lkddi/certd
1
0
Fork 0
mirror of https://github.com/certd/certd.git synced 2026-04-15 13:32:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

perf: 支持http校验方式申请证书

Browse Source
This commit is contained in:
xiaojunnuo
2025-01-02 00:28:13 +08:00
parent 67af67b92d
commit 405591c5d0
42 changed files with 820 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
packages/plugins/plugin-cert/package.json
View File

@@ -18,6 +18,7 @@
"@certd/acme-client": "^1.29.2",
"@certd/basic": "^1.29.2",
"@certd/pipeline": "^1.29.2",
"@certd/plugin-lib": "^1.29.2",
"@google-cloud/publicca": "^1.3.0",
"dayjs": "^1.11.7",
"jszip": "^3.10.1",

68
packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts
View File

@@ -6,6 +6,7 @@ import { Challenge } from "@certd/acme-client/types/rfc8555";
import { IContext } from "@certd/pipeline";
import { ILogger, utils } from "@certd/basic";
import { IDnsProvider, parseDomain } from "../../dns-provider/index.js";
import { HttpChallengeUploader } from "./uploads/api.js";
export type CnameVerifyPlan = {
domain: string;
@@ -15,7 +16,7 @@ export type CnameVerifyPlan = {
export type DomainVerifyPlan = {
domain: string;
type: "cname" | "dns";
type: "cname" | "dns" | "http";
dnsProvider?: IDnsProvider;
cnameVerifyPlan?: Record<string, CnameVerifyPlan>;
};
@@ -23,6 +24,12 @@ export type DomainsVerifyPlan = {
[key: string]: DomainVerifyPlan;
};
export type Providers = {
dnsProvider?: IDnsProvider;
domainsVerifyPlan?: DomainsVerifyPlan;
httpUploader?: HttpChallengeUploader;
};
export type CertInfo = {
crt: string; //fullchain证书
key: string; //私钥
@@ -155,20 +162,17 @@ export class AcmeService {
return key.toString();
}
async challengeCreateFn(authz: any, challenge: any, keyAuthorization: string, dnsProvider: IDnsProvider, domainsVerifyPlan: DomainsVerifyPlan) {
async challengeCreateFn(authz: any, challenge: any, keyAuthorization: string, providers: Providers) {
this.logger.info("Triggered challengeCreateFn()");
/* http-01 */
const fullDomain = authz.identifier.value;
if (challenge.type === "http-01") {
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
const filePath = `.well-known/acme-challenge/${challenge.token}`;
const fileContents = keyAuthorization;
this.logger.info(`Creating challenge response for ${fullDomain} at path: ${filePath}`);
/* Replace this */
this.logger.info(`Would write "${fileContents}" to path "${filePath}"`);
// await fs.writeFileAsync(filePath, fileContents);
this.logger.info(`校验 ${fullDomain} ,准备上传文件:${filePath}`);
await providers.httpUploader.upload(filePath, fileContents);
this.logger.info(`上传文件【${filePath}】成功`);
} else if (challenge.type === "dns-01") {
/* dns-01 */
let fullRecord = `_acme-challenge.${fullDomain}`;
@@ -181,9 +185,10 @@ export class AcmeService {
let domain = parseDomain(fullDomain);
this.logger.info("解析到域名domain=" + domain);
if (domainsVerifyPlan) {
let dnsProvider = providers.dnsProvider;
if (providers.domainsVerifyPlan) {
//按照计划执行
const domainVerifyPlan = domainsVerifyPlan[domain];
const domainVerifyPlan = providers.domainsVerifyPlan[domain];
if (domainVerifyPlan) {
if (domainVerifyPlan.type === "dns") {
