I think I found a bug

After I create an extension I can register a phone with the auto generated secret, but if I change the secret, it refuses to register. I can look in the logs and it is saying bad username/pass. I feel like the GUI is not updating the password in the database/config files.

Thoughts?

If you change it on the server first, while the phone is still registered to the system it is possible that your phone will be fail2banned before you can change it on the device. Try stopping fail2ban to see if that corrects your issue.

Are you updating the password on your device after you change it in the extension?

Of course.

How are you updating the password and provisioning the device?

Through the devices web portal, and OSS Endpoint Manager Alike.