feat: 支持dns-persist-01持久化验证方式申请证书,优化Acme账号的存储方式

This commit is contained in:
xiaojunnuo
2026-05-24 05:42:51 +08:00
parent 8edb6f8727
commit 67b05e2d75
51 changed files with 3352 additions and 110 deletions
@@ -44,14 +44,28 @@ describe("AutoFix", () => {
return true;
},
} as any;
autoFix.legacyAcmeAccountAccessFix = {
async init() {
calls.push("legacy-acme");
return true;
},
} as any;
autoFix.commonEabToAcmeAccountFix = {
async init() {
calls.push("common-eab-acme");
return true;
},
} as any;
await autoFix.init();
assert.deepEqual(calls, ["google", "cert", "suite"]);
assert.deepEqual(calls, ["google", "cert", "suite", "legacy-acme", "common-eab-acme"]);
assert.equal(savedSetting.fixed["google-common-eab-account-key"], true);
assert.equal(savedSetting.fixed["oauth-subtype-bound-type"], true);
assert.equal(savedSetting.fixed["cert-info-wildcard-domain-count"], true);
assert.equal(savedSetting.fixed["suite-content-wildcard-domain-count"], true);
assert.equal(savedSetting.fixed["legacy-acme-account-access"], true);
assert.equal(savedSetting.fixed["common-eab-to-acme-account"], true);
});
it("initializes missing fixed map", async () => {
@@ -66,6 +80,8 @@ describe("AutoFix", () => {
autoFix.oauthSubtypeBoundTypeFix = { async init() {} } as any;
autoFix.certInfoWildcardDomainCountFix = { async init() {} } as any;
autoFix.suiteContentWildcardDomainCountFix = { async init() {} } as any;
autoFix.legacyAcmeAccountAccessFix = { async init() {} } as any;
autoFix.commonEabToAcmeAccountFix = { async init() {} } as any;
await autoFix.init();
});
@@ -4,6 +4,8 @@ import { GoogleCommonEabAccountKeyFix } from "./google-common-eab-account-key-fi
import { OauthSubtypeBoundTypeFix } from "./oauth-subtype-bound-type-fix.js";
import { CertInfoWildcardDomainCountFix } from "./cert-info-wildcard-domain-count-fix.js";
import { SuiteContentWildcardDomainCountFix } from "./suite-content-wildcard-domain-count-fix.js";
import { LegacyAcmeAccountAccessFix } from "./legacy-acme-account-access-fix.js";
import { CommonEabToAcmeAccountFix } from "./common-eab-to-acme-account-fix.js";
type AutoFixTask = {
key: string;
@@ -30,6 +32,12 @@ export class AutoFix {
@Inject()
suiteContentWildcardDomainCountFix: SuiteContentWildcardDomainCountFix;
@Inject()
legacyAcmeAccountAccessFix: LegacyAcmeAccountAccessFix;
@Inject()
commonEabToAcmeAccountFix: CommonEabToAcmeAccountFix;
async init() {
const setting = await this.sysSettingsService.getSetting<SysAutoFixSetting>(SysAutoFixSetting);
setting.fixed = setting.fixed || {};
@@ -50,6 +58,14 @@ export class AutoFix {
key: "suite-content-wildcard-domain-count",
fix: this.suiteContentWildcardDomainCountFix,
},
{
key: "legacy-acme-account-access",
fix: this.legacyAcmeAccountAccessFix,
},
{
key: "common-eab-to-acme-account",
fix: this.commonEabToAcmeAccountFix,
},
];
for (const task of tasks) {
@@ -0,0 +1,135 @@
import assert from "assert";
import { buildLegacyCommonEabAccountStorageWhere, CommonEabToAcmeAccountFix, parseEabAccountKey } from "./common-eab-to-acme-account-fix.js";
import { AcmeService } from "../../../plugins/plugin-cert/plugin/cert-plugin/acme.js";
describe("CommonEabToAcmeAccountFix", () => {
it("parses legacy EAB account key payload", () => {
assert.equal(
parseEabAccountKey(
JSON.stringify({
kid: "kid-1",
privateKey: "private-key",
})
),
"private-key"
);
});
it("builds legacy common EAB account storage query", () => {
assert.deepEqual(buildLegacyCommonEabAccountStorageWhere("google", 12), {
userId: 0,
scope: "user",
namespace: "0",
key: "acme.config.google.access.12",
});
});
it("creates common acme account from common eab and legacy storage", async () => {
let addParam: any;
const fix = new CommonEabToAcmeAccountFix();
fix.accessService = {
async getAccessById(id: number) {
assert.equal(id, 12);
return {
accountKey: JSON.stringify({
privateKey: "private-key",
