Newest os-acme-client/acme.sh, DNS service "INWX XMLRPC" missing OTP seed field

Started by thexy, October 17, 2023, 03:02:43 AM


Hi all,

on newest OPNsense 23.7.6, newest os-acme-client 3.19 and newest acme.sh 3.0.7_1 the DNS provider INWX XMLRPC (INWX being a Germany-based domain name registrar at inwx.de) allows entering a username and password for authentication. I think this wasn't always the case; I'm kinda missing an optional third field to add a "shared secret" (in acme.sh language), this is an RFC6238 one-time password seed aka Google Authenticator seed.

Can I rubber duck-debug my thought process here with you before I go out and file a bug report? Since 21.1 times I've had auto-renewal of OPNsense's own web GUI cert with os-acme-client via DNS-01 challenge against my INWX account configured and since forever ago that account has had one-time password authentication enabled. There is no optional OTP-less access to INWX' API so if the account itself has it ACME clients must use it as well. Renewal last correctly worked on August 1 of this year, at that time the OPNsense installation was still on 21.1. 60 days later on September 30 renewal failed. I didn't look at errors at the time, I figured I might just get on with an upgrade to newest OPNsense 23.7.6 along with os-acme-client and acme.sh.

With everything now up to date I'm seeing similar behavior as before. In "Services: ACME Client: Settings" I did "Reset ACME Client". A manual renew attempt correctly finds '/usr/local/share/examples/acme.sh/dnsapi/dns_inwx.sh', issues an error 'INWX API: Mobile TAN detected. Please define a shared secret.' and quits. Per 'dns_inwx.sh' this only happens if during script execution the environment variable $INWX_Shared_Secret is unset or set to an empty string.

I looked up previous errors that had been happening nightly since September 30, those all reported 'INWX API: Mobile TAN not correct.' which only happens if a $INWX_Shared_Secret value is set, used to generate a one-time password and in our HTTP response body we're not finding:
grep -- '<member><name>code</name><value><int>1000</int></value></member>'

Since this might just be a grep issue I thought it could be forum topic 36087 or opnsense/plugins issue #3590 waiting for official acme.sh commit 9143cd1 to become available in OPNsense. That wasn't it though, the commit made it into acme.sh-3.0.7_1.pkg last Thursday, October 12 per fichtner's opnsense/plugins issue #3590 comment 1758942032. Also it did touch an unrelated file.

So erm ... how did I renew SSL certs against INWX' API with a Google Auth seed for two years when such a Google Auth seed cannot be entered in os-acme-client settings menu? I've been very hands-off of my OPNsense installation for a while, I also didn't document anything fancy back when I last set up cert renewal. Whatever I did surely wasn't so egregious as to manually insert a hard-coded string into the acme.sh renewal script. I hope. Did I do what this person did and this person did and manually add a variable to '/usr/local/etc/pkg.conf'? If so why were my changes - presumably - reverted between last successful renewal on August 1 and first renew failure on September 30 without me doing a package upgrade? I did try just now for fun to add this to the file and rebooted:
PKG_ENV {
    INWX_Shared_Secret: "rfc6238-otp-seed-here"
}

Whatever PKG_ENV is it's apparently not an environment available to packages in the sense that I think it is; the ACME renew process still reports 'Please define a shared secret.' so whatever I did there isn't helpful and I reverted this file to defaults.

Is there something in os-acme-client that I'm missing to provide arguments not configurable via the OPNsense web frontend? Was there ever an option for INWX XMLRPC shared secrets? In plugin code I'm not seeing anything, I'm at a bit of a loss.

Any help and rubber duck debug review is greatly appreciated, thanks!
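The two error strings quoted above map to two different failure points: 'Please define a shared secret.' is raised before any network traffic when the seed is absent, while 'Mobile TAN not correct.' means a code was generated from a seed and INWX rejected it, which happens with a wrong seed or with a clock that has drifted outside the server's acceptance window. The following example (added here; it is not code from acme.sh, dns_inwx.sh or os-acme-client) shows how an RFC 6238 client turns a base32 Google Authenticator seed into the code that such a login sends, and how a skew window of one time step is checked. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second step, 6 digits); the post does not state which parameters INWX uses. The seed constant is the RFC 4226/6238 test secret, not a real account seed.

```python
"""RFC 6238 TOTP derivation, as used by an OTP "shared secret" login.

Added example, not from acme.sh or os-acme-client. Assumes Google
Authenticator defaults: HMAC-SHA1, 30-second step, 6 digits.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32).
# Constructed for the example; never a real account seed.
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(seed: str) -> bytes:
    """Authenticator apps show seeds in base32, often spaced and unpadded."""
    cleaned = seed.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed_base32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(decode_base32_seed(seed_base32), at_time // step, digits)


def code_matches(seed_base32: str, submitted: str, at_time: int,
                 step: int = 30, skew_steps: int = 1) -> bool:
    """Accept a code from the current step or +/- skew_steps around it.

    A client whose clock is off by more than the server's window gets a
    'TAN not correct' style rejection even though the seed is right.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(seed_base32, at_time + delta * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def shared_secret_missing(env: dict) -> bool:
    """Mirrors the precondition described for dns_inwx.sh: unset or empty seed."""
    return not env.get("INWX_Shared_Secret", "")


if __name__ == "__main__":
    if shared_secret_missing({}):
        print("INWX API: Mobile TAN detected. Please define a shared secret.")
    now = int(time.time())
    print("current test-seed code:", totp(RFC_TEST_SEED, now))
```

Running it with the system clock a minute or more off from the server's would make `code_matches` fail for a correct seed, which is the first thing to check when a previously working OTP login starts failing nightly.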

Hi,

It would be better to discuss on GitHub to get more traction:

https://github.com/opnsense/plugins/issues/3590

fraenki is the maintainer you want to ping. I'll leave a comment as well.


Cheers,
Franco