
Resolved HOW TO UPDATE SYSTEM TIME AND ENABLE MULTI FACTOR AUTHENTICATION.

MHC_1

Regular Pleskian
Server operating system version: alma linux
Plesk version and microupdate number: 18.0.76#4
WE RUN IN THE UK.

UK HAS TIME CHANGE SUNDAY 29TH MARCH

We have had to update the server time so the server time is the same as the time on clocks here. Server time was previously -1 hour (2pm instead of 3pm).

Now, we have updated the server time as per the GUI --> Server Settings --> Server Time.

Now MFA login no longer works despite the MFA on the device providing the code and the server should be the same time.

HOW DO WE FIX THIS?

WHY WAS THERE NO NOTIFICATION OF MFA RISK?
 
This is usually because the timezone you have set vs the time you have set is not the same if you manually set the clock. My suggestion is to make sure that the timezone is set correctly and have it sync with an NTP server.

Check current setting
Bash:
timedatectl status
Confirm it's set to the correct time zone. If it's not the correct timezone, you can see a list by using:

Bash:
timedatectl list-timezones
You can also add | grep -i your_city or a city nearby to narrow the search to make sure you find the correct one. Once you find the correct timezone, issue:

Bash:
sudo timedatectl set-timezone America/New_York
Replace America/New_York with your actual timezone.

Then make sure NTP is enabled by issuing:

Bash:
sudo timedatectl set-ntp true

Then you can issue
Bash:
sudo chronyc -a makestep
to force a sync (chronyc should be used by default for AlmaLinux IIRC; if not, then you need to find what your server uses and use that command to sync. If you don't have NTP enabled, then install chrony and configure it; refer to https://linuxconfig.org/how-to-configure-ntp-server-and-client-on-almalinux for configuration instructions).
 
Because 2FA is tied to a TOTP which is tied to UTC times. So if your TOTP app is looking at one time via UTC but the server's UTC is different, then the TOTP will never match. This is why it's important to make sure the time actually matches the time zone, which in turn will match the time with UTC. A few seconds is fine but a whole hour difference will be completely wrong (and I know this because I've troubleshot an issue unrelated to Plesk where a user's computer clock was off by a minute and the TOTP software was on the same system, so the 2FA is always 2 codes behind from what the actual server is looking for).
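
The skew behaviour described in the reply above, as an added example that is not part of the thread and not Plesk's own code: a minimal RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) with a verifier that tolerates one step either side. The tolerance window, the `skew_accepted` helper and the sample time are assumptions for illustration; the secret is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default)
DIGITS = 6


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). unix_time is seconds since the epoch,
    which is always UTC: the configured timezone never enters the maths."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from `window` steps either side of the server's step.
    window=1 is an assumed tolerance, not a documented Plesk setting."""
    return any(
        hmac.compare_digest(totp(secret, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def skew_accepted(secret: bytes, true_time: int, server_skew: int,
                  window: int = 1) -> bool:
    """Hypothetical helper: the phone's clock is correct (true_time) and the
    server's epoch clock is wrong by server_skew seconds."""
    code_from_phone = totp(secret, true_time)
    return verify(secret, code_from_phone, true_time + server_skew, window)


SECRET = b"12345678901234567890"   # RFC 6238 test secret, not a real one
NOW = 1_700_000_000                # constructed sample Unix time

if __name__ == "__main__":
    # 5 s: same step. 60 s: two steps off. 3600 s: clock set an hour wrong.
    for skew in (0, 5, 60, 3600):
        ok = skew_accepted(SECRET, NOW, skew)
        print(f"server clock off by {skew:>4}s -> code accepted: {ok}")
```

Setting the wall clock by hand while the timezone is wrong shifts the epoch value by the full offset, which is the 3600-second case here; changing only the timezone leaves the epoch value, and therefore the codes, untouched.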
 
@scsa20 thanks. The issue arose because the PHP on the server and the MariaDB on the server were running on different times. This was due to the BST +1 hour shift. PHP was running on Europe/London on all instances but the MariaDB was running on system time. For 6 months there was no difference.

We reverted the server time to "correct" BST time and instead adjusted the MariaDB time to "+1:00".

Also the 2FA devices were manually adjusted to keep their times in sync with the stated server time.

Sorry for the panic and caps lock yesterday!
 