feat: 【破坏性更新】插件改为metadata加载模式，plugin-cert、plugin-lib包部分代码转移到certd-server中，影响自定义插件，需要修改相关import引用

ssh、aliyun、tencent、qiniu、oss等 access和client需要转移import
2026-04-21 10:27:25 +08:00 · 2025-12-31 17:01:37 +08:00
parent 9c26598831
commit a3fb24993d
312 changed files with 14321 additions and 597 deletions
@@ -0,0 +1,462 @@
+// @ts-ignore
+import * as acme from "@certd/acme-client";
+import { ClientExternalAccountBindingOptions, UrlMapping } from "@certd/acme-client";
+import * as _ from "lodash-es";
+import { Challenge } from "@certd/acme-client/types/rfc8555.js";
+import { IContext } from "@certd/pipeline";
+import { ILogger, utils } from "@certd/basic";
+import punycode from "punycode.js";
+import { IOssClient } from "../../../plugin-lib/index.js";
+import { IDnsProvider, IDomainParser } from "@certd/plugin-lib";
+export type CnameVerifyPlan = {
+  type?: string;
+  domain: string;
+  fullRecord: string;
+  dnsProvider: IDnsProvider;
+};
+
+export type HttpVerifyPlan = {
+  type: string;
+  domain: string;
+  httpUploader: IOssClient;
+};
+
+export type DomainVerifyPlan = {
+  domain: string;
+  mainDomain: string;
+  type: "cname" | "dns" | "http";
+  dnsProvider?: IDnsProvider;
+  cnameVerifyPlan?: CnameVerifyPlan;
+  httpVerifyPlan?: HttpVerifyPlan;
+};
+export type DomainsVerifyPlan = {
+  [key: string]: DomainVerifyPlan;
+};
+
+export type Providers = {
+  dnsProvider?: IDnsProvider;
+  domainsVerifyPlan?: DomainsVerifyPlan;
+};
+
+export type CertInfo = {
+  crt: string; //fullchain证书
+  key: string; //私钥
+  csr: string; //csr
+  oc?: string; //仅证书，非fullchain证书
+  ic?: string; //中间证书
+  pfx?: string;
+  der?: string;
+  jks?: string;
+  one?: string;
+  p7b?: string;
+};
+export type SSLProvider = "letsencrypt" | "google" | "zerossl" | "sslcom" | "letsencrypt_staging";
+export type PrivateKeyType = "rsa_1024" | "rsa_2048" | "rsa_3072" | "rsa_4096" | "ec_256" | "ec_384" | "ec_521";
+type AcmeServiceOptions = {
+  userContext: IContext;
+  logger: ILogger;
+  sslProvider: SSLProvider;
+  eab?: ClientExternalAccountBindingOptions;
+  skipLocalVerify?: boolean;
+  useMappingProxy?: boolean;
+  reverseProxy?: string;
+  privateKeyType?: PrivateKeyType;
+  signal?: AbortSignal;
+  maxCheckRetryCount?: number;
+  userId: number;
+  domainParser: IDomainParser;
+  waitDnsDiffuseTime?: number;
+};
+
+export class AcmeService {
+  options: AcmeServiceOptions;
+  userContext: IContext;
+  logger: ILogger;
+  sslProvider: SSLProvider;
+  skipLocalVerify = true;
+  eab?: ClientExternalAccountBindingOptions;
+  constructor(options: AcmeServiceOptions) {
+    this.options = options;
+    this.userContext = options.userContext;
+    this.logger = options.logger;
+    this.sslProvider = options.sslProvider || "letsencrypt";
+    this.eab = options.eab;
+    this.skipLocalVerify = options.skipLocalVerify ?? false;
+    // acme.setLogger((message: any, ...args: any[]) => {
+    //   this.logger.info(message, ...args);
+    // });
+  }
+
+  async getAccountConfig(email: string, urlMapping: UrlMapping): Promise<any> {
+    const conf = (await this.userContext.getObj(this.buildAccountKey(email))) || {};
+    if (urlMapping && urlMapping.mappings) {
+      for (const key in urlMapping.mappings) {
+        if (Object.prototype.hasOwnProperty.call(urlMapping.mappings, key)) {
+          const element = urlMapping.mappings[key];
+          if (conf.accountUrl?.indexOf(element) > -1) {
+            //如果用了代理url，要替换回去
+            conf.accountUrl = conf.accountUrl.replace(element, key);
+          }
+        }
+      }
+    }
+    return conf;
+  }
+
+  buildAccountKey(email: string) {
+    return `acme.config.${this.sslProvider}.${email}`;
+  }
+
+  async saveAccountConfig(email: string, conf: any) {
+    await this.userContext.setObj(this.buildAccountKey(email), conf);
+  }
+
+  async getAcmeClient(email: string): Promise<acme.Client> {
+    const mappings = {};
+    if (this.sslProvider === "letsencrypt") {
+      mappings["acme-v02.api.letsencrypt.org"] = this.options.reverseProxy || "le.px.certd.handfree.work";
+    } else if (this.sslProvider === "google") {
+      mappings["dv.acme-v02.api.pki.goog"] = this.options.reverseProxy || "gg.px.certd.handfree.work";
+    }
+    const urlMapping: UrlMapping = {
+      enabled: false,
+      mappings,
+    };
+    const conf = await this.getAccountConfig(email, urlMapping);
+    if (conf.key == null) {
+      conf.key = await this.createNewKey();
+      await this.saveAccountConfig(email, conf);
+      this.logger.info(`创建新的Accountkey:${email}`);
+    }
+    const directoryUrl = acme.getDirectoryUrl({ sslProvider: this.sslProvider, pkType: this.options.privateKeyType });
+    if (this.options.useMappingProxy) {
+      urlMapping.enabled = true;
+    } else {
+      //测试directory是否可以访问
+      const isOk = await this.testDirectory(directoryUrl);
+      if (!isOk) {
+        this.logger.info("测试访问失败，自动使用代理");
+        urlMapping.enabled = true;
+      }
+    }
+    const client = new acme.Client({
+      sslProvider: this.sslProvider,
+      directoryUrl: directoryUrl,
+      accountKey: conf.key,
+      accountUrl: conf.accountUrl,
+      externalAccountBinding: this.eab,
+      backoffAttempts: this.options.maxCheckRetryCount || 20,
+      backoffMin: 5000,
+      backoffMax: 10000,
+      urlMapping,
+      signal: this.options.signal,
+      logger: this.logger,
+    });
+
+    if (conf.accountUrl == null) {
+      const accountPayload = {
+        termsOfServiceAgreed: true,
+        contact: [`mailto:${email}`],
+        externalAccountBinding: this.eab,
+      };
+      await client.createAccount(accountPayload);
+      conf.accountUrl = client.getAccountUrl();
+      await this.saveAccountConfig(email, conf);
+    }
+    return client;
+  }
+
+  async createNewKey() {
+    const key = await acme.crypto.createPrivateKey(2048);
+    return key.toString();
+  }
+
