Skip to main content

Certbot

Wildcard Let’s Encrypt Certificate with OVH DNS (Certbot)

0. Introduction

Goal

Obtain and automatically renew a wildcard TLS certificate (*.qool.ovh) using Let’s Encrypt, with DNS hosted at OVH and the server hosted elsewhere (e.g. Contabo).

Key Requirements

Wildcard certificates require DNS-01 validation. This means Certbot must be able to create and remove DNS TXT records via the OVH API.

High-Level Overview

The process consists of:

  1. Installing Certbot (Snap version)
  2. Creating a correct OVH API token
  3. Storing OVH credentials securely
  4. Verifying API access with Python
  5. Running Certbot with the OVH DNS plugin
  6. Cleaning up and relying on auto-renewal
  7. 1. Install Certbot (Snap)

1. Installing Certbot (Snap version)

Remove old packages

sudo apt remove certbot

Install Snap and Certbot

sudo apt update
sudo apt install snapd
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Install OVH DNS plugin

sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-ovh

2. Create OVH API Token

Where

Create the token at:

https://api.ovh.com/createToken/

Token settings

Validity: Unlimited

Required permissions (exact)

GET    /domain/zone
GET    /domain/zone/
GET    /domain/zone/qool.ovh
GET    /domain/zone/qool.ovh/*
POST   /domain/zone/qool.ovh/*
PUT    /domain/zone/qool.ovh/*
DELETE /domain/zone/qool.ovh/*

Note: OVH treats /domain/zone and /domain/zone/ as different paths. Certbot (Lexicon) requires the trailing slash permission.

3. Store OVH Credentials Securely

Create credentials file

sudo nano /etc/letsencrypt/ovh.ini

File contents

dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = YOUR_APPLICATION_KEY
dns_ovh_application_secret = YOUR_APPLICATION_SECRET
dns_ovh_consumer_key = YOUR_CONSUMER_KEY

Lock down permissions

sudo chmod 600 /etc/letsencrypt/ovh.ini

4. Verify OVH API Access (Before Certbot)

Create a small Python test

import ovh

client = ovh.Client(
    endpoint='ovh-eu',
    application_key='YOUR_APPLICATION_KEY',
    application_secret='YOUR_APPLICATION_SECRET',
    consumer_key='YOUR_CONSUMER_KEY'
)

print(client.get('/domain/zone'))

Expected output

A list of domains including qool.ovh. If this works, the API token and permissions are correct.

5. Request the Wildcard Certificate

Run Certbot

sudo certbot certonly \
  --dns-ovh \
  --dns-ovh-credentials /etc/letsencrypt/ovh.ini \
  --dns-ovh-propagation-seconds 120 \
  --agree-tos \
  --email admin@qool.ovh \
  -d "*.qool.ovh" \
  -d "qool.ovh"

Successful result

Certbot reports that the certificate was issued and stored in:

/etc/letsencrypt/live/qool.ovh/

6. Verify and Test Renewal

Check certificate files

sudo ls -l /etc/letsencrypt/live/qool.ovh/

Test auto-renewal

sudo certbot renew --dry-run

Snap installs a systemd timer automatically, so renewals run without manual action.

7. Cleanup (Recommended)

Remove duplicate credential copies

Keep only:

/etc/letsencrypt/ovh.ini

Remove test artifacts

rm -f ~/python/set-ovy.py
rm -rf ~/ovh-test

Final Notes

-

  • DNS hosting location matters; web hosting location does not.
    • -
  • Certbot OVH plugin requires both /domain/zone and /domain/zone/ permissions.
    • -
  • Protect the OVH API token like a root password.
    • -
  • Once working, the setup is fully automatic and production-safe.

Back to top