time calculations that the code has to do in order to sign the authentication headers. There are two possibilities I can think of:

  1. The system time on your system is wrong. This should be easy enough to check on your end. But I was able to get the same error by putting my own system clock 1 hour ahead.

  2. Something in my code that is doing the time calculation is getting screwed up because of the non-US locale your system is running in. I'll see if I can verify whether this is the case or not on my end.

Can you post the output of the following commands from your system?

[DateTimeOffset]::Now
[DateTimeOffset]::Now.ToUnixTimeSeconds()
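
Added example, not part of the thread and not Posh-ACME's code: how an OVH request signature is built from the keys, the request and the timestamp, and why a drifting clock breaks it, as the two comments above describe. It follows OVH's documented `$1$` + SHA-1 scheme; the helper names `Get-OVHSignature` and `Get-OVHClockSkew` and the sample keys are constructed for illustration.

```powershell
# Added example; helper names are hypothetical and are not Posh-ACME functions.
function Get-OVHSignature {
    param(
        [Parameter(Mandatory)][string]$AppSecret,
        [Parameter(Mandatory)][string]$ConsumerKey,
        [Parameter(Mandatory)][string]$Method,
        [Parameter(Mandatory)][string]$Url,
        [string]$Body = '',
        [Parameter(Mandatory)][long]$Timestamp
    )
    # Signed string: secret+consumerKey+METHOD+URL+body+timestamp, SHA-1 hex, '$1$' prefix
    $toSign = ($AppSecret, $ConsumerKey, $Method.ToUpper(), $Url, $Body, $Timestamp) -join '+'
    $sha1 = [Security.Cryptography.SHA1]::Create()
    try { $hash = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)) }
    finally { $sha1.Dispose() }
    '$1$' + (-join ($hash | ForEach-Object { $_.ToString('x2') }))
}

function Get-OVHClockSkew {
    # Seconds the local clock is behind (+) or ahead (-) of the API server.
    # /auth/time needs no credentials, so it separates clock problems from key problems.
    param([string]$ApiBase = 'https://eu.api.ovh.com/1.0')
    $serverTime = [long](Invoke-RestMethod "$ApiBase/auth/time" -UseBasicParsing)
    $serverTime - [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
}

# Constructed sample values, not real credentials
$sample = @{
    AppSecret   = 'EXAMPLE-APP-SECRET'
    ConsumerKey = 'EXAMPLE-CONSUMER-KEY'
    Method      = 'GET'
    Url         = 'https://eu.api.ovh.com/1.0/domain/zone/example.com'
}
$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

# Same keys, same request: a clock 8 minutes (480 s) off yields a different signature
# and a stale X-Ovh-Timestamp header, which is all the server sees of the "login".
$good  = Get-OVHSignature @sample -Timestamp $now
$drift = Get-OVHSignature @sample -Timestamp ($now - 480)
[pscustomobject]@{ Timestamp = $now;       Signature = $good  }
[pscustomobject]@{ Timestamp = $now - 480; Signature = $drift }

# With network access, measure the drift and sign with the corrected timestamp:
# $skew = Get-OVHClockSkew
# Get-OVHSignature @sample -Timestamp ($now + $skew)
```

A non-zero result from `Get-OVHClockSkew` of more than a few seconds points at the host's time synchronisation rather than at the App Key, App Secret or Consumer Key.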

@Darkbeldin
Author

Darkbeldin commented Aug 6, 2019

FU....G Microsoft NTP, time was off by 8 minutes on the server.
I have to redo some tests tomorrow with the certificate, but the DNS challenge seems to be published.
So thank you very much man for all your work.

@rmbolger
Owner

rmbolger commented Aug 6, 2019

Hooray! F'in time, though. Weird issues are always either DNS or time related.

Even though the issue ended up being specific to your system, we still managed to improve the plugin because of it. So thanks for sticking through regardless!

@rmbolger rmbolger closed this as completed Aug 6, 2019