+  async challengeCreateFn(authz: any, keyAuthorizationGetter: (challenge: Challenge) => Promise<string>, providers: Providers) {
+    this.logger.info("Triggered challengeCreateFn()");
+
+    const fullDomain = authz.identifier.value;
+    let domain = await this.options.domainParser.parse(fullDomain);
+    this.logger.info("主域名为：" + domain);
+
+    const getChallenge = (type: string) => {
+      return authz.challenges.find((c: any) => c.type === type);
+    };
+
+    const doHttpVerify = async (challenge: any, httpUploader: IOssClient) => {
+      const keyAuthorization = await keyAuthorizationGetter(challenge);
+      this.logger.info("http校验");
+      const filePath = `.well-known/acme-challenge/${challenge.token}`;
+      const fileContents = keyAuthorization;
+      this.logger.info(`校验 ${fullDomain} ，准备上传文件：${filePath}`);
+      await httpUploader.upload(filePath, Buffer.from(fileContents));
+      this.logger.info(`上传文件【${filePath}】成功`);
+      return {
+        challenge,
+        keyAuthorization,
+        httpUploader,
+      };
+    };
+
+    const doDnsVerify = async (challenge: any, fullRecord: string, dnsProvider: IDnsProvider) => {
+      this.logger.info("dns校验");
+      const keyAuthorization = await keyAuthorizationGetter(challenge);
+
+      const mainDomain = dnsProvider.usePunyCode() ? domain : punycode.toUnicode(domain);
+      fullRecord = dnsProvider.usePunyCode() ? fullRecord : punycode.toUnicode(fullRecord);
+      const recordValue = keyAuthorization;
+      let hostRecord = fullRecord.replace(`${mainDomain}`, "");
+      if (hostRecord.endsWith(".")) {
+        hostRecord = hostRecord.substring(0, hostRecord.length - 1);
+      }
+
+      const recordReq = {
+        domain: mainDomain,
+        fullRecord,
+        hostRecord,
+        type: "TXT",
+        value: recordValue,
+      };
+      this.logger.info("添加 TXT 解析记录", JSON.stringify(recordReq));
+      const recordRes = await dnsProvider.createRecord(recordReq);
+      this.logger.info("添加 TXT 解析记录成功", JSON.stringify(recordRes));
+      return {
+        recordReq,
+        recordRes,
+        dnsProvider,
+        challenge,
+        keyAuthorization,
+      };
+    };
+
+    let dnsProvider = providers.dnsProvider;
+    let fullRecord = `_acme-challenge.${fullDomain}`;
+
+    // const origDomain = punycode.toUnicode(domain);
+    const origFullDomain = punycode.toUnicode(fullDomain);
+
+    const isIp = utils.domain.isIp(origFullDomain);
+    function checkIpChallenge(type: string) {
+      if (isIp) {
+        throw new Error(`IP证书不支持${type}校验方式，请选择HTTP方式校验`);
+      }
+    }
+    if (providers.domainsVerifyPlan) {
+      //按照计划执行
+      const domainVerifyPlan = providers.domainsVerifyPlan[origFullDomain];
+      if (domainVerifyPlan) {
+        if (domainVerifyPlan.type === "dns") {
+          checkIpChallenge("dns");
+          dnsProvider = domainVerifyPlan.dnsProvider;
+        } else if (domainVerifyPlan.type === "cname") {
+          checkIpChallenge("cname");
+          const cname: CnameVerifyPlan = domainVerifyPlan.cnameVerifyPlan;
+          if (cname) {
+            dnsProvider = cname.dnsProvider;
+            domain = await this.options.domainParser.parse(cname.domain);
+            fullRecord = cname.fullRecord;
+          } else {
+            this.logger.error(`未找到域名${fullDomain}的CNAME校验计划，请修改证书申请配置`);
+          }
+          if (dnsProvider == null) {
+            throw new Error(`未找到域名${fullDomain}CNAME校验计划的DnsProvider，请修改证书申请配置`);
+          }
+        } else if (domainVerifyPlan.type === "http") {
+          const plan: HttpVerifyPlan = domainVerifyPlan.httpVerifyPlan;
+          if (plan) {
+            const httpChallenge = getChallenge("http-01");
+            if (httpChallenge == null) {
+              throw new Error("该域名不支持http-01方式校验");
+            }
+            return await doHttpVerify(httpChallenge, plan.httpUploader);
+          } else {
+            throw new Error("未找到域名【" + fullDomain + "】的http校验配置");
+          }
+        } else {
+          throw new Error("不支持的校验类型", domainVerifyPlan.type);
+        }
+      } else {
+        this.logger.warn(`未找到域名${fullDomain}的校验计划，使用默认的dnsProvider`);
+      }
+    }
+    if (!dnsProvider) {
+      throw new Error(`域名${fullDomain}没有匹配到任何校验方式，证书申请失败`);
+    }
+
+    const dnsChallenge = getChallenge("dns-01");
+    checkIpChallenge("dns");
+    return await doDnsVerify(dnsChallenge, fullRecord, dnsProvider);
+  }
+
+  /**
+   * Function used to remove an ACME challenge response
+   *
+   * @param {object} authz Authorization object
+   * @param {object} challenge Selected challenge
+   * @param {string} keyAuthorization Authorization key
+   * @param recordReq
+   * @param recordRes
+   * @param dnsProvider dnsProvider
+   * @param httpUploader
+   * @returns {Promise}
+   */
+
+  async challengeRemoveFn(authz: any, challenge: any, keyAuthorization: string, recordReq: any, recordRes: any, dnsProvider?: IDnsProvider, httpUploader?: IOssClient) {
+    this.logger.info("执行清理");
+
+    /* http-01 */
+    const fullDomain = authz.identifier.value;
+    if (challenge.type === "http-01") {
+      const filePath = `.well-known/acme-challenge/${challenge.token}`;
+      this.logger.info(`Removing challenge response for ${fullDomain} at file: ${filePath}`);
+      await httpUploader.remove(filePath);
+      this.logger.info(`删除文件【${filePath}】成功`);
+    } else if (challenge.type === "dns-01") {
+      this.logger.info(`删除 TXT 解析记录:${JSON.stringify(recordReq)} ,recordRes = ${JSON.stringify(recordRes)}`);
+      try {
+        await dnsProvider.removeRecord({
+          recordReq,
+          recordRes,
+        });
+        this.logger.info("删除解析记录成功");
+      } catch (e) {
+        this.logger.error("删除解析记录出错：", e);
+        throw e;
+      }
+    }
+  }
+
+  async order(options: {
+    email: string;
+    domains: string | string[];
+    dnsProvider?: any;
+    domainsVerifyPlan?: DomainsVerifyPlan;
+    httpUploader?: any;
+    csrInfo: any;
+    privateKeyType?: string;
