From 1a5ddfc300b05fb012ab49605be6074ffeaac82f Mon Sep 17 00:00:00 2001 From: Mark Kachkaev Date: Fri, 27 Feb 2026 14:37:34 -0500 Subject: [PATCH 1/8] Update to provide "Enabled" flag support for SAAS deployment. --- .../keyfactor-bootstrap-workflow.yml | 29 ++++++++++++++ README.md | 9 +++-- .../Client/GlobalSignApiClient.cs | 7 ++++ globalsign-mssl-caplugin/Constants.cs | 1 + .../GlobalSignCAConfig.cs | 2 +- .../GlobalSignCAPlugin.cs | 38 ++++++++++++++++++- integration-manifest.json | 4 ++ 7 files changed, 83 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/keyfactor-bootstrap-workflow.yml diff --git a/.github/workflows/keyfactor-bootstrap-workflow.yml b/.github/workflows/keyfactor-bootstrap-workflow.yml new file mode 100644 index 0000000..56756c6 --- /dev/null +++ b/.github/workflows/keyfactor-bootstrap-workflow.yml @@ -0,0 +1,29 @@ +name: Keyfactor Bootstrap Workflow + +on: + workflow_dispatch: + pull_request: + types: [opened, closed, synchronize, edited, reopened] + push: + create: + branches: + - 'release-*.*' + +jobs: + call-starter-workflow: + uses: keyfactor/actions/.github/workflows/starter.yml@v4 + permissions: + contents: write # Explicitly grant write permission + with: + command_token_url: ${{ vars.COMMAND_TOKEN_URL }} + command_hostname: ${{ vars.COMMAND_HOSTNAME }} + command_base_api_path: ${{ vars.COMMAND_API_PATH }} + secrets: + token: ${{ secrets.V2BUILDTOKEN}} + gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} + gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} + scan_token: ${{ secrets.SAST_TOKEN }} + entra_username: ${{ secrets.DOCTOOL_ENTRA_USERNAME }} + entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} + command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} + command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} \ No newline at end of file diff --git a/README.md b/README.md index 35a37ad..b2621da 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,9 @@
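Review bot: The `uses:` line in `call-starter-workflow` references the reusable workflow by a movable tag, `keyfactor/actions/.github/workflows/starter.yml@v4`, in the same job that grants `contents: write` and forwards the GPG private key and passphrase, the Entra credentials and the Command client secret. Whatever the tag points to at run time executes with those secrets, so pinning to a full commit SHA and keeping the tag as a comment makes the dependency reviewable: `uses: keyfactor/actions/.github/workflows/starter.yml@<full-commit-sha-placeholder> # v4`. The job also runs for every listed `pull_request` type. Whether secrets are withheld from fork pull requests depends on repository settings not visible here, so that is worth confirming before merge.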

Integration Status: production -Release -Issues -GitHub Downloads (all assets, all releases) +Release +Issues +GitHub Downloads (all assets, all releases)

@@ -60,7 +60,7 @@ This extension uses the contact information of the GCC Domain point of contact f 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). -2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. +2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin-dev/releases/latest) from GitHub. 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: 
@@ -103,6 +103,7 @@ This extension uses the contact information of the GCC Domain point of contact f * **RetryCount** - This is the number of times the AnyGateway will attempt to pickup an new certificate before reporting an error. Default is 5. * **SyncIntervalDays** - OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments. * **SyncStartDate** - If provided, full syncs will start at the specified date. + * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. 2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL Gateway plugin supports the following product IDs: diff --git a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs index 0c54492..9e03321 100644 --- a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs +++ b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs 
@@ -26,6 +26,13 @@ public GlobalSignApiClient(GlobalSignCAConfig config, ILogger logger) Logger = logger; Config = config; // Logger = LogHandler.GetClassLogger(this.GetType()); + var enabled =config.Enabled; + if (enabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } QueryService = new GASV1Client { Endpoint = { Address = new EndpointAddress(config.GetUrl(GlobalSignServiceType.QUERY)), Name = "QUERY" } diff --git a/globalsign-mssl-caplugin/Constants.cs b/globalsign-mssl-caplugin/Constants.cs index 108da49..d9c517a 100644 --- a/globalsign-mssl-caplugin/Constants.cs +++ b/globalsign-mssl-caplugin/Constants.cs @@ -21,6 +21,7 @@ internal class Constants public static string PICKUPDELAY = "DelayTime"; public static string SYNCSTARTDATE = "SyncStartDate"; public static string SYNCINTERNVALDAYS = "SyncIntervalDays"; + public static string Enabled = "Enabled"; } public static class EnrollmentConfigConstants diff --git a/globalsign-mssl-caplugin/GlobalSignCAConfig.cs b/globalsign-mssl-caplugin/GlobalSignCAConfig.cs index 0340b09..1147e54 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAConfig.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAConfig.cs @@ -32,7 +32,7 @@ public class GlobalSignCAConfig public string SyncStartDate { get; set; } = ""; public int SyncIntervalDays { get; set; } = 0; - + public bool Enabled { get; set; } = true; public string GetUrl(GlobalSignServiceType queryType) { diff --git a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs index e4cfde3..20278bc 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs 
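Review bot: The guard added to the `GlobalSignApiClient` constructor is inverted: `if (enabled)` logs the "Disabled" warning and returns when `config.Enabled` is true, so in this commit an enabled CA never reaches `QueryService = new GASV1Client`; it should read `if (!enabled)` (patch 4/8 of this series makes that change). Independently of the sign, returning early from the constructor hands the caller an object whose service fields are unset, and the first method that touches `QueryService` will presumably fail with a null reference rather than a clear "CA is disabled" error. Consider not constructing the client when the CA is disabled, or checking `Config.Enabled` at the top of each public method. The constructor body continues outside the hunk.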
@@ -23,16 +23,24 @@ public class GlobalSignCAPlugin : IAnyCAPlugin private ICertificateDataReader? _certificateDataReader; private ILogger Logger; - private GlobalSignCAConfig Config { get; set; } = new(); - + private GlobalSignCAConfig Config { get; set; } = new(); + private bool _enabled = false; public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDataReader certificateDataReader) { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); + _enabled = (bool)configProvider.CAConnectionData["Enabled"]; + if (!_enabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)configProvider.CAConnectionData["TestAPI"]), + Enabled = bool.Parse((string)configProvider.CAConnectionData["Enabled"]), Password = (string)configProvider.CAConnectionData["GlobalSignPassword"], Username = (string)configProvider.CAConnectionData["GlobalSignUsername"], PickupDelay = int.Parse((string)configProvider.CAConnectionData["DelayTime"]), @@ -426,6 +434,12 @@ public async Task Enroll(string csr, string subject, Dictionar public async Task Ping() { Logger.MethodEntry(); + if (!_enabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); + Logger.MethodExit(); + return; + } try { Logger.LogInformation("Ping reqeuest recieved"); 
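Review bot: In `Initialize` the same `CAConnectionData["Enabled"]` value is unboxed in two incompatible ways: `(bool)configProvider.CAConnectionData["Enabled"]` for `_enabled`, and `bool.Parse((string)configProvider.CAConnectionData["Enabled"])` inside the `GlobalSignCAConfig` initializer. Whatever the runtime type of the stored value, one of the two casts throws `InvalidCastException`, so an enabled CA cannot get past this method in this commit. Read the value once and reuse it, i.e. `Enabled = _enabled,` in the initializer. The `Ping` hunk on the same line reuses the text "Skipping config validation and MSSL Client creation", which does not describe what `Ping` skips; a message specific to `Ping` would make the log easier to read.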
@@ -443,6 +457,19 @@ public async Task ValidateCAConnectionInfo(Dictionary connection { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); + try + { + if (!(bool)connectionInfo["Enabled"]) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + Logger.MethodExit(LogLevel.Trace); + return; + } + } + catch (Exception ex) + { + Logger.LogError($"Exception: {LogHandler.FlattenException(ex)}"); + } Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)connectionInfo["TestAPI"]), @@ -592,6 +619,13 @@ public Dictionary GetCAConnectorAnnotations() Hidden = false, DefaultValue = "2000-01-01", Type = "Integer" + }, + [Constants.Enabled] = new() + { + Comments = "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available.", + Hidden = false, + DefaultValue = true, + Type = "Boolean" } }; } diff --git a/integration-manifest.json b/integration-manifest.json index 49a628a..793eecf 100644 --- a/integration-manifest.json +++ b/integration-manifest.json @@ -60,6 +60,10 @@ { "name": "SyncStartDate", "description": "If provided, full syncs will start at the specified date." + }, + { + "name": "Enabled", + "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available." } ], "enrollment_config": [ From f9d677046a05d4c4be874f507d665bc164e76593 Mon Sep 17 00:00:00 2001 From: Keyfactor Date: Fri, 27 Feb 2026 19:39:06 +0000 Subject: [PATCH 2/8] Update generated docs --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b2621da..705c6a9 100644 --- a/README.md +++ b/README.md @@ -5,9 +5,9 @@

Integration Status: production -Release -Issues -GitHub Downloads (all assets, all releases) +Release +Issues +GitHub Downloads (all assets, all releases)

@@ -60,7 +60,7 @@ This extension uses the contact information of the GCC Domain point of contact f 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). -2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin-dev/releases/latest) from GitHub. +2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: From ba0e2fd7972cd45ce09f7e2c87538a7bf4fb1356 Mon Sep 17 00:00:00 2001 From: Mark Kachkaev Date: Fri, 27 Feb 2026 14:41:29 -0500 Subject: [PATCH 3/8] Fixing build. --- .../keyfactor-bootstrap-workflow-v3.yml | 20 ------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/keyfactor-bootstrap-workflow-v3.yml diff --git a/.github/workflows/keyfactor-bootstrap-workflow-v3.yml b/.github/workflows/keyfactor-bootstrap-workflow-v3.yml deleted file mode 100644 index 64919a4..0000000 --- a/.github/workflows/keyfactor-bootstrap-workflow-v3.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Keyfactor Bootstrap Workflow - -on: - workflow_dispatch: - pull_request: - types: [opened, closed, synchronize, edited, reopened] - push: - create: - branches: - - 'release-*.*' - -jobs: - call-starter-workflow: - uses: keyfactor/actions/.github/workflows/starter.yml@v3 - secrets: - token: ${{ secrets.V2BUILDTOKEN}} - APPROVE_README_PUSH: ${{ secrets.APPROVE_README_PUSH}} - gpg_key: ${{ secrets.KF_GPG_PRIVATE_KEY }} - gpg_pass: ${{ secrets.KF_GPG_PASSPHRASE }} - scan_token: ${{ secrets.SAST_TOKEN }} From 0ca63d84eb8405d0fa42479e0f500c89677f930e Mon Sep 17 00:00:00 2001 
From: Mark Kachkaev Date: Wed, 11 Mar 2026 13:29:03 -0400 Subject: [PATCH 4/8] Fixes for enabled. --- .../Client/GlobalSignApiClient.cs | 2 +- .../GlobalSignCAPlugin.cs | 34 +++++++++++++------ 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs index 9e03321..f95140b 100644 --- a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs +++ b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs @@ -27,7 +27,7 @@ public GlobalSignApiClient(GlobalSignCAConfig config, ILogger logger) Config = config; // Logger = LogHandler.GetClassLogger(this.GetType()); var enabled =config.Enabled; - if (enabled) + if (!enabled) { Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); Logger.MethodExit(); diff --git a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs index 20278bc..6439c71 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs 
@@ -457,19 +457,18 @@ public async Task ValidateCAConnectionInfo(Dictionary connection { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); - try - { - if (!(bool)connectionInfo["Enabled"]) - { - Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); - Logger.MethodExit(LogLevel.Trace); - return; - } - } - catch (Exception ex) + + // Handle Enabled flag - could be bool or string + var enabledValue = connectionInfo["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + + if (!isEnabled) { - Logger.LogError($"Exception: {LogHandler.FlattenException(ex)}"); + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + Logger.MethodExit(LogLevel.Trace); + return; } + Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)connectionInfo["TestAPI"]), @@ -482,6 +481,7 @@ public async Task ValidateCAConnectionInfo(Dictionary connection ORDER_TEST_URL = (string)connectionInfo["OrderAPITestURL"], QUERY_TEST_URL = (string)connectionInfo["QueryAPITestURL"], QUERY_PROD_URL = (string)connectionInfo["QueryAPIProdURL"], + Enabled = isEnabled, SyncStartDate = connectionInfo.TryGetValue("SyncStartDate", out object? value) ? (string)value : string.Empty, SyncIntervalDays = connectionInfo.TryGetValue("SyncIntervalDays", out var val) 
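Review bot: `connectionInfo["Enabled"]` in `ValidateCAConnectionInfo` uses the indexer, so a connection record without an "Enabled" key fails validation with `KeyNotFoundException` instead of falling back to the default of true that `GlobalSignCAConfig.Enabled` and the annotation declare. This applies to any CA saved before the flag existed, unless the gateway backfills the key. The initializer in this same hunk already uses `connectionInfo.TryGetValue(...)` for the optional `SyncStartDate`, and the same shape fits here: `bool isEnabled = !connectionInfo.TryGetValue("Enabled", out var raw) || raw is null || (raw as bool? ?? bool.Parse(raw.ToString()!));`. The two parsing lines are repeated verbatim in the `ValidateProductInfo` hunk (`@@ -497,6 +497,17 @@`) and in `Initialize` in patch 6/8, so one private helper would keep the three call sites consistent. With the try/catch removed, a value that is neither `bool` nor `string` now surfaces as an `InvalidCastException` to the caller, which the `ToString()` form above also avoids.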
@@ -497,6 +497,17 @@ public async Task ValidateCAConnectionInfo(Dictionary connection public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary connectionInfo) { + // Handle Enabled flag - could be bool or string + var enabledValue = connectionInfo["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + + if (!isEnabled) + { + Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping validation..."); + Logger.MethodExit(LogLevel.Trace); + return Task.CompletedTask; + } + Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)connectionInfo["TestAPI"]), @@ -509,6 +520,7 @@ public Task ValidateProductInfo(EnrollmentProductInfo productInfo, Dictionary Date: Wed, 11 Mar 2026 17:31:06 +0000 Subject: [PATCH 5/8] Update generated docs --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 705c6a9..3c4305d 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@
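Review bot: The early-return branch added to `ValidateProductInfo` calls `Logger.LogWarning` and `Logger.MethodExit(LogLevel.Trace)`, but nothing in this hunk assigns `Logger` first, unlike `ValidateCAConnectionInfo`, which opens with `Logger = LogHandler.GetClassLogger(GetType());` and `Logger.MethodEntry();`. If the gateway can call validation on an instance that has not been through `Initialize` (the reassignment in `ValidateCAConnectionInfo` suggests it can), the disabled path would throw a null reference instead of returning `Task.CompletedTask`. Adding the same two lines at the top of the method fixes that and pairs the `MethodExit` with a `MethodEntry`. The rest of the method body lies outside the hunk.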

- GlobalSign MSSL Gateway AnyCA Gateway REST Plugin + GlobalSign MSSL AnyCA Gateway REST Plugin

@@ -38,10 +38,10 @@ The GlobalSign CAPlugin enables the Synchronization, Enrollment, and Revocation ## Compatibility -The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.2.0 and later. +The GlobalSign MSSL AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.2.0 and later. ## Support -The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. +The GlobalSign MSSL AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative. If you have a support issue, please open a support ticket via the Keyfactor Support Portal at https://support.keyfactor.com. > To report a problem or suggest a new feature, use the **[Issues](../../issues)** tab. If you want to contribute actual bug fixes or proposed enhancements, use the **[Pull requests](../../pulls)** tab. 
@@ -60,7 +60,7 @@ This extension uses the contact information of the GCC Domain point of contact f 1. Install the AnyCA Gateway REST per the [official Keyfactor documentation](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/InstallIntroduction.htm). -2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL Gateway AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. +2. On the server hosting the AnyCA Gateway REST, download and unzip the latest [GlobalSign MSSL AnyCA Gateway REST plugin](https://github.com/Keyfactor/globalsign-mssl-caplugin/releases/latest) from GitHub. 3. Copy the unzipped directory (usually called `net6.0` or `net8.0`) to the Extensions directory: @@ -71,11 +71,11 @@ This extension uses the contact information of the GCC Domain point of contact f Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions ``` - > The directory containing the GlobalSign MSSL Gateway AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. + > The directory containing the GlobalSign MSSL AnyCA Gateway REST plugin DLLs (`net6.0` or `net8.0`) can be named anything, as long as it is unique within the `Extensions` directory. 4. Restart the AnyCA Gateway REST service. -5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GlobalSign MSSL Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. +5. Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GlobalSign MSSL plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal. ## Configuration 
@@ -105,7 +105,7 @@ This extension uses the contact information of the GCC Domain point of contact f * **SyncStartDate** - If provided, full syncs will start at the specified date. * **Enabled** - Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available. -2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL Gateway plugin supports the following product IDs: +2. Define [Certificate Profiles](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCP-Gateway.htm) and [Certificate Templates](https://software.keyfactor.com/Guides/AnyCAGatewayREST/Content/AnyCAGatewayREST/AddCA-Gateway.htm) for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL plugin supports the following product IDs: * **PEV_SHA2** * **PEV** From c58cc5ef5250c6655e00af781d7f633d0888360a Mon Sep 17 00:00:00 2001 From: Mark Kachkaev Date: Wed, 11 Mar 2026 13:33:28 -0400 Subject: [PATCH 6/8] More fixes. --- globalsign-mssl-caplugin/GlobalSignCAPlugin.cs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs index 6439c71..b7310cb 100644 --- a/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs +++ b/globalsign-mssl-caplugin/GlobalSignCAPlugin.cs 
@@ -30,8 +30,9 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa { Logger = LogHandler.GetClassLogger(GetType()); Logger.MethodEntry(); - _enabled = (bool)configProvider.CAConnectionData["Enabled"]; - if (!_enabled) + var enabledValue = configProvider.CAConnectionData["Enabled"]; + bool isEnabled = enabledValue is bool ? (bool)enabledValue : bool.Parse((string)enabledValue); + if (!isEnabled) { Logger.LogWarning($"The CA is currently in the Disabled state. It must be Enabled to perform operations. Skipping config validation and MSSL Client creation..."); Logger.MethodExit(); @@ -40,7 +41,7 @@ public void Initialize(IAnyCAPluginConfigProvider configProvider, ICertificateDa Config = new GlobalSignCAConfig { IsTest = bool.Parse((string)configProvider.CAConnectionData["TestAPI"]), - Enabled = bool.Parse((string)configProvider.CAConnectionData["Enabled"]), + Enabled = isEnabled, Password = (string)configProvider.CAConnectionData["GlobalSignPassword"], Username = (string)configProvider.CAConnectionData["GlobalSignUsername"], PickupDelay = int.Parse((string)configProvider.CAConnectionData["DelayTime"]), From 2cf44071f017a82a203aa435f97c69ba8eade285 Mon Sep 17 00:00:00 2001 From: David Galey Date: Mon, 27 Apr 2026 13:02:51 -0400 Subject: [PATCH 7/8] remove retry logic for reissue pickup --- .../Client/GlobalSignApiClient.cs | 100 ++++++++++-------- 1 file changed, 54 insertions(+), 46 deletions(-) diff --git a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs index ef4c468..8e3e6ad 100644 --- a/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs +++ b/globalsign-mssl-caplugin/Client/GlobalSignApiClient.cs 
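Review bot: Replacing `_enabled = (bool)...` with the local `isEnabled` in `Initialize` removes the only assignment to the `_enabled` field visible in this series, while `Ping` (added in patch 1/8) still tests `if (!_enabled)`. Unless the field is set somewhere outside these hunks, it keeps its initial value `false`, so `Ping` always logs the "Disabled" warning and returns before the rest of its body, even for an enabled CA. A health check that can never fail would hide an unreachable endpoint or bad credentials. Keep the field in step with the parsed value by adding `_enabled = isEnabled;` directly after the `bool isEnabled = ...` line.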
@@ -157,64 +157,63 @@ public async Task PickupCertificateById(string caRequest } }; - var retryCounter = 0; - while (retryCounter <= Config.PickupRetries) + var wrapper = new GetOrderByOrderID(request); + var responseWrapper = await QueryService.GetOrderByOrderIDAsync(wrapper); + var response = responseWrapper.Response; + + if (response.OrderResponseHeader.SuccessCode == 0) { - var wrapper = new GetOrderByOrderID(request); - var responseWrapper = await QueryService.GetOrderByOrderIDAsync(wrapper); - var response = responseWrapper.Response; + Logger.LogDebug($"Order with order ID {caRequestId} successfully picked up"); + var orderStatus = (GlobalSignOrderStatus)Enum.Parse( + typeof(GlobalSignOrderStatus), + response.OrderDetail.CertificateInfo.CertificateStatus); - if (response.OrderResponseHeader.SuccessCode == 0) + if (orderStatus == GlobalSignOrderStatus.Issued) { - Logger.LogDebug($"Order with order ID {caRequestId} successfully picked up"); - var orderStatus = (GlobalSignOrderStatus)Enum.Parse( - typeof(GlobalSignOrderStatus), - response.OrderDetail.CertificateInfo.CertificateStatus); - - if (orderStatus == GlobalSignOrderStatus.Issued) + var orderDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderDate, + out var od) + ? od + : (DateTime?)null; + var completeDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderCompleteDate, + out var cd) + ? cd + : (DateTime?)null; + var deactivateDate = DateTime.TryParse( + response.OrderDetail.OrderInfo.OrderDeactivatedDate, + out var de) + ? de + : (DateTime?)null; + + Logger.MethodExit(); + return new AnyCAPluginCertificate { - var orderDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderDate, - out var od) - ? od - : (DateTime?)null; - var completeDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderCompleteDate, - out var cd) - ? cd - : (DateTime?)null; - var deactivateDate = DateTime.TryParse( - response.OrderDetail.OrderInfo.OrderDeactivatedDate, - out var de) - ? 
de - : (DateTime?)null; - - Logger.MethodExit(); - return new AnyCAPluginCertificate - { - CARequestID = caRequestId, - ProductID = response.OrderDetail.OrderInfo.ProductCode, - Status = OrderStatus.ConvertToKeyfactorStatus(orderStatus), - CSR = response.OrderDetail.Fulfillment.OriginalCSR, - Certificate = response.OrderDetail.Fulfillment.ServerCertificate.X509Cert, - RevocationReason = 0, - RevocationDate = orderStatus == GlobalSignOrderStatus.Revoked ? deactivateDate : null - }; - } + CARequestID = caRequestId, + ProductID = response.OrderDetail.OrderInfo.ProductCode, + Status = OrderStatus.ConvertToKeyfactorStatus(orderStatus), + CSR = response.OrderDetail.Fulfillment.OriginalCSR, + Certificate = response.OrderDetail.Fulfillment.ServerCertificate.X509Cert, + RevocationReason = 0, + RevocationDate = orderStatus == GlobalSignOrderStatus.Revoked ? deactivateDate : null + }; } - - retryCounter++; - Logger.LogDebug( - $"Pickup certificate failed for order ID {caRequestId}. Attempt {retryCounter} of {Config.PickupRetries}.{(retryCounter < Config.PickupRetries ? " Retrying..." : string.Empty)}"); - await Task.Delay(TimeSpan.FromSeconds(Config.PickupDelay)); } + Logger.LogInformation( + $"Certificate for order ID {caRequestId} was not immediately available. Once issued, it should be picked up by the next gateway sync."); + + var gsError = GlobalSignErrorIndex.GetGlobalSignError(-9916); var errorMsg = "Unable to pickup certificate during configured pickup window. Check for required approvals in GlobalSign portal. This can also be caused by a delay with GlobalSign, in which case the certificate will get picked up by a future sync"; Logger.LogError(errorMsg); Logger.LogError(gsError.DetailedMessage); - throw new Exception(errorMsg); + return new AnyCAPluginCertificate() + { + CARequestID = caRequestId, + Status = (int)EndEntityStatus.INPROCESS + }; } public async Task> GetDomains() 
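Review bot: After this change `PickupCertificateById` returns `Status = (int)EndEntityStatus.INPROCESS` for every outcome other than an issued certificate, including a response whose `OrderResponseHeader.SuccessCode` is non-zero. If a non-zero code means the query itself was rejected (bad credentials, unknown order ID), the caller now sees a pending request that no later sync can complete, where the old code at least threw. Keep the failure distinct from "not issued yet", for example `if (response.OrderResponseHeader.SuccessCode != 0) throw new Exception($"GlobalSign query failed for order ID {caRequestId}");` before the status parsing, and return INPROCESS only for a successful response that is not yet `Issued`. The fall-through also still logs at error level "Unable to pickup certificate during configured pickup window", which no longer matches a single non-retrying query and follows an information-level line that says the opposite. The method's signature and the request construction are outside the hunk.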
@@ -418,6 +417,15 @@ public async Task Reissue(GlobalSignReissueRequest reissueRequ // Pick up the certificate after reissue var pickupResponse = await PickupCertificateById(response.OrderID); + + if (pickupResponse.Status == (int)EndEntityStatus.INPROCESS) + { + return new EnrollmentResult + { + CARequestID = response.OrderID, + Status = (int)EndEntityStatus.INPROCESS + }; + } var cert = CertificateConverterFactory.FromPEM(pickupResponse.Certificate).ToX509Certificate2(); // If newly generated or serial differs, return success From 4329343215e2f4ea9b2e1239918df63e3374f4e1 Mon Sep 17 00:00:00 2001 From: David Galey Date: Mon, 27 Apr 2026 13:03:40 -0400 Subject: [PATCH 8/8] changelog --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index faffcc3..95948b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,2 +1,5 @@ v1.0 --Initial Release. \ No newline at end of file +-Initial Release. + +1.1 +Remove retry logic around reissue pickups \ No newline at end of file