couchtyp / certbot-dns-schlundtech

SchlundTech XML Gateway DNS Authenticator plugin for EFF's Certbot
MIT License

Support 2FA #8

Closed f0086 closed 1 year ago

f0086 commented 2 years ago

If 2FA is enabled (new web interface only), accessing the XML API does not work any more and the zones can't be changed.

couchtyp commented 2 years ago

There is nothing mentioned in the most recent version of the documentation (7.1, from 2019) for the SchlundTech XML Interface regarding support for 2FA-activated accounts. I'm afraid that without proper documentation, I'll not be able to update the plugin to support whatever alternate authentication mechanism SchlundTech might offer.

If anyone can contribute reliable information regarding that, feel free to comment.

jurica commented 1 year ago

Hi,

I found out that the XML Gateway does support 2FA, see: https://help.internetx.com/display/APIXMLEN/Authentication

To get it working it's just required to add a "" tag to the "" section with the current token as payload. So basically it's "just" a matter of adding the secret key to the config, generating the OTP as defined in RFC 6238 (i.e. by using https://pyauth.github.io/pyotp/) and adding it to the requests.

A quick test with curl and some hardcoded requests showed that it is also working ;).

I would also really appreciate it if you could add support for 2FA to this project. I'm willing to help/contribute, but I'm not very familiar with Python so it might take some time until I can produce some helpful code.

f0086 commented 1 year ago

@couchtyp @jurica Any plan to get this implemented? I am also not very familiar with Python, so I am not a huge help here :(

couchtyp commented 1 year ago

Sorry, that took a while. SchlundTech updated their documentation in the meantime so I've gone ahead and added the option to provide a 2FA token as part of the credentials file real quick. Testing is a bit limited on my side at the moment as I'm not actively using SchlundTech for any domains currently.

f0086 commented 1 year ago

Wow, that is awesome, thanks! I will test it this week and report back.

stefango79 commented 1 year ago

Hi, I finally could test it a few minutes ago. It kinda works. If I put in a valid Token into the ini and quickly start certbot it works. Normally I would expect the Token to be generated on the fly. The ini should only have the secret key in it.

If there is an update I can test again. I'm a developer myself, but never used Python. Maybe I'll give PyOTP a try, when I have some spare time (unlikely in the near future).

stefango79 commented 1 year ago

I think I have a working copy now - working with Pyotp. As this is my first time writing Python and pushing anything to GitHub, I might need some help here (I'll read into PRs tomorrow). I inserted Pyotp via pip into the Dockerfile (as that's what I'm using).
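
An added example, not code from this plugin or from any commenter: a standard-library sketch of the approach discussed in the thread, where the credentials file holds only the TOTP secret and the RFC 6238 code is computed right before each request instead of being pasted in as a short-lived token. The option name `dns_schlundtech_totp_secret`, the flat `key = value` file layout and the function names are assumptions; the permission check is added because the file now holds a long-lived secret.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded shared secret."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # authenticator secrets often omit padding
    key = base64.b32decode(s)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def load_totp_secret(path, key="dns_schlundtech_totp_secret"):
    """Read the secret from a key = value credentials file.

    The option name is hypothetical, not the plugin's real setting.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # The secret mints every future code, so refuse group/world access.
        raise PermissionError(f"{path} has mode {mode:o}, expected 600")
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            name, sep, value = line.partition("=")
            if sep and name.strip() == key:
                return value.strip()
    raise KeyError(key)


def current_token(path, at=None):
    """Compute the token at request time so it is still inside its window."""
    return totp(load_totp_secret(path), at=at)
```

With PyOTP installed, `pyotp.TOTP(secret).now()` returns the same value as `totp(secret)` for the default 30-second step and 6 digits.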