}),
email: "common@example.com",
};
},
async findOne() {
return null;
},
async add(param: any) {
addParam = param;
return { id: 99 };
},
} as any;
fix.storageService = {
getRepository() {
return {
async findOne(options: any) {
assert.deepEqual(options.where, buildLegacyCommonEabAccountStorageWhere("google", 12));
return {
value: JSON.stringify({
value: {
accountUrl: "https://example.com/acct/1",
},
}),
};
},
};
},
} as any;
const id = await fix.createCommonAcmeAccountFromEab("google", 12);
assert.equal(id, 99);
assert.equal(addParam.userId, 0);
assert.equal(addParam.type, "acmeAccount");
const setting = JSON.parse(addParam.setting);
const account = JSON.parse(setting.account);
assert.equal(account.accountKey, "private-key");
assert.equal(account.accountUri, "https://example.com/acct/1");
});
it("creates common acme account by resolving account uri from eab private key", async () => {
const original = AcmeService.prototype.getAcmeClient;
const calls: string[] = [];
AcmeService.prototype.getAcmeClient = async function (email: string) {
calls.push(email);
return {
getAccountUrl() {
return "https://example.com/acct/generated";
},
} as any;
};
try {
let addParam: any;
const fix = new CommonEabToAcmeAccountFix();
fix.accessService = {
async getAccessById(id: number) {
assert.equal(id, 12);
return {
id: 12,
kid: "kid-1",
hmacKey: "hmac-1",
accountKey: JSON.stringify({
kid: "kid-1",
privateKey: "private-key",
}),
email: "common@example.com",
};
},
async findOne() {
return null;
},
async add(param: any) {
addParam = param;
return { id: 100 };
},
} as any;
fix.storageService = {
getRepository() {
return {
async findOne() {
return null;
},
};
},
} as any;
const id = await fix.createCommonAcmeAccountFromEab("google", 12);
assert.equal(id, 100);
assert.deepEqual(calls, ["common@example.com"]);
const setting = JSON.parse(addParam.setting);
const account = JSON.parse(setting.account);
assert.equal(account.accountKey, "private-key");
assert.equal(account.accountUri, "https://example.com/acct/generated");
} finally {
AcmeService.prototype.getAcmeClient = original;
}
});
});
@@ -0,0 +1,188 @@
import { logger } from "@certd/basic";
import { AccessService } from "@certd/lib-server";
import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
import { PluginConfigService } from "../../plugin/service/plugin-config-service.js";
import { StorageService } from "../../pipeline/service/storage-service.js";
import { AcmeService } from "../../../plugins/plugin-cert/plugin/cert-plugin/acme.js";
import { buildAcmeAccountSetting, LegacyAcmeAccountConfig } from "./legacy-acme-account-access-fix.js";
import { parseStorageValue } from "./google-common-eab-account-key-fix.js";
const COMMON_EAB_TO_ACME_ACCOUNT_FIELDS = [
{
caType: "google",
eabField: "googleCommonEabAccessId",
acmeField: "googleCommonAcmeAccountAccessId",
},
{
caType: "zerossl",
eabField: "zerosslCommonEabAccessId",
acmeField: "zerosslCommonAcmeAccountAccessId",
},
{
caType: "sslcom",
eabField: "sslcomCommonEabAccessId",
acmeField: "sslcomCommonAcmeAccountAccessId",
},
{
caType: "litessl",
eabField: "litesslCommonEabAccessId",
acmeField: "litesslCommonAcmeAccountAccessId",
},
];
export function parseEabAccountKey(accountKey?: string) {
if (!accountKey) {
return null;
}
try {
const parsed = JSON.parse(accountKey);
return parsed?.privateKey || parsed?.accountKey || parsed?.key || accountKey;
} catch {
return accountKey;
}
}
export function buildLegacyCommonEabAccountStorageWhere(caType: string, accessId: number) {
return {
userId: 0,
scope: "user",
namespace: "0",
key: `acme.config.${caType}.access.${accessId}`,
};
}
@Provide()
@Scope(ScopeEnum.Request, { allowDowngrade: true })
export class CommonEabToAcmeAccountFix {
@Inject()
pluginConfigService: PluginConfigService;
@Inject()
accessService: AccessService;
@Inject()
storageService: StorageService;
