oGGy990 / certbot-dns-inwx

INWX DNS authenticator plugin for certbot
Apache License 2.0

Multiple domains on 2FA secured inwx accounts. #1

Closed jkroepke closed 6 years ago

jkroepke commented 6 years ago

Hi,

When you request two domains, for example *.example.com and example.com, certbot will start two separate challenges and will try to log in to inwx twice.

If the account on inwx is secured by mobile TAN, the request will fail because a mobile TAN token cannot be used twice.

oGGy990 commented 6 years ago

Hi,

To be honest, I have never tried 2FA. I was just relying on the INWX Python API doing the right thing (which it does).

The issue seems to be rather problematic: since each challenge is delayed by 60 seconds and TOTP TAN codes change every 30 seconds, reuse of the same TAN for multiple challenges is extremely unlikely. Also, such codes are actually not restricted to being usable only once. It is rather that the INWX API is denying valid TAN codes:

I have followed the message exchange between certbot and INWX on my own server with 9 sequential challenges, of which only 2 succeeded after enabling 2FA. The sent TOTP codes match exactly what my mobile TOTP management app(s) display. The API denies them anyway.

It seems INWX is having some issues anyway, as I needed about 3 new secrets and 15 tries to actually enable 2FA on the INWX website until the TAN was no longer considered invalid (generating the code with both Google Auth and FreeOTP).

PS: System times were synchronized and validated, of course.

jkroepke commented 6 years ago

The API denies them anyway.

That's fine. OTP tokens should be valid only on first usage.

The problem is that every action creates a new session instead of reusing an active one.

oGGy990 commented 6 years ago

The problem is that every action creates a new session instead of reusing an active one.

That should actually not be an issue across challenges due to the delay, but the deletion of the record followed by an "immediate" search for the appropriate domain in the next challenges introduced the problem.

I have fixed this now by a DOMRobot client cache (also across challenges) keyed by the given credentials file path (see fdff0920dce9102762647d2582781b1a4f3e34a0 - works for me).

Still having the 2FA setup issue on their page though. :-)

Thanks for your report!
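
The session-reuse problem and the per-credentials-file client cache described in the two comments above, as an added example (not code from certbot-dns-inwx or the INWX Python API). `FakeInwxApi` is a stand-in for the INWX server side that, like the real API in this report, rejects a TOTP code it has already accepted; the INI key names (`username`, `password`, `shared_secret`) are hypothetical, not the plugin's real credentials format. The `totp()` function is a plain RFC 6238 implementation, so the same 30-second window behaviour discussed above can be checked against the RFC's own test vector.

```python
"""Added example, not code from certbot-dns-inwx: the session-reuse
problem from this issue and the per-credentials-file client cache that
fixes it.  FakeInwxApi stands in for the INWX API (assumption); the
credentials-file key names are hypothetical, not the plugin's real ones."""
import configparser
import hashlib
import hmac
import os
import struct
import tempfile


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the code changes every `step` seconds."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class FakeInwxApi:
    """Stand-in for the INWX server side (constructed for this example).
    It counts successful logins and, as reported in this issue, rejects
    a TOTP code that has already been accepted once."""

    def __init__(self):
        self.logins = 0
        self.used_codes = set()

    def login(self, user, password, code):
        if code in self.used_codes:
            raise PermissionError("TOTP code already used")
        self.used_codes.add(code)
        self.logins += 1
        return {"user": user}  # session handle


def read_credentials(path):
    """Parse an INI credentials file; the key names are hypothetical."""
    cfg = configparser.ConfigParser()
    cfg.read(path)
    sec = cfg["inwx"]
    return sec["username"], sec["password"], sec["shared_secret"].encode()


class ClientCache:
    """One logged-in session per credentials file, keyed by absolute path,
    so later challenges reuse the session instead of logging in again."""

    def __init__(self, api):
        self.api = api
        self.sessions = {}

    def get(self, credentials_path, now):
        key = os.path.abspath(credentials_path)
        if key not in self.sessions:
            user, password, secret = read_credentials(credentials_path)
            self.sessions[key] = self.api.login(user, password, totp(secret, now))
        return self.sessions[key]


def run_challenges(n_challenges, use_cache, seconds_between=0):
    """Simulate n certbot challenges; return (successful logins, failed challenges)."""
    api = FakeInwxApi()
    cache = ClientCache(api)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inwx.ini")  # constructed credentials file
        with open(path, "w") as f:
            f.write("[inwx]\nusername = user\npassword = pw\n"
                    "shared_secret = 12345678901234567890\n")
        failures = 0
        for i in range(n_challenges):
            now = 1_000_000 + i * seconds_between
            try:
                if use_cache:
                    cache.get(path, now)
                else:  # old behaviour: a fresh login for every action
                    user, password, secret = read_credentials(path)
                    api.login(user, password, totp(secret, now))
            except PermissionError:
                failures += 1
    return api.logins, failures


if __name__ == "__main__":
    print("no cache, back-to-back:", run_challenges(2, use_cache=False))
    print("cache, back-to-back:   ", run_challenges(2, use_cache=True))
```

Two back-to-back actions without the cache produce one login and one rejected challenge, because both fall into the same 30-second TOTP window and present the same code; with the cache the second action reuses the first session and no second login happens at all.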

jkroepke commented 6 years ago

Nevermind. Works.

jkroepke commented 6 years ago

FYI: for me and all other users:

It's possible to create a 2nd user login via inwx support which has no 2FA. It's more like an app password, like Google does it.