# Certbot Wildcard Certificates (OVH)

Wildcard Let's Encrypt Certificate with OVH DNS (Certbot)

## 0. Introduction

### Goal

Obtain and automatically renew a wildcard TLS certificate (`*.qool.ovh`) using Let's Encrypt, with DNS hosted at OVH and the server hosted elsewhere (e.g. Contabo).

### Key Requirements

Wildcard certificates require DNS-01 validation. This means Certbot must be able to create and remove DNS TXT records via the OVH API.

### High-Level Overview

The process consists of:

1. Installing Certbot (Snap version)
2. Creating a correct OVH API token
3. Storing OVH credentials securely
4. Verifying API access with Python
5. Running Certbot with the OVH DNS plugin
6. Cleaning up and relying on auto-renewal

## 1. Install Certbot (Snap)

Remove old packages:

```bash
sudo apt remove certbot
```

Install Snap and Certbot:

```bash
sudo apt update
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

Install the OVH DNS plugin:

```bash
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-ovh
```

## 2. Create OVH API Token

### Where

Create the token at: https://api.ovh.com/createToken/

### Token settings

Validity: Unlimited

### Required permissions (exact)

```
GET /domain/zone
GET /domain/zone/
GET /domain/zone/qool.ovh
GET /domain/zone/qool.ovh/*
POST /domain/zone/qool.ovh/*
PUT /domain/zone/qool.ovh/*
DELETE /domain/zone/qool.ovh/*
```

Note: OVH treats `/domain/zone` and `/domain/zone/` as different paths. Certbot (Lexicon) requires the trailing-slash permission.

For wise.ovh, these are the API settings (note that `/domain/zone/*` covers every zone in the account, whereas the qool.ovh list above is scoped to a single zone):

```
GET /domain/zone/
GET /domain/zone/*
POST /domain/zone/*
PUT /domain/zone/*
DELETE /domain/zone/*
```

When the API key is set, this can be executed:

```bash
sudo certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials ~/.secrets/certbot/ovh.ini \
  -d wise.ovh -d '*.wise.ovh'
```
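A listing call only proves the `GET /domain/zone` permission. The script below is an added preflight, not part of the original guide: it performs the same TXT create, refresh, read-back and delete round trip under `_acme-challenge` that the DNS-01 plugin performs, so a token missing one of the write permissions fails at the exact path that needs adding. It assumes python-ovh is installed, that the credentials file at `/etc/letsencrypt/ovh.ini` (section 3) exists, and takes the zone name as its first argument.

```python
import configparser
import sys

CHALLENGE_LABEL = "_acme-challenge"  # label certbot's DNS-01 TXT record lives under


def load_client(ini_path="/etc/letsencrypt/ovh.ini"):
    """Build an ovh.Client from the same credentials file certbot uses,
    so no secrets are pasted into a throwaway test script."""
    import ovh  # python-ovh; imported here so txt_round_trip() can run against a stub client
    cfg = configparser.ConfigParser()
    with open(ini_path) as fh:
        cfg.read_string("[ovh]\n" + fh.read())  # certbot's ini has no section header
    s = cfg["ovh"]
    return ovh.Client(endpoint=s["dns_ovh_endpoint"],
                      application_key=s["dns_ovh_application_key"],
                      application_secret=s["dns_ovh_application_secret"],
                      consumer_key=s["dns_ovh_consumer_key"])


def txt_round_trip(client, zone, value="certbot-preflight"):
    """Create, publish, read back and delete a TXT record under _acme-challenge,
    i.e. the GET/POST/DELETE calls the DNS-01 plugin makes for a challenge.
    Returns the (METHOD, path) pairs that succeeded; the first failing call
    names the permission the token lacks."""
    done = []

    def call(method, path, **body):
        result = getattr(client, method)(path, **body)  # python-ovh: get/post/delete
        done.append((method.upper(), path))
        return result

    if zone not in call("get", "/domain/zone"):
        raise RuntimeError(f"token cannot list zone {zone} (needs GET /domain/zone)")
    rec_id = call("post", f"/domain/zone/{zone}/record", fieldType="TXT",
                  subDomain=CHALLENGE_LABEL, target=value, ttl=60)["id"]
    try:
        call("post", f"/domain/zone/{zone}/refresh")  # publish, as certbot does
        back = call("get", f"/domain/zone/{zone}/record/{rec_id}")
        if back.get("target", "").strip('"') != value:  # OVH may return TXT targets quoted
            raise RuntimeError(f"record {rec_id} read back with unexpected target")
    finally:
        call("delete", f"/domain/zone/{zone}/record/{rec_id}")  # always clean up
        call("post", f"/domain/zone/{zone}/refresh")
    return done


if __name__ == "__main__":
    for step in txt_round_trip(load_client(), sys.argv[1] if len(sys.argv) > 1 else "qool.ovh"):
        print("ok", *step)
```

Run it as root (it reads the 0600 credentials file); every line printed is a permission the token demonstrably has.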
## 3. Store OVH Credentials Securely

Create the credentials file:

```bash
sudo nano /etc/letsencrypt/ovh.ini
```

File contents:

```ini
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = YOUR_APPLICATION_KEY
dns_ovh_application_secret = YOUR_APPLICATION_SECRET
dns_ovh_consumer_key = YOUR_CONSUMER_KEY
```

Lock down permissions:

```bash
sudo chmod 600 /etc/letsencrypt/ovh.ini
```

## 4. Verify OVH API Access (Before Certbot)

Create a small Python test:

```python
import ovh  # python-ovh client library

# Same values as in /etc/letsencrypt/ovh.ini; delete this script once verified (see section 7).
client = ovh.Client(
    endpoint='ovh-eu',
    application_key='YOUR_APPLICATION_KEY',
    application_secret='YOUR_APPLICATION_SECRET',
    consumer_key='YOUR_CONSUMER_KEY'
)
# Lists the zones the token may read; raises an auth error if the token or its GET /domain/zone permission is wrong.
print(client.get('/domain/zone'))
```

Expected output: a list of domains including `qool.ovh`. If this works, the token is valid and can list zones; the write permissions are exercised for the first time when Certbot creates the challenge record.

## 5. Request the Wildcard Certificate

Run Certbot:

```bash
sudo certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials /etc/letsencrypt/ovh.ini \
  --dns-ovh-propagation-seconds 120 \
  --agree-tos \
  --email admin@qool.ovh \
  -d "*.qool.ovh" \
  -d "qool.ovh"
```

Successful result: Certbot reports that the certificate was issued and stored in `/etc/letsencrypt/live/qool.ovh/`.

## 6. Verify and Test Renewal

Check certificate files:

```bash
sudo ls -l /etc/letsencrypt/live/qool.ovh/
```

Test auto-renewal:

```bash
sudo certbot renew --dry-run
```

Snap installs a systemd timer automatically, so renewals run without manual action.

## 7. Cleanup (Recommended)

Remove duplicate credential copies. Keep only `/etc/letsencrypt/ovh.ini`.

Remove test artifacts:

```bash
rm -f ~/python/set-ovy.py
rm -rf ~/ovh-test
```

## Final Notes

- DNS hosting location matters; web hosting location does not.
- The Certbot OVH plugin requires both `/domain/zone` and `/domain/zone/` permissions.
- Protect the OVH API token like a root password.
- Once working, the setup is fully automatic and production-safe.