Unable to authenticate through EXT

Then your issue appears to be ACS → CPE authentication.

I’m not sure how I missed that above, but this confirms the issue is ACS → CPE authentication.

Do you get the connection request error for all CPEs, or just certain ones? Is the inform script above set up, and does it have a corresponding preset configured? Provision scripts require presets to kick them off.

Here is the default preset for the default inform provision:

Hi @akcoder ,

can confirm I do have that inform preset, exactly as yours.
The absolutely ridiculous thing to me is that, given a single CPE, the thing still fails even if I manually set cwmp.connectionRequestAuth to AUTH('<the user from the CPE config itself>', '<same for password>').
Is there any other configuration parameter that can interfere?
I saw this post from @zaidka but didn’t resolve anything :frowning:

@zaidka what does this exactly mean? Do you expect ACS to CPE and CPE to ACS to share the same credentials?

I’d start back at the beginning. Disable connection request auth in the CPE. Does the ACS then successfully initiate a connection request to the CPE? If so, then go into Admin → Config and add the entry cwmp.debug with the following value: DeviceID.ID = "<ACS_ID_OF_CPE_COPIED_EXACTLY_FROM_ACS_GUI>"

Then tail the debug file. The location for the debug file will be in your genieacs.env file. For example

GENIEACS_DEBUG_FILE=/var/log/genieacs/genieacs-debug.yaml

The highlighted value below for your CPE is what to put between the quotes.

1 Like

Hi @akcoder ,

thank you for the detailed instructions.
I tested against two different GenieACS servers: one with the custom authenticate script and the other one with just AUTH("somefixed", "string") . The result is that just the second one always works.
Even removing the cwmp.auth configuration, restarting the server etc. won’t lead to a working situation.

Summon and other commands only work when AUTH is fixed.

I now suspect there is something wrong in the ACS → CPE authentication workflow. Maybe it calls the EXT authentication script with a wrong parameter?
I enabled the debug as you suggested and can confirm that at least the username is being sent correctly for the Digest auth from the ACS. I have no way to check what password is sent, since Digest is enforced.

I am demoralised. I thought this was a mature product and instead there is not even documentation for this set of functions.

When cwmp.auth is not set, GenieACS defaults to AUTH(username, password). The values for username and password get pulled from InternetGatewayDevice.ManagementServer.ConnectionRequestUsername and InternetGatewayDevice.ManagementServer.ConnectionRequestPassword. So if you are not setting those values for the device, then no authentication will be able to take place. And this is confirmed by the fact that when you hard code the username and password, everything works. But for all of this to work, you have to use the default inform script, which sets the connection request username and password params.

// Device ID as username
const username = declare("DeviceID.ID", {value: 1}).value[0];

// Password will be fixed for a given device because Math.random() is seeded with device ID by default.
const password = Math.trunc(Math.random() * Number.MAX_SAFE_INTEGER).toString(36);

declare("InternetGatewayDevice.ManagementServer.ConnectionRequestUsername", {value: 1}, {value: username});
declare("InternetGatewayDevice.ManagementServer.ConnectionRequestPassword", {value: 1}, {value: password});
declare("Device.ManagementServer.ConnectionRequestUsername", {value: 1}, {value: username});
declare("Device.ManagementServer.ConnectionRequestPassword", {value: 1}, {value: password});

If you aren’t happy with GenieACS, you should look at Calix Cloud. Calix would love to have your money. But for the amount of money you pay Calix per device, you could hire a full time engineer to work on your ACS infrastructure/write scripts/etc.

1 Like

It wasn’t really a matter of being happy, just of having a working setup. As of 7 days ago, only the passive part of my GenieACS instance was working.

The end of this story seems to be that, somehow, I don’t know if due to GenieACS or my CPEs’ limitation, the ACS password set on the CPE was fine while pushing data but too long to get messages from the ACS. I reduced the number of characters of my generated password and now it works seamlessly.

I was also able to push the password reduction to all connected CPEs via a Provision I’m putting below, in case anybody needs it in the future.

// Refresh values daily
const daily = Date.now(86400000);

// Update pw
let SerialNumber = declare("DeviceID.SerialNumber", {value: 1}).value[0];
let pswPass = ext("authenticate", "getPasswordShort", SerialNumber);
declare("InternetGatewayDevice.ManagementServer.Password", {value: daily}, {value: pswPass});

@akcoder thank you for the patience and effort you put into this issue. I also stumbled upon the provision scripts you wrote in the wiki and am going to try to implement those to see if I can at least automate the CPEs configuration in our lab.
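The thread never shows the extension behind `ext("authenticate", "getPasswordShort", SerialNumber)`, and the default inform script derives its password from the device ID alone. The following is an added example, not code from the posters or from GenieACS: a sketch of such an extension that derives a per-device password from the serial number with a keyed HMAC and caps its length. The environment variable name, the 16-character cap and the `derivePassword` helper are assumptions; the thread does not state the length its CPEs accept.

```javascript
// Added example: hypothetical GenieACS extension file (e.g. ext/authenticate.js).
// Extension functions receive the ext() arguments as an array plus a callback.
const crypto = require("crypto");

// Assumption: the secret is supplied through an environment variable
// (hypothetical name). The fallback is a constructed value for offline runs.
const SECRET = process.env.ACS_PASSWORD_SECRET || "constructed-demo-secret";

// Assumption: 16 characters is short enough for the CPE's Digest handling.
const MAX_LEN = 16;

// Derive a stable password for one device. The HMAC key stays on the ACS,
// so the value cannot be recomputed from the serial number by itself.
function derivePassword(serial, maxLen = MAX_LEN) {
  if (typeof serial !== "string" || serial.length === 0) {
    throw new Error("serial number required");
  }
  const mac = crypto.createHmac("sha256", SECRET).update(serial, "utf8");
  // Hex output avoids characters some CPE firmwares reject in passwords.
  return mac.digest("hex").slice(0, maxLen);
}

// Entry point called as ext("authenticate", "getPasswordShort", serial).
function getPasswordShort(args, callback) {
  let password;
  try {
    const serial = args && args[0] != null ? String(args[0]) : "";
    password = derivePassword(serial);
  } catch (err) {
    return callback(err);
  }
  callback(null, password);
}

exports.getPasswordShort = getPasswordShort;
```

The same function has to back both the provision that writes the password to the CPE and the expression the ACS uses to authenticate, otherwise the two sides drift apart again.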