Merge origin/main (Release 1.3.0) into dnsplugins

Brings in upstream fixes from main while preserving the dnsplugins
branch architecture (inline DNS providers removed in favor of external
plugins resolved via IDomainValidatorFactory).

Resolutions:
- Kept deletion of inline Cloudflare/Google/Factory providers (moved to
  plugin projects on this branch).
- Dropped provider-specific config fields/annotations re-added by main;
  those configs now belong to each DNS plugin.
- Added main's new Enabled disable-switch: cached AcmeClientConfig in
  Initialize, early-return in Initialize, and FAILED enrollment when
  the connector is disabled.
- Added main's DnsVerificationServer config (with annotation) for
  private DNS zones, and wired it into the DnsVerificationHelper
  constructor call in Enroll.
- Kept dnsplugins' AcmeCaPlugin.csproj state (newer IAnyCAPlugin
  prerelease, Google package removed, other provider packages pending
  cleanup).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bhillkeyfactor

.gitignore

@@ -329,8 +329,8 @@ ASALocalRun/
 # MFractors (Xamarin productivity tool) working folder 
 .mfractor/
 /.claude
-/MIGRATION-SUMMARY.md
-/PLUGIN-MIGRATION-GUIDE.md
-/ReflectFramework.csx
-/InspectFramework/InspectFramework.csproj
-/InspectFramework/Program.cs
+MIGRATION-SUMMARY.md
+PLUGIN-MIGRATION-GUIDE.md
+ReflectFramework.csx
+InspectFramework/InspectFramework.csproj
+InspectFramework/Program.cs

AcmeCaPlugin/AcmeCaPlugin.cs

@@ -63,6 +63,7 @@ public class AcmeCaPlugin : IAnyCAPlugin
         private static readonly ILogger _logger = LogHandler.GetClassLogger<AcmeCaPlugin>();
         private IAnyCAPluginConfigProvider Config { get; set; }
         private readonly IDomainValidatorFactory _validatorFactory;
+        private AcmeClientConfig _config;
 
         // Constants for better maintainability
         private const string DEFAULT_PRODUCT_ID = "default";
@@ -88,6 +89,16 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa
             _logger.MethodEntry();
             Config = configProvider ?? throw new ArgumentNullException(nameof(configProvider));
 
+            _config = GetConfig();
+            _logger.LogTrace("Enabled: {Enabled}", _config.Enabled);
+
+            if (!_config.Enabled)
+            {
+                _logger.LogWarning("The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation...");
+                _logger.MethodExit();
+                return;
+            }
+
             // Validate that factory is available - validators will be resolved per-domain during enrollment
             if (_validatorFactory == null)
             {
@@ -124,6 +135,12 @@ public DomainValidatorConfigProvider(Dictionary<string, object> config)
         public async Task Ping()
         {
             _logger.MethodEntry();
+            if (!_config.Enabled)
+            {
+                _logger.LogWarning("The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping connectivity test...");
+                _logger.MethodExit();
+                return;
+            }
 
             HttpClient httpClient = null;
             try
@@ -201,6 +218,13 @@ public Task ValidateCAConnectionInfo(Dictionary<string, object> connectionInfo)
             var rawData = JsonConvert.SerializeObject(connectionInfo);
             var config = JsonConvert.DeserializeObject<AcmeClientConfig>(rawData);
 
+            if (config != null && !config.Enabled)
+            {
+                _logger.LogWarning("The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation...");
+                _logger.MethodExit();
+                return Task.CompletedTask;
+            }
+
             // Validate required configuration fields
             var missingFields = new List<string>();
             if (string.IsNullOrWhiteSpace(config?.DirectoryUrl))
@@ -266,6 +290,16 @@ public async Task<EnrollmentResult> Enroll(
         {
             _logger.MethodEntry();
 
+            if (!_config.Enabled)
+            {
+                _logger.LogWarning("The CA is currently in the Disabled state. It must be Enabled to perform operations. Enrollment rejected.");
+                _logger.MethodExit();
+                return new EnrollmentResult
+                {
+                    Status = (int)EndEntityStatus.FAILED,
+                    StatusMessage = "CA connector is disabled. Enable it in the CA configuration to perform enrollments."
+                };
+            }
 
             if (string.IsNullOrWhiteSpace(csr))
                 throw new ArgumentException("CSR cannot be null or empty", nameof(csr));
@@ -500,7 +534,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
                 throw new InvalidOperationException("Missing or invalid authorization list in order payload.");
             }
 
