feat(config): add DcvTimeoutMinutes with CERTINEXT_DCV_TIMEOUT_MINUTES env var override

Author: spbsoluble

CERTInext/CERTInextCAPlugin.cs

@@ -725,10 +725,10 @@ private async Task<EnrollmentResult> EnrollNewAsync(
             {
                 // SOX CC7.3: bound the entire DCV flow with a hard timeout so a stuck
                 // DNS provider or extreme propagation delay cannot hold a gateway worker
-                // thread indefinitely.  The timeout is generous (10 minutes) to accommodate
-                // slow DNS zones; it is separate from the per-request HTTP timeout.
-                // Log the limit so an auditor can confirm the configured ceiling.
-                const int dcvTimeoutMinutes = 10;
+                // thread indefinitely.  Configurable via DcvTimeoutMinutes (config or
+                // CERTINEXT_DCV_TIMEOUT_MINUTES env var); defaults to 10 minutes.
+                // Log the resolved limit so an auditor can confirm the configured ceiling.
+                int dcvTimeoutMinutes = _config.GetEffectiveDcvTimeoutMinutes();
                 _logger.LogInformation(
                     "Starting DCV for order {OrderNumber}. DcvTimeoutMinutes={Timeout}",
                     orderNumber, dcvTimeoutMinutes);

CERTInext/CERTInextCAPluginConfig.cs

@@ -196,6 +196,15 @@ public static Dictionary<string, PropertyConfigInfo> GetCAConnectorAnnotations()
                     Hidden = false,
                     DefaultValue = 30,
                     Type = "Number"
+                },
+                [Constants.Config.DcvTimeoutMinutes] = new PropertyConfigInfo
+                {
+                    Comments = $"OPTIONAL: Maximum minutes to wait for the entire DCV flow (DNS publish + propagation + verify) " +
+                               $"before timing out the enrollment. Can also be set via the {Constants.Config.DcvTimeoutMinutesEnvVar} " +
+                               $"environment variable; the env var takes precedence when both are set. Default: 10.",
+                    Hidden = false,
+                    DefaultValue = 10,
+                    Type = "Number"
                 }
             };
         }
@@ -470,5 +479,25 @@ public class CERTInextConfig
         /// </summary>
         [JsonPropertyName("DcvPropagationDelaySeconds")]
         public int DcvPropagationDelaySeconds { get; set; } = 30;
+
+        /// <summary>
+        /// Maximum minutes for the entire DCV flow before the enrollment is cancelled.
+        /// Overridden by the <c>CERTINEXT_DCV_TIMEOUT_MINUTES</c> environment variable when set.
+        /// Default: 10.
+        /// </summary>
+        [JsonPropertyName("DcvTimeoutMinutes")]
+        public int DcvTimeoutMinutes { get; set; } = 10;
+
+        /// <summary>
+        /// Returns the effective DCV timeout, preferring the environment variable over the
+        /// config field so operators can adjust the ceiling without a connector reconfiguration.
+        /// </summary>
+        public int GetEffectiveDcvTimeoutMinutes()
+        {
+            var env = System.Environment.GetEnvironmentVariable(Constants.Config.DcvTimeoutMinutesEnvVar);
+            if (!string.IsNullOrEmpty(env) && int.TryParse(env, out int envVal) && envVal > 0)
+                return envVal;
+            return DcvTimeoutMinutes > 0 ? DcvTimeoutMinutes : 10;
+        }
     }
 }

CERTInext/Constants.cs

@@ -31,6 +31,10 @@ public static class Config
             public const string DcvEnabled = "DcvEnabled";
             public const string DcvTxtRecordTemplate = "DcvTxtRecordTemplate";
             public const string DcvPropagationDelaySeconds = "DcvPropagationDelaySeconds";
+            public const string DcvTimeoutMinutes = "DcvTimeoutMinutes";
+
+            // Environment variable that overrides DcvTimeoutMinutes when set.
+            public const string DcvTimeoutMinutesEnvVar = "CERTINEXT_DCV_TIMEOUT_MINUTES";
 
             // Auth mode values
             public const string AuthModeAccessKey = "AccessKey"; // default; authKey = SHA256(accessKey+ts+txn)