+    profile?: string;
+    preferredChain?: string;
+  }): Promise<CertInfo> {
+    const { email, csrInfo, dnsProvider, domainsVerifyPlan, profile, preferredChain } = options;
+    const client: acme.Client = await this.getAcmeClient(email);
+
+    let domains = options.domains;
+    const encodingDomains = [];
+    for (const domain of domains) {
+      encodingDomains.push(punycode.toASCII(domain));
+    }
+    domains = encodingDomains;
+
+    /* Create CSR */
+    const { altNames } = this.buildCommonNameByDomains(domains);
+    let privateKey = null;
+    const privateKeyType = options.privateKeyType || "rsa_2048";
+    const privateKeyArr = privateKeyType.split("_");
+    const type = privateKeyArr[0];
+    let size = 2048;
+    if (privateKeyArr.length > 1) {
+      size = parseInt(privateKeyArr[1]);
+    }
+
+    let encodingType = "pkcs8";
+    if (privateKeyArr.length > 2) {
+      encodingType = privateKeyArr[2];
+    }
+
+    if (type == "ec") {
+      const name: any = "P-" + size;
+      privateKey = await acme.crypto.createPrivateEcdsaKey(name, encodingType);
+    } else {
+      privateKey = await acme.crypto.createPrivateRsaKey(size, encodingType);
+    }
+
+    let createCsr: any = acme.crypto.createCsr;
+    if (encodingType === "pkcs1") {
+      //兼容老版本
+      createCsr = acme.forge.createCsr;
+    }
+    const csrData: any = {
+      // commonName,
+      ...csrInfo,
+      altNames,
+      // emailAddress: email,
+    };
+    const [key, csr] = await createCsr(csrData, privateKey);
+
+    if (dnsProvider == null && domainsVerifyPlan == null) {
+      throw new Error("dnsProvider 、 domainsVerifyPlan不能都为空");
+    }
+
+    const providers: Providers = {
+      dnsProvider,
+      domainsVerifyPlan,
+    };
+    /* 自动申请证书 */
+    const crt = await client.auto({
+      csr,
+      email: email,
+      termsOfServiceAgreed: true,
+      skipChallengeVerification: this.skipLocalVerify,
+      challengePriority: ["dns-01", "http-01"],
+      challengeCreateFn: async (
+        authz: acme.Authorization,
+        keyAuthorizationGetter: (challenge: Challenge) => Promise<string>
+      ): Promise<{ recordReq?: any; recordRes?: any; dnsProvider?: any; challenge: Challenge; keyAuthorization: string }> => {
+        return await this.challengeCreateFn(authz, keyAuthorizationGetter, providers);
+      },
+      challengeRemoveFn: async (authz: acme.Authorization, challenge: Challenge, keyAuthorization: string, recordReq: any, recordRes: any, dnsProvider: IDnsProvider, httpUploader: IOssClient): Promise<any> => {
+        return await this.challengeRemoveFn(authz, challenge, keyAuthorization, recordReq, recordRes, dnsProvider, httpUploader);
+      },
+      signal: this.options.signal,
+      profile,
+      preferredChain,
+    });
+
+    const crtString = crt.toString();
+    const cert: CertInfo = {
+      crt: crtString,
+      key: key.toString(),
+      csr: csr.toString(),
+    };
+    /* Done */
+    this.logger.debug(`CSR:\n${cert.csr}`);
+    this.logger.debug(`Certificate:\n${cert.crt}`);
+    this.logger.info("证书申请成功");
+    return cert;
+  }
+
+  buildCommonNameByDomains(domains: string | string[]): {
+    commonName?: string;
+    altNames: string[] | undefined;
+  } {
+    if (typeof domains === "string") {
+      domains = domains.split(",");
+    }
+    if (domains.length === 0) {
+      throw new Error("domain can not be empty");
+    }
+    // const commonName = domains[0];
+    // let altNames: undefined | string[] = undefined;
+    // if (domains.length > 1) {
+    //   altNames = _.slice(domains, 1);
+    // }
+    return {
+      // commonName,
+      altNames: domains,
+    };
+  }
+
+  private async testDirectory(directoryUrl: string) {
+    try {
+      await utils.http.request({
+        url: directoryUrl,
+        method: "GET",
+        timeout: 10000,
+      });
+    } catch (e) {
+      this.logger.error(`${directoryUrl}，测试访问失败`, e.message);
+      return false;
+    }
+    this.logger.info(`${directoryUrl}，测试访问成功`);
+    return true;
+  }
+}
@@ -0,0 +1,211 @@
+import { AbstractTaskPlugin, FileItem, IContext, Step, TaskInput, TaskOutput } from "@certd/pipeline";
+import dayjs from "dayjs";
+import type { CertInfo } from "./acme.js";
+import { CertReader,CertConverter, EVENT_CERT_APPLY_SUCCESS } from "@certd/plugin-lib";
+import JSZip from "jszip";
+
+
+export abstract class CertApplyBaseConvertPlugin extends AbstractTaskPlugin {
+  @TaskInput({
+    title: "证书域名",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      mode: "tags",
+      open: false,
+      placeholder: "foo.com / *.foo.com / *.bar.com",
+      tokenSeparators: [",", " ", "，", "、", "|"],
+    },
+    rules: [{ type: "domains" }],
+    required: true,
+    col: {
+      span: 24,
+    },
+    order: -999,
+    helper:
+      "1、支持多个域名打到一个证书上，例如： foo.com，*.foo.com，*.bar.com\n" +
+      "2、子域名被通配符包含的不要填写，例如：www.foo.com已经被*.foo.com包含，不要填写www.foo.com\n" +
+      "3、泛域名只能通配*号那一级（*.foo.com的证书不能用于xxx.yyy.foo.com、不能用于foo.com）\n" +
+      "4、输入一个，空格之后，再输入下一个 \n" +
+      "5、如果设置了子域托管解析（比如免费的二级域名托管在CF或者阿里云），请先[设置托管子域名](#/certd/pipeline/subDomain)",
+  })
+  domains!: string[];
+
+  @TaskInput({
+    title: "证书加密密码",
+    component: {
+      name: "input-password",
+      vModel: "value",
+    },
+    required: false,
+    order: 100,
+    helper: "转换成PFX、jks格式证书是否需要加密\njks必须设置密码，不传则默认123456\npfx不传则为空密码",
+  })
+  pfxPassword!: string;
+
+  @TaskInput({
+    title: "PFX证书转换参数",
+    value: "-macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES",
+    component: {
+      name: "a-auto-complete",
+      vModel: "value",
+      options: [
+        { value: "", label: "兼容 Windows Server 最新" },
+        { value: "-macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES", label: "兼容 Windows Server 2016" },
+        { value: "-nomac -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES", label: "兼容 Windows Server 2008" },
+      ],