dnsProvider = domainVerifyPlan.dnsProvider;
@@ -239,22 +244,28 @@ export class AcmeService {
* @param recordReq
* @param recordRes
* @param dnsProvider dnsProvider
* @param httpUploader
* @returns {Promise}
*/
async challengeRemoveFn(authz: any, challenge: any, keyAuthorization: string, recordReq: any, recordRes: any, dnsProvider: IDnsProvider) {
this.logger.info("Triggered challengeRemoveFn()");
async challengeRemoveFn(
authz: any,
challenge: any,
keyAuthorization: string,
recordReq: any,
recordRes: any,
dnsProvider?: IDnsProvider,
httpUploader?: HttpChallengeUploader
) {
this.logger.info("执行清理");
/* http-01 */
const fullDomain = authz.identifier.value;
if (challenge.type === "http-01") {
const filePath = `/var/www/html/.well-known/acme-challenge/${challenge.token}`;
this.logger.info(`Removing challenge response for ${fullDomain} at path: ${filePath}`);
/* Replace this */
this.logger.info(`Would remove file on path "${filePath}"`);
// await fs.unlinkAsync(filePath);
const filePath = `.well-known/acme-challenge/${challenge.token}`;
this.logger.info(`Removing challenge response for ${fullDomain} at file: ${filePath}`);
await httpUploader.remove(filePath);
this.logger.info(`删除文件【${filePath}】成功`);
} else if (challenge.type === "dns-01") {
this.logger.info(`删除 TXT 解析记录:${JSON.stringify(recordReq)} ,recordRes = ${JSON.stringify(recordRes)}`);
try {
@@ -275,11 +286,12 @@ export class AcmeService {
domains: string | string[];
dnsProvider?: any;
domainsVerifyPlan?: DomainsVerifyPlan;
httpUploader?: any;
csrInfo: any;
isTest?: boolean;
privateKeyType?: string;
}): Promise<CertInfo> {
const { email, isTest, domains, csrInfo, dnsProvider, domainsVerifyPlan } = options;
const { email, isTest, domains, csrInfo, dnsProvider, domainsVerifyPlan, httpUploader } = options;
const client: acme.Client = await this.getAcmeClient(email, isTest);
/* Create CSR */
@@ -319,9 +331,15 @@ export class AcmeService {
privateKey
);
if (dnsProvider == null && domainsVerifyPlan == null) {
throw new Error("dnsProvider 、 domainsVerifyPlan 不能都为空");
if (dnsProvider == null && domainsVerifyPlan == null && httpUploader == null) {
throw new Error("dnsProvider 、 domainsVerifyPlan 、 httpUploader不能都为空");
}
const providers: Providers = {
dnsProvider,
domainsVerifyPlan,
httpUploader,
};
/* 自动申请证书 */
const crt = await client.auto({
csr,
@@ -334,7 +352,7 @@ export class AcmeService {
challenge: Challenge,
keyAuthorization: string
): Promise<{ recordReq: any; recordRes: any; dnsProvider: any }> => {
return await this.challengeCreateFn(authz, challenge, keyAuthorization, dnsProvider, domainsVerifyPlan);
return await this.challengeCreateFn(authz, challenge, keyAuthorization, providers);
},
challengeRemoveFn: async (
authz: acme.Authorization,
@@ -344,7 +362,7 @@ export class AcmeService {
recordRes: any,
dnsProvider: IDnsProvider
): Promise<any> => {
return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordReq, recordRes, dnsProvider);
return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordReq, recordRes, dnsProvider, httpUploader);
},
signal: this.options.signal,
});