async init() {
try {
const certApplyConfig = await this.pluginConfigService.getPluginConfig({
name: "CertApply",
type: "builtIn",
});
const input = certApplyConfig.sysSetting.input || {};
let changed = false;
for (const item of COMMON_EAB_TO_ACME_ACCOUNT_FIELDS) {
if (input[item.acmeField]) {
continue;
}
const eabAccessId = input[item.eabField];
if (!eabAccessId) {
continue;
}
const acmeAccessId = await this.createCommonAcmeAccountFromEab(item.caType, eabAccessId);
if (acmeAccessId) {
input[item.acmeField] = acmeAccessId;
changed = true;
}
}
if (changed) {
await this.pluginConfigService.savePluginConfig({
name: "CertApply",
disabled: certApplyConfig.disabled,
sysSetting: {
...certApplyConfig.sysSetting,
input,
},
});
}
return true;
} catch (e: any) {
logger.error("公共EAB迁移为公共ACME账号失败", e);
return false;
}
}
async createCommonAcmeAccountFromEab(caType: string, eabAccessId: number) {
const eabAccess = await this.accessService.getAccessById(eabAccessId, false);
const privateKey = parseEabAccountKey(eabAccess.accountKey);
const accountConfig = await this.getLegacyCommonEabAccountConfig(caType, eabAccessId);
const accountUri = await this.resolveAccountUriByPrivateKey(caType, eabAccess, accountConfig?.accountUri || accountConfig?.accountUrl);
if (!privateKey || !accountUri) {
logger.info(`公共${caType} EAB缺少可迁移的accountKey或无法获取accountUri,跳过生成公共ACME账号`);
return null;
}
const email = eabAccess.email || `${caType}@common.certd.local`;
const exists = await this.accessService.findOne({
where: {
userId: 0,
projectId: null,
type: "acmeAccount",
subtype: caType,
name: `公共${caType} ACME账号`,
} as any,
});
if (exists) {
return exists.id;
}
const setting = buildAcmeAccountSetting({
caType,
email,
config: {
privateKey,
accountUri,
},
});
const { id } = await this.accessService.add({
userId: 0,
projectId: null,
type: "acmeAccount",
name: `公共${caType} ACME账号`,
setting: JSON.stringify(setting),
});
logger.info(`已根据公共${caType} EAB生成公共ACME账号,accessId=${id}`);
return id;
}
async resolveAccountUriByPrivateKey(caType: string, eabAccess: any, accountUri?: string | null) {
if (accountUri) {
return accountUri;
}
const privateKey = parseEabAccountKey(eabAccess.accountKey);
if (!privateKey || !eabAccess?.kid) {
return null;
}
const acmeService = new AcmeService({
userId: 0,
userContext: {
async getObj() {
return null;
},
async setObj() {},
} as any,
logger: logger as any,
sslProvider: caType as any,
eab: {
id: eabAccess.id || eabAccess.accessId || eabAccess.eabAccessId || 0,
kid: eabAccess.kid,
hmacKey: eabAccess.hmacKey,
accountKey: JSON.stringify({
kid: eabAccess.kid,
privateKey,
}),
} as any,
domainParser: {} as any,
privateKeyType: "rsa_2048",
});
const client = await acmeService.getAcmeClient(eabAccess.email || `${caType}@common.certd.local`);
return client.getAccountUrl() || null;
}
async getLegacyCommonEabAccountConfig(caType: string, accessId: number): Promise<LegacyAcmeAccountConfig | null> {
const repository = this.storageService.getRepository();
const record = await repository.findOne({
where: buildLegacyCommonEabAccountStorageWhere(caType, accessId),
});
return parseStorageValue(record?.value) as LegacyAcmeAccountConfig;
}
}
@@ -0,0 +1,48 @@
import assert from "assert";
import { buildAcmeAccountAccessName, buildAcmeAccountSetting, maskAcmeAccountEmail, parseLegacyAcmeStorageKey } from "./legacy-acme-account-access-fix.js";
describe("LegacyAcmeAccountAccessFix", () => {
it("parses legacy storage account key", () => {
assert.deepEqual(parseLegacyAcmeStorageKey("acme.config.letsencrypt.user@example.com"), {
caType: "letsencrypt",
email: "user@example.com",
});
});
it("skips EAB access cache keys", () => {
assert.equal(parseLegacyAcmeStorageKey("acme.config.google.access.12"), null);
});
it("builds acme account access setting from legacy config", () => {
const setting = buildAcmeAccountSetting({
