Fix upstream skip validation

2026-01-07 22:53:55 -05:00 · 2025-11-13 11:36:51 -08:00
parent 73a3ee6b61
commit c183d91257
4 changed files with 5 additions and 3 deletions
--- a/.github/workflows/run-backend-bdd-tests.yml
+++ b/.github/workflows/run-backend-bdd-tests.yml
@@ -51,6 +51,9 @@ jobs:
          echo "ACME_DEVELOPMENT_MODE=true" >> .env
          echo "ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES={\"localhost\": \"host.docker.internal:8087\", \"infisical.com\": \"host.docker.internal:8087\", \"example.com\": \"host.docker.internal:8087\"}" >> .env
          echo "BDD_NOCK_API_ENABLED=true" >> .env
+          # Skip upstream validation, otherwise the ACME client for the upstream will try to
+          # validate the DNS records, which will fail because the DNS records are not actually created.
+          echo "ACME_SKIP_UPSTREAM_VALIDATION=true" >> .env
          # We are not using FIPS mode, need a different encryption key for BDD tests
          NEW_ENCRYPTION_KEY=6c1fe4e407b8911c104518103505b218
          sed -i "s#ENCRYPTION_KEY=.*#ENCRYPTION_KEY=$NEW_ENCRYPTION_KEY#" .env
--- a/backend/src/lib/config/env.ts
+++ b/backend/src/lib/config/env.ts
@@ -108,6 +108,7 @@ const envSchema = z
    DAILY_RESOURCE_CLEAN_UP_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
    BDD_NOCK_API_ENABLED: zodStrBool.default("false").optional(),
    ACME_DEVELOPMENT_MODE: zodStrBool.default("false").optional(),
+    ACME_SKIP_UPSTREAM_VALIDATION: zodStrBool.default("false").optional(),
    ACME_DEVELOPMENT_HTTP01_CHALLENGE_HOST_OVERRIDES: zpStr(
      z
        .string()
--- a/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
+++ b/backend/src/services/certificate-authority/acme/acme-certificate-authority-fns.ts
@@ -243,7 +243,7 @@ export const orderCertificate = async (
    challengePriority: ["dns-01"],
    // For ACME development mode, we mock the DNS challenge API calls. So, no real DNS records are created.
    // We need to disable the challenge verification to avoid errors.
-    skipChallengeVerification: getConfig().isAcmeDevelopmentMode,
+    skipChallengeVerification: getConfig().isAcmeDevelopmentMode && getConfig().ACME_SKIP_UPSTREAM_VALIDATION,
    termsOfServiceAgreed: true,

    challengeCreateFn: async (authz, challenge, keyAuthorization) => {
--- a/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts
+++ b/backend/src/services/certificate-authority/acme/dns-providers/cloudflare.ts
@@ -68,8 +68,6 @@ export const cloudflareDeleteTxtRecord = async (
      },
      params: {
        type: "TXT",
-        // TODO: this is incorrect. The domain seems need to be fqdn, but we are passing just the record name here.
-        //       as a result, we are not deleting the record correctly.
        name: domain,
        content: value
      }