INWX: Issue when using 2FA - Same 2FA code is used twice when Present returns non-error #1608
Comments
|
I have the same issue. Using traefik 2.7.1. |
|
I have the same problem. Temporarily disabling 2FA support was the only solution for me... |
|
inwx responded to my request and the only solution on their side is to create a second account that has access to the domains dns entries and where 2fa is disabled. Currently (information is from 30th of march 2022) they do not even plan to implement a different way to authenticate, so that regular api driven applications can do actions on the users behalf. |
|
Just moved my NS servers to cloudflare so I can have 2FA and DNS auth for LE. I’m not willing to have my main domain access only authenticated via one factor. Thanks for asking!
this also sounds like total bs to me, how does this break existing APIs? |
|
I am also affected (Lego 4.14.2 - the current version). I have solved this through "a lot of retries" from my side in the past, but that has usually taken three or four attempts. Even if the INWX token reuse detection is unusual, I am having trouble seeing why Lego needs to be affected by this? https://github.com/go-acme/lego/blob/master/providers/dns/inwx/inwx.go It seems that Lego is trying to authenticate with INWX multiple times? Couldn't we authenticate only once instead and keep the session open until the entire ACME protocol is done? (As a fallback, the other approach would be to wait for at least 30 seconds between generating two TOTP tokens. It would make the challenge slower, but at least it would work reliably.) Similar discussion with more background: StackExchange/dnscontrol#848 |
This is a workaround for go-acme#1608. INWX forbids to re-use the same TOTP twice, but the INWX DNS provider tries to reauthenticate from scratch on each step. I believe that this is not easily implementable with the existing Lego DNS provider interface, so to avoid refactoring that interaction, let's just make the INWX provider wait a bit until a new token is available. A new token is available every 30 seconds. The current workaround is to invoke Lego many more times. Retrying at a higher level is worse than retrying here. Fixes go-acme#1608 Signed-off-by: Günther Noack <[email protected]>
This is a workaround for go-acme#1608. INWX forbids to re-use the same TOTP twice, but the INWX DNS provider tries to reauthenticate from scratch on each step. I believe that this is not easily implementable with the existing Lego DNS provider interface, so to avoid refactoring that interaction, let's just make the INWX provider wait a bit until a new token is available. A new token is available every 30 seconds. The current workaround is to invoke Lego many more times. Retrying at a higher level is worse than retrying here. Fixes go-acme#1608 Signed-off-by: Günther Noack <[email protected]>
Welcome
What did you expect to see?
i should've seen that lego is presenting letsencrypt the dns challenge and that the challenge gets removed.
The removal does not work though which results in not downloading the certificate.
What did you see instead?
Output:
Unless you are lucky and your
Presentis called in one 30s timeframe and yourCleanUpis called in the next 30s timeframe the same 2FA code gets used twice (which is not a valid case for 2FA and most systems seem to implement it correctly).How do you use lego?
Docker image
Reproduction steps
Version of lego
4.6.0Logs
Go environment (if applicable)
No response
The text was updated successfully, but these errors were encountered: