Keyfactor
diff --git a/‎AcmeCaPlugin/AcmeCaPlugin.cs‎
Lines changed: 120 additions & 23 deletions b/‎AcmeCaPlugin/AcmeCaPlugin.cs‎
Lines changed: 120 additions & 23 deletions
diff --git a/‎AcmeCaPlugin/AcmeCaPlugin.csproj‎
Lines changed: 1 addition & 0 deletions b/‎AcmeCaPlugin/AcmeCaPlugin.csproj‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎AcmeCaPlugin/AcmeCaPluginConfig.cs‎
Lines changed: 102 additions & 1 deletion b/‎AcmeCaPlugin/AcmeCaPluginConfig.cs‎
Lines changed: 102 additions & 1 deletion
diff --git a/‎AcmeCaPlugin/AcmeClientConfig.cs‎
Lines changed: 17 additions & 0 deletions b/‎AcmeCaPlugin/AcmeClientConfig.cs‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎AcmeCaPlugin/Clients/DNS/DnsProviderFactory.cs‎
Lines changed: 19 additions & 0 deletions b/‎AcmeCaPlugin/Clients/DNS/DnsProviderFactory.cs‎
Lines changed: 19 additions & 0 deletions
@@ -18,6 +18,10 @@
 using System.Text;
 using Keyfactor.Extensions.CAPlugin.Acme.Clients.DNS;
 using System.Text.RegularExpressions;
+using Org.BouncyCastle.Asn1;
+using Org.BouncyCastle.Asn1.Pkcs;
+using Org.BouncyCastle.Asn1.X509;
+using Org.BouncyCastle.Pkcs;
 
 namespace Keyfactor.Extensions.CAPlugin.Acme
 {
@@ -248,12 +252,12 @@ public async Task<EnrollmentResult> Enroll(
                 var acmeClient = new AcmeClient(_logger, config, httpClient, protocolClient.Directory,
                     new Clients.Acme.Account(accountDetails, signer));
 
-                // Extract domain
-                var cleanDomain = ExtractDomainFromSubject(subject);
-                var identifiers = new List<Identifier>
-        {
-            new Identifier { Type = "dns", Value = cleanDomain }
-        };
+                // Decode CSR first so we can extract all domains from it
+                var csrBytes = Convert.FromBase64String(csr);
+
+                // Extract all domains directly from CSR (CN + SANs) for the ACME order
+                // This ensures we authorize exactly what's in the CSR
+                var identifiers = ExtractDomainsFromCsr(csrBytes);
 
                 // Create order
                 var order = await acmeClient.CreateOrderAsync(identifiers, null);
@@ -264,8 +268,7 @@ public async Task<EnrollmentResult> Enroll(
                 // Process challenges
                 await ProcessAuthorizations(acmeClient, order, config);
 
-                // Finalize
-                var csrBytes = Convert.FromBase64String(csr);
+                // Finalize with original CSR bytes
                 order = await acmeClient.FinalizeOrderAsync(order, csrBytes);
 
                 // If order is valid immediately, download cert
@@ -331,6 +334,88 @@ private static string ExtractDomainFromSubject(string subject)
             throw new ArgumentException($"Could not extract CN from subject: {subject}", nameof(subject));
         }
 
+        /// <summary>
+        /// Extracts all DNS names (CN + SANs) directly from the CSR.
+        /// This ensures the ACME order authorizes exactly what's in the CSR.
+        /// </summary>
+        /// <param name="csrBytes">DER-encoded CSR bytes</param>
+        /// <returns>List of ACME identifiers for all domains in the CSR</returns>
+        private List<Identifier> ExtractDomainsFromCsr(byte[] csrBytes)
+        {
+            var domains = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+            try
+            {
+                // Parse the CSR using BouncyCastle
+                var pkcs10 = new Pkcs10CertificationRequest(csrBytes);
+                var csrInfo = pkcs10.GetCertificationRequestInfo();
+
+                // Extract CN from subject
+                var subject = csrInfo.Subject;
+                var cnValues = subject.GetValueList(X509Name.CN);
+                if (cnValues != null && cnValues.Count > 0)
+                {
+                    var cn = cnValues[0]?.ToString();
+                    if (!string.IsNullOrWhiteSpace(cn))
+                    {
+                        domains.Add(cn);
+                        _logger.LogDebug("Extracted CN from CSR: {Domain}", cn);
+                    }
+                }
+
+                // Extract SANs from CSR attributes
+                var attributes = csrInfo.Attributes;
+                if (attributes != null)
+                {
+                    foreach (var attr in attributes)
+                    {
+                        var attribute = Org.BouncyCastle.Asn1.Pkcs.AttributePkcs.GetInstance(attr);
+                        if (attribute.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest))
+                        {
+                            // This attribute contains extension requests
+                            var extensions = X509Extensions.GetInstance(attribute.AttrValues[0]);
+                            var sanExtension = extensions.GetExtension(X509Extensions.SubjectAlternativeName);
+
+                            if (sanExtension != null)
+                            {
+                                var sanNames = GeneralNames.GetInstance(sanExtension.GetParsedValue());
+                                foreach (var name in sanNames.GetNames())
+                                {
+                                    // TagNo 2 = dNSName
+                                    if (name.TagNo == GeneralName.DnsName)
+                                    {
+                                        var dnsName = name.Name.ToString();
+                                        if (!string.IsNullOrWhiteSpace(dnsName))
+                                        {
+                                            domains.Add(dnsName);
+                                            _logger.LogDebug("Extracted SAN from CSR: {Domain}", dnsName);
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Failed to parse CSR for domain extraction");
+                throw new InvalidOperationException("Failed to parse CSR to extract domains", ex);
+            }
+
+            if (domains.Count == 0)
+            {
+                _logger.LogError("No DNS names found in CSR. CSR may be malformed or missing CN/SANs.");
+                throw new InvalidOperationException("No DNS names found in CSR (neither CN nor SANs)");
+            }
+
+            var identifiers = domains.Select(d => new Identifier { Type = "dns", Value = d }).ToList();
+            _logger.LogInformation("CSR domain extraction complete. Creating ACME order for {Count} domain(s): [{Domains}]",
+                identifiers.Count, string.Join(", ", domains));
+
+            return identifiers;
+        }
+
         /// <summary>
         /// Processes ACME authorizations for domain validation
         /// Currently hardcoded to use DNS-01 challenge with Google DNS provider
@@ -345,7 +430,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
                 throw new InvalidOperationException("Missing or invalid authorization list in order payload.");
             }
 
