Google Authenticator 2FA set up but receiving email access codes

[Avalanchee]

Recently I've been receiving OTP emails despite having OTP app set up as my 2FA.
I have an ACL which is exempt from 2FA requirement (it's an IP address where certbot is logging in programmatically from) - and it worked great for over a year.
Now I'm receiving OTP emails on every login - whether from within the ACL or from outside.
When I remove the flag "Enabled For: Only access attempts outside the ACL" - I'm being asked for an OTP code rather than email (as expected).

I tried removing 2FA entirely and setting it up again - same result.

Please assist, thanks.

 

[sandy]

please let me know a domain name in your account,

regards

 

[Avalanchee]

nir.me

 

[sandy]

thank you .. looking into this presently

regards.

 

[sandy]

can you please try again and be sure to use all lower case on the user ID.

 

[Avalanchee]

Thanks Sandy,
I've changed the username to lowercase in both my password manager and script.

The situation hasn't changed much - currently from within the ACL I am able to login without OTP (however, strangely - only from one specific browser).
From other browsers inside the ACL and from outside the ACL - I am still getting the email code prompt.
In the bottom of the prompt I see a checkbox (which I'm not sure was there before): "Extend device expiry to 30 days instead of 7."
If I enter the code from the email, it seems that the browser no longer requires OTP for the next logins.
I consider it a security downgrade for devices outside the ACL compared to the previous behavior (OTP request for every login).

Please advise,
Thanks.

 

[sandy]

can you contact us on this via the Get Support link on your members page? oh sorry, just noticed yours is a free account.... This will be looked into soon. regards

 

[Avalanchee]

I noticed that even with OTP disabled I'm getting token requests to approve the browser.
Is this by design?
Can you please recommend a good approach to handle automatic certbot renewals via TXT records? as there is no API, we have to resort to login via shell scripts using curl.
Thanks.

 

[sandy]

still looking into the Token concern

For DDNS: certbot

Changes to Dynamic DNS

support.zoneedit.com

 

[Avalanchee]

Nice, thanks for the resource. Had no idea it exists.
I've been using an open source project to renew my wildcard certificates and the token problem broke it.
Link: https://github.com/jeansergegagnon/zoneedit_letsencrypt
From first look it seems this endpoint makes the whole script obsolete but I'll know for sure after I try.

 

[sandy]

Perhaps try..... disable ACL and just use 2FA ...

 

[Avalanchee]

I'll try to give an answer within a few days.
And yea I don't really need the ACL except for certbot so it could be a good solution.

 

[Avalanchee]

Hey Sandy,
I can confirm the solution works like a charm!
It's a warm feeling being able to replace a whole script with a single curl command

I'm only curious how to make use of "auth tokens" to perform the API call instead of basic authentication with my ZoneEdit credentials?
I did generate a token under domain management => "Enable DYN auth tokens", but I'm not sure where to put it.

Thanks!

 

[sandy]

Have you tried entering the DYN auth code instead of the account password where its been used now?

regards

 

[Avalanchee]

I tried instead of user, didn't think the password field would work...
But tested it now and it's working great.

Thank you again, I really appreciate all the help!

 

[sandy]