+    },
+    required: false,
+    order: 100,
+    helper: "兼容Windows Server各个版本",
+  })
+  pfxArgs = "-macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES";
+
+  userContext!: IContext;
+  lastStatus!: Step;
+
+  @TaskOutput({
+    title: "域名证书",
+    type: "cert",
+  })
+  cert?: CertInfo;
+
+  @TaskOutput({
+    title: "域名证书压缩文件",
+    type: "certZip",
+  })
+  certZip?: FileItem;
+
+  async onInstance() {
+    this.userContext = this.ctx.userContext;
+    this.lastStatus = this.ctx.lastStatus as Step;
+    await this.onInit();
+  }
+
+  abstract onInit(): Promise<void>;
+
+  //必须output之后执行
+  async emitCertApplySuccess() {
+    const emitter = this.ctx.emitter;
+    const value = {
+      cert: this.cert,
+      file: this._result.files[0].path,
+    };
+    await emitter.emit(EVENT_CERT_APPLY_SUCCESS, value);
+  }
+
+  async output(certReader: CertReader, isNew: boolean) {
+    const cert: CertInfo = certReader.toCertInfo();
+    this.cert = cert;
+
+    this._result.pipelineVars.certEffectiveTime = dayjs(certReader.detail.notBefore).valueOf();
+    this._result.pipelineVars.certExpiresTime = dayjs(certReader.detail.notAfter).valueOf();
+    if (!this._result.pipelinePrivateVars) {
+      this._result.pipelinePrivateVars = {};
+    }
+    this._result.pipelinePrivateVars.cert = cert;
+
+    if (isNew) {
+      try {
+        const converter = new CertConverter({ logger: this.logger });
+        const res = await converter.convert({
+          cert,
+          pfxPassword: this.pfxPassword,
+          pfxArgs: this.pfxArgs,
+        });
+        if (cert.pfx == null && res.pfx) {
+          cert.pfx = res.pfx;
+        }
+
+        if (cert.der == null && res.der) {
+          cert.der = res.der;
+        }
+
+        if (cert.jks == null && res.jks) {
+          cert.jks = res.jks;
+        }
+
+        if (cert.p7b == null && res.p7b) {
+          cert.p7b = res.p7b;
+        }
+
+        this.logger.info("转换证书格式成功");
+      } catch (e) {
+        this.logger.error("转换证书格式失败", e);
+      }
+    }
+
+    if (isNew) {
+      const zipFileName = certReader.buildCertFileName("zip", certReader.detail.notBefore);
+      await this.zipCert(cert, zipFileName);
+    } else {
+      this.extendsFiles();
+    }
+    this.certZip = this._result.files[0];
+  }
+
+  async zipCert(cert: CertInfo, filename: string) {
+    const zip = new JSZip();
+    zip.file("证书.pem", cert.crt);
+    zip.file("私钥.pem", cert.key);
+    zip.file("中间证书.pem", cert.ic);
+    zip.file("cert.crt", cert.crt);
+    zip.file("cert.key", cert.key);
+    zip.file("intermediate.crt", cert.ic);
+    zip.file("origin.crt", cert.oc);
+    zip.file("one.pem", cert.one);
+    zip.file("cert.p7b", cert.p7b);
+    if (cert.pfx) {
+      zip.file("cert.pfx", Buffer.from(cert.pfx, "base64"));
+    }
+    if (cert.der) {
+      zip.file("cert.der", Buffer.from(cert.der, "base64"));
+    }
+    if (cert.jks) {
+      zip.file("cert.jks", Buffer.from(cert.jks, "base64"));
+    }
+
+    zip.file(
+      "说明.txt",
+      `证书文件说明
+cert.crt：证书文件，包含证书链，pem格式
+cert.key：私钥文件，pem格式
+intermediate.crt：中间证书文件，pem格式
+origin.crt：原始证书文件，不含证书链，pem格式
+one.pem： 证书和私钥简单合并成一个文件，pem格式，crt正文+key正文
+cert.pfx：pfx格式证书文件，iis服务器使用
+cert.der：der格式证书文件
+cert.jks：jks格式证书文件，java服务器使用
+    `
+    );
+
+    const content = await zip.generateAsync({ type: "nodebuffer" });
+    this.saveFile(filename, content);
+    this.logger.info(`已保存文件:${filename}`);
+  }
+
+  formatCert(pem: string) {
+    pem = pem.replace(/\r/g, "");
+    pem = pem.replace(/\n\n/g, "\n");
+    pem = pem.replace(/\n$/g, "");
+    return pem;
+  }
+
+  formatCerts(cert: { crt: string; key: string; csr: string }) {
+    const newCert: CertInfo = {
+      crt: this.formatCert(cert.crt),
+      key: this.formatCert(cert.key),
+      csr: this.formatCert(cert.csr),
+    };
+    return newCert;
+  }
+
+  async readLastCert(): Promise<CertReader | undefined> {
+    const cert = this.lastStatus?.status?.output?.cert;
+    if (cert == null) {
+      this.logger.info("没有找到上次的证书");
+      return undefined;
+    }
+    return new CertReader(cert);
+  }
+}
@@ -0,0 +1,171 @@
+import { NotificationBody, Step, TaskInput } from "@certd/pipeline";
+import dayjs from "dayjs";
+import { CertReader } from "@certd/plugin-lib";
+import { pick } from "lodash-es";
+import { CertApplyBaseConvertPlugin } from "./base-convert.js";
+
+export abstract class CertApplyBasePlugin extends CertApplyBaseConvertPlugin {
+  @TaskInput({
+    title: "邮箱",
+    component: {
+      name: "email-selector",
+      vModel: "value",
+    },
+    rules: [{ type: "email", message: "请输入正确的邮箱" }],
+    required: true,
+    order: -1,
+    helper: "请输入邮箱",
+  })
+  email!: string;
+
+  @TaskInput({
+    title: "更新天数",
+    value: 18,
+    component: {
+      name: "a-input-number",
+      vModel: "value",
+    },
+    required: true,
+    order: 100,
+    helper: "到期前多少天后更新证书，注意：流水线默认不会自动运行，请设置定时器，每天定时运行本流水线",
+  })
+  renewDays!: number;
+
+  @TaskInput({
+    title: "证书申请成功通知",
+    value: false,
+    component: {
+      name: "a-switch",
+      vModel: "checked",
+    },
+    order: 100,
+    helper: "证书申请成功后是否发送通知，优先使用默认通知渠道",
+  })
+  successNotify = false;
+
+  // @TaskInput({
+  //   title: "CsrInfo",
+  //   helper: "暂时没有用",
+  // })
+  csrInfo!: string;
+
+  async onInstance() {
+    this.userContext = this.ctx.userContext;
+    this.lastStatus = this.ctx.lastStatus as Step;
+    await this.onInit();
+  }
+
+  abstract onInit(): Promise<void>;
+
+  abstract doCertApply(): Promise<CertReader>;
+
+  async execute(): Promise<string | void> {
+    const oldCert = await this.condition();
+    if (oldCert != null) {
+      await this.output(oldCert, false);
+      return "skip";
+    }
+    const cert = await this.doCertApply();
+    if (cert != null) {
+      await this.output(cert, true);
+
+      await this.emitCertApplySuccess();
+      //清空后续任务的状态，让后续任务能够重新执行
+      this.clearLastStatus();