-            var dnsVerifier = new DnsVerificationHelper(_logger);
+            var dnsVerifier = new DnsVerificationHelper(_logger, config.DnsVerificationServer);
             var pendingChallenges = new List<(Authorization authz, Challenge challenge, Dns01ChallengeValidationDetails validation)>();
 
             // First pass: Create all DNS records
@@ -370,7 +455,7 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
                 if (validation == null)
                     throw new InvalidOperationException($"Failed to decode {DNS_CHALLENGE_TYPE} challenge validation details");
 
-                // Create DNS record
+                // Create DNS record (will throw exception with details if it fails)
                 var dnsProvider = DnsProviderFactory.Create(config, _logger);
                 await dnsProvider.CreateRecordAsync(validation.DnsRecordName, validation.DnsRecordValue);
 
@@ -383,22 +468,34 @@ private async Task ProcessAuthorizations(AcmeClient acmeClient, OrderDetails ord
             // Second pass: Wait for DNS propagation and submit challenges
             foreach (var (authz, challenge, validation) in pendingChallenges)
             {
-                _logger.LogInformation("Waiting for DNS propagation for {Domain}...", authz.Identifier.Value);
-
-                // Wait for DNS propagation with verification
-                var propagated = await dnsVerifier.WaitForDnsPropagationAsync(
-                    validation.DnsRecordName,
-                    validation.DnsRecordValue,
-                    minimumServers: 3 // Require at least 3 DNS servers to confirm
-                );
+                // Skip external DNS verification for Infoblox since it cannot ping external DNS providers
+                bool isInfoblox = config.DnsProvider?.Trim().Equals("infoblox", StringComparison.OrdinalIgnoreCase) ?? false;
 
-                if (!propagated)
+                if (isInfoblox)
+                {
+                    _logger.LogInformation("Skipping external DNS propagation check for Infoblox provider for {Domain}. Adding short delay...", authz.Identifier.Value);
+                    // Add a short delay to allow Infoblox to process the record internally
+                    await Task.Delay(TimeSpan.FromSeconds(5));
+                }
+                else
                 {
-                    _logger.LogWarning("DNS record may not have fully propagated for {Domain}. Proceeding anyway...",
-                        authz.Identifier.Value);
+                    _logger.LogInformation("Waiting for DNS propagation for {Domain}...", authz.Identifier.Value);
 
-                    // Optional: Add a final delay as fallback
-                    await Task.Delay(TimeSpan.FromSeconds(30));
+                    // Wait for DNS propagation with verification
+                    var propagated = await dnsVerifier.WaitForDnsPropagationAsync(
+                        validation.DnsRecordName,
+                        validation.DnsRecordValue,
+                        minimumServers: 3 // Require at least 3 DNS servers to confirm
+                    );
+
+                    if (!propagated)
+                    {
+                        _logger.LogWarning("DNS record may not have fully propagated for {Domain}. Proceeding anyway...",
+                            authz.Identifier.Value);
+
+                        // Optional: Add a final delay as fallback
+                        await Task.Delay(TimeSpan.FromSeconds(30));
+                    }
                 }
 
                 // Submit challenge response
 
@@ -16,6 +16,7 @@
         <PackageReference Include="Azure.ResourceManager.Cdn" Version="1.4.0"/>
         <PackageReference Include="Azure.ResourceManager.Dns" Version="1.1.1"/>
         <PackageReference Include="DnsClient" Version="1.8.0"/>
+        <PackageReference Include="ARSoft.Tools.Net" Version="3.6.0"/>
         <PackageReference Include="Google.Apis.Dns.v1" Version="1.69.0.3753"/>
         <PackageReference Include="Keyfactor.AnyGateway.IAnyCAPlugin" Version="3.0.0"/>
         <PackageReference Include="Keyfactor.Logging" Version="1.1.1"/>
 
