Add skip dns ownership verification field

backend/src/server/routes/v1/certificate-profiles-router.ts

@@ -47,7 +47,11 @@ export const registerCertificateProfilesRouter = async (server: FastifyZodProvid
               renewBeforeDays: z.number().min(1).max(30).optional()
             })
             .optional(),
-          acmeConfig: z.object({}).optional(),
+          acmeConfig: z
+            .object({
+              skipDnsOwnershipVerification: z.boolean().optional()
+            })
+            .optional(),
           externalConfigs: ExternalConfigUnionSchema
         })
         .refine(

backend/src/services/certificate-profile/certificate-profile-dal.ts

@@ -168,7 +168,11 @@ export const certificateProfileDALFactory = (db: TDbClient) => {
           db.ref("autoRenew").withSchema(TableName.PkiApiEnrollmentConfig).as("apiConfigAutoRenew"),
           db.ref("renewBeforeDays").withSchema(TableName.PkiApiEnrollmentConfig).as("apiConfigRenewBeforeDays"),
           db.ref("id").withSchema(TableName.PkiAcmeEnrollmentConfig).as("acmeConfigId"),
-          db.ref("encryptedEabSecret").withSchema(TableName.PkiAcmeEnrollmentConfig).as("acmeConfigEncryptedEabSecret")
+          db.ref("encryptedEabSecret").withSchema(TableName.PkiAcmeEnrollmentConfig).as("acmeConfigEncryptedEabSecret"),
+          db
+            .ref("skipDnsOwnershipVerification")
+            .withSchema(TableName.PkiAcmeEnrollmentConfig)
+            .as("acmeConfigSkipDnsOwnershipVerification")
         )
         .where(`${TableName.PkiCertificateProfile}.id`, id)
         .first();
@@ -198,7 +202,8 @@ export const certificateProfileDALFactory = (db: TDbClient) => {
       const acmeConfig = result.acmeConfigId
         ? ({
             id: result.acmeConfigId,
-            encryptedEabSecret: result.acmeConfigEncryptedEabSecret
+            encryptedEabSecret: result.acmeConfigEncryptedEabSecret,
+            skipDnsOwnershipVerification: result.acmeConfigSkipDnsOwnershipVerification ?? false
           } as TCertificateProfileWithConfigs["acmeConfig"])
         : undefined;
 

backend/src/services/certificate-profile/certificate-profile-schemas.ts

@@ -30,7 +30,11 @@ export const createCertificateProfileSchema = z
         renewBeforeDays: z.number().min(1).max(30).optional()
       })
       .optional(),
-    acmeConfig: z.object({}).optional()
+    acmeConfig: z
+      .object({
+        skipDnsOwnershipVerification: z.boolean().optional()
+      })
+      .optional()
   })
   .refine(
     (data) => {
@@ -155,6 +159,11 @@ export const updateCertificateProfileSchema = z
         autoRenew: z.boolean().default(false),
         renewBeforeDays: z.number().min(1).max(30).optional()
       })
+      .optional(),
+    acmeConfig: z
+      .object({
+        skipDnsOwnershipVerification: z.boolean().optional()
+      })
       .optional()
   })
   .refine(

backend/src/services/certificate-profile/certificate-profile-service.ts

@@ -403,7 +403,13 @@ export const certificateProfileServiceFactory = ({
         apiConfigId = apiConfig.id;
       } else if (data.enrollmentType === EnrollmentType.ACME && data.acmeConfig) {
         const { encryptedEabSecret } = await generateAndEncryptAcmeEabSecret(projectId, kmsService, projectDAL);
-        const acmeConfig = await acmeEnrollmentConfigDAL.create({ encryptedEabSecret }, tx);
+        const acmeConfig = await acmeEnrollmentConfigDAL.create(
+          {
+            encryptedEabSecret,
+            skipDnsOwnershipVerification: data.acmeConfig.skipDnsOwnershipVerification ?? false
+          },
+          tx
+        );
         acmeConfigId = acmeConfig.id;
       }
 
@@ -505,7 +511,7 @@ export const certificateProfileServiceFactory = ({
     const updatedData =
       finalIssuerType === IssuerType.SELF_SIGNED && existingProfile.caId ? { ...data, caId: null } : data;
 
-    const { estConfig, apiConfig, ...profileUpdateData } = updatedData;
+    const { estConfig, apiConfig, acmeConfig, ...profileUpdateData } = updatedData;
 
     const updatedProfile = await certificateProfileDAL.transaction(async (tx) => {
       if (estConfig && existingProfile.estConfigId) {
@@ -547,6 +553,16 @@ export const certificateProfileServiceFactory = ({
         );
       }
 
+      if (acmeConfig && existingProfile.acmeConfigId) {
+        await acmeEnrollmentConfigDAL.updateById(
+          existingProfile.acmeConfigId,
+          {
+            skipDnsOwnershipVerification: acmeConfig.skipDnsOwnershipVerification ?? false
+          },
+          tx
+        );
+      }
+
       const profileResult = await certificateProfileDAL.updateById(profileId, profileUpdateData, tx);
       return profileResult;
     });

backend/src/services/certificate-profile/certificate-profile-types.ts

@@ -83,6 +83,7 @@ export type TCertificateProfileWithConfigs = TCertificateProfile & {
     id: string;
     directoryUrl: string;
     encryptedEabSecret?: Buffer;
+    skipDnsOwnershipVerification?: boolean;
   };
 };