feat(dcv): DNS domain control validation via IDomainValidatorFactory #5
Merged
…ed check, renewal window, retry logic, IDisposable, GroupNumber config, nested product response model
…ested product response format
… add lifecycle test, make empty-account resilient
…Acceptance and DCV findings
… generate-order-149-fresh, probe-endpoints, get-field-details targets
…findings from sandbox exploration
…ctory Adds 21 make targets covering every CERTInext V2 operation (ssl-certificates, private-pki-certificates, catalog, groups, orgs, domains, reports). Each target delegates to a corresponding script under scripts/v2/ which sources the new scripts/lib/certinext-v2-auth.sh for CERTInext-native SHA256 token exchange. Adds analysis/ to .gitignore so scratch docs and support emails are never committed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add Constants.Dcv subclass with dcvMethod codes (1=DNS TXT, 2=HTTP, 3=Email), dcvStatus values (0=Pending, 1=Validated, 2=Rejected), and the default TXT record hostname template. Add DcvEnabled, DcvTxtRecordTemplate, and DcvPropagationDelaySeconds to Constants.Config.
Add GetDcvRequest, DcvRequestDetails, and VerifyDcvRequest for the GetDcv/VerifyDcv endpoints. Add GetDcvResponse, DcvResponseDetails, VerifyDcvResponse, TrackOrderDomainVerification (with JsonExtensionData for heterogeneous per-domain entries), and DomainVerificationDetail. Wire DomainVerification onto TrackOrderResponseDetails.
GetDcvAsync posts to GetDcv and returns the token (and file/email fields) for a domain on an existing order. VerifyDcvAsync posts to VerifyDcv to ask CERTInext to check the published DNS TXT record. Both methods follow the existing pattern: BuildMetaAsync, retry, auth-failure detection, DeserializeOrThrow, meta.status check, structured logging with OrderNumber and Domain context.
…aySeconds
Add three DCV-related fields to CERTInextConfig with documented defaults (false, _emsign-validation.{0}, 30 s) and corresponding UI annotations in GetCAConnectorAnnotations. Guards the DNS DCV path so operators must explicitly opt in before any DNS plugin interaction occurs.
Bump IAnyCAPlugin to 3.3.0-PRERELEASE-78770-979f582005 to gain access to IDomainValidatorFactory, IDomainValidator, and IDomainValidatorConfigProvider. Add a primary constructor accepting IDomainValidatorFactory (gateway injects this at startup) alongside the existing parameterless fallback. Add DomainValidatorConfigProvider inner class. Add PerformDcvIfNeededAsync: reads pending-DCV domains from TrackOrder, skips if the order is already issued, validates domain FQDNs, calls GetDcvAsync per domain, resolves the DNS plugin via ResolveDomainValidator(domain, 'dns-01'), stages the TXT record, waits for propagation, triggers VerifyDcv, then cleans up in a finally block. EnrollNewAsync calls this when DcvEnabled=true and the factory is present, then re-fetches the post-DCV certificate status before returning.
Add GetDcvSuccessJson, GetDcvFailureJson, VerifyDcvSuccessJson, and VerifyDcvFailureJson helpers to MockCertificateData. Add seven tests covering: successful token retrieval, meta-failure response, 401 authentication failure, successful verification, meta-failure on verify, 401 on verify, and 500 on verify.
…gets Add scripts/get-dcv.sh and scripts/verify-dcv.sh mirroring the track-order.sh pattern. Both scripts source ~/.env_certinext and certinext-auth.sh, accept ORDER_NUMBER, DOMAIN_NAME, and optional DCV_METHOD (default 1=DNS TXT), and use jq --arg for safe JSON construction to prevent injection via user-supplied values. Add get-dcv and verify-dcv Makefile targets with DCV_METHOD variable and register both in .PHONY.
Keep DCV config keys, DCV Makefile targets, and V2 API targets from fix/p1-p3-improvements; take PRIVATE_PKI_CSR filename from feat branch. Keep DCV tests from HEAD; auto-merged README and integration-manifest changes from feat/v1.0-release-notes.
Summary
- IDomainValidatorFactory constructor injection, enabling the gateway's installed DNS provider plugins (e.g. azure-azuredns-dnsplugin, aws-route53-dnsplugin) to handle TXT record publishing during enrollment
- GetDcv / VerifyDcv API client methods and corresponding request/response DTOs
- DcvEnabled, DcvTxtRecordTemplate, and DcvPropagationDelaySeconds connector config fields (opt-in; default off)
- Keyfactor.AnyGateway.IAnyCAPlugin to 3.3.0-PRERELEASE-78770-979f582005 (required for IDomainValidatorFactory)

Changes

- 4181e4b feat(constants) — Constants.Dcv (method codes, status codes, default TXT template) and Config DCV key names
- 94bc2d7 feat(api) — GetDcvRequest, VerifyDcvRequest, GetDcvResponse, VerifyDcvResponse, TrackOrderDomainVerification DTOs
- ea1fdd2 feat(client) — GetDcvAsync and VerifyDcvAsync in ICERTInextClient / CERTInextClient
- b2ea1c3 feat(config) — DcvEnabled, DcvTxtRecordTemplate, DcvPropagationDelaySeconds in CERTInextConfig and CA connector annotations
- ef4c728 feat(enroll) — IDomainValidatorFactory constructor injection; PerformDcvIfNeededAsync; EnrollNewAsync DCV path
- ef692b2 test(client) — 7 WireMock unit tests for GetDcvAsync / VerifyDcvAsync
- 1251258 chore(scripts) — scripts/get-dcv.sh, scripts/verify-dcv.sh, make get-dcv / make verify-dcv targets

DCV flow
Key invariant: DCV is skipped entirely when the order is already in a terminal (issued/revoked) state. A completed order never triggers DNS validation.
Test plan
- dotnet build — 0 errors, 0 warnings on both CERTInext and CERTInext.Tests
- dotnet test — 111/111 passing (7 new DCV tests)

🤖 Generated with Claude Code
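As an added example, not code from this PR or the CERTInext plugin: a self-contained C# model of the PerformDcvIfNeededAsync sequence the commits describe (terminal-state skip, FQDN validation before any DNS plugin call, one GetDcv token per domain, TXT staging through the resolved DNS validator, propagation wait, VerifyDcv, and cleanup in a finally block). IDcvClient, ITxtPublisher, FakeDns, FakeClient, the Fqdn regex and the "ORDER-1" order number are assumptions standing in for ICERTInextClient, the gateway's IDomainValidator and real order data; the actual plugin APIs are not shown on the page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

public static class DcvConstants
{
    public const int MethodDnsTxt = 1;        // dcvMethod codes from Constants.Dcv (1=DNS TXT)
    public const int StatusValidated = 1;     // dcvStatus values (0=Pending, 1=Validated, 2=Rejected)
    public const int StatusRejected = 2;
    public const string DefaultTxtTemplate = "_emsign-validation.{0}";
}

// Assumed stand-in for the GetDcv/VerifyDcv client methods (not ICERTInextClient).
public interface IDcvClient
{
    Task<string> GetDcvTokenAsync(string orderNumber, string domain, int method);
    Task<int> VerifyDcvAsync(string orderNumber, string domain, int method);
}

// Assumed stand-in for the DNS plugin returned by ResolveDomainValidator(domain, "dns-01").
public interface ITxtPublisher
{
    Task StageAsync(string recordName, string value);
    Task RemoveAsync(string recordName, string value);
}

public sealed class DcvOrchestrator
{
    // Plain-FQDN check: nothing that is not a hostname reaches a plugin with zone write access.
    private static readonly Regex Fqdn = new(
        @"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
        RegexOptions.IgnoreCase);
    private static readonly HashSet<string> TerminalStates =
        new(StringComparer.OrdinalIgnoreCase) { "issued", "revoked" };

    private readonly IDcvClient _client;
    private readonly Func<string, ITxtPublisher> _resolveValidator;
    private readonly string _txtTemplate;          // DcvTxtRecordTemplate
    private readonly TimeSpan _propagationDelay;   // DcvPropagationDelaySeconds

    public DcvOrchestrator(IDcvClient client, Func<string, ITxtPublisher> resolveValidator,
                           string txtTemplate, TimeSpan propagationDelay)
    { _client = client; _resolveValidator = resolveValidator; _txtTemplate = txtTemplate; _propagationDelay = propagationDelay; }

    public async Task<IReadOnlyDictionary<string, int>> PerformDcvIfNeededAsync(
        string orderNumber, string orderStatus, IEnumerable<string> pendingDomains)
    {
        var results = new Dictionary<string, int>();
        // Key invariant: an order already in a terminal state never triggers DNS validation.
        if (TerminalStates.Contains(orderStatus)) return results;

        foreach (var domain in pendingDomains)
        {
            if (!Fqdn.IsMatch(domain)) throw new ArgumentException($"'{domain}' is not a valid FQDN");

            var token = await _client.GetDcvTokenAsync(orderNumber, domain, DcvConstants.MethodDnsTxt);
            var recordName = string.Format(_txtTemplate, domain);
            var publisher = _resolveValidator(domain);

            await publisher.StageAsync(recordName, token);
            try
            {
                await Task.Delay(_propagationDelay);
                results[domain] = await _client.VerifyDcvAsync(orderNumber, domain, DcvConstants.MethodDnsTxt);
            }
            finally
            {
                await publisher.RemoveAsync(recordName, token); // record is removed even if verify throws
            }
        }
        return results;
    }
}

// In-memory fakes so the example runs offline (constructed, not real endpoints).
public sealed class FakeDns : ITxtPublisher
{
    public readonly Dictionary<string, string> Records = new();
    public Task StageAsync(string n, string v) { Records[n] = v; return Task.CompletedTask; }
    public Task RemoveAsync(string n, string v) { Records.Remove(n); return Task.CompletedTask; }
}

public sealed class FakeClient : IDcvClient
{
    private readonly FakeDns _dns;
    public FakeClient(FakeDns dns) => _dns = dns;
    public Task<string> GetDcvTokenAsync(string order, string domain, int m) => Task.FromResult($"tok-{order}-{domain}");
    // Verification succeeds only when the expected TXT record is visible, as the CA's check would.
    public Task<int> VerifyDcvAsync(string order, string domain, int m)
    {
        var ok = _dns.Records.TryGetValue(string.Format(DcvConstants.DefaultTxtTemplate, domain), out var v)
                 && v == $"tok-{order}-{domain}";
        return Task.FromResult(ok ? DcvConstants.StatusValidated : DcvConstants.StatusRejected);
    }
}

public static class Program
{
    public static async Task Main()
    {
        var dns = new FakeDns();
        var dcv = new DcvOrchestrator(new FakeClient(dns), _ => dns, DcvConstants.DefaultTxtTemplate, TimeSpan.Zero);

        var r = await dcv.PerformDcvIfNeededAsync("ORDER-1", "pending", new[] { "www.example.com" });
        Console.WriteLine($"www.example.com -> status {r["www.example.com"]}, TXT records left: {dns.Records.Count}");

        var skipped = await dcv.PerformDcvIfNeededAsync("ORDER-2", "issued", new[] { "www.example.com" });
        Console.WriteLine($"issued order validated {skipped.Count} domains");
    }
}
```

The fake verifier checks the TXT record while it is still staged, which is why verification must happen inside the try block and removal in finally; an order in a terminal state returns an empty result without any plugin call, and a malformed domain fails before a token is requested.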