Introduction
Recently, I wanted to create a bunch of domains on my friend’s server, and have TLS certificates delivered. The option I find easiest to manage is to ask my CA (Let’s Encrypt) for a single, wildcard TLS certificate.
If you are using OVH to manage your domain, you can do that by creating an API key for your account, and using the certbot OVH plugin.
Usually, tutorials will tell you to give these permissions to the API key:
GET /domain/zone/*
PUT /domain/zone/*
POST /domain/zone/*
DELETE /domain/zone/*
Problem is, I don’t want my friend’s server to have a certificate valid for *.itrooz.fr, and I definitely don’t want it to have broad access to the OVH account managing my domain.
The solution? Generate a certificate for *.server1.friend.itrooz.fr, with an API key whose permissions are limited to that zone.
In this post, we will show how to do this for *.server1.friend.itrooz.fr, given that you own the domain itrooz.fr.
How to do that?
Creating the zone
The key point is: the OVH API is scoped by DNS zone. So you will have to create a DNS zone for server1.friend.itrooz.fr, even if it will be managed by the same account and have the same NS servers.
You can do that by going here, and ordering the zone server1.friend.itrooz.fr, which should (?) be free.
After the form is completed, the DNS zone might take ~10 minutes to appear in your panel. Just wait!
The child zone is not yet usable, as the parent zone needs to reference it. You need to create NS records in your itrooz.fr zone matching the servers listed in the “DNS servers” section of your child zone (2 as of writing). After this (and some waiting), creating a record in your child zone should be reflected by tools like nslookup.
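To check that the delegation step above actually took effect, here is an added example script (not part of the original post) that asks the parent zone’s own name servers which NS records they publish for the child, then compares that set with what the child zone itself answers. It assumes dig (bind9-dnsutils on Debian) is installed; the zone names are the ones used in this post, and the name servers in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: verify that server1.friend.itrooz.fr
# is correctly delegated from itrooz.fr. Assumes `dig` is installed.

PARENT_ZONE="itrooz.fr"
CHILD_ZONE="server1.friend.itrooz.fr"

# Normalise a newline-separated list of name servers so two lists can be
# compared as sets: lowercase, strip the trailing dot, drop blanks, sort/dedup.
normalize_ns() {
    tr 'A-Z' 'a-z' | sed 's/\.$//; /^$/d' | sort -u
}

# Return 0 when both lists contain exactly the same name servers, 1 otherwise.
# $1: NS records the parent publishes for the child (e.g. "ns1.example.net.")
# $2: name servers the child zone answers with / shows in its "DNS servers" panel
ns_match() {
    a=$(printf '%s\n' "$1" | normalize_ns)
    b=$(printf '%s\n' "$2" | normalize_ns)
    [ "$a" = "$b" ]
}

# Ask one of the parent's authoritative servers, without recursion, which NS
# records it holds for the child. This shows what you really configured in the
# itrooz.fr zone rather than whatever a resolver has cached.
parent_delegation() {
    parent_ns=$(dig +short NS "$PARENT_ZONE" | head -n 1)
    dig +short +norecurse "@$parent_ns" NS "$CHILD_ZONE"
}

# Resolve the child zone's NS set the normal (recursive) way.
child_ns() {
    dig +short NS "$CHILD_ZONE"
}

main() {
    p=$(parent_delegation)
    c=$(child_ns)
    if ns_match "$p" "$c"; then
        echo "OK: delegation for $CHILD_ZONE matches:"
        printf '%s\n' "$p" | normalize_ns
    else
        echo "MISMATCH: parent publishes:"; printf '%s\n' "$p"
        echo "child zone answers with:";   printf '%s\n' "$c"
        return 1
    fi
}

# Network checks only run when invoked as: sh check_delegation.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

An empty list from parent_delegation() means the NS records in the itrooz.fr zone are missing or have not propagated yet; a non-empty mismatch usually means a typo in one of the two records.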
Creating the API token
Then, you need to create an API token that will be used to automatically renew the wildcard TLS certificate we need, using the DNS-01 challenge.
We are going to assign it strict permissions, to avoid giving it access to the whole domain:
GET /domain/zone/ // Maybe this one needs to be /domain/zone/* ? Can't remember
GET /domain/zone/server1.friend.itrooz.fr/*
PUT /domain/zone/server1.friend.itrooz.fr/record
POST /domain/zone/server1.friend.itrooz.fr/record
POST /domain/zone/server1.friend.itrooz.fr/refresh
DELETE /domain/zone/server1.friend.itrooz.fr/record
Running certbot automatically
You’ll need to install the certbot OVH plugin on your server: apt install python3-certbot-dns-ovh.
Then, create a directory, and add a script with this content:
#!/bin/sh
# The credentials file sits next to this script, whatever directory cron runs it from.
DIR="$(dirname "$(realpath "$0")")"
certbot run --installer nginx --dns-ovh --dns-ovh-credentials "$DIR/ovh_secrets.ini" -d "*.server1.friend.itrooz.fr" -d "server1.friend.itrooz.fr" --verbose
Next to it, create a file ovh_secrets.ini with this content (replace with your keys from the previous step):
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = YOUR_APPLICATION_KEY
dns_ovh_application_secret = YOUR_APPLICATION_SECRET
dns_ovh_consumer_key = YOUR_CONSUMER_SECRET
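Before handing the key to the untrusted server, it is worth confirming that the permissions from the “Creating the API token” step really confine it to the child zone. The following added example script (not part of the original post) reads the ovh_secrets.ini above, signs two read-only requests the way the OVH API expects (X-Ovh-Signature = "$1$" + SHA1 of application secret, consumer key, method, URL, body and timestamp joined by "+"), and checks that GET /domain/zone/itrooz.fr is refused (HTTP 403) while GET /domain/zone/server1.friend.itrooz.fr is allowed (HTTP 200). It assumes curl and sha1sum are available and that the endpoint is ovh-eu as in the ini file.

```shell
#!/bin/sh
# Added example, not from the original post: check that the consumer key is
# scoped to the child zone only. Assumes curl + sha1sum; reads ovh_secrets.ini
# (the certbot credentials file from the post) from the same directory.
# That file should be readable by root only (chmod 600); certbot warns otherwise.

API="https://eu.api.ovh.com/1.0"     # "ovh-eu" endpoint from dns_ovh_endpoint
PARENT_ZONE="itrooz.fr"
CHILD_ZONE="server1.friend.itrooz.fr"

# Read one "key = value" entry from the ini file; $1 key name, $2 file path.
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr -d '[:space:]'
}

# OVH request signature: "$1$" + hex SHA1(AS+CK+METHOD+URL+BODY+TIMESTAMP),
# fields joined by "+". $1 application secret, $2 consumer key, $3 method,
# $4 full URL, $5 request body ("" for GET), $6 unix timestamp.
ovh_sign() {
    printf '$1$%s' "$(printf '%s+%s+%s+%s+%s+%s' "$1" "$2" "$3" "$4" "$5" "$6" \
        | sha1sum | cut -d' ' -f1)"
}

# Signed GET on an API path; prints only the HTTP status code.
ovh_get_status() {
    url="$API$1"
    ts=$(curl -s "$API/auth/time")     # use server time to avoid clock-skew rejections
    sig=$(ovh_sign "$APP_SECRET" "$CONSUMER_KEY" GET "$url" "" "$ts")
    curl -s -o /dev/null -w '%{http_code}' \
        -H "X-Ovh-Application: $APP_KEY" \
        -H "X-Ovh-Consumer: $CONSUMER_KEY" \
        -H "X-Ovh-Timestamp: $ts" \
        -H "X-Ovh-Signature: $sig" \
        "$url"
}

# The key passes only if the parent zone is refused AND the child zone is served.
# $1 status for the parent zone, $2 status for the child zone.
scope_ok() {
    [ "$1" = "403" ] && [ "$2" = "200" ]
}

main() {
    ini="$(dirname "$0")/ovh_secrets.ini"
    APP_KEY=$(ini_get dns_ovh_application_key "$ini")
    APP_SECRET=$(ini_get dns_ovh_application_secret "$ini")
    CONSUMER_KEY=$(ini_get dns_ovh_consumer_key "$ini")
    parent=$(ovh_get_status "/domain/zone/$PARENT_ZONE")
    child=$(ovh_get_status "/domain/zone/$CHILD_ZONE")
    echo "GET /domain/zone/$PARENT_ZONE -> $parent (want 403)"
    echo "GET /domain/zone/$CHILD_ZONE -> $child (want 200)"
    if scope_ok "$parent" "$child"; then
        echo "OK: key is confined to $CHILD_ZONE"
    else
        echo "FAIL: key is either too broad or not working"; return 1
    fi
}

# Network calls only run when invoked as: sh check_scope.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A 403 on the child zone as well means the key is missing the GET /domain/zone/server1.friend.itrooz.fr/* rule (or the consumer key was never validated); a 200 on the parent zone means the rules were written against /domain/zone/* and the key must be recreated.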
And then, a simple crontab will do the job: 0 0 1 */2 * /root/itrooz/ovh/renew.sh
Done! Enjoy your untrusted server being able to generate a certificate for itself while not threatening the rest of your domain.