Skip to main content

OVH DNS

OVH uses a three-part credential: Application Key, Application Secret, and a Consumer Key that binds the application to a specific user + scope. You also pick the regional API endpoint — the same OVH account has separate endpoints per continent and product line.

Create the OVH application

  1. Go to the OVH API console for your region:

  2. Create an application. Copy the Application Key and Application Secret.

  3. Generate a Consumer Key by issuing a POST to /auth/credential with the access rules you need. CertAutoPilot's DNS-01 flow needs:

    GET /domain/zone/*
    POST /domain/zone/*/record
    POST /domain/zone/*/refresh
    DELETE /domain/zone/*/record/*

    The easier path is to run the helper script OVH provides in the API console docs — it opens a browser, you approve, and out pops a Consumer Key.

  4. Validate the Consumer Key in the browser when OVH prompts.

Add the credential

  1. Settings → DNS CredentialsNewOVH.
  2. Fields:
    • Endpoint: ovh-eu (default), ovh-ca, ovh-us, kimsufi-eu, kimsufi-ca, soyoustart-eu, soyoustart-ca.
    • Application key, Application secret, Consumer key: paste.
  3. Test connectivitySave.

Config fields

FieldRequiredPurpose
endpointnoRegional endpoint. Default ovh-eu.
application_keyyesOVH application key.
application_secretyesOVH application secret.
consumer_keyyesConsumer key tied to the application + scope.

Propagation

OVH propagates the TXT record within ~60 seconds after the refresh. Default propagation settings work.

Troubleshooting

"Unknown endpoint"

Either typo (only the values listed above are valid), or you put a raw URL. Use the short names only.

"This call requires an authentication"

Consumer Key doesn't cover the route the backend just called — typical when the CK was generated with a too-narrow scope. Regenerate with all four routes listed above.

"The requested object (record) does not exist"

OVH sometimes reports a 404 on the cleanup step for records it returned successfully on the present step. Harmless — CertAutoPilot ignores 404 on cleanup. If you see it in logs without a failed order, nothing to do.

See also