+
+      if (this.successNotify) {
+        await this.sendSuccessNotify();
+      }
+    } else {
+      throw new Error("申请证书失败");
+    }
+  }
+
+  getCheckChangeInputKeys() {
+    //插件哪些字段参与校验是否需要更新
+    return ["domains", "sslProvider", "privateKeyType", "dnsProviderType", "pfxPassword"];
+  }
+  /**
+   * 是否更新证书
+   */
+  async condition() {
+    // if (this.forceUpdate) {
+    //   this.logger.info("强制更新证书选项已勾选，准备申请新证书");
+    //   this.logger.warn("申请完之后，切记取消强制更新，避免申请过多证书。");
+    //   return null;
+    // }
+
+    const checkInputChanges = this.getCheckChangeInputKeys();
+    const oldInput = JSON.stringify(pick(this.lastStatus?.input, checkInputChanges));
+    const thisInput = JSON.stringify(pick(this, checkInputChanges));
+    const inputChanged = oldInput !== thisInput;
+
+    this.logger.info(`旧参数：${oldInput}`);
+    this.logger.info(`新参数：${thisInput}`);
+    if (inputChanged) {
+      this.logger.info("输入参数变更，准备申请新证书");
+      return null;
+    } else {
+      this.logger.info("输入参数未变更，检查证书是否过期");
+    }
+
+    let oldCert: CertReader | undefined = undefined;
+    try {
+      this.logger.info("读取上次证书");
+      oldCert = await this.readLastCert();
+    } catch (e) {
+      this.logger.warn("读取cert失败：", e);
+    }
+    if (oldCert == null) {
+      this.logger.info("还未申请过，准备申请新证书");
+      return null;
+    }
+
+    const ret = this.isWillExpire(oldCert.expires, this.renewDays);
+    if (!ret.isWillExpire) {
+      this.logger.info(`证书还未过期：过期时间${dayjs(oldCert.expires).format("YYYY-MM-DD HH:mm:ss")},剩余${ret.leftDays}天`);
+      return oldCert;
+    }
+    this.logger.info("即将过期，开始更新证书");
+    return null;
+  }
+
+  /**
+   * 检查是否过期，默认提前35天
+   * @param expires
+   * @param maxDays
+   */
+  isWillExpire(expires: number, maxDays = 20) {
+    if (expires == null) {
+      throw new Error("过期时间不能为空");
+    }
+    // 检查有效期
+    const leftDays = Math.floor((expires - dayjs().valueOf()) / (1000 * 60 * 60 * 24));
+    this.logger.info(`证书剩余天数：${leftDays}`);
+    return {
+      isWillExpire: leftDays <= maxDays,
+      leftDays,
+    };
+  }
+  async sendSuccessNotify() {
+    this.logger.info("发送证书申请成功通知");
+    const url = await this.ctx.urlService.getPipelineDetailUrl(this.pipeline.id, this.ctx.runtime.id);
+    const body: NotificationBody = {
+      title: `证书申请成功【${this.pipeline.title}】`,
+      content: `域名：${this.domains.join(",")}`,
+      url: url,
+      notificationType: "certApplySuccess",
+    };
+    try {
+      await this.ctx.notificationService.send({
+        useDefault: true,
+        useEmail: true,
+        emailAddress: this.email,
+        logger: this.logger,
+        body,
+      });
+    } catch (e) {
+      this.logger.error("证书申请成功通知发送失败", e);
+    }
+  }
+}
@@ -0,0 +1,193 @@
+import { IsTaskPlugin, pluginGroups, RunStrategy, Step, TaskInput, TaskOutput } from "@certd/pipeline";
+import type { CertInfo } from "../acme.js";
+import { CertReader } from "@certd/plugin-lib";
+import { CertApplyBaseConvertPlugin } from "../base-convert.js";
+import dayjs from "dayjs";
+
+export { CertReader };
+export type { CertInfo };
+
+@IsTaskPlugin({
+  name: "CertApplyUpload",
+  icon: "ph:certificate",
+  title: "商用证书托管",
+  group: pluginGroups.cert.key,
+  desc: "手动上传自定义证书后，自动部署（每次证书有更新，都需要手动上传一次）",
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+  shortcut: {
+    certUpdate: {
+      title: "更新证书",
+      icon: "ion:upload",
+      action: "onCertUpdate",
+      form: {
+        columns: {
+          crt: {
+            title: "证书",
+            type: "text",
+            form: {
+              component: {
+                name: "pem-input",
+                vModel: "modelValue",
+                textarea: {
+                  rows: 4,
+                  placeholder: "-----BEGIN CERTIFICATE-----\n...\n...\n-----END CERTIFICATE-----",
+                },
+              },
+              rules: [{ required: true, message: "此项必填" }],
+              col: { span: 24 },
+            },
+          },
+          key: {
+            title: "私钥",
+            type: "text",
+            form: {
+              component: {
+                name: "pem-input",
+                vModel: "modelValue",
+                textarea: {
+                  rows: 4,
+                  placeholder: "-----BEGIN PRIVATE KEY-----\n...\n...\n-----END PRIVATE KEY----- ",
+                },
+              },
+              rules: [{ required: true, message: "此项必填" }],
+              col: { span: 24 },
+            },
+          },
+        },
+      },
+    },
+  },
+})
+export class CertApplyUploadPlugin extends CertApplyBaseConvertPlugin {
+  @TaskInput({
+    title: "过期前提醒",
+    value: 10,
+    component: {
+      name: "a-input-number",
+      vModel: "value",
+    },
+    required: true,
+    order: 100,
+    helper: "到期前多少天提醒",
+  })
+  renewDays!: number;
+
+  @TaskInput({
+    title: "手动上传证书",
+    component: {
+      name: "cert-info-updater",
+      vModel: "modelValue",
+    },
+    helper: "手动上传证书",
+    order: -9999,
+    required: true,
+    mergeScript: `
+    return {
+      component:{
+        on:{
+          updated(scope){
+            scope.form.input.domains = scope.$event?.domains
+          }
+        }
+      }
+    }
+    `,
+  })
+  uploadCert!: CertInfo;
+
+  @TaskOutput({
+    title: "证书MD5",
+    type: "certMd5",
+  })
+  certMd5?: string;
+
+  async onInstance() {
+    this.accessService = this.ctx.accessService;
+    this.logger = this.ctx.logger;
+    this.userContext = this.ctx.userContext;
+    this.lastStatus = this.ctx.lastStatus as Step;
+  }
+
+  async onInit(): Promise<void> {}
+
+  async getCertFromStore() {
+    let certReader = null;
+    try {
+      this.logger.info("读取上次证书");
+      certReader = await this.readLastCert();
+    } catch (e) {
+      this.logger.warn("读取cert失败：", e);
+    }
+    return certReader;
+  }
+
+  private checkExpires(certReader: CertReader) {
+    const renewDays = (this.renewDays ?? 10) * 24 * 60 * 60 * 1000;
