Keyfactor China EJBCA - Certificate management error - Falied to validate all challenges.
Thursday
I'm working on the Keyfactor EJBCA certificate management integration and am currently facing this error:
Falied to validate all challenges. Please submit a new request.
I've implemented a routing policy with a custom BlueCat DNS action, copied from the out-of-the-box GoDaddy action:
ACME DNS Challenge - Bluecat
I've confirmed that this action works and that a DNS TXT record is being inserted in BlueCat.
Here are the implementation steps
Routing Policy with the Keyfactor ACME EJBCA CA
The error is generated in the Subflow
ACME-Certificate Management ==>> ACME - Populate and Attachments action in the script step
Step 2 - Validate Challenge and Download Certificate Chain [Script]
I've verified that the MID Server has the CA certificate imported into its trust store, and I increased the DNS propagation wait time to 5 minutes (and at one point 7 minutes; the default value was 2 minutes).
I've validated with the bluecat team that the DNS TXT record has been inserted
Here is the part of the code where the error is generated in the script step
try {
outputs.error = inputs.error;
if (JSUtil.notNil(outputs.error))
return;
var challenges = JSON.parse(inputs.challenges);
var csr = inputs.csr;
var finalizeUrl = inputs.finalize_url;
var orderUrl = inputs.order_url;
var url = inputs.url;
var credentialAlias = inputs.credential_alias;
var acmeutil = new ACMECertificateUtil();
acmeutil.getCredentialObject(credentialAlias)
acmeutil.getACMEDirectory(url);
var allDomainsValidated = true;
challenges.forEach(function(challenge) {
allDomainsValidated = allDomainsValidated && acmeutil.validateChallenge(challenge["challengeUrl"]);
});
var certDownloadUrl;
if (allDomainsValidated) {
var encodedCsr = acmeutil.base64UrlEncode(acmeutil.convertCSRStringToPKCS10(csr).getEncoded());
acmeutil.finalizeOrder(encodedCsr, finalizeUrl);
certDownloadUrl = acmeutil.checkOrderforCompletion(orderUrl);
}
else {
outputs.error = "Falied to validate all challenges. Please submit a new request.";
return;
}
Here is the full script in the script step
Validate Challenge and Download Certificate Chain [Script] in ACME Populate and Attachments
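/**
 * Flow action script step (MID side): validate every ACME challenge of the
 * order, finalize the order with the CSR, download the certificate chain and
 * turn it into the order payload list consumed by the rest of the flow.
 *
 * inputs read:  error, challenges (JSON text, expected to be an array of
 *               objects carrying "challengeUrl"), csr, finalize_url, order_url,
 *               url, credential_alias, task_id, task_table, ca_sys_id,
 *               certificate_owner_group, certificate_owner, renewal_tracking,
 *               environment
 * outputs set:  error (non-empty on any failure), order_payload_list (JSON
 *               text with an "orderList" array, only on success)
 *
 * Every exception is converted into outputs.error instead of propagating, so
 * callers must check outputs.error before using order_payload_list.
 */
(function execute(inputs, outputs) {
    try {
        // An error produced by an earlier step is passed through unchanged.
        outputs.error = inputs.error;
        if (JSUtil.notNil(outputs.error))
            return;

        var challenges = JSON.parse(inputs.challenges);
        var csr = inputs.csr;
        var finalizeUrl = inputs.finalize_url;
        var orderUrl = inputs.order_url;
        var url = inputs.url;
        var credentialAlias = inputs.credential_alias;

        // A non-array here would otherwise surface as a generic "Exception:- TypeError"
        // from the catch block; name the real cause instead.
        if (!Array.isArray(challenges)) {
            outputs.error = "Request failed. Expected 'challenges' to be a JSON array but got: " + (typeof challenges);
            return;
        }

        var acmeutil = new ACMECertificateUtil();
        acmeutil.getCredentialObject(credentialAlias);
        acmeutil.getACMEDirectory(url);

        // Validate every challenge rather than stopping at the first failure, and
        // remember which ones failed: on a multi-name order the bare "Falied to
        // validate all challenges" message gives no way to tell which DNS record
        // the CA could not see. validateChallenge() is treated as truthy/falsy
        // exactly as the original `&&` chain did.
        var failedChallengeUrls = [];
        for (var i = 0; i < challenges.length; i++) {
            var challengeUrl = challenges[i]["challengeUrl"];
            if (!acmeutil.validateChallenge(challengeUrl))
                failedChallengeUrls.push(String(challengeUrl));
        }

        if (failedChallengeUrls.length > 0) {
            // Original message kept verbatim as the prefix; the suffix carries the
            // diagnostics (challenge URLs are public ACME resource locations, not secrets).
            outputs.error = "Falied to validate all challenges. Please submit a new request."
                + " Failed challenges (" + failedChallengeUrls.length + " of " + challenges.length + "): "
                + failedChallengeUrls.join(", ");
            return;
        }

        // All authorizations passed: finalize with the DER-encoded, base64url CSR and
        // poll the order until the certificate download URL is available.
        var encodedCsr = acmeutil.base64UrlEncode(acmeutil.convertCSRStringToPKCS10(csr).getEncoded());
        acmeutil.finalizeOrder(encodedCsr, finalizeUrl);
        var certDownloadUrl = acmeutil.checkOrderforCompletion(orderUrl);

        var certInfo = {
            url: certDownloadUrl,
            credAliasName: credentialAlias,
            baseUrl: url,
            isKeepOriginalCert: true
        };
        var acmeChain = new ACMESSLCertificate().execute(certInfo);

        // Task / ownership context forwarded to the payload builder.
        var params = {
            'taskId': inputs.task_id,
            'taskTable': inputs.task_table,
            'caSysId': inputs.ca_sys_id,
            'certificateOwnerGroup': inputs.certificate_owner_group,
            'certificateOwner': inputs.certificate_owner,
            'renewalTracking': inputs.renewal_tracking,
            'environment': inputs.environment
        };
        var certUtilObj = new SSLCertificateUtil();
        var certPayloadFormat = certUtilObj.generateCertPayloadFormat(acmeChain, params);

        // Only a non-empty certXmlPayload is added; an empty list is still a valid output.
        var orderPayloadList = [];
        if (certPayloadFormat.certXmlPayload)
            orderPayloadList.push(certPayloadFormat.certXmlPayload);
        outputs.order_payload_list = JSON.stringify({
            'orderList': orderPayloadList
        });
    } catch (ex) {
        outputs.error = "Request failed. An error occurred while trying to populate certificate (mid side). Exception:- " + ex;
    }
})(inputs, outputs);
Thanks in advance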