Cannot add account to CLI 2.0.0

N33T
Community Member

With CLI version 2 I cannot seem to add an account.

This is what happens:

op account add
Enter your sign-in address (example.1password.com): my.1password.com
Enter the email address for your account on my.1password.com: [email redacted]
[ERROR] 2022/03/17 15:10:42 Couldn't connect to the sign-in address you provided. Check the address and your network connection, then try again.

When I go back to 1.12.4, it works as expected.

Comments

  • Justin.Yoon_1P
    edited March 2022

    Hey @N33T ,

    Does the command ask for your secret key and password after email or return the error message right after you enter the email?

    edit: It looks like that error message is printed when attempting to check that the signin address can be reached. This step happens before the secret key and password are prompted. Is my.1password.com the exact text you are inputting in that step?

  • N33T
    Community Member
    edited March 2022

    Hey @Justin.Yoon_1P,

    my.1password.com is the exact text that I am inputting.

    It could be that it is a DNS issue; we're using an internal DNS server due to policies.
    Does CLI v2 have a special way it resolves DNS?

    When I add an account with version 1 and then try to log in with version 2, I get the following:

    op signin -f
    Enter the password for [email] at my.1password.com:
    [ERROR] 2022/03/18 09:44:44 failed to request.DoUnencrypted: Get "https://my.1password.com/api/v2/auth/[redacted]": dial tcp: lookup my.1password.com on [::1]:53: read udp [::1]:33617->[::1]:53: read: connection refused
    

    with v1:

    op signin
    Enter the password for [email] at my.1password.com:
    export OP_SESSION_my="[redacted]"
    # This command is meant to be used with your shell's eval function.
    # Run 'eval $(op signin my)' to sign in to your 1Password account.
    # Use the --raw flag to only output the session token.
    

    I did make that typo on the other post:
    https://1password.community/discussion/127993/cannot-add-account-to-cli-2-0-0#latest

    So that one can be removed as I accidentally double posted.

    When I try to resolve DNS with our internal DNS server:

    nslookup my.1password.com [DNS IP]
    Server:         [DNS IP]
    Address:        [DNS IP]#53
    
    Non-authoritative answer:
    Name:   my.1password.com
    Address: 34.192.182.4
    Name:   my.1password.com
    Address: 75.101.251.99
    Name:   my.1password.com
    Address: 34.230.244.235
    Name:   my.1password.com
    Address: 54.172.125.106
    Name:   my.1password.com
    Address: 54.197.109.118
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e01:9a5a:96db:6156:6d50
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e02:5ea8:d1f5:8833:6473
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e00:e020:a971:c344:3867
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e04:9c92:c5bb:230e:b2b9
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e03:b4cc:ceed:3591:edcb
    

    When I use the IPv6 address of the DNS server

    nslookup -query=AAAA my.1password.com [DNS v6 IP]
    Server:         [DNS v6 IP]
    Address:       [DNS v6 IP]#53
    
    Non-authoritative answer:
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e00:e020:a971:c344:3867
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e04:9c92:c5bb:230e:b2b9
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e01:9a5a:96db:6156:6d50
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e02:5ea8:d1f5:8833:6473
    Name:   my.1password.com
    Address: 2600:1f18:60d5:4e03:b4cc:ceed:3591:edcb
    
  • Hey @N33T

    Appreciate the additional info.

    Adding the account via op v1 and then trying to sign into it in v2 was a great idea. Using my.1password.com as the signin address should be completely fine. It seems like requests to my.1password.com are being rejected, and will need further investigation if the DNS is affecting it.

    To my knowledge, we have not changed the networking layer such that a DNS would be prohibited in v2. We will continue to look into this problem, stay tuned.

    For the time being, would you be able to confirm whether or not adding accounts and signing in with v2 works when the DNS is set to a public one, like Google's? If not due to policy, it is completely fine as well.

  • N33T
    Community Member
    edited March 2022

    Hi @Justin.Yoon_1P,

    Unfortunately, I cannot change the DNS server due to policy (blocked by firewall).
    However I did try and disable IPv6 (on loopback and the nic), since the error seems to be related to the IPv6 localhost port 53.
    But that unfortunately gives the same error.

    1P desktop, 1P browser extension and 1P CLI v1 all work fine.

    Is port 53 also used by IPv6 for DNS?
    On my machine I don't even see it listening for [::]53, I only see [::]:5355 which seems to be for Link-Local Multicast Name Resolution.

  • Thanks for the update @N33T

    We are still looking into it.

    Which OS are you trying to run the CLI on by the way?

  • N33T
    Community Member

    Hi @Justin.Yoon_1P,

    I use Arch btw.

    At home I also run Arch with the same setup and CLI v2 does work.
    It doesn't listen to [::]53 either.

  • Hey @N33T

    We have an Arch user in our company who encountered the same problem, wondering if it may be applicable to your case.

    This seems to be a common problem with CLI binaries written in Go - and we don't have a fix on our end yet, but we'll continue looking into it.

    Are you configuring DNS with systemd-resolved?

    While this individual did not have any custom DNS configured, they did have to do this step in the picture to symlink resolv.conf to stub-resolv.conf:

    I am not 100% sure if this applies to you, or if it will fix it for you, but the error message and OS match up so I thought I'd bring it up, please give it a try if it does indeed apply to you and let us know!

  • N33T
    Community Member
    edited March 2022

    Hi @Justin.Yoon_1P,

    Thanks for the link to that part of the arch wiki.
    I am indeed using systemd-resolved for DNS.

    I can confirm that replacing /etc/resolv.conf with a symlink to /run/systemd/resolve/stub-resolv.conf does the trick.

    Thank you very much!

  • Hey @N33T

    I am very happy to hear that, thank you for the update.

This discussion has been closed.
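
Added example, not part of the thread and not 1Password's code: Go's built-in resolver falls back to 127.0.0.1:53 and [::1]:53 when /etc/resolv.conf is missing or lists no nameserver, which matches the `lookup ... on [::1]:53 ... connection refused` error above. The function names `resolv_state` and `resolv_report` are hypothetical; the script classifies a resolv.conf file and reports whether the systemd-resolved stub file is available to link to.

```shell
#!/bin/sh
# Classify a resolv.conf file the way a pure-Go DNS client would see it.
# Prints one of: missing, dangling-symlink, no-nameserver, ok
resolv_state() {
    f="${1:-/etc/resolv.conf}"
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "dangling-symlink"; return 0
    fi
    if [ ! -e "$f" ]; then
        echo "missing"; return 0
    fi
    # Commented-out lines ("# nameserver ...") do not match because $1 differs.
    servers=$(awk '$1 == "nameserver" && $2 != "" { print $2 }' "$f" 2>/dev/null || true)
    if [ -z "$servers" ]; then
        echo "no-nameserver"; return 0
    fi
    echo "ok"
}

# Human-readable report. The second argument is the systemd-resolved stub
# file; its default is the path named in the thread.
resolv_report() {
    f="${1:-/etc/resolv.conf}"
    stub="${2:-/run/systemd/resolve/stub-resolv.conf}"
    state=$(resolv_state "$f")
    echo "$f: $state"
    [ -L "$f" ] && echo "  symlink -> $(readlink "$f")"
    case "$state" in
        ok)
            awk '$1 == "nameserver" { print "  nameserver " $2 }' "$f"
            ;;
        *)
            echo "  Go's built-in resolver will query 127.0.0.1:53 and [::1]:53"
            [ -e "$stub" ] && echo "  systemd-resolved stub present: $stub"
            ;;
    esac
    return 0
}

# Check the live file, or a path given on the command line.
resolv_report "$@"
```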