Good day!
I am trying to get a wildcard certificate for the domain I serve with swag using dns validation. Now, for security reasons, I do not want to save API credentials that would give full control over my domain apex DNS records onto an internet-facing web server.
One interesting approach I came upon is to delegate the acme challenge to a separate dns zone or subdomain, and use API keys that can only alter records in that specific zone/subdomain.
I use OVH and their API does not seem to support restricting API credentials to a subdomain; however, I could register a $3 .ovh domain to segregate keys into another domain.
I am trying to issue a certificate for test.example.com by delegating the challenge to acme.ovh, as follows:
test IN CNAME example.com.
_acme-challenge.test IN CNAME acme.ovh.
I also have API keys under /config/dns-conf/ovh.ini with the following permissions:
GET /domain/zone/
GET /domain/zone/acme.oh/*
PUT /domain/zone/acme.ovh/*
POST /domain/zone/acme.ovh/*
DELETE /domain/zone/acme.ovh/*
My compose file is such as:
environment:
- URL=test.example.com
- VALIDATION=dns
- SUBDOMAINS=wildcard
- DNSPLUGIN=ovh
- PROPAGATION=300
Unfortunately, no luck so far. This is what I am getting in the logs:
swag-test | Generating new certificate
swag-test | Saving debug log to /var/log/letsencrypt/letsencrypt.log
swag-test | Requesting a certificate for test.example.com and *.test.example.com
swag-test | Error determining zone identifier for example.com: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/example.com/status. (Are your Application Key and Consumer Key values correct?)
It seems like certbot is trying to update the wrong dns zone. Anyone has a similar setup working?
Thanks!