-            var dnsVerifier = new DnsVerificationHelper(_logger);
+            var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);
             var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation, IDomainValidator validator)>();
 
             // First pass: Create all DNS records using per-domain IDomainValidator

AcmeCaPlugin/AcmeCaPlugin.csproj

@@ -4,7 +4,7 @@
         <ImplicitUsings>disable</ImplicitUsings>
         <Nullable>disable</Nullable>
         <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
-        <GenerateAssemblyInfo>false</GenerateAssemblyInfo>
+        <GenerateAssemblyInfo>true</GenerateAssemblyInfo>
         <RootNamespace>Keyfactor.Extensions.CAPlugin.Acme</RootNamespace>
         <AssemblyName>AcmeCaPlugin</AssemblyName>
     </PropertyGroup>

AcmeCaPlugin/AcmeCaPluginConfig.cs

@@ -1,4 +1,4 @@
-using Keyfactor.AnyGateway.Extensions;
+using Keyfactor.AnyGateway.Extensions;
 using System.Collections.Generic;
 
 namespace Keyfactor.Extensions.CAPlugin.Acme
@@ -9,6 +9,13 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
         {
             return new Dictionary<string, PropertyConfigInfo>()
             {
+                ["Enabled"] = new PropertyConfigInfo()
+                {
+                    Comments = "Enable or disable this CA connector. When disabled, all operations (ping, enroll, sync) are skipped.",
+                    Hidden = false,
+                    DefaultValue = "true",
+                    Type = "Bool"
+                },
                 ["DirectoryUrl"] = new PropertyConfigInfo()
                 {
                     Comments = "ACME directory URL (e.g. Let's Encrypt, ZeroSSL, etc.)",
@@ -60,6 +67,15 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     Hidden = false,
                     DefaultValue = "60",
                     Type = "Number"
+                },
+
+                // DNS Verification Settings
+                ["DnsVerificationServer"] = new PropertyConfigInfo()
+                {
+                    Comments = "DNS server to use for verifying TXT record propagation. For private/local DNS zones, set this to your authoritative DNS server IP (e.g., 10.3.10.37). Leave empty to use public DNS servers (Google, Cloudflare, etc.).",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
                 }
 
             };

AcmeCaPlugin/AcmeClientConfig.cs

@@ -2,6 +2,7 @@
 {
     public class AcmeClientConfig
     {
+        public bool Enabled { get; set; } = true;
         public string DirectoryUrl { get; set; } = "https://acme-v02.api.letsencrypt.org/directory";
         public string Email { get; set; } = string.Empty;
         public string EabKid { get; set; } = null;
@@ -14,5 +15,8 @@ public class AcmeClientConfig
         // DNS Propagation Delay (in seconds) - wait this long after creating DNS records before checking propagation
         public int DnsPropagationDelaySeconds { get; set; } = 60;
 
+        // DNS Verification Settings - DNS server IP for verification (for private zones)
+        public string DnsVerificationServer { get; set; } = null;
+
     }
 }

CHANGELOG.md

@@ -1,4 +1,8 @@
-# v1.2.0
+# v1.3.0
+* Containerization Changes for SaaS Environment
+* Fixed URL CaId Length issue
+ 
+ # v1.2.0
 * Added RFC 2136 Dynamic DNS Provider Support (BIND with TSIG authentication)
 * Added Infoblox DNS Provider Support
 * Added configurable DNS verification server for private/local DNS zones

README.md

@@ -674,6 +674,7 @@ spec:
 
         Populate using the configuration fields collected in the [requirements](#requirements) section.
 
+        * **Enabled** - Enable or disable this CA connector. When disabled, all operations (ping, enroll, sync) are skipped. 
         * **DirectoryUrl** - ACME directory URL (e.g. Let's Encrypt, ZeroSSL, etc.) 
         * **Email** - Email for ACME account registration. 
         * **EabKid** - External Account Binding Key ID (optional) 

integration-manifest.json

@@ -13,6 +13,10 @@
     "about": {
         "carest": {
             "ca_plugin_config": [
+                {
+                    "name": "Enabled",
+                    "description": "Enable or disable this CA connector. When disabled, all operations (ping, enroll, sync) are skipped."
+                },
                 {
                     "name": "DirectoryUrl",
                     "description": "ACME directory URL (e.g. Let's Encrypt, ZeroSSL, etc.)"