
Comments (8)

rmbolger commented on July 25, 2024

Hi @mirkoglisenti. Can you rerun the command that is failing with the -Verbose parameter and post the output here?

from posh-acme.

mirkoglisenti commented on July 25, 2024

New-PACertificate -Domain *.blnservice.it, *.portal.blnservice.it, blnservice.it -Plugin OVH, OVH, OVH -PluginArgs $pArgs -Verbose

DETTAGLIATO: Updating directory info from https://acme-v02.api.letsencrypt.org/directory
DETTAGLIATO: Using ACME Server https://acme-v02.api.letsencrypt.org/directory
DETTAGLIATO: Using account 381216470
DETTAGLIATO: Order name not specified, using '!.blnservice.it'
DETTAGLIATO: Creating a new order '!.blnservice.it' for *.blnservice.it, *.portal.blnservice.it, blnservice.it
DETTAGLIATO: Publishing challenge for Domain blnservice.it with Token qwkZKWmobOnl2gkl6piwwShfwLF6_zo56s8Dbssbn3I using Plugin
 OVH and DnsAlias ''.
DETTAGLIATO: GET https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT with 0-byte payload

Submit-ChallengeValidation : {"message":"Query out of time","httpCode":"400 Bad Request","errorCode":"QUERY_TIME_OUT"}
In C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.20.0\Public\New-PACertificate.ps1:253 car:9
+         Submit-ChallengeValidation
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Submit-ChallengeValidation], Web 
   Exception
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Submit-ChallengeValidation


rmbolger commented on July 25, 2024

This makes it look like your machine can't reach the OVH API server for some reason. What happens if you try to just make an unauthenticated query directly to the API like this?

Invoke-RestMethod https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT


mirkoglisenti commented on July 25, 2024

Invoke-RestMethod https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT -verbose
VERBOSE: Requested HTTP/1.1 GET with 0-byte payload
VERBOSE: Received HTTP/1.1 34-byte response of content type application/json
Invoke-RestMethod:
{
"message": "You must login first"
}


mirkoglisenti commented on July 25, 2024

Hi Ryan, I have some updates.
I tried using the credentials (AppKey, AppSecret, and ConsumerKey) to fetch information via a Python script that leverages the OVH API and noticed that the credentials were incorrect.
I then proceeded to create new ones via the website:

https://eu.api.ovh.com/createToken

With these new credentials my Python script works perfectly, but Posh-ACME on the Windows Server 2019 virtual machine still fails with the same identical error as before (400 bad request - Query time out).

The only idea I had is that I saw that Posh-ACME makes a GET API call to a URI formed like this:

https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it

but there is no zone called _acme-challenge.blnservice.it, there is only the one called blnservice.it.
Could it be that the HTTP request made by the OVH plugin is malformed?

I look forward to hearing from you
Thanks


rmbolger commented on July 25, 2024

Sorry for the delay on my responses. Been busy lately.

The plugin is making a query for the _acme-challenge.blnservice.it zone before it checks for blnservice.it just in case one exists. Historically, the call would result in either a 403 or 404 response if it didn't exist or the credentials hadn't been given access to it. I wonder if something in the API changed recently though.

If you're comfortable temporarily modifying the plugin file, you could tweak it so it checks for 400 instead of 403 just to see whether that is indeed the problem. It's on line 442 of the OVH.ps1 file in the Plugins folder. Just literally change 403 to 400, save the file, and force re-import the plugin.

# re-throw anything except a 403 or 404 because they indicate the zone
# either doesn't exist or we haven't been given access to it.
if (403 -eq $_.Exception.Response.StatusCode.value__) {
    Write-Debug "$zoneTest either doesn't exist or our credentials haven't been given read access to it."
}
elseif (404 -eq $_.Exception.Response.StatusCode.value__) {
    Write-Debug "$zoneTest does not exist"
}
else { throw }

You can also test just the plugin rather than a whole cert run using Publish-Challenge directly like this.

Publish-Challenge blnservice.it (Get-PAAccount) faketoke OVH $pArgs -Verbose

It might be a bit before I can test this myself.


mirkoglisenti commented on July 25, 2024

Hi Ryan, I think that I've found the real problem.

After a bit of research on the "400 - query time out" error and some education about how OVH wants the query and especially the query headers to be formatted, I discovered that the problem was in the very time that was used as the timestamp to sign the HTTP request: it was a time ahead of the real time (as if my server was a few seconds in the future).

After solving the time problem via Windows w32t commands, I was able to fix the problem and now everything works fine.

So no problem in the Posh-ACME source code, it was a problem with my server and its time.

If the same error happens to others, I hope this helps.

Thank you very much


rmbolger commented on July 25, 2024

Whoa, that's crazy that a few seconds of skew would cause that sort of problem. Most auth schemes I've seen that have time based components allow for a lot more wiggle room, like minutes. Congrats on figuring it out though.

from posh-acme.
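
The clock-skew failure diagnosed in this thread, as an added PowerShell example that is not part of the original comments or of Posh-ACME's code: it builds OVH-style signed headers and shows how a timestamp taken from a fast local clock differs from one corrected against the server's time. The `/auth/time` endpoint, the `X-Ovh-*` header names and the `$1$` SHA-1 signature format are taken from OVH's public API documentation rather than from this page; the function names, the credentials, the 7-second skew and the 2-second warning threshold are constructed assumptions.

```powershell
# Added example: OVH-style request signing with a server-time offset.
# Credentials and the simulated 7-second skew are constructed placeholders.

function Get-OvhSignature {
    param(
        [string]$AppSecret, [string]$ConsumerKey, [string]$Method,
        [string]$Url, [string]$Body, [long]$Timestamp
    )
    # OVH signs "AS+CK+METHOD+URL+BODY+TIMESTAMP" with SHA-1, prefixed by '$1$'.
    $toSign = ($AppSecret, $ConsumerKey, $Method, $Url, $Body, $Timestamp) -join '+'
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try     { $hash = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)) }
    finally { $sha1.Dispose() }
    '$1$' + (($hash | ForEach-Object { $_.ToString('x2') }) -join '')
}

function New-OvhAuthHeader {
    param(
        [string]$AppKey, [string]$AppSecret, [string]$ConsumerKey,
        [string]$Method, [string]$Url, [string]$Body = '',
        [long]$LocalTime, [long]$ServerTime,
        [int]$WarnSeconds = 2   # assumed threshold; the API's real tolerance is not on this page
    )
    # The signed timestamp has to be on the server's clock, so apply the offset.
    $offset = $ServerTime - $LocalTime
    if ([math]::Abs($offset) -gt $WarnSeconds) {
        Write-Warning "Local clock differs from the API server by $offset s; check time sync (w32tm /resync)."
    }
    $ts  = $LocalTime + $offset
    $sig = Get-OvhSignature -AppSecret $AppSecret -ConsumerKey $ConsumerKey `
        -Method $Method -Url $Url -Body $Body -Timestamp $ts
    @{
        'X-Ovh-Application' = $AppKey
        'X-Ovh-Consumer'    = $ConsumerKey
        'X-Ovh-Timestamp'   = "$ts"
        'X-Ovh-Signature'   = $sig
    }
}

$local  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
# Live value: $server = Invoke-RestMethod 'https://eu.api.ovh.com/1.0/auth/time'
$server = $local - 7   # constructed: pretend the local clock runs 7 s fast
$url = 'https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT'
$headers = New-OvhAuthHeader -AppKey 'EXAMPLE_APP_KEY' -AppSecret 'EXAMPLE_APP_SECRET' `
    -ConsumerKey 'EXAMPLE_CONSUMER_KEY' -Method 'GET' -Url $url `
    -LocalTime $local -ServerTime $server
$headers | Format-Table -AutoSize
```

Because the timestamp is part of the signed string, a request signed with the uncorrected local time carries both a different `X-Ovh-Timestamp` and a different `X-Ovh-Signature` than the corrected one.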