caType: "letsencrypt",
email: "user@example.com",
config: {
key: "private-key",
accountUrl: "https://example.com/acct/1",
},
});
assert.equal(setting.caType, "letsencrypt");
const account = JSON.parse(setting.account);
assert.equal(account.accountKey, "private-key");
assert.equal(account.accountUri, "https://example.com/acct/1");
});
it("builds masked acme account access name", () => {
assert.equal(maskAcmeAccountEmail("xiaojunnuo@qq.com"), "xi*******qq.com");
assert.equal(buildAcmeAccountAccessName("zerossl", "xiaojunnuo@qq.com"), "zerossl-acme-xi*******qq.com");
});
it("skips incomplete legacy config", () => {
const setting = buildAcmeAccountSetting({
caType: "letsencrypt",
email: "user@example.com",
config: {
key: "private-key",
},
});
assert.equal(setting, null);
});
});
@@ -0,0 +1,131 @@
import { logger } from "@certd/basic";
import { AccessService } from "@certd/lib-server";
import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
import { Like } from "typeorm";
import { StorageService } from "../../pipeline/service/storage-service.js";
import { parseStorageValue } from "./google-common-eab-account-key-fix.js";
export type LegacyAcmeAccountConfig = {
key?: string;
privateKey?: string;
accountKey?: string;
accountUrl?: string;
accountUri?: string;
};
export function parseLegacyAcmeStorageKey(key: string) {
const match = /^acme\.config\.([^.]+)\.(.+)$/.exec(key);
if (!match) {
return null;
}
if (match[2].startsWith("access.")) {
return null;
}
return {
caType: match[1],
email: match[2],
};
}
export function buildAcmeAccountSetting(req: { caType: string; email: string; config: LegacyAcmeAccountConfig }) {
const accountKey = req.config.privateKey || req.config.key || req.config.accountKey;
const accountUri = req.config.accountUri || req.config.accountUrl;
if (!accountKey || !accountUri) {
return null;
}
return {
caType: req.caType,
email: req.email,
account: JSON.stringify({
accountKey,
accountUri,
caType: req.caType,
email: req.email,
directoryUrl: "",
migratedFrom: "legacy-storage",
}),
};
}
export function maskAcmeAccountEmail(email: string) {
if (!email) {
return "unknown";
}
const atIndex = email.indexOf("@");
if (atIndex < 0) {
return email.length <= 2 ? `${email[0] || ""}*******` : `${email.substring(0, 2)}*******`;
}
const name = email.substring(0, atIndex);
const domain = email.substring(atIndex + 1);
const prefix = name.substring(0, Math.min(2, name.length));
return `${prefix}*******${domain}`;
}
export function buildAcmeAccountAccessName(caType: string, email: string) {
return `${caType}-acme-${maskAcmeAccountEmail(email)}`;
}
@Provide()
@Scope(ScopeEnum.Request, { allowDowngrade: true })
export class LegacyAcmeAccountAccessFix {
@Inject()
storageService: StorageService;
@Inject()
accessService: AccessService;
async init() {
try {
const repository = this.storageService.getRepository();
const records = await repository.find({
where: {
scope: "user",
key: Like("acme.config.%"),
},
});
let count = 0;
for (const record of records) {
const parsedKey = parseLegacyAcmeStorageKey(record.key);
if (!parsedKey) {
continue;
}
const config = parseStorageValue(record.value) as LegacyAcmeAccountConfig;
const setting = buildAcmeAccountSetting({
...parsedKey,
config,
});
if (!setting) {
continue;
}
const name = buildAcmeAccountAccessName(parsedKey.caType, parsedKey.email);
const exists = await this.accessService.findOne({
where: {
userId: record.userId,
projectId: record.projectId,
type: "acmeAccount",
subtype: parsedKey.caType,
name,
} as any,
});
if (exists) {
continue;
}
await this.accessService.add({
userId: record.userId,
projectId: record.projectId,
type: "acmeAccount",
subtype: parsedKey.caType,
name,
setting: JSON.stringify(setting),
});
count++;
}
logger.info(`旧ACME账号迁移完成,生成${count}个ACME账号授权`);
return true;
} catch (e: any) {
logger.error("旧ACME账号迁移失败", e);
return false;
}
}
}