README.md

@@ -243,6 +243,10 @@ The following fields are presented in the Keyfactor Command Management Portal wh
 | `IgnoreExpired` | Optional | If `true`, expired certificates are skipped during synchronization and are not imported into Keyfactor Command. Default: `false`. | N/A | `false` |
 | `PageSize` | Optional | Number of orders to retrieve per page during synchronization. Default: `100`. Maximum: `500`. Reduce this value if synchronization requests time out. | N/A | `100` |
 | `Enabled` | Optional | Enables or disables the CA connector. Setting this to `false` allows the connector record to be created before all credentials are available, without triggering a live connectivity test. Default: `true`. | N/A | `true` |
+| `DcvEnabled` | Optional | When `true`, the gateway performs DNS-based Domain Control Validation (DCV) during enrollment for orders that require it. Requires a DNS provider plugin (e.g. `azure-azuredns-dnsplugin`) to be deployed on the gateway. Default: `false`. | N/A | `false` |
+| `DcvTxtRecordTemplate` | Optional | Format string for the DNS TXT record hostname published during DCV. `{0}` is replaced with the domain being validated. Default: `_emsign-validation.{0}`. | N/A | `_emsign-validation.{0}` |
+| `DcvPropagationDelaySeconds` | Optional | Seconds to wait after publishing the DNS TXT record before asking CERTInext to verify it. Increase for zones with slow propagation. Default: `30`. | N/A | `30` |
+| `DcvTimeoutMinutes` | Optional | Maximum minutes to wait for the entire DCV flow (DNS publish + propagation + verify) before cancelling the enrollment. Can also be set via the `CERTINEXT_DCV_TIMEOUT_MINUTES` environment variable; the environment variable takes precedence when both are set. Default: `10`. | N/A | `10` |
 
 > Note: `AccountNumber` and group-level identifiers are distinct values. The `AccountNumber` is your top-level user account identifier. CERTInext groups (cost centers or departments) each have their own `groupNumber`, which is passed per-order and is separate from any organization number displayed on the Organizations page.
 

docsource/configuration.md

@@ -113,6 +113,10 @@ The following fields are presented in the Keyfactor Command Management Portal wh
 | `IgnoreExpired` | Optional | If `true`, expired certificates are skipped during synchronization and are not imported into Keyfactor Command. Default: `false`. | N/A | `false` |
 | `PageSize` | Optional | Number of orders to retrieve per page during synchronization. Default: `100`. Maximum: `500`. Reduce this value if synchronization requests time out. | N/A | `100` |
 | `Enabled` | Optional | Enables or disables the CA connector. Setting this to `false` allows the connector record to be created before all credentials are available, without triggering a live connectivity test. Default: `true`. | N/A | `true` |
+| `DcvEnabled` | Optional | When `true`, the gateway performs DNS-based Domain Control Validation (DCV) during enrollment for orders that require it. Requires a DNS provider plugin (e.g. `azure-azuredns-dnsplugin`) to be deployed on the gateway. Default: `false`. | N/A | `false` |
+| `DcvTxtRecordTemplate` | Optional | Format string for the DNS TXT record hostname published during DCV. `{0}` is replaced with the domain being validated. Default: `_emsign-validation.{0}`. | N/A | `_emsign-validation.{0}` |
+| `DcvPropagationDelaySeconds` | Optional | Seconds to wait after publishing the DNS TXT record before asking CERTInext to verify it. Increase for zones with slow propagation. Default: `30`. | N/A | `30` |
+| `DcvTimeoutMinutes` | Optional | Maximum minutes to wait for the entire DCV flow (DNS publish + propagation + verify) before cancelling the enrollment. Can also be set via the `CERTINEXT_DCV_TIMEOUT_MINUTES` environment variable; the environment variable takes precedence when both are set. Default: `10`. | N/A | `10` |
 
 > Note: `AccountNumber` and group-level identifiers are distinct values. The `AccountNumber` is your top-level user account identifier. CERTInext groups (cost centers or departments) each have their own `groupNumber`, which is passed per-order and is separate from any organization number displayed on the Organizations page.