+    if (certReader.expires) {
+      if (certReader.expires < new Date().getTime()) {
+        throw new Error("证书已过期，停止部署，请尽快上传新证书");
+      }
+      if (certReader.expires < new Date().getTime() + renewDays) {
+        throw new Error("证书即将已过期，停止部署，请尽快上传新证书");
+      }
+    }
+  }
+
+  async execute(): Promise<string | void> {
+    const oldCertReader = await this.getCertFromStore();
+    if (oldCertReader) {
+      const leftDays = dayjs(oldCertReader.expires).diff(dayjs(), "day");
+      this.logger.info(`证书过期时间${dayjs(oldCertReader.expires).format("YYYY-MM-DD HH:mm:ss")},剩余${leftDays}天`);
+      this.checkExpires(oldCertReader);
+      if (!this.ctx.inputChanged) {
+        this.logger.info("输入参数无变化");
+        const lastCrtMd5 = this.lastStatus?.status?.output?.certMd5;
+        const newCrtMd5 = this.ctx.utils.hash.md5(this.uploadCert.crt);
+        this.logger.info("证书MD5", newCrtMd5);
+        this.logger.info("上次证书MD5", lastCrtMd5);
+        if (lastCrtMd5 === newCrtMd5) {
+          this.logger.info("证书无变化，跳过");
+          //输出证书MD5
+          this.certMd5 = newCrtMd5;
+          await this.output(oldCertReader, false);
+          return "skip";
+        }
+        this.logger.info("证书有变化，重新部署");
+      } else {
+        this.logger.info("输入参数有变化，重新部署");
+      }
+    }
+
+    const newCertReader = new CertReader(this.uploadCert);
+    this.clearLastStatus();
+    //输出证书MD5
+    this.certMd5 = this.ctx.utils.hash.md5(newCertReader.cert.crt);
+    const newLeftDays = dayjs(newCertReader.expires).diff(dayjs(), "day");
+    this.logger.info(`新证书过期时间${dayjs(newCertReader.expires).format("YYYY-MM-DD HH:mm:ss")},剩余${newLeftDays}天`);
+    this.checkExpires(newCertReader);
+    await this.output(newCertReader, true);
+
+    //必须output之后执行
+    await this.emitCertApplySuccess();
+    return;
+  }
+
+  async onCertUpdate(data: any) {
+    const certReader = new CertReader(data);
+    return {
+      input: {
+        uploadCert: {
+          crt: data.crt,
+          key: data.key,
+        },
+        domains: certReader.getAllDomains(),
+      },
+    };
+  }
+}
+
+new CertApplyUploadPlugin();
@@ -0,0 +1,165 @@
+import { IsTaskPlugin, PageSearch, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
+import { AliyunAccess } from "../../../../plugin-lib/aliyun/access/index.js";
+import type { CertInfo } from "../acme.js";
+import { CertApplyBasePlugin } from "../base.js";
+import { CertReader, createRemoteSelectInputDefine } from "@certd/plugin-lib";
+import dayjs from "dayjs";
+
+export { CertReader };
+export type { CertInfo };
+
+@IsTaskPlugin({
+  name: "CertApplyGetFormAliyun",
+  icon: "ph:certificate",
+  title: "获取阿里云订阅证书",
+  group: pluginGroups.cert.key,
+  desc: "从阿里云拉取订阅模式的商用证书",
+  default: {
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+})
+export class CertApplyGetFormAliyunPlugin extends CertApplyBasePlugin {
+  @TaskInput({
+    title: "Access授权",
+    helper: "阿里云授权AccessKeyId、AccessKeySecret",
+    component: {
+      name: "access-selector",
+      type: "aliyun",
+    },
+    required: true,
+  })
+  accessId!: string;
+
+  @TaskInput(
+    createRemoteSelectInputDefine({
+      title: "证书订单ID",
+      helper: "订阅模式的证书订单Id",
+      typeName: "CertApplyGetFormAliyun",
+      component: {
+        name: "RemoteAutoComplete",
+        vModel: "value",
+      },
+      action: CertApplyGetFormAliyunPlugin.prototype.onGetOrderList.name,
+    })
+  )
+  orderId!: string;
+
+  async onInit(): Promise<void> {}
+
+  async doCertApply(): Promise<CertReader> {
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+    const client = await access.getClient("cas.aliyuncs.com");
+    this.logger.info(`开始获取证书,orderId:${this.orderId}`);
+    let orderId: any = this.orderId;
+    if (!orderId) {
+      throw new Error("请先输入证书订单ID");
+    }
+    if (typeof orderId !== "string") {
+      orderId = parseInt(orderId);
+    }
+    const certState = await this.getCertificateState(client, orderId);
+    this.logger.info(`获取到证书Id:${JSON.stringify(certState.CertId)}`);
+    const certDetail = await this.getCertDetail(client, certState.CertId);
+    this.logger.info(`获取到证书:${certDetail.getAllDomains()}, 过期时间：${dayjs(certDetail.expires).format("YYYY-MM-DD HH:mm:ss")}`);
+    return certDetail;
+  }
+
+  async getCertDetail(client: any, certId: any) {
+    const res = await client.doRequest({
+      // 接口名称
+      // 接口名称
+      action: "GetUserCertificateDetail",
+      // 接口版本
+      version: "2020-04-07",
+      // 接口协议
+      protocol: "HTTPS",
+      // 接口 HTTP 方法
+      method: "POST",
+      authType: "AK",
+      style: "RPC",
+      // 接口 PATH
+      pathname: `/`,
+      data: {
+        query: {
+          CertId: certId,
+        },
+      },
+    });
+
+    const crt = res.Cert;
+    const key = res.Key;
+
+    return new CertReader({
+      crt,
+      key,
+      csr: "",
+    });
+  }
+
+  async getCertificateState(client: any, orderId: any): Promise<{ CertId: string; Type: string; Domain: string }> {
+    const res = await client.doRequest({
+      // 接口名称
+      action: "DescribeCertificateState",
+      // 接口版本
+      version: "2020-04-07",
+      // 接口协议
+      protocol: "HTTPS",
+      // 接口 HTTP 方法
+      method: "POST",
+      authType: "AK",
+      style: "RPC",
+      // 接口 PATH
+      pathname: `/`,
+      data: {
+        query: {
+          OrderId: orderId,
+        },
+      },
+    });
+
+    return res;
+  }
+
+  async onGetOrderList(req: PageSearch) {
+    if (!this.accessId) {
+      throw new Error("请先选择Access授权");
+    }
+    const access = await this.getAccess<AliyunAccess>(this.accessId);
+
+    const client = await access.getClient("cas.aliyuncs.com");
+
+    const res = await client.doRequest({
+      // 接口名称
+      action: "ListUserCertificateOrder",
+      // 接口版本
+      version: "2020-04-07",
+      method: "POST",
+      authType: "AK",
+      style: "RPC",
+      // 接口 PATH