3
packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts
View File

@@ -147,10 +147,11 @@ export class CertReader {
tmpOnePath,
});
} catch (err) {
logger.error("处理失败", err);
throw err;
} finally {
//删除临时文件
logger.info("删除临时文件");
logger.info("清理临时文件");
function removeFile(filepath?: string) {
if (filepath) {
fs.unlinkSync(filepath);

87
packages/plugins/plugin-cert/src/plugin/cert-plugin/index.ts
View File

@@ -1,4 +1,4 @@
import { IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
import { CancelError, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
import { utils } from "@certd/basic";
import type { CertInfo, CnameVerifyPlan, DomainsVerifyPlan, PrivateKeyType, SSLProvider } from "./acme.js";
@@ -9,7 +9,8 @@ import { CertReader } from "./cert-reader.js";
import { CertApplyBasePlugin } from "./base.js";
import { GoogleClient } from "../../libs/google.js";
import { EabAccess } from "../../access";
import { CancelError } from "@certd/pipeline";
import { HttpChallengeUploader } from "./uploads/api";
import { httpChallengeUploaderFactory } from "./uploads/factory.js";
export type { CertInfo };
export * from "./cert-reader.js";
@@ -17,12 +18,20 @@ export type CnameRecordInput = {
id: number;
status: string;
};
export type HttpRecordInput = {
domain: string;
httpUploaderType: string;
httpUploaderAccess: number;
httpUploadRootDir: string;
};
export type DomainVerifyPlanInput = {
domain: string;
type: "cname" | "dns";
type: "cname" | "dns" | "http";
dnsProviderType?: string;
dnsProviderAccessId?: number;
cnameVerifyPlan?: Record<string, CnameRecordInput>;
httpVerifyPlan?: Record<string, HttpRecordInput>;
};
export type DomainsVerifyPlanInput = {
[key: string]: DomainVerifyPlanInput;
@@ -54,6 +63,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
options: [
{ value: "dns", label: "DNS直接验证" },
{ value: "cname", label: "CNAME代理验证" },
{ value: "http", label: "HTTP文件验证" },
],
},
required: true,
@@ -117,6 +127,67 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
})
dnsProviderAccess!: number;
@TaskInput({
title: "文件上传方式",
component: {
name: "a-select",
vModel: "value",
options: [
{ value: "ftp", label: "FTP" },
{ value: "sftp", label: "SFTP" },
{ value: "alioss", label: "阿里云OSS" },
{ value: "tencentcos", label: "腾讯云COS" },
{ value: "qiniuoss", label: "七牛OSS" },
],
},
mergeScript: `
return {
show: ctx.compute(({form})=>{
return form.challengeType === 'http'
})
}
`,
required: true,
helper: "您的域名注册商或者域名的dns服务器属于哪个平台\n如果这里没有请选择CNAME代理验证校验方式",
})
httpUploadType!: string;
@TaskInput({
title: "文件上传授权",
component: {
name: "access-selector",
},
required: true,
helper: "请选择文件上传授权",
mergeScript: `return {
component:{
type: ctx.compute(({form})=>{
return form.httpUploadType
})
},
show: ctx.compute(({form})=>{
return form.challengeType === 'http'
})
}
`,
})
httpUploadAccess!: number;
@TaskInput({
title: "网站根路径",
component: {
name: "a-input",
},
required: true,
helper: "请选择网站根路径,校验文件将上传到此目录下",
mergeScript: `return {
show: ctx.compute(({form})=>{
return form.challengeType === 'http'
})
}
`,
})
httpUploadRootDir!: string;
@TaskInput({
title: "域名验证配置",
component: {
@@ -320,10 +391,17 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
);
this.logger.info("开始申请证书,", email, domains);
let dnsProvider: any = null;
let dnsProvider: IDnsProvider = null;
let domainsVerifyPlan: DomainsVerifyPlan = null;
let httpUploader: HttpChallengeUploader = null;
if (this.challengeType === "cname") {
domainsVerifyPlan = await this.createDomainsVerifyPlan();
} else if (this.challengeType === "http") {
const access = await this.ctx.accessService.getById(this.httpUploadAccess);
httpUploader = await httpChallengeUploaderFactory.createUploaderByType(this.httpUploadType, {
rootDir: this.httpUploadRootDir,
access,
});
} else {
const dnsProviderType = this.dnsProviderType;
const access = await this.ctx.accessService.getById(this.dnsProviderAccess);
@@ -336,6 +414,7 @@ export class CertApplyPlugin extends CertApplyBasePlugin {
domains,
dnsProvider,
domainsVerifyPlan,
httpUploader,
csrInfo,
isTest: false,
privateKeyType: this.privateKeyType,

35
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/api.ts Normal file
View File

@@ -0,0 +1,35 @@
import { IAccessService } from "@certd/pipeline";
import { ILogger, utils } from "@certd/basic";
export type HttpChallengeUploader = {
upload: (fileName: string, fileContent: string) => Promise<void>;
remove: (fileName: string) => Promise<void>;
};
export type HttpChallengeUploadContext = {
accessService: IAccessService;
logger: ILogger;
utils: typeof utils;
};
export abstract class BaseHttpChallengeUploader<A> implements HttpChallengeUploader {
rootDir: string;
access: A = null;
logger: ILogger;
utils: typeof utils;
ctx: HttpChallengeUploadContext;
protected constructor(opts: { rootDir: string; access: A }) {
this.rootDir = opts.rootDir;
this.access = opts.access;
}
async setCtx(ctx: any) {
// set context
this.ctx = ctx;
this.logger = ctx.logger;
this.utils = ctx.utils;
}
abstract remove(fileName: string): Promise<void>;
abstract upload(fileName: string, fileContent: string): Promise<void>;
}

26
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/factory.ts Normal file
View File

@@ -0,0 +1,26 @@
export class HttpChallengeUploaderFactory {
async getClassByType(type: string) {
if (type === "alioss") {
return (await import("./impls/alioss.js")).AliossHttpChallengeUploader;
} else if (type === "ssh") {
return (await import("./impls/ssh.js")).SshHttpChallengeUploader;
} else if (type === "ftp") {
return (await import("./impls/ftp.js")).FtpHttpChallengeUploader;
} else if (type === "tencentcos") {
return (await import("./impls/tencentcos.js")).TencentCosHttpChallengeUploader;
} else if (type === "qiniuoss") {
return (await import("./impls/qiniuoss.js")).QiniuOssHttpChallengeUploader;
} else {
throw new Error(`暂不支持此文件上传方式: ${type}`);
}
}
createUploaderByType(type: string, opts: { rootDir: string; access: any }) {
const cls = this.getClassByType(type);
if (cls) {
// @ts-ignore
return new cls(opts);
}
}
}
export const httpChallengeUploaderFactory = new HttpChallengeUploaderFactory();

