Problem with OVH plugin for creating/renewing certificates #537
Comments
Hi @mirkoglisenti. Can you rerun the command that is failing with the

This makes it look like your machine can't reach the OVH API server for some reason. What happens if you try to just make an unauthenticated query directly to the API like this?

```
Invoke-RestMethod https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it/record?fieldType=TXT
```

Hi Ryan, I have some updates. https://eu.api.ovh.com/createToken With these new credentials my Python script works perfectly but Posh-ACME on the virtual machine Windows Server 2019 still fails with the same identical error as before ( The only idea I had is that I saw that Posh-ACME makes a call to a GET API on such a formed URI: https://eu.api.ovh.com/1.0/domain/zone/_acme-challenge.blnservice.it but there is no zone called I look forward to hearing from you

Sorry for the delay on my responses. Been busy lately. The plugin is making a query for the If you're comfortable temporarily modifying the plugin file, you could tweak it so it checks for 400 instead of 403 just to see whether that is indeed the problem. It's on line 442 of the OVH.ps1 file in the Plugins folder. Just literally change 403 to 400, save the file, and force re-import the plugin. Posh-ACME/Posh-ACME/Plugins/OVH.ps1 Lines 440 to 448 in fb403a7
You can also test just the plugin rather than a whole cert run using Publish-Challenge directly like this.

```
Publish-Challenge blnservice.it (Get-PAAccount) faketoke OVH $pArgs -Verbose
```

It might be a bit before I can test this myself.

Hi Ryan, I think that I've found the real problem. After a bit of research on the "400 - query time out" error and some education about how OVH wants the query and especially the query headers to be formatted, I discovered that the problem was in the very time that was used as the timestamp to sign the HTTP request: it was a time ahead in time (as if my server was a few seconds in the future). After solving the time problem via Windows w32t commands, I was able to fix the problem and now everything works fine. So no problem in the Posh-ACME source code, it was a problem with my server and its time. If the same error happens to others, I hope this helps. Thank you very much

Whoa, that's crazy that a few seconds of skew would cause that sort of problem. Most auth schemes I've seen that have time-based components allow for a lot more wiggle room, like minutes. Congrats on figuring it out though.

When you start the creation (with New-PACertificate) or you submit the renewal of an existing certificate you get an error during the Submit-ChallengeValidation phase.
Error:

```
Submit-ChallengeValidation: C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\4.20.0\Public\New-PACertificate.ps1:253
Line |
 253 |  Submit-ChallengeValidation
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~
     | { "message": "Query out of time", "httpCode": "400 Bad Request", "errorCode": "QUERY_TIME_OUT" }
```
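
Added example (not from the thread and not Posh-ACME's or the OVH plugin's code): the resolution above turns on the timestamp being one of the signed fields, so this PowerShell block measures the local clock's offset from the API using the unauthenticated `/auth/time` endpoint and shows how the offset changes an OVH-style `$1$` + SHA-1 request signature. The function names, credentials, sample URL and epoch values are constructed for illustration.

```powershell
# Added example; constructed values, not taken from the issue.

function Get-OvhClockDelta {
    # Seconds to add to the local clock so it matches the API server's clock.
    param(
        [long]$LocalEpoch = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [long]$ServerEpoch
    )
    if (-not $PSBoundParameters.ContainsKey('ServerEpoch')) {
        # Unauthenticated endpoint that returns the API's Unix time.
        $ServerEpoch = [long](Invoke-RestMethod 'https://eu.api.ovh.com/1.0/auth/time')
    }
    $ServerEpoch - $LocalEpoch
}

function New-OvhSignature {
    # Signature = '$1$' + SHA1-hex of the '+'-joined fields, timestamp last.
    param(
        [string]$AppSecret, [string]$ConsumerKey, [string]$Method,
        [string]$Url, [string]$Body = '', [long]$Timestamp
    )
    $toSign = ($AppSecret, $ConsumerKey, $Method.ToUpper(), $Url, $Body, $Timestamp) -join '+'
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try   { $hash = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)) }
    finally { $sha1.Dispose() }
    '$1$' + (-join ($hash | ForEach-Object { $_.ToString('x2') }))
}

# Constructed scenario: the local clock runs 7 seconds ahead of the API.
$local  = 1700000007
$server = 1700000000
$delta  = Get-OvhClockDelta -LocalEpoch $local -ServerEpoch $server

$common = @{
    AppSecret   = 'EXAMPLE_APP_SECRET'       # placeholder credential
    ConsumerKey = 'EXAMPLE_CONSUMER_KEY'     # placeholder credential
    Method      = 'GET'
    Url         = 'https://eu.api.ovh.com/1.0/domain/zone'   # sample URL
}
$sigLocal     = New-OvhSignature @common -Timestamp $local
$sigCorrected = New-OvhSignature @common -Timestamp ($local + $delta)

[pscustomobject]@{
    DeltaSeconds       = $delta
    TimestampLocal     = $local
    TimestampCorrected = $local + $delta
    SignaturesDiffer   = $sigLocal -ne $sigCorrected
}
```

Calling `Get-OvhClockDelta` with no arguments queries the live endpoint; a non-zero result means the machine's clock disagrees with the API's, which is the condition described in the thread.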