OVH unable to use DNS challenge 403 Forbidden #2619
What did you expect to see?
Successful creation of certificates. This might be related to #2385

What did you see instead?
I'm currently trying to set up traefik using an OVH DNS challenge and so far always get the error:

The tokens in use are the same ones I use for certbot, where they work as expected, and have more permissions than the lego docs recommend.

How do you use lego?
Docker image

Reproduction steps
To narrow down the issue I tried running lego directly using docker with freshly generated credentials using https://www.ovh.com/auth/api/createToken and allowing only POST & DELETE /domain/zone/* as stated in the guide. With the command:

docker run --rm -it \
  -e OVH_APPLICATION_KEY="MYKEY" \
  -e OVH_APPLICATION_SECRET="MYSECRET" \
  -e OVH_CONSUMER_KEY="MYCSKEY" \
  -e OVH_ENDPOINT="ovh-eu" \
  goacme/lego \
  --email [email protected] \
  --dns ovh \
  -d FQDN.de \
  run

Effective version of lego
lego version 4.25.2 linux/arm64 (and amd64)

Logs
In this instance (with the newly created credentials) I got a 404 This service does not exist:

2025/08/14 21:32:40 [INFO] [FQDN.de] acme: Obtaining bundled SAN certificate
2025/08/14 21:32:40 [INFO] [FQDN.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/.....
2025/08/14 21:32:40 [INFO] [FQDN.de] acme: Could not find solver for: tls-alpn-01
2025/08/14 21:32:40 [INFO] [FQDN.de] acme: Could not find solver for: http-01
2025/08/14 21:32:40 [INFO] [FQDN.de] acme: use dns-01 solver
2025/08/14 21:32:40 [INFO] [FQDN.de] acme: Preparing to solve DNS-01
2025/08/14 21:33:00 [INFO] [FQDN.de] acme: Cleaning DNS-01 challenge
2025/08/14 21:33:10 [WARN] [FQDN.de] acme: cleaning up failed: ovh: unknown record ID for '_acme-challenge.FQDN.de.'
2025/08/14 21:33:11 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/......
2025/08/14 21:33:11 Could not obtain certificates:
error: one or more domains had a problem:
[FQDN.de] [FQDN.de] acme: error presenting token: ovh: error when call api to add record (/domain/zone/de/record): OVHcloud API error (status code 404): Client::NotFound: "This service does not exist" (X-OVH-Query-Id: EU.ext-2......)

When using the credentials I use for certbot I get a 403:

[FQDN.de] acme: error presenting token: ovh: error when call api to add record (/domain/zone/de/record): OVHcloud API error (status code 403): Client::Forbidden: "This call has not been granted" (X-OVH-Query-Id: EU.ext-1....)

Go environment (if applicable)
No response
Replies: 1 comment 1 reply
Hello, your log snippets are not consistent.
I don't think this is related to OVH API v2. I need more realistic and consistent logs. My current guess is you have something in front of lego, like a local DNS or a firewall.
Hi @ldez,
I'm so sorry - turns out DNS was the culprit. I just switched traefik to use Google/Cloudflare (using the dnschallenge resolvers directive) and got everything working.
Thank you for pointing me in the right direction.
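As an added example (not code from the lego project or from anyone in this thread), the following Go program is a simplified model of how a dns-01 client such as lego decides which zone to write the TXT record into: it walks up from the challenge name asking for an SOA record at each label boundary and takes the first zone apex it gets back (lego's real implementation is dns01.FindZoneByFqdn; the two resolver behaviours below are constructed for this example). The point for this thread is that when whatever sits in front of lego gives no SOA answer for the customer's own zone, the walk continues to the public suffix and the client ends up calling /domain/zone/de/record, which is exactly the path in the 404 and 403 errors above, whereas a resolver that answers normally yields /domain/zone/FQDN.de/record.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// soaLookup models the single DNS question zone detection asks at each
// step: "which zone apex does the SOA answer for this name belong to?"
// It returns "" when the resolver gives no usable SOA answer.
type soaLookup func(name string) string

// findZoneByFqdn walks from the challenge name toward the root, asking for
// an SOA at every label boundary, and returns the first zone apex reported.
// Simplified model of lego's SOA-walking zone detection, written for this
// example rather than taken from the project.
func findZoneByFqdn(fqdn string, lookup soaLookup) (string, error) {
	labels := strings.Split(strings.TrimSuffix(fqdn, "."), ".")
	for i := range labels {
		candidate := strings.Join(labels[i:], ".") + "."
		if zone := lookup(candidate); zone != "" {
			return zone, nil
		}
	}
	return "", errors.New("no SOA answer found for " + fqdn)
}

// ovhRecordPath is the OVH API path a client calls to add a record in the
// detected zone; it is the path quoted in the error logs in this thread.
func ovhRecordPath(zone string) string {
	return "/domain/zone/" + strings.TrimSuffix(zone, ".") + "/record"
}

// constructed: a healthy recursive resolver. The customer's zone FQDN.de
// has its own SOA, so the walk stops there.
func healthyResolver(name string) string {
	switch name {
	case "FQDN.de.":
		return "FQDN.de."
	case "de.":
		return "de."
	}
	return "" // _acme-challenge.FQDN.de. itself has no SOA
}

// constructed: a local resolver or firewall that returns nothing useful
// for the customer's own zone (split-horizon view, blocked upstream, ...)
// but still resolves the public TLD.
func filteringResolver(name string) string {
	if name == "de." {
		return "de."
	}
	return ""
}

// diagnoseZone reports the zone and API path a client would use for the
// challenge name under a given resolver, or the error it runs into.
func diagnoseZone(fqdn string, lookup soaLookup) (zone, path string, err error) {
	zone, err = findZoneByFqdn(fqdn, lookup)
	if err != nil {
		return "", "", err
	}
	return zone, ovhRecordPath(zone), nil
}

func main() {
	const challenge = "_acme-challenge.FQDN.de."
	resolvers := []struct {
		label  string
		lookup soaLookup
	}{
		{"healthy resolver", healthyResolver},
		{"filtering resolver", filteringResolver},
	}
	for _, r := range resolvers {
		zone, path, err := diagnoseZone(challenge, r.lookup)
		if err != nil {
			fmt.Printf("%-19s error: %v\n", r.label, err)
			continue
		}
		fmt.Printf("%-19s zone=%-9s api=%s\n", r.label, zone, path)
	}
}
```

Run it with go run to see the two outcomes side by side. To check a real environment the same way, compare the SOA answer the local resolver returns for the zone (dig SOA FQDN.de) with the answer from a public resolver (dig @1.1.1.1 SOA FQDN.de); if they differ, lego's zone detection will differ too, which is why pointing traefik's dnschallenge resolvers at Google or Cloudflare fixed it here.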