cert-manager-webhook-ovh

Invalid signature when calling OVH API

Open fmonorchio opened this issue 3 years ago • 8 comments

Hi,

I want to use the DNS01 challenge for a wildcard certificate. I have configured my OVH credentials with the right permissions, but when calling OVH I get this error: 'Invalid Signature'.

K8s version: 1.19.2
Cert Manager version: 1.0.3
Webhook OVH version: 0.1.0

fmonorchio, Oct 27 '20 09:10

Getting the same issue with:

k8s version: 1.19.3
cert-manager: 0.16.1 & 1.0.4
webhook-ovh: 0.1.0

Log:

Error presenting challenge: OVH API call failed: GET /domain/zone/example.com/status - Error 400: "Invalid signature"

Followed the instructions for the API rights and did double check with /me/api/credential/{credential_id} for it to be set correctly.

Impulse87, Nov 14 '20 13:11

Hello,

We deployed ovh-webhook in our production environment with these versions:

K8s version: 1.17.9
Cert Manager version: 1.0.2
Webhook OVH version: 0.1.0

We got this problem because of a base64 encoding error (due to Windows). You can use https://www.base64decode.org/ to verify your applicationSecret.

Besides, after that we had an Error 403: "This credential does not exist". It came from the consumerKey, which wasn't linked (or didn't exist) to your applicationId. In order to generate a consumerKey linked to your application, you can't use the OVH console GUI.

But you can try the following curl (cf. https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/):

curl -XPOST -H"X-Ovh-Application: $ApplicationID" -H "Content-type: application/json" \
https://eu.api.ovh.com/1.0/auth/credential  -d '{"accessRules": [{"method": "GET","path": "/domain/zone/*"},{"method": "PUT","path": "/domain/zone/*"},{"method": "POST","path": "/domain/zone/*"},{"method": "DELETE","path": "/domain/zone/*"}],"redirection":"https://www.mywebsite.com/"}'

It produces:

{
  "validationUrl":"https://eu.api.ovh.com/auth/credentialToken=credt",
  "consumerKey":"$ConsumerKeyId",
  "state":"pendingValidation"
}

Then you can validate your consumerKey by following the validationUrl.

Moreover, you can test the OVH webhook with your credentials: https://github.com/baarde/cert-manager-webhook-ovh#development.

Have a good day,

Thomas

tmarmillot, Nov 14 '20 15:11

Hello,

I can reproduce this. I can perfectly do a GET with some python code on "/domain/zone/myzone.com/status" so my API access is working... I double-checked my base64 encoding for the applicationSecret but the test suite keeps on failing.

suite.go:40: expected Present to not error, but got: OVH API call failed: GET /domain/zone/myzone.com/status - Error 400: "Invalid signature"

I have tested different Go versions: Go 1.12, 1.13 and 1.15.

julienkosinski, Dec 22 '20 16:12

Hello Julien,

Are you sure the \n character hasn't been added to the secret by mistake? This may happen when using the echo command. For example, this would add an extra line break:

echo "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a

Whereas, this wouldn't:

echo -n "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a

As the application secret is 32 characters long, the base64-encoded string should be 44 characters long and end with a = (rather than a K).

baarde, Dec 22 '20 20:12
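The check described in the comment above, as an added example that is not part of the original thread or of the webhook's code: it decodes a stored base64 value, inspects its last byte, and shows that the stray newline changes the request signature. It assumes coreutils `base64`, `od` and `sha1sum`; the function names, consumer key and timestamp are constructed, and the signature layout is the one in OVH's API documentation.

```shell
#!/bin/sh
# Added example, not from the webhook repository. Function names are hypothetical.
# SECRET is the sample value quoted in the thread, not a live credential.
SECRET='SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR'

# Reproduce both encodings from the thread (printf avoids echo portability quirks).
b64_with_newline() { printf '%s\n' "$1" | base64 | tr -d '\n'; }
b64_clean()        { printf '%s'   "$1" | base64 | tr -d '\n'; }

# Decode a stored value and classify it by its raw bytes. Command substitution
# strips trailing newlines, so the bytes are inspected through a pipe instead.
check_secret_b64() {
    len=$(printf '%s' "$1" | base64 -d | wc -c | tr -d ' ')
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a) echo "trailing-newline" ;;            # also matches a CRLF ending
        0d) echo "trailing-carriage-return" ;;
        *)  if [ "$len" -eq 32 ]; then echo "ok"
            else echo "unexpected-length:$len"; fi ;;
    esac
}

# OVH signs each request as "$1$" + SHA1_HEX of the application secret, consumer
# key, method, URL, body and timestamp joined by "+". One extra byte in the
# secret therefore changes every signature the client sends.
ovh_signature() {  # args: b64_secret consumer_key method url body timestamp
    hash=$( { printf '%s' "$1" | base64 -d
              printf '+%s+%s+%s+%s+%s' "$2" "$3" "$4" "$5" "$6"; } \
            | sha1sum | cut -d' ' -f1 )
    printf '$1$%s\n' "$hash"
}

# Constructed request values for the demonstration.
CK='constructed-consumer-key'
URL='https://eu.api.ovh.com/1.0/domain/zone/example.com/status'
TS=1608667200

for v in "$(b64_with_newline "$SECRET")" "$(b64_clean "$SECRET")"; do
    printf '%s  %s  %s\n' "$v" "$(check_secret_b64 "$v")" \
        "$(ovh_signature "$v" "$CK" GET "$URL" '' "$TS")"
done
```

Both encodings are 44 characters long, so a length check alone does not catch the problem; the final character or the decoded byte count does.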

@baarde Wahou thank you so much, this is it! You perfectly nailed it. I feel a bit dumb, considering the time I spent on it, but now, I'll remember that! Hope this could be useful for others. Thanks again! :+1:

julienkosinski, Dec 22 '20 20:12

Hello,

Thanks @baarde!

Can we upgrade the documentation with your example echo -n "SwzLFNC7l3yafoBm44NrHMvDY7gHUmjR" | openssl enc -a and the curl to produce OVH credentials?

In order to generate a consumerKey linked to your application, you can't use the OVH console GUI.

But you can try the following curl (cf. https://docs.ovh.com/gb/en/customer/first-steps-with-ovh-api/):

curl -XPOST -H"X-Ovh-Application: $ApplicationID" -H "Content-type: application/json" \
https://eu.api.ovh.com/1.0/auth/credential  -d '{"accessRules": [{"method": "GET","path": "/domain/zone/*"},{"method": "PUT","path": "/domain/zone/*"},{"method": "POST","path": "/domain/zone/*"},{"method": "DELETE","path": "/domain/zone/*"}],"redirection":"https://www.mywebsite.com/"}'

It produces:

{
  "validationUrl":"https://eu.api.ovh.com/auth/credentialToken=credt",
  "consumerKey":"$ConsumerKeyId",
  "state":"pendingValidation"
}

Then you can validate your consumerKey by following the validationUrl.

Have a good day.

tmarmillot, Dec 22 '20 21:12

@julienkosinski I'm glad the problem is solved.

@tmarmillot Good idea. I will update the docs.

baarde, Dec 22 '20 21:12

If you are looking for an updated and improved version of this webhook, feel free to head to https://github.com/aureq/cert-manager-webhook-ovh

aureq, Oct 15 '22 06:10