baarde / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
Apache License 2.0

Invalid signature when calling OVH API #5

Open fmonorchio opened 3 years ago

fmonorchio commented 3 years ago

Hi,

I want to use the DNS01 challenge for a wildcard certificate. I have configured my OVH credentials with the right permissions, but when calling OVH I get this error: 'Invalid Signature'.

K8s version: 1.19.2
Cert Manager version: 1.0.3
Webhook OVH version: 0.1.0

Impulse87 commented 3 years ago

Getting the same issue with:

k8s version: 1.19.3
cert-manager: 0.16.1 & 1.0.4
webhook-ovh: 0.1.0

Log:

Error presenting challenge: OVH API call failed: GET /domain/zone/example.com/status - Error 400: "Invalid signature"

Followed the instructions for the API rights and double-checked with /me/api/credential/{credential_id} that they are set correctly.

tmarmillot commented 3 years ago

Hello,

We deployed ovh-webhook on our production with these versions:

K8s version: 1.17.9
Cert Manager version: 1.0.2
Webhook OVH version: 0.1.0

We got this problem because of a base64 encoding error (due to Windows). You can use https://www.base64decode.org/ to verify your applicationSecret.

Besides, after that we had an Error 403: "This credential does not exist". It came from the consumerKey, which wasn't linked (or didn't exist) to your applicationId. To generate a consumerKey linked to your application, you can't use the OVH console GUI.

But you can try the following curl (cf. https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/):

curl -XPOST -H "X-Ovh-Application: $ApplicationID" -H "Content-type: application/json" \
  https://eu.api.ovh.com/1.0/auth/credential \
  -d '{"accessRules": [{"method": "GET","path": "/domain/zone/*"},{"method": "PUT","path": "/domain/zone/*"},{"method": "POST","path": "/domain/zone/*"},{"method": "DELETE","path": "/domain/zone/*"}],"redirection":"https://www.mywebsite.com/"}'

It produces:

{
  "validationUrl":"https://eu.api.ovh.com/auth/credentialToken=credt",
  "consumerKey":"$ConsumerKeyId",
  "state":"pendingValidation"
}

Then you can validate your consumerKey by following the validationUrl.

Moreover, you can test the OVH webhook with your credentials: https://github.com/baarde/cert-manager-webhook-ovh#development.

Have a good day,

Thomas

julienkosinski commented 3 years ago

Hello,

I can reproduce this. I can perfectly do a GET with some python code on "/domain/zone/myzone.com/status" so my API access is working... I double-checked my base64 encoding for the applicationSecret but the test suite keeps on failing.

suite.go:40: expected Present to not error, but got: OVH API call failed: GET /domain/zone/myzone.com/status - Error 400: "Invalid signature"

I have tested different Go versions: 1.12, 1.13 and 1.15.

baarde commented 3 years ago

Hello Julien,

Are you sure the \n character hasn't been added to the secret by mistake? This may happen when using the echo command. For example, this would add an extra line break:

echo "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a

Whereas, this wouldn't:

echo -n "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a

As the application secret is 32 characters long, the base64-encoded string should be 44 characters long and end with a = (rather than a K).

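As an added illustration (not code from this thread or from the webhook project), the check above in Python, plus the OVH API v1 request signature as documented in OVH's first-steps guide linked earlier in the thread, to show why a stray newline in the secret produces "Invalid signature". The secret string is the thread's example value, not a real credential, and the consumer key and timestamp are constructed placeholders.

```python
import base64
import hashlib

# Constructed sample values, not real credentials. SECRET is the 32-character
# example string from the thread; the two encodings mirror the two echo variants.
SECRET = "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR"
GOOD_B64 = base64.b64encode(SECRET.encode()).decode()          # echo -n ... | openssl enc -a
BAD_B64 = base64.b64encode((SECRET + "\n").encode()).decode()  # echo ...    | openssl enc -a


def check_application_secret(b64_value: str) -> list:
    """Return the problems found in a base64-encoded applicationSecret as it
    would be stored in the Kubernetes Secret; an empty list means it looks fine."""
    problems = []
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return ["value is not valid base64: %s" % exc]
    if raw.endswith((b"\n", b"\r\n")):
        problems.append("decoded secret ends with a line break; encode with echo -n")
    if len(raw.rstrip(b"\r\n")) != 32:
        problems.append("decoded secret is %d characters, OVH application secrets are 32"
                        % len(raw.rstrip(b"\r\n")))
    # A 32-byte input always encodes to 44 characters ending in '='; a 33-byte
    # input (secret plus newline) is also 44 characters but ends in 'K' instead.
    if len(b64_value) != 44 or not b64_value.endswith("="):
        problems.append("encoded value should be 44 characters and end with '='")
    return problems


def ovh_signature(app_secret: str, consumer_key: str, method: str,
                  url: str, body: str, timestamp: int) -> str:
    """OVH API v1 request signature: '$1$' + SHA-1 hex of the '+'-joined fields.
    Any byte difference in app_secret (such as a trailing newline) changes it."""
    payload = "+".join([app_secret, consumer_key, method, url, body, str(timestamp)])
    return "$1$" + hashlib.sha1(payload.encode()).hexdigest()


def signatures_differ(ts: int = 1600000000) -> bool:
    """Sign the same GET with the clean and the newline-polluted secret."""
    url = "https://eu.api.ovh.com/1.0/domain/zone/example.com/status"
    clean = ovh_signature(SECRET, "consumer-key-placeholder", "GET", url, "", ts)
    polluted = ovh_signature(SECRET + "\n", "consumer-key-placeholder", "GET", url, "", ts)
    return clean != polluted


if __name__ == "__main__":
    print("good:", check_application_secret(GOOD_B64) or "OK")
    print("bad: ", check_application_secret(BAD_B64))
    print("signature changes with stray newline:", signatures_differ())
```
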
julienkosinski commented 3 years ago

@baarde Wahou thank you so much, this is it! You perfectly nailed it. I feel a bit dumb, considering the time I spent on it, but now, I'll remember that! Hope this could be useful for others. Thanks again! :+1:

tmarmillot commented 3 years ago

Hello,

Thanks @baarde!

Can we update the documentation with your example echo -n "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a and the curl to produce OVH credentials?

To generate a consumerKey linked to your application, you can't use the OVH console GUI.

But you can try the following curl (cf. https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/):

curl -XPOST -H "X-Ovh-Application: $ApplicationID" -H "Content-type: application/json" \
  https://eu.api.ovh.com/1.0/auth/credential \
  -d '{"accessRules": [{"method": "GET","path": "/domain/zone/*"},{"method": "PUT","path": "/domain/zone/*"},{"method": "POST","path": "/domain/zone/*"},{"method": "DELETE","path": "/domain/zone/*"}],"redirection":"https://www.mywebsite.com/"}'

It produces:

{
  "validationUrl":"https://eu.api.ovh.com/auth/credentialToken=credt",
  "consumerKey":"$ConsumerKeyId",
  "state":"pendingValidation"
}

Then you can validate your consumerKey by following the validationUrl.

Have a good day.

baarde commented 3 years ago

@julienkosinski I'm glad the problem is solved.

@tmarmillot Good idea. I will update the docs.

aureq commented 1 year ago

If you are looking for an updated and improved version of this webhook, feel free to head to https://github.com/aureq/cert-manager-webhook-ovh