+      pathname: `/`,
+      data: {
+        query: {
+          Status: "ISSUED",
+        },
+      },
+    });
+    const list = res?.CertificateOrderList || [];
+    if (!list || list.length === 0) {
+      throw new Error("没有找到已签发的证书订单");
+    }
+
+    return list.map((item: any) => {
+      const label = `${item.Domain}<${item.OrderId}>`;
+      return {
+        label: label,
+        value: item.OrderId,
+        Domain: item.Domain,
+      };
+    });
+  }
+}
+
+new CertApplyGetFormAliyunPlugin();
@@ -0,0 +1,668 @@
+import { CancelError, IsTaskPlugin, pluginGroups, RunStrategy, TaskInput } from "@certd/pipeline";
+import { utils } from "@certd/basic";
+
+import { AcmeService, DomainsVerifyPlan, DomainVerifyPlan, PrivateKeyType, SSLProvider } from "./acme.js";
+import * as _ from "lodash-es";
+import { createDnsProvider, DnsProviderContext, DnsVerifier, DomainVerifiers, HttpVerifier, IDnsProvider, IDomainVerifierGetter, ISubDomainsGetter } from "@certd/plugin-lib";
+import { CertReader } from "@certd/plugin-lib";
+import { CertApplyBasePlugin } from "./base.js";
+import { GoogleClient } from "../../libs/google.js";
+import { EabAccess } from "../../access/index.js";
+import { DomainParser } from "@certd/plugin-lib";
+import { ossClientFactory } from "../../../plugin-lib/oss/factory.js";
+
+export * from "./base.js";
+export type CnameRecordInput = {
+  id: number;
+  status: string;
+};
+
+export type HttpRecordInput = {
+  domain: string;
+  httpUploaderType: string;
+  httpUploaderAccess: number;
+  httpUploadRootDir: string;
+};
+export type DomainVerifyPlanInput = {
+  domain: string;
+  type: "cname" | "dns" | "http";
+  dnsProviderType?: string;
+  dnsProviderAccessType?: string;
+  dnsProviderAccessId?: number;
+  cnameVerifyPlan?: Record<string, CnameRecordInput>;
+  httpVerifyPlan?: Record<string, HttpRecordInput>;
+};
+export type DomainsVerifyPlanInput = {
+  [key: string]: DomainVerifyPlanInput;
+};
+
+const preferredChainConfigs = {
+  letsencrypt: {
+    helper: "如无特殊需求保持默认即可",
+    options: [
+      { value: "ISRG Root X1", label: "ISRG Root X1" },
+      { value: "ISRG Root X2", label: "ISRG Root X2" },
+    ],
+  },
+  google: {
+    helper: "GlobalSign 提供对老旧设备更好的兼容性，但证书链会变长",
+    options: [
+      { value: "GTS Root R1", label: "GTS Root R1" },
+      { value: "GlobalSign", label: "GlobalSign" },
+    ],
+  },
+} as const;
+
+const preferredChainSupportedProviders = Object.keys(preferredChainConfigs);
+
+const preferredChainMergeScript = (() => {
+  const configs = JSON.stringify(preferredChainConfigs);
+  const supportedProviders = JSON.stringify(preferredChainSupportedProviders);
+  const defaultProvider = JSON.stringify(preferredChainSupportedProviders[0]);
+  return `
+    const chainConfigs = ${configs};
+    const supportedProviders = ${supportedProviders};
+    const defaultProvider = ${defaultProvider};
+    const getConfig = (provider)=> chainConfigs[provider] || chainConfigs[defaultProvider];
+    return {
+        show: ctx.compute(({form})=> supportedProviders.includes(form.sslProvider)),
+        component: {
+            options: ctx.compute(({form})=> getConfig(form.sslProvider).options)
+        },
+        helper: ctx.compute(({form})=> getConfig(form.sslProvider).helper),
+        value: ctx.compute(({form})=>{
+            const { options } = getConfig(form.sslProvider);
+            const allowed = options.map(item=>item.value);
+            const current = form.preferredChain;
+            if(allowed.includes(current)){
+                return current;
+            }
+            return allowed[0];
+        })
+    };
+  `;
+})();
+
+@IsTaskPlugin({
+  name: "CertApply",
+  title: "证书申请（JS版）",
+  icon: "ph:certificate",
+  group: pluginGroups.cert.key,
+  desc: "免费通配符域名证书申请，支持多个域名打到同一个证书上",
+  default: {
+    input: {
+      renewDays: 18,
+      forceUpdate: false,
+    },
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+})
+export class CertApplyPlugin extends CertApplyBasePlugin {
+  @TaskInput({
+    title: "域名验证方式",
+    value: "dns",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        { value: "dns", label: "DNS直接验证" },
+        { value: "cname", label: "CNAME代理验证" },
+        { value: "http", label: "HTTP文件验证（IP证书只能选它）" },
+        { value: "dnses", label: "多DNS提供商" },
+        { value: "auto", label: "自动匹配" },
+      ],
+    },
+    required: true,
+    helper: `1. <b>DNS直接验证</b>：当域名dns解析已被本系统支持时（即下方DNS解析服务商选项中可选），推荐选择此方式
+2.  <b>CNAME代理验证</b>：支持任何注册商的域名，第一次需要手动添加[CNAME记录](#/certd/cname/record)（如果经常申请失败，建议将DNS服务器修改为阿里云/腾讯云的，然后使用DNS直接验证）
+3.  <b>HTTP文件验证</b>：不支持泛域名，需要配置网站文件上传（IP证书必须选它）
+4.  <b>多DNS提供商</b>：每个域名可以选择独立的DNS提供商
+5.  <b>自动匹配</b>：此处无需选择校验方式，需要在[域名管理](#/certd/cert/domain)中提前配置好校验方式
+`,
+  })
+  challengeType!: string;
+
+  @TaskInput({
+    title: "证书颁发机构",
+    value: "letsencrypt",
+    component: {
+      name: "icon-select",
+      vModel: "value",
+      options: [
+        { value: "letsencrypt", label: "Let's Encrypt（免费，新手推荐，支持IP证书）", icon: "simple-icons:letsencrypt" },
+        { value: "google", label: "Google（免费）", icon: "flat-color-icons:google" },
+        { value: "zerossl", label: "ZeroSSL（免费）", icon: "emojione:digit-zero" },
+        { value: "litessl", label: "litessl（免费）", icon: "roentgen:free" },
+        { value: "sslcom", label: "SSL.com（仅主域名和www免费）", icon: "la:expeditedssl" },
+        { value: "letsencrypt_staging", label: "Let's Encrypt测试环境（仅供测试）", icon: "simple-icons:letsencrypt" },
+      ],
+    },
+    helper: "Let's Encrypt：申请最简单\nGoogle：大厂光环，兼容性好，仅首次需要翻墙获取EAB授权\nZeroSSL：需要EAB授权，无需翻墙\nSSL.com：仅主域名和www免费,必须设置CAA记录",
+    required: true,
+  })
+  sslProvider!: SSLProvider;
+
+  @TaskInput({
+    title: "DNS解析服务商",
+    component: {
+      name: "dns-provider-selector",
+    },
+    mergeScript: `
+    return {
+      show: ctx.compute(({form})=>{
+          return form.challengeType === 'dns'
+      }),
+      component:{
