Comments (8)
Hi @mirkoglisenti. Can you rerun the command that is failing with the -Verbose
parameter and post the output here?
from posh-acme.
New-PACertificate -Domain *.blnservice.it, *.portal.blnservice.it, blnservice.it -Plugin OVH, OVH, OVH -PluginArgs $pArgs -Verbose
DETTAGLIATO: Updating directory info from https://acme-v02.api.letsencrypt.org/directory
DETTAGLIATO: Using ACME Server https://acme-v02.api.letsencrypt.org/directory
DETTAGLIATO: Using account 381216470
DETTAGLIATO: Order name not specified, using '!.blnservice.it'
DETTAGLIATO: Creating a new order '!.blnservice.it' for *.blnservice.it, *.portal.blnservice.it, blnservice.it
DETTAGLIATO: Publishing challenge for Domain blnservice.it with Token qwkZKWmobOnl2gkl6piwwShfwLF6_zo56s8Dbssbn3I using Plugin
OVH and DnsAlias ''.
DETTAGLIATO: GET https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT with 0-byte payload
Submit-ChallengeValidation : {"message":"Query out of time","httpCode":"400 Bad Request","errorCode":"QUERY_TIME_OUT"}
In C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.20.0\Public\New-PACertificate.ps1:253 car:9
+ Submit-ChallengeValidation
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Submit-ChallengeValidation], Web
Exception
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Submit-ChallengeValidation
from posh-acme.
This makes it look like your machine can't reach the OVH API server for some reason. What happens if you try to just make an unauthenticated query directly to the API like this?
Invoke-RestMethod https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT
from posh-acme.
Invoke-RestMethod https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT -verbose
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 34-byte response of content type application/json
Invoke-RestMethod:
{
"message": "You must login first"
}
from posh-acme.
Hi Ryan, I have some updates.
I tried using the credentials (AppKey, AppSecret, and ConsumerKey) to fetch information via a Python script that leverages the OVH API and noticed that the credentials were incorrect.
I then proceeded to create new ones via the website:
https://eu.api.ovh.com/createToken
With these new credentials my Python script works perfectly, but Posh-ACME on the Windows Server 2019 virtual machine still fails with the same identical error as before (400 bad request - Query time out).
The only idea I had is that I saw that Posh-ACME makes a call to a GET API on such a formed URI:
https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it
but there is no zone called _acme-challenge.blnservice.it, there is only the one called blnservice.it.
Could it be that the HTTP request made by the OVH plugin is malformed?
I look forward to hearing from you
Thanks
from posh-acme.
Sorry for the delay on my responses. Been busy lately.
The plugin is making a query for the _acme-challenge.blnservice.it zone before it checks for blnservice.it just in case one exists. Historically, the call would result in either a 403 or 404 response if it didn't exist or the credentials hadn't been given access to it. I wonder if something in the API changed recently though.
If you're comfortable temporarily modifying the plugin file, you could tweak it so it checks for 400 instead of 403 just to see whether that is indeed the problem. It's on line 442 of the OVH.ps1 file in the Plugins folder. Just literally change 403 to 400, save the file, and force re-import the plugin.
Posh-ACME/Posh-ACME/Plugins/OVH.ps1
Lines 440 to 448 in fb403a7
You can also test just the plugin rather than a whole cert run using Publish-Challenge directly like this.
Publish-Challenge blnservice.it (Get-PAAccount) faketoke OVH $pArgs -Verbose
It might be a bit before I can test this myself.
from posh-acme.
Hi Ryan, I think that I've found the real problem.
After a bit of research on the "400 - query time out" error and some education about how OVH wants the query and especially the query headers to be formatted, I discovered that the problem was in the very time that was used as the timestamp to sign the HTTP request: it was a time ahead in time (as if my server was a few seconds in the future).
After solving the time problem via Windows w32tm commands, I was able to fix the problem and now everything works fine.
So no problem in the Posh-ACME source code, it was a problem with my server and its time.
If the same error happens to others, I hope this helps.
Thank you very much
from posh-acme.
Whoa, that's crazy that a few seconds of skew would cause that sort of problem. Most auth schemes I've seen that have time based components allow for a lot more wiggle room, like minutes. Congrats on figuring it out though.
from posh-acme.
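Added example, not part of the thread or of Posh-ACME's code: a PowerShell check for the clock skew identified above as the cause of the QUERY_TIME_OUT error. It compares local UTC time with the OVH API's unauthenticated /auth/time endpoint and shows how the timestamp enters the SHA-1 request signature; the function names and the placeholder credentials are hypothetical.

```powershell
# Added example (not Posh-ACME code). Function names are hypothetical.
function Get-OvhClockSkew {
    param([string]$ApiRoot = 'https://eu.api.ovh.com/1.0')
    # /auth/time needs no credentials and returns the API's Unix time.
    $before = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $server = [long](Invoke-RestMethod -Uri "$ApiRoot/auth/time" -TimeoutSec 10)
    $after  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    # Take the midpoint of the round trip as the local time of the server reading.
    $local  = [long](($before + $after) / 2)
    [pscustomobject]@{
        LocalUnixTime  = $local
        ServerUnixTime = $server
        SkewSeconds    = $local - $server   # positive = local clock is ahead
    }
}

function Get-OvhSignature {
    param(
        [string]$AppSecret, [string]$ConsumerKey, [string]$Method,
        [string]$Url, [string]$Body = '', [long]$Timestamp
    )
    # OVH signs AS+CK+METHOD+URL+BODY+TIMESTAMP with SHA-1 and prefixes '$1$'.
    $toSign = ($AppSecret, $ConsumerKey, $Method.ToUpper(), $Url, $Body, $Timestamp) -join '+'
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)) }
    finally { $sha1.Dispose() }
    '$1$' + (($hash | ForEach-Object { $_.ToString('x2') }) -join '')
}

$skew = Get-OvhClockSkew
$skew | Format-List

# Constructed placeholder credentials, for illustration only.
$common = @{
    AppSecret   = 'EXAMPLE-APP-SECRET'
    ConsumerKey = 'EXAMPLE-CONSUMER-KEY'
    Method      = 'GET'
    Url         = 'https://eu.api.ovh.com/1.0/domain/zone/blnservice.it/record?fieldType=TXT'
}
# The timestamp is sent in X-Ovh-Timestamp and is part of the signed string,
# so a skewed clock yields a correctly signed request carrying the wrong time.
"Signature with local time : $(Get-OvhSignature @common -Timestamp $skew.LocalUnixTime)"
"Signature with server time: $(Get-OvhSignature @common -Timestamp $skew.ServerUnixTime)"
if ([math]::Abs($skew.SkewSeconds) -gt 1) {
    Write-Warning "Local clock differs from OVH by $($skew.SkewSeconds) s; check 'w32tm /query /status' and resync."
}
```

A difference of one second or less can come from the round trip and integer rounding alone, so the warning only fires above that.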