Letsencrypt DNS challenge

Bunkerweb v1.6.6

Has anyone tested Letsencrypt with DNS challenge for OVH?
Several tests have been carried out without success.
The three OVH API keys copied into the GUI field “LETS_ENCRYPT_DNS_CREDENTIAL_ITEM”, regardless of format (raw key/value or JSON), seem to be misinterpreted by the scheduler (pydantic error “Field required [type=missing…”).

Thank you in advance for your feedback.

Hi @kristof,

Did you read the documentation about the DNS providers?

OVH needs multiple credentials: Features - BunkerWeb documentation

Regards,

Théophile

Oh yes, I read it…
Now, have you tried entering the following keys/values in the “LETS_ENCRYPT_DNS_CREDENTIAL_ITEM” field of the Bunkerweb GUI:

dns_ovh_endpoint = ovh-eu
dns_ovh_application_key = myApplicationKey
dns_ovh_application_secret = mySecretKey
dns_ovh_consumer_key = myConsumerKey

Or:

dns_ovh_endpoint=ovh-eu
dns_ovh_application_key=myApplicationKey
dns_ovh_application_secret=mySecretKey
dns_ovh_consumer_key=myConsumerKey

The scheduler logs indicate:
nov. 27 09:06:28 myserver bunkerweb-scheduler.sh[13737]: dns_ovh_application_key
nov. 27 09:06:28 myserver bunkerweb-scheduler.sh[13737]: Field required [type=missing, input_value={‘lets_encrypt_dns_creden…=”329hjkgu689’}, input_type=dict]
nov. 27 09:06:28 myserver bunkerweb-scheduler.sh[13737]: For further information visit https://errors.pydantic.dev/2.12/v/missing

Same message style for the other two keys

_________
I also tried:
{
"ovh_endpoint": "ovh-eu",
"ovh_application_key": "myApplicationKey",
"ovh_application_secret": "mySecretKey",
"ovh_consumer_key": "myConsumerKey"
}

Also:

LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_1=OVH_ENDPOINT=ovh-eu
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_2=OVH_APPLICATION_KEY=myApplicationKey
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_3=OVH_APPLICATION_SECRET=mySecretKey
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_4=OVH_CONSUMER_KEY=myConsumerKey

Also:

OVH_ENDPOINT=ovh-eu
OVH_APPLICATION_KEY=myApplicationKey
OVH_APPLICATION_SECRET=mySecretKey
OVH_CONSUMER_KEY=myConsumerKey

Also:

my.service_LETS_ENCRYPT_DNS_PROVIDER: "dns-ovh"
my.service_LETS_ENCRYPT_DNS_OVH_ENDPOINT: "ovh-eu"
my.service_LETS_ENCRYPT_DNS_OVH_APPLICATION_KEY: "myApplicationKey"
my.service_LETS_ENCRYPT_DNS_OVH_APPLICATION_SECRET: "mySecretKey"
my.service_LETS_ENCRYPT_DNS_OVH_CONSUMER_KEY: "myConsumerKey"

_______________
For Docker install:
Add environmental variables to the “scheduler” service:

LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_1=OVH_ENDPOINT=ovh-eu
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_2=OVH_APPLICATION_KEY=myApplicationKey
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_3=OVH_APPLICATION_SECRET=mySecretKey
LETS_ENCRYPT_DNS_CREDENTIAL_ITEM_4=OVH_CONSUMER_KEY=myConsumerKey

Or

OVH_ENDPOINT=ovh-eu
OVH_APPLICATION_KEY=myApplicationKey
OVH_APPLICATION_SECRET=mySecretKey
OVH_CONSUMER_KEY=myConsumerKey

Nothing worked

Have you tried on this version (v1.6.6) with OVH API keys?
I should point out that these keys have been used for some time via ACME on OPNsense, Proxmox, NPM, etc. without any problems.

I imagine that:

  • either the GUI syntax expected by the scheduler is incorrect,
    or
  • the parsing of the GUI field value is not done correctly and triggers the error reported by pydantic.

Thank you in advance for any information that will help me achieve this.

Here’s an example on how to set it up: bunkerweb/examples/dns-ovh at master · bunkerity/bunkerweb · GitHub

In this example, we/you use Bunkerweb in Docker containers (I also tried with the “All in One” Docker container).
As mentioned, I also tested this solution with similar errors.

In this use case, we create all services in the compose, which is less flexible than using the GUI, and each time we add a new service, we have to reload the scheduler container at minimum.
In addition, if we have several services that use domains hosted by multiple providers, I assume we need to add “service_name.LETS_ENCRYP…” at the beginning of each variable?

If Bunkerweb is installed natively on a Linux server, is there a way to enter the OVH API keys directly into the configuration to bypass the problem we are encountering with GUI?
It seems that there is no configuration file in the system, as it must be written in the database?
So, is it possible to write the keys/values directly in the database?

I can’t find any bugs reported on Git.

Is this DNS Challenge feature, which can be configured from the GUI, only available in the paid version?

Hello,

After receiving clarification on how Letsencrypt works with DNS challenges in the Bunkerweb graphical interface, here is the final status:

When creating a service, the interface is in “Easy” mode.

In this mode, the “LETS_ENCRYPT_CREDENTIAL_ITEM” field in the GUI does not allow you to enter multiple API keys (3 for OVH), which prevents the generation of a certificate.

Solution:

- Switch the service display to “Advanced” mode.

- The “Lets encrypt dns credential item” section allows you to add multiple keys.

Please note: The syntax for OVH API keys is as follows:

dns_ovh_application_key key

dns_ovh_application_secret key

dns_ovh_consumer_key key

There is no “equal” sign between the key and the value, but a “space.”

The service is then provided as normal.

Thank you to the team for their help.

Best regards.
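
A pre-flight check for the item syntax described in the last post, added here as an example; it is not BunkerWeb's parser and not part of the original thread. The `lint_items` helper and the choice of the three keys as required are assumptions drawn from that post, and all values are constructed placeholders.

```python
import re

# Key names come from the thread. Treating exactly these three as required is
# an assumption based on the final post, not BunkerWeb's own schema.
REQUIRED_OVH_KEYS = {
    "dns_ovh_application_key",
    "dns_ovh_application_secret",
    "dns_ovh_consumer_key",
}
# One item = key, whitespace, value (no '=' separator, no JSON wrapper).
ITEM_RE = re.compile(r"^([A-Za-z0-9_]+)[ \t]+(\S+)$")


def lint_items(items):
    """Check credential items written as '<key> <value>', one per item.

    Returns (parsed, problems). Problems mention key names and item positions
    only, so the report can be shared without leaking secret values.
    """
    parsed, problems = {}, []
    for pos, raw in enumerate(items, start=1):
        item = raw.strip()
        if not item:
            continue
        if item[0] in '{"':
            problems.append(f"item {pos}: looks like JSON, expected '<key> <value>'")
            continue
        match = ITEM_RE.match(item)
        if match is None:
            # Name the key without echoing whatever follows it.
            key = re.split(r"[\s=:]", item, maxsplit=1)[0]
            why = "'=' or ':' separator" if re.search(r"[=:]", item) else "missing or split value"
            problems.append(f"item {pos} ({key}): {why}, expected a single space")
            continue
        key, value = match.groups()
        if key in parsed:
            problems.append(f"item {pos} ({key}): duplicate key")
        parsed[key] = value
    for key in sorted(REQUIRED_OVH_KEYS - parsed.keys()):
        problems.append(f"{key}: required key missing")
    return parsed, problems


if __name__ == "__main__":
    # Constructed sample mixing the working form with two forms tried above.
    sample = ["dns_ovh_application_key CONSTRUCTED-KEY",
              "dns_ovh_application_secret=CONSTRUCTED-SECRET",
              "dns_ovh_consumer_key = CONSTRUCTED-CONSUMER"]
    for line in lint_items(sample)[1]:
        print(line)
```

A key reported as missing usually means its item was rejected earlier in the list for its separator, so fix the per-item problems first.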