acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
39.41k stars 4.98k forks

issue to auth with DSM 2FA open #5077

Open jjlizz opened 7 months ago

jjlizz commented 7 months ago

I'm using the latest Docker version of acme.sh to upload a cert to DSM, yet I'm facing a login failure. I upload the cert every month and it worked fine until this month.

DSM version: DSM 7.2.1-69057 Update 4

And here is the log.

[Tue Apr 2 13:00:05 UTC 2024] _is_idn_d='jjlizz.org'
[Tue Apr 2 13:00:05 UTC 2024] _idn_temp
[Tue Apr 2 13:00:05 UTC 2024] Lets find script dir.
[Tue Apr 2 13:00:05 UTC 2024] SCRIPT='/root/.acme.sh/acme.sh'
[Tue Apr 2 13:00:05 UTC 2024] _script='/root/.acme.sh/acme.sh'
[Tue Apr 2 13:00:05 UTC 2024] _script_home='/root/.acme.sh'
[Tue Apr 2 13:00:05 UTC 2024] Using default home:/root/.acme.sh
[Tue Apr 2 13:00:05 UTC 2024] Using config home:/acme.sh
[Tue Apr 2 13:00:05 UTC 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Tue Apr 2 13:00:05 UTC 2024] Running cmd: deploy
[Tue Apr 2 13:00:05 UTC 2024] Using config home:/acme.sh
[Tue Apr 2 13:00:05 UTC 2024] default_acme_server
[Tue Apr 2 13:00:05 UTC 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Apr 2 13:00:05 UTC 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Apr 2 13:00:05 UTC 2024] _ACME_SERVER_PATH='v2/DV90'
[Tue Apr 2 13:00:05 UTC 2024] The domain 'jjlizz.org' seems to have a ECC cert already, lets use ecc cert.
[Tue Apr 2 13:00:05 UTC 2024] DOMAIN_PATH='/acme.sh/jjlizz.org_ecc'
[Tue Apr 2 13:00:05 UTC 2024] DOMAIN_CONF='/acme.sh/jjlizz.org_ecc/jjlizz.org.conf'
[Tue Apr 2 13:00:05 UTC 2024] _deployApi='/root/.acme.sh/deploy/synology_dsm.sh'
[Tue Apr 2 13:00:05 UTC 2024] _cdomain='jjlizz.org'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Username='cert'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Password='[hidden](please add '--output-insecure' to see this value)'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Create='1'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Device_Name='CertRenewal'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Device_ID='[hidden](please add '--output-insecure' to see this value)'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Scheme='http'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Hostname='lee.nas.com'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Port='5000'
[Tue Apr 2 13:00:05 UTC 2024] SYNO_Certificate='NAS org SSL'
[Tue Apr 2 13:00:05 UTC 2024] _base_url='http://lee.nas.com:5000'
[Tue Apr 2 13:00:05 UTC 2024] Getting API version
[Tue Apr 2 13:00:05 UTC 2024] GET
[Tue Apr 2 13:00:05 UTC 2024] url='http://lee.nas.com:5000/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth'
[Tue Apr 2 13:00:05 UTC 2024] timeout=
[Tue Apr 2 13:00:05 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.u6sIAtr0Yp -g '
[Tue Apr 2 13:00:05 UTC 2024] ret='0'
[Tue Apr 2 13:00:05 UTC 2024] Logging into lee.nas.com:5000
[Tue Apr 2 13:00:05 UTC 2024] GET
[Tue Apr 2 13:00:05 UTC 2024] url='http://lee.nas.com:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&format=sid&account=XXXX&passwd=XXXXXX&enable_syno_token=yes&device_name=CertRenewal&device_id=XXXXXX'
[Tue Apr 2 13:00:05 UTC 2024] timeout=
[Tue Apr 2 13:00:05 UTC 2024] _CURL='curl --silent --dump-header /acme.sh/http.header -L --trace-ascii /tmp/tmp.1k9jSykjJU -g '
[Tue Apr 2 13:00:05 UTC 2024] ret='0'
[Tue Apr 2 13:00:05 UTC 2024] Session ID
[Tue Apr 2 13:00:05 UTC 2024] SynoToken
[Tue Apr 2 13:00:05 UTC 2024] Unable to authenticate to http://lee.nas.com:5000 - check your username & password.
[Tue Apr 2 13:00:05 UTC 2024] If two-factor authentication is enabled for the user:
[Tue Apr 2 13:00:05 UTC 2024] - set SYNO_Device_Name then input correct OTP-code manually
[Tue Apr 2 13:00:05 UTC 2024] - get & set SYNO_Device_ID via your browser cookies
[Tue Apr 2 13:00:05 UTC 2024] Error deploy for domain:jjlizz.org
[Tue Apr 2 13:00:05 UTC 2024] Deploy error.

And then I tried manually putting the API URL in the browser, and it returned a success.

{ "data": { "SYNO.API.Auth": { "maxVersion": 7, "minVersion": 1, "path": "entry.cgi" } }, "success": true }

{ "data": { "account": "XXXX", "device_id": "XXXX", "ik_message": "", "is_portal_port": false, "sid": "XXXX", "synotoken": "XXXX" }, "success": true }

Now I'm totally lost.

github-actions[bot] commented 7 months ago

Please upgrade to the latest code and try again first. Maybe it's already fixed.

acme.sh --upgrade

If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
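A debug log of this deploy hook carries the login URL (account, passwd, device_id) and, at higher debug levels, may carry the login response (sid, synotoken), so it is worth scrubbing before it is posted. The filter below is an added example, not part of any comment in this thread and not acme.sh code; the function names and sample values are constructed, the field names are the ones visible in this thread, and it assumes one log entry per line.

```shell
#!/bin/sh
# Added example: scrub DSM credentials from an acme.sh debug log before sharing.

# Replace the values of credential-bearing fields with REDACTED (stdin -> stdout).
redact_dsm_log() {
  sed -E \
    -e "s/([?&](account|passwd|device_id)=)[^&' ]*/\1REDACTED/g" \
    -e 's/("(account|device_id|sid|synotoken)"[[:space:]]*:[[:space:]]*")[^"]*"/\1REDACTED"/g' \
    -e "s/(SYNO_(Username|Password|Device_ID)=').*'\$/\1REDACTED'/"
}

# Exit 0 only if none of the listed fields still carries a non-redacted value.
check_redacted() {
  ! sed -E "s/='?REDACTED'?//g; s/:[[:space:]]*\"REDACTED\"//g" |
    grep -Eq "[?&](account|passwd|device_id)=[^&' ]|\"(account|device_id|sid|synotoken)\"[[:space:]]*:[[:space:]]*\"[^\"]|SYNO_(Username|Password|Device_ID)='[^']"
}

# Constructed sample: same shape as the log and JSON in this thread, fake values.
sample_log() {
  cat <<'EOF'
[constructed] SYNO_Username='cert'
[constructed] SYNO_Password='example-pass'
[constructed] SYNO_Device_Name='CertRenewal'
[constructed] url='http://nas.example:5000/webapi/entry.cgi?api=SYNO.API.Auth&version=7&method=login&format=sid&account=cert&passwd=example-pass&enable_syno_token=yes&device_name=CertRenewal&device_id=example-did'
{ "data": { "account": "cert", "device_id": "example-did", "ik_message": "", "is_portal_port": false, "sid": "example-sid", "synotoken": "example-token" }, "success": true }
EOF
}

# Demo: print the scrubbed sample, then confirm nothing sensitive is left.
sample_log | redact_dsm_log
if sample_log | redact_dsm_log | check_redacted; then
  echo "log is safe to share"
else
  echo "log still contains credential values" >&2
fi
```

To use it on a real log, pipe the file through `redact_dsm_log` and then through `check_redacted` before attaching it.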

BBxx99 commented 7 months ago

same here

Anonym-tsk commented 6 months ago

Same issue

nillebor commented 6 months ago

The broken Synology Hook works again in the last version. The query of OTP in the console also works again. Tested on DSM 7.1. Update 6.

https://github.com/acmesh-official/acme.sh/pull/5111
https://github.com/acmesh-official/acme.sh/pull/5113