Simplify credential creation process + increase security

How-to-use-OVH-domain-api.md

@@ -1,7 +1,18 @@
-### 1. Create application key and secret
-https://eu.api.ovh.com/createApp/
+## 1. Create application key, secret and consumer
 
-## 2. Set api key and api secret.
+It is a good security practice to limit the power of individual credentials to limit the damage in case anything goes wrong. acme.sh only requires access to the domain API to deal with the dns-01 challenge.
+
+**If you plan to manage SSL certificates for multiple/any zones:**
+
+https://api.ovh.com/createToken/?GET=/domain/zone/*&POST=/domain/zone/*&PUT=/domain/zone/*
+
+**If you plan to manage SSL certificates for a specif zone:**
+
+https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com&GET=/domain/zone/mydomain.com/*&POST=/domain/zone/mydomain.com/*&PUT=/domain/zone/mydomain.com/*
+
+In the page, please  select "Unlimited" for the Validity and replace ``mydomain.com`` by the zone you need to manage
+
+## 2. Set API key and API secret.
 
 ```
 # application key
@@ -10,53 +21,18 @@ export OVH_AK="your application key"
 # application secret
 export OVH_AS="your application secret"
 
+# consumer key
+export OVH_CK="your consumer key"
+
 acme.sh --issue -d   mydomain.com   --dns   dns_ovh
 ```
 
-If you are first time using OVH api,  you are required to authenticate the api. (This only happens the first time.)
-
-You will see some thing like bellow:
-
-```
-[Thu, Aug 25, 2016 10:54:03] Using OVH endpoint: ovh-eu
-[Thu, Aug 25, 2016 10:54:04] OVH consumer key is empty, Let's get one:
-[Thu, Aug 25, 2016 10:54:05] Please open this link to do authentication: https://eu.api.ovh.com/auth/?credentialToken=n0Qbjm6wBdBr2KiSqIuYSEnixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-[Thu, Aug 25, 2016 10:54:05] Here is a guide for you: https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
-[Thu, Aug 25, 2016 10:54:05] Please retry after the authentication is done.
-[Thu, Aug 25, 2016 10:54:05] Error add txt for domain:_acme-challenge.mytest.mydomain.com
-
-```
-
-
-## 3. Authentication the api key.
- (This only happens the first time.)
-
-Open the link above:
-```
-https://eu.api.ovh.com/auth/?credentialToken=n0Qbjm6wBdBr2KiSqIuYSEnixxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-```
-
-In the page, please  select "Unlimited" for the Validity.
-
-Click "Authorize Access"
-
-
-## 4. Then go back to try again.
-
-```
-acme.sh --issue -d   mydomain.com   --dns   dns_ovh
-```
-
-Done.
-
-
-
-## 5. OVH api support OVH, kimsufi, soyoustart and runabove.
+## 3. OVH api support OVH, kimsufi, soyoustart and runabove.
 The default is using  ovh-eu region.
 
 if you are using  ovh-ca region, 
 
-Create app key here:  https://ca.api.ovh.com/createApp/
+Create app key here:  https://ca.api.ovh.com/createToken/
 
 Then please specify the region in the first step:
 
@@ -67,12 +43,13 @@ export OVH_AK="your application key"
 
 export OVH_AS="your application secret"
 
+export OVH_CK="your consumer key"
+
 acme.sh --issue -d   mydomain.com   --dns   dns_ovh
 
 ```
 
-
-All the supported regions:
+Supported regions:
 ```
 #'ovh-eu'  (default)
 #'ovh-ca': 
@@ -81,8 +58,4 @@ All the supported regions:
 #'soyoustart-eu'
 #'soyoustart-ca'
 #'runabove-ca'
-```
-
-
-
-
+```