ACME DNS Challenge 2FA

S

szeoguprer

New Member
Jul 5, 2020
15
1
3
It is very nice to see that you built support for Let's Encrypt ACME directly into the GUI.
However, for me it isn't working. Could it be that 2FA login is not yet supported?

I've added an account (Let's Encrypt V2 Staging).
Then I added a challenge plugin for my provider INWX with the following data:
Code: 
INWX_User="<username>"
INWX_Password="<password>"
INWX_Shared_Secret="<totp-secret>"


If I try to get the certificate, I'll get an authentication error:
Code: 
Loading ACME account details
Placing ACME order
Order URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/XXXXXXXXXXXXXXXXXX

Getting authorization details from 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/XXXXXXXX'
The validation for sub.sub.domain.tld is pending!
[Fri Jul 10 15:31:06 CEST 2020] INWX API: Authentication error (username/password correct?)
[Fri Jul 10 15:31:06 CEST 2020] Error add txt for domain:_acme-challenge.sub.sub.domain.tld
TASK ERROR: command 'setpriv --reuid nobody --regid nogroup --clear-groups --reset-env -- /bin/bash /usr/share/proxmox-acme/proxmox-acme setup inwx sub.sub.domain.tld' failed: exit code 1

The entered data is correct. I double checked.
So I guess the 2FA login is not yet supported in the GUI?

Then I tried to do it manually just to verify if it is working:
Code: 
apt install oathtool

wget -O -  https://get.acme.sh | sh

export INWX_User="<username>"
export INWX_Password="<password>"
export INWX_Shared_Secret="<totp-secret>"

acme.sh \
--issue \
--dns dns_inwx \
--domain sub.sub.domain.tld \
--keylength 4096 \
--key-file /etc/pve/local/pveproxy-ssl.key \
--fullchain-file /etc/pve/local/pveproxy-ssl.pem \
--reloadcmd "systemctl restart pveproxy" \
--debug \
--test


However in the Wiki it says:
Do not replace or manually modify the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem and /etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem and /etc/pve/priv/pve-root-ca.key.
Click to expand...

But I've used /etc/pve/local/pveproxy-ssl.pem instead of /etc/pve/local/pve-ssl.pem.
(Not sure where I got this information from)

It works perfectly fine if I do it manually.

So now my questions are:
  1. Is it currently somehow possible to get 2FA working in the GUI?
  2. Is it on todo list and will be implemented in a future version?
  3. Have I done it the right way when I did it manually? Is the file name /etc/pve/local/pveproxy-ssl.pem correct?
  4. Is it good practice to do it manually or should I prefer GUI without 2FA? (Don't want to turn it off tbh.)
 
Hi,

did you install "oathtool" tool before you tried it?
 
First I tried without oathtool and it didn't work.
Then I installed oathtool and did it manually - worked.
Then I tried it with GUI again (oathtool still installed) and it didin't work.
 
Just had the same issue, and found out what was wrong: You simply have to remove the quotes in the API details.

Like this:
Code: 
INWX_User=username
INWX_Password=password
INWX_Shared_Secret=secret
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom