Linuxserver / letsencrypt

Hello,
I am encountering a problem for which, despite my many attempts, I cannot find a solution.
Here is an example of my compose file (extract)

  - URL=example.be
  - SUBDOMAINS=www,jipsy,etherpad
  - VALIDATION=dns
  - DNSPLUGIN=ovh
  - EMAIL=web@example.be
  - DHLEVEL=2048 #optional
  - ONLY_SUBDOMAINS=false #optional
  - STAGING=false #optional

In the DNS configuration at ovh, I have … (extract)

| Domain | Type | Target |
|---|---|---|
| example.be | to a server (IPv4 - A) | xxx.xx.xxx.xxx |
| etherpad.example.be | to a server (IPv4 - A) | xxx.xx.xxx.xxx |
| jitsi.example.be | to a server (IPv4 - A) | xxx.xx.xxx.xxx |
| www.example.be | to a server (IPv4 - A) | xxx.xx.xxx.xxx |
| www.etherpad.example.be | to a server (IPv4 - A) | xxx.xx.xxx.xxx |

The generation of authentication keys for the OVH API also raises some questions …

         according to the documentation we need full access (Get, Put, Post, Delete), but for which path? example.be or etherpad.example.be (and jitsi ...)?

Finally here is the error I ended up with … (extract docker log)

         Unsafe permissions on credentials configuration file: /config/dns-conf/ovh.ini
         Cleaning up challenges
         Error determining zone identifier for etherpad.iexpj-igede.be: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/. (Are your Application Key and Consumer Key values correct?)
         ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/ovh.ini file.

After a lot of tests, I don't see what to change! The error may be in the generation of authentication keys (I read that there was a necessary pre-authorization …) or in the DNS declarations.

Do you have an idea?

Thanks

did you put the full access credentials into the corresponding config file under /config/dns-conf?

you likely need to set perms to 0600 on your ovh.ini for the very first error

but it very clearly says your credentials are wrong for ovh in ovh.ini

please also share your full docker compose, you can redact any personal info

Hmmm, my gid/pid of the container is set to 0,0 …
Anyway, hereby the *.ini access:

```
-rw-r--r-- 1 root root 245 Apr 22 13:09 digitalocean.ini
-rw-r--r-- 1 root root 201 Apr 22 13:09 dnsimple.ini
-rw-r--r-- 1 root root 283 Apr 22 13:09 dnsmadeeasy.ini
-rw-r--r-- 1 root root 292 Apr 22 13:09 domeneshop.ini
-rw-r--r-- 1 root root 135 Apr 22 13:09 gandi.ini
-rw-r--r-- 1 root root 208 Apr 22 13:09 google.json
-rw-r--r-- 1 root root 344 Apr 22 13:09 inwx.ini
-rw-r--r-- 1 root root 226 Apr 22 13:09 linode.ini
-rw-r--r-- 1 root root 232 Apr 22 13:09 luadns.ini
-rw-r--r-- 1 root root 182 Apr 22 13:09 nsone.ini
-rw-r--r-- 1 root root 300 Apr 22 13:44 ovh.ini
-rw-r--r-- 1 root root 429 Apr 22 13:09 rfc2136.ini
-rw-r--r-- 1 root root 258 Apr 22 13:09 route53.ini
-rw-r--r-- 1 root root 402 Apr 22 13:09 transip.ini
```

And the whole compose file:

```yaml
version: "2.1"
services:
  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: letsencrypt
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=0
      - PGID=0
      - TZ=Europe/Brussels
      - URL=example.be
      - SUBDOMAINS=www,jipsy,etherpad
      - VALIDATION=dns
      - DNSPLUGIN=ovh
      - EMAIL=web@example.be
      - DHLEVEL=2048 #optional
      - ONLY_SUBDOMAINS=false #optional
      - STAGING=false #optional
    volumes:
      - /etc/letsencrypt/docker/config:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped
```

I believe that the Docker part is ok but that on the other hand the values given at the time of the generation of the keys are erroneous. In the interface filled in, the domain is asked for. But what are the expected values? The main domain or each sub-domain? I also have questions about DNS entries. At the moment, I only have one A record per domain/subdomain.

Here is the hyperlink of the OVH Authentication interface: https://eu.api.ovh.com/createToken/

Thank you for your feedback!

Dear,

I found another approach that …

sudo certbot certonly --cert-name example.be -d example.be,www.example.be,jitsi.example.be,etherpad.example.be -w /var/www/_letsencrypt

Check

certbot-auto certificates or https://www.ssllabs.com/ssltest/analyze.html?d=example.be&latest

This ticket can be closed! Thanks

in case anyone else comes here

  1. we don’t support using puid/pgid 0, it causes issues
  2. the logs clearly state the ovh key was incorrect or lacked permissions based on the requirements
  3. the unsafe permissions on the ini should likely be changed to 0600 to eliminate that error
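The last reply's two file-level points (credentials actually filled in, mode 0600 on ovh.ini) as a pre-flight check to run on the host before starting the container. This is an added example, not code from the thread or from the linuxserver image; it assumes the host path of the `/config` mount from the compose file above and the four key names the certbot-dns-ovh plugin reads from its credentials file.

```shell
#!/bin/sh
# Added example (not from the thread or the linuxserver image).
# Assumption: /config is mounted from the host path used in the compose file.
OVH_INI="${OVH_INI:-/etc/letsencrypt/docker/config/dns-conf/ovh.ini}"

# Return 0 only if the file exists, is mode 0600 (what the last reply asks
# for) and every key certbot-dns-ovh expects has a non-empty value.
# Prints one line per problem so the log error can be matched to its cause.
check_ovh_ini() {
    f="$1"
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # Octal mode; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ]; then
        echo "unsafe permissions ($mode): run chmod 600 $f"
        rc=1
    fi
    for key in dns_ovh_endpoint dns_ovh_application_key \
               dns_ovh_application_secret dns_ovh_consumer_key; do
        # Value after '=' with surrounding whitespace stripped; last wins.
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" \
              | tail -n 1 | tr -d '[:space:]')
        if [ -z "$val" ]; then
            echo "$key is not set in $f (the 403 in the log starts here)"
            rc=1
        fi
    done
    return $rc
}

# Apply the permission fix from the last reply, then re-check the file.
fix_ovh_ini_perms() {
    chmod 600 "$1" && check_ovh_ini "$1"
}

# Usage: run on the host before `docker-compose up`.
check_ovh_ini "$OVH_INI" || echo "fix the problems above before starting the container"
```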