OVH DNS plugin with zone-specific API access

My domain is:

I ran this command:
certbot certonly --dns-ovh --dns-ovh-credentials /root/.credentials -d

It produced this output:

aving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-ovh, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for
Cleaning up challenges
Error determining zone identifier for 403 Client Error: Forbidden for url: (Are your Application Key and Consumer Key values correct?)

My web server is (include version): n/a

The operating system my web server runs on is (include version): Proxmox 6.0

My hosting provider, if applicable, is: OVH EU

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I created API access for my DNS zone specifically:*&POST=/domain/zone/*&PUT=/domain/zone/*&GET=/domain/zone/*

The credentials work fine with script (which has explicit support for this:, but looks that letsencrypt attempts to list all of the DNS zones (, which the limited API access won’t allow. Why is it needed at all? This imposes a security risk, which could easily be limited by issuing limited-access API credentials.

EDIT: I worked around this adding /domain/zone/* GET access. I suppose this is OK, although ideally this shouldn’t be needed at all.

1 Like

It looks like the certbot OVH plugin is utilizing the Lexicon library to access the OVH API. You might try submitting an issue there as it doesn’t look like the certbot team can fix the problem without writing their own OVH API access layer.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.