@@ -46,7 +46,7 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                 },
                 ["DnsProvider"] = new PropertyConfigInfo()
                 {
-                    Comments = "DNS Provider to use for ACME DNS-01 challenges (options Google, Cloudflare, AwsRoute53, Azure, Ns1)",
+                    Comments = "DNS Provider to use for ACME DNS-01 challenges (options: Google, Cloudflare, AwsRoute53, Azure, Ns1, Rfc2136, Infoblox)",
                     Hidden = false,
                     DefaultValue = "Google",
                     Type = "String"
@@ -144,6 +144,107 @@ public static Dictionary<string, PropertyConfigInfo> GetPluginAnnotations()
                     Hidden = true,
                     DefaultValue = "",
                     Type = "String"
+                },
+
+                // RFC 2136 Dynamic DNS (BIND/Microsoft DNS)
+                ["Rfc2136_Server"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Server hostname or IP address (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_Port"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Server port (default 53) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "53",
+                    Type = "Number"
+                },
+                ["Rfc2136_Zone"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: Zone name (e.g., example.com) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_TsigKeyName"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG key name for authentication (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Rfc2136_TsigKey"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG key (base64 encoded) for authentication (Optional)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
+                },
+                ["Rfc2136_TsigAlgorithm"] = new PropertyConfigInfo()
+                {
+                    Comments = "RFC 2136 DNS: TSIG algorithm (default hmac-sha256) (Optional)",
+                    Hidden = false,
+                    DefaultValue = "hmac-sha256",
+                    Type = "String"
+                },
+
+                // DNS Verification Settings
+                ["DnsVerificationServer"] = new PropertyConfigInfo()
+                {
+                    Comments = "DNS server to use for verifying TXT record propagation. For private/local DNS zones, set this to your authoritative DNS server IP (e.g., 10.3.10.37). Leave empty to use public DNS servers (Google, Cloudflare, etc.).",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                }
+
+                //Infoblox DNS
+                ,
+                ["Infoblox_Host"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: API URL (e.g., https://infoblox.example.com/wapi/v2.12) only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Username"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Username for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Password"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Password for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
+                }
+
+                //Infoblox DNS
+                ,
+                ["Infoblox_Host"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: API URL (e.g., https://infoblox.example.com/wapi/v2.12) only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Username"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Username for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = false,
+                    DefaultValue = "",
+                    Type = "String"
+                },
+                ["Infoblox_Password"] = new PropertyConfigInfo()
+                {
+                    Comments = "Infoblox DNS: Password for authentication only if using Infoblox DNS (Optional)",
+                    Hidden = true,
+                    DefaultValue = "",
+                    Type = "Secret"
                 }
 
             };
 
@@ -37,6 +37,23 @@ public class AcmeClientConfig
 
         // Container Deployment Support
         public string AccountStoragePath { get; set; } = null;
+        // RFC 2136 Dynamic DNS (BIND)
+        public string Rfc2136_Server { get; set; } = null;
+        public int Rfc2136_Port { get; set; } = 53;
+        public string Rfc2136_Zone { get; set; } = null;
+        public string Rfc2136_TsigKeyName { get; set; } = null;
+        public string Rfc2136_TsigKey { get; set; } = null;
+        public string Rfc2136_TsigAlgorithm { get; set; } = "hmac-sha256";
+
+        // Infoblox DNS
+        public string Infoblox_Host { get; set; } = null;
+        public string Infoblox_Username { get; set; } = null;
+        public string Infoblox_Password { get; set; } = null;
+        public string Infoblox_WapiVersion { get; set; } = "2.12";
+        public bool Infoblox_IgnoreSslErrors { get; set; } = false;
+
+        // DNS Verification Settings
+        public string DnsVerificationServer { get; set; } = null;
 
     }
 }
@@ -40,6 +40,25 @@ public static IDnsProvider Create(AcmeClientConfig config, ILogger logger)
                     return new Ns1DnsProvider(
                         config.Ns1_ApiKey
                     );
+                case "rfc2136":
+                    return new Rfc2136DnsProvider(
+                        config.Rfc2136_Server,
+                        config.Rfc2136_Zone,
+                        config.Rfc2136_TsigKeyName,
+                        config.Rfc2136_TsigKey,
+                        config.Rfc2136_TsigAlgorithm,
+                        config.Rfc2136_Port,
+                        logger
+                    );
+                case "infoblox":
+                    return new InfobloxDnsProvider(
+                        config.Infoblox_Host,
+                        config.Infoblox_Username,
+                        config.Infoblox_Password,
+                        config.Infoblox_WapiVersion,
+                        config.Infoblox_IgnoreSslErrors,
+                        logger
+                    );
                 default:
                     throw new NotSupportedException($"DNS provider '{config.DnsProvider}' is not supported.");
             }