My domain is: proxmox.home.dawidwrobel.com
I ran this command:
certbot certonly --dns-ovh --dns-ovh-credentials /root/.credentials -d proxmox.home.dawidwrobel.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for proxmox.home.dawidwrobel.com
Cleaning up challenges
Error determining zone identifier for proxmox.home.dawidwrobel.com: 403 Client Error: Forbidden for url: https://eu.api.ovh.com/1.0/domain/zone/. (Are your Application Key and Consumer Key values correct?)
My web server is (include version): n/a
The operating system my web server runs on is (include version): Proxmox 6.0
My hosting provider, if applicable, is: OVH EU
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0
I created API access for my DNS zone specifically:
https://api.ovh.com/createToken/?GET=/domain/zone/proxmox.home.dawidwrobel.com/*&POST=/domain/zone/proxmox.home.dawidwrobel.com/*&PUT=/domain/zone/proxmox.home.dawidwrobel.com/*&GET=/domain/zone/proxmox.home.dawidwrobel.com&DELETE=/domain/zone/proxmox.home.dawidwrobel.com/record/*
The credentials work fine with the acme.sh script (which has explicit support for this: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api#security), but it looks like letsencrypt attempts to list all of the DNS zones (https://eu.api.ovh.com/1.0/domain/zone/), which the limited API access won’t allow. Why is it needed at all? This imposes a security risk, which could easily be limited by issuing limited-access API credentials.
EDIT: I worked around this by adding /domain/zone/* GET access. I suppose this is OK, although ideally this shouldn’t be needed at all.
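As an added example (not code from the post, certbot or acme.sh): a least-privilege zone lookup that probes GET /domain/zone/{zone} for the hostname and each of its parents instead of listing /domain/zone/, so it works with a token scoped to a single zone. The OVH API is replaced by a constructed stand-in whose permission behaviour (403 for the listing and for zones outside the token's scope) is an assumption, so the script runs offline.

```python
"""Least-privilege zone discovery for a per-zone OVH API token.

Constructed illustration: a token created with GET=/domain/zone/<zone> and
GET=/domain/zone/<zone>/* cannot call the zone listing GET /domain/zone/,
but it can fetch its own zone by name. Walking the hostname from most
specific to least specific and probing each candidate needs no listing.
"""
from typing import Callable, List, Optional

OVH_API = "https://eu.api.ovh.com/1.0"  # endpoint quoted in the post


def candidate_zones(fqdn: str) -> List[str]:
    """fqdn followed by each parent down to the two-label name."""
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def find_zone(fqdn: str, get: Callable[[str], int]) -> Optional[str]:
    """First candidate for which GET /domain/zone/{zone} answers 200.

    403 means the token is not scoped for that zone; anything else means
    OVH does not host it under this account. No listing call is made.
    """
    for zone in candidate_zones(fqdn):
        if get(f"{OVH_API}/domain/zone/{zone}") == 200:
            return zone
    return None


def scoped_token_client(allowed_zone: str) -> Callable[[str], int]:
    """Constructed stand-in for the OVH API behind a token whose GET rights
    cover only /domain/zone/{allowed_zone} and /domain/zone/{allowed_zone}/*.
    Real OVH responses are assumed, not recorded, here."""
    prefix = f"/domain/zone/{allowed_zone}"

    def get(url: str) -> int:
        path = url[len(OVH_API):]
        if path == "/domain/zone/":                       # the listing certbot tried
            return 403
        if path == prefix or path.startswith(prefix + "/"):
            return 200
        return 403                                        # outside the token's scope
    return get


if __name__ == "__main__":
    get = scoped_token_client("proxmox.home.dawidwrobel.com")
    print(find_zone("proxmox.home.dawidwrobel.com", get))  # proxmox.home.dawidwrobel.com
    print(get(f"{OVH_API}/domain/zone/"))                   # 403, as in the post
```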