imperva / terraform-provider-incapsula

This package is a plugin for Terraform, and is designed to be used to auto-provision sites in Incapsula via Incapsula’s API from the terraform cli/yaml configurations.
Mozilla Public License 2.0

Site Status Listing fails with Generated Certs #46

Closed kireledan closed 4 years ago

kireledan commented 4 years ago

I've encountered an issue with terraform planning with sites that contain a generated SSL certificate.


Error: Error parsing site status JSON response for domain <redacted> (site id: 1019071): json: cannot unmarshal object into Go struct field .ssl.generated_certificate.validation_data of type []struct { DNSRecordName string "json:\"dns_record_name\""; SetTypeTo string "json:\"set_type_to\""; SetDataTo []string "json:\"set_data_to\"" }

I'm suspecting this is because the API doesn't return as expected.

The struct is expecting these fields within the validation_data blob.

        GeneratedCertificate struct {
            Ca               string `json:"ca"`
            ValidationMethod string `json:"validation_method"`
            ValidationData   []struct {
                DNSRecordName string   `json:"dns_record_name"`
                SetTypeTo     string   `json:"set_type_to"`
                SetDataTo     []string `json:"set_data_to"`
            } `json:"validation_data"`
            San              []string `json:"san"`
            ValidationStatus string   `json:"validation_status"`
        } `json:"generated_certificate"`

Hitting the API though (https://my.incapsula.com/api/prov/v1/sites/status), the validation_data does not contain these fields.

    "generated_certificate": {
      "ca": "GS",
      "validation_method": "html",
      "validation_data": {
        "http://<redacted>/.well-known/pki-validation/gsdv.txt": [
          "<meta name=\"_globalsign-domain-verification\" content=\"<redacted>\" />"
        ]
      },
      "san": [
        "*.<redacted>"
      ],
      "validation_status": "done"
    }
anandkunal commented 4 years ago

Hi @kireledan - I think I see what's going on.

I assumed when writing the provider that generated_certificate would be the same regardless of the validation method. I was wrong.

Per the documentation, here's the example for HTML validation (and what you're doing based on the return value from the API):

"generated_certificate" : {
    "ca" : "globalsign",
    "validation_method" : "html",
    "validation_data" : "<meta name=\"globalsign-domain-verification\" content=\"rgwlWGF7wQsdWdhbd54pGGruzskFMVezwMvnUtRAzW\" />",
    "san" : ["*.example.com", "example.com"],
    "validation_status" : "pending_user_action"
}

Here's the example for DNS validation:

"generated_certificate" : {
    "ca" : "globalsign",
    "validation_method" : "dns",
    "validation_data" : [
        {"dns_record_name": "www.example.com", "set_type_to": "TXT", "set_data_to": "globalsign-domain-verification=rgwlWGF7wQsdWdhbd54pGGruzskFMVezwMvnUtRAzW"},
        ...
    ],
    "san" : ["*.example.com", "example.com"],
    "validation_status" : "pending_user_action"
}

We really shouldn't be changing the inner structure of the validation data like this and instead be using different field names. I'll bring this up with our PD team separately. In the meantime, let me see if I can change out validation_data to be an interface{} and do on-the-fly casting based on validation_method.

Best, Kunal
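The deferred-decoding approach described in the comment above, as an added example that is not the provider's own code: validation_data is kept as a json.RawMessage and only decoded once validation_method is known, so a "dns" array is never forced into the "html" shape or vice versa. The type name DNSRecord and the string-typed set_data_to field follow the documentation example quoted above and are assumptions about the API, not confirmed behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// DNSRecord is one entry of the "dns" validation_data array (set_data_to is a string per the docs).
type DNSRecord struct {
	DNSRecordName string `json:"dns_record_name"`
	SetTypeTo     string `json:"set_type_to"`
	SetDataTo     string `json:"set_data_to"`
}

// GeneratedCertificate leaves validation_data undecoded until validation_method is known.
type GeneratedCertificate struct {
	CA               string          `json:"ca"`
	ValidationMethod string          `json:"validation_method"`
	ValidationData   json.RawMessage `json:"validation_data"`
	SAN              []string        `json:"san"`
	ValidationStatus string          `json:"validation_status"`
}

// DNSRecords decodes the "dns" shape; other methods are refused rather than mis-parsed.
func (g *GeneratedCertificate) DNSRecords() ([]DNSRecord, error) {
	if g.ValidationMethod != "dns" {
		return nil, fmt.Errorf("validation_method is %q, not dns", g.ValidationMethod)
	}
	var recs []DNSRecord
	return recs, json.Unmarshal(g.ValidationData, &recs)
}

// HTMLValidation decodes the "html" shape: the live API returned a map of file URL to
// meta tags, the docs show a bare string; both are accepted (the string is keyed by "").
func (g *GeneratedCertificate) HTMLValidation() (map[string][]string, error) {
	if g.ValidationMethod != "html" {
		return nil, fmt.Errorf("validation_method is %q, not html", g.ValidationMethod)
	}
	var byURL map[string][]string
	if json.Unmarshal(g.ValidationData, &byURL) == nil {
		return byURL, nil
	}
	var single string
	if err := json.Unmarshal(g.ValidationData, &single); err != nil {
		return nil, fmt.Errorf("unexpected html validation_data: %w", err)
	}
	return map[string][]string{"": {single}}, nil
}
```

Unmarshal the site status response into GeneratedCertificate first, then call the accessor matching validation_method; an unexpected shape surfaces as an error from that accessor instead of failing the whole site status parse.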

anandkunal commented 4 years ago

Just pushed the fix to the repository. Verified locally with a few different sites. Example from my own domain for testing:

resource "incapsula_site" "example-site-html" {
    data_storage_region                      = "US"
    dns_a_record_value                       = []
    domain                                   = "--redacted--"
    domain_validation                        = "html"
    domain_verification                      = "<meta name=\"_globalsign-domain-verification\" content=\"-rRHZbEu8sjtBhcr6Iqwhbed0tlJ__Uv88hthYzuZ3\" />"
    ....
}

Please note that if your domain has already been validated in the past, editing validation to a new option will not work. You'll need to contact customer support for that one. I assume you're not in this boat as you already had a successful JSON blob (as indicated in your issue above).

Let me know if you run into additional issues with this.

kireledan commented 4 years ago

Awesome! Thanks for the follow-up