36
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/impls/alioss.ts Normal file
View File

@@ -0,0 +1,36 @@
import { BaseHttpChallengeUploader } from "../api";
import { AliossAccess, AliyunAccess } from "@certd/plugin-lib";
import { AliossClient } from "@certd/plugin-lib/dist/aliyun/lib/oss-client";
export class AliossHttpChallengeUploader extends BaseHttpChallengeUploader<AliossAccess> {
async upload(filePath: string, fileContent: string) {
const aliyunAccess = await this.ctx.accessService.getById<AliyunAccess>(this.access.accessId);
const client = new AliossClient({
access: aliyunAccess,
bucket: this.access.bucket,
region: this.access.region,
});
await client.uploadFile(filePath, Buffer.from(fileContent));
this.logger.info(`校验文件上传成功: ${filePath}`);
}
async remove(filePath: string) {
// remove file from alioss
const client = await this.getAliossClient();
await client.removeFile(filePath);
this.logger.info(`文件删除成功: ${filePath}`);
}
private async getAliossClient() {
const aliyunAccess = await this.ctx.accessService.getById<AliyunAccess>(this.access.accessId);
const client = new AliossClient({
access: aliyunAccess,
bucket: this.access.bucket,
region: this.access.region,
});
await client.init();
return client;
}
}

25
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/impls/ftp.ts Normal file
View File

@@ -0,0 +1,25 @@
import { BaseHttpChallengeUploader } from "../api";
import { FtpAccess } from "@certd/plugin-lib";
import { FtpClient } from "@certd/plugin-lib/dist/ftp/client";
export class FtpHttpChallengeUploader extends BaseHttpChallengeUploader<FtpAccess> {
async upload(fileName: string, fileContent: string) {
const client = new FtpClient({
access: this.access,
logger: this.logger,
});
await client.connect(async (client) => {
await client.upload(fileName, fileContent);
});
}
async remove(fileName: string) {
const client = new FtpClient({
access: this.access,
logger: this.logger,
});
await client.connect(async (client) => {
await client.client.remove(fileName);
});
}
}

10
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/impls/qiniuoss.ts Normal file
View File

@@ -0,0 +1,10 @@
import { BaseHttpChallengeUploader } from "../api";
import { FtpAccess } from "@certd/plugin-lib";
export class QiniuOssHttpChallengeUploader extends BaseHttpChallengeUploader<FtpAccess> {
async upload(fileName: string, fileContent: string) {
return null;
}
async remove(fileName: string) {}
}

38
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/impls/ssh.ts Normal file
View File

@@ -0,0 +1,38 @@
import { BaseHttpChallengeUploader } from "../api";
import { SshAccess, SshClient } from "@certd/plugin-lib";
import path from "path";
import os from "os";
import fs from "fs";
export class SshHttpChallengeUploader extends BaseHttpChallengeUploader<SshAccess> {
async upload(fileName: string, fileContent: string) {
const tmpFilePath = path.join(os.tmpdir(), "cert", "http", fileName);
// Write file to temp path
fs.writeFileSync(tmpFilePath, fileContent);
try {
const client = new SshClient(this.logger);
await client.uploadFiles({
connectConf: this.access,
mkdirs: true,
transports: [
{
localPath: fileName,
remotePath: fileName,
},
],
});
} finally {
// Remove temp file
fs.unlinkSync(tmpFilePath);
}
}
async remove(filePath: string) {
const client = new SshClient(this.logger);
await client.removeFiles({
connectConf: this.access,
files: [filePath],
});
}
}

10
packages/plugins/plugin-cert/src/plugin/cert-plugin/uploads/impls/tencentcos.ts Normal file
View File

@@ -0,0 +1,10 @@
import { BaseHttpChallengeUploader } from "../api";
import { FtpAccess } from "@certd/plugin-lib";
export class TencentCosHttpChallengeUploader extends BaseHttpChallengeUploader<FtpAccess> {
async upload(fileName: string, fileContent: string) {
return null;
}
async remove(fileName: string) {}
}