+        onSelectedChange: ctx.compute(({form})=>{
+          return ($event)=>{
+           form.dnsProviderAccessType = $event.accessType
+          }
+        })
+      }
+    }
+    `,
+    required: true,
+    helper: "您的域名注册商，或者域名的dns服务器属于哪个平台\n如果这里没有，请选择CNAME代理验证校验方式",
+  })
+  dnsProviderType!: string;
+
+  // dns解析授权类型,勿删
+  dnsProviderAccessType!: string;
+
+  @TaskInput({
+    title: "DNS解析授权",
+    component: {
+      name: "access-selector",
+    },
+    required: true,
+    helper: "请选择dns解析服务商授权",
+    mergeScript: `return {
+      component:{
+        type: ctx.compute(({form})=>{
+            return form.dnsProviderAccessType || form.dnsProviderType
+        })
+      },
+      show: ctx.compute(({form})=>{
+          return form.challengeType === 'dns'
+      })
+    }
+    `,
+  })
+  dnsProviderAccess!: number;
+
+  @TaskInput({
+    title: "域名验证配置",
+    component: {
+      name: "domains-verify-plan-editor",
+    },
+    rules: [{ type: "checkDomainVerifyPlan" }],
+    required: true,
+    col: {
+      span: 24,
+    },
+    mergeScript: `return {
+      component:{
+        domains: ctx.compute(({form})=>{
+            return form.domains
+        }),
+        defaultType: ctx.compute(({form})=>{
+            return form.challengeType || 'cname'
+        })
+      },
+      show: ctx.compute(({form})=>{
+          return form.challengeType === 'cname' ||  form.challengeType === 'http' ||  form.challengeType === 'dnses'
+      }),
+      helper: ctx.compute(({form})=>{
+          if(form.challengeType === 'cname' ){
+              return '请按照上面的提示，给要申请证书的域名添加CNAME记录，添加后，点击验证，验证成功后不要删除记录，申请和续期证书会一直用它'
+          }else if (form.challengeType === 'http'){
+              return '请按照上面的提示，给每个域名设置文件上传配置，证书申请过程中会上传校验文件到网站根目录的.well-known/acme-challenge/目录下'
+          }else if (form.challengeType === 'http'){
+              return '给每个域名单独配置dns提供商'
+          }
+      })
+    }
+    `,
+  })
+  domainsVerifyPlan!: DomainsVerifyPlanInput;
+
+  @TaskInput({
+    title: "Google公共EAB授权",
+    isSys: true,
+    show: false,
+  })
+  googleCommonEabAccessId!: number;
+
+  @TaskInput({
+    title: "ZeroSSL公共EAB授权",
+    isSys: true,
+    show: false,
+  })
+  zerosslCommonEabAccessId!: number;
+
+  @TaskInput({
+    title: "SSL.com公共EAB授权",
+    isSys: true,
+    show: false,
+  })
+  sslcomCommonEabAccessId!: number;
+
+  @TaskInput({
+    title: "litessl公共EAB授权",
+    isSys: true,
+    show: false,
+  })
+  litesslCommonEabAccessId!: number;
+
+  @TaskInput({
+    title: "EAB授权",
+    component: {
+      name: "access-selector",
+      type: "eab",
+    },
+    maybeNeed: true,
+    required: false,
+    helper:
+      "需要提供EAB授权" +
+      "\nZeroSSL：请前往[zerossl开发者中心](https://app.zerossl.com/developer),生成 'EAB Credentials'" +
+      "\nGoogle:请查看[google获取eab帮助文档](https://certd.docmirror.cn/guide/use/google/)，用过一次后会绑定邮箱，后续复用EAB要用同一个邮箱" +
+      "\nSSL.com:[SSL.com账号页面](https://secure.ssl.com/account),然后点击api credentials链接，然后点击编辑按钮，查看Secret key和HMAC key" +
+      "\nlitessl:[litesslEAB页面](https://freessl.cn/automation/eab-manager),然后点击新增EAB",
+    mergeScript: `
+    return {
+        show: ctx.compute(({form})=>{
+            return (form.sslProvider === 'zerossl' && !form.zerosslCommonEabAccessId)
+            || (form.sslProvider === 'google' && !form.googleCommonEabAccessId)
+            || (form.sslProvider === 'sslcom' && !form.sslcomCommonEabAccessId)
+            || (form.sslProvider === 'litessl' && !form.litesslCommonEabAccessId)
+        })
+    }
+    `,
+  })
+  eabAccessId!: number;
+
+  @TaskInput({
+    title: "服务账号授权",
+    component: {
+      name: "access-selector",
+      type: "google",
+    },
+    maybeNeed: true,
+    required: false,
+    helper: "google服务账号授权与EAB授权选填其中一个，[服务账号授权获取方法](https://certd.docmirror.cn/guide/use/google/)\n服务账号授权需要配置代理或者服务器本身在海外",
+    mergeScript: `
+    return {
+        show: ctx.compute(({form})=>{
+            return form.sslProvider === 'google' && !form.googleCommonEabAccessId
+        })
+    }
+    `,
+  })
+  googleAccessId!: number;
+
+  @TaskInput({
+    title: "加密算法",
+    value: "rsa_2048",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        { value: "rsa_1024", label: "RSA 1024" },
+        { value: "rsa_2048", label: "RSA 2048" },
+        { value: "rsa_3072", label: "RSA 3072" },
+        { value: "rsa_4096", label: "RSA 4096" },
+        { value: "rsa_2048_pkcs1", label: "RSA 2048 pkcs1 (旧版)" },
+        { value: "ec_256", label: "EC 256" },
+        { value: "ec_384", label: "EC 384" },
+        // { value: "ec_521", label: "EC 521" },
+      ],
+    },
+    helper: "如无特殊需求，默认即可\n选择RSA 2048 pkcs1可以获得旧版RSA证书",
+    required: true,
+  })
+  privateKeyType!: PrivateKeyType;
+
+  @TaskInput({
+    title: "证书配置",
+    value: "classic",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        { value: "classic", label: "经典（classic）" },
+        { value: "tlsserver", label: "TLS服务器（tlsserver）" },
+        { value: "shortlived", label: "短暂的（shortlived）" },
+      ],
+    },
+    helper: "如无特殊需求，默认即可",
+    required: false,
+    mergeScript: `
+    return {
+        show: ctx.compute(({form})=>{
+            return form.sslProvider === 'letsencrypt'
+        })
+    }
+    `,
+  })
+  certProfile!: string;
+
+  @TaskInput({
+    title: "首选链",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: preferredChainConfigs.letsencrypt.options,
+    },
+    helper: preferredChainConfigs.letsencrypt.helper,
+    required: false,
+    mergeScript: preferredChainMergeScript,
+  })
+  preferredChain!: string;
+
+  @TaskInput({
+    title: "使用代理",
+    value: false,
+    component: {
+      name: "a-switch",
+      vModel: "checked",
+    },
+    helper: "如果acme-v02.api.letsencrypt.org或dv.acme-v02.api.pki.goog被墙无法访问，请尝试开启此选项\n默认情况会进行测试，如果无法访问，将会自动使用代理",
+  })
+  useProxy = false;
+
+  @TaskInput({
+    title: "自定义反代地址",
+    component: {
+      placeholder: "google.yourproxy.com",
+    },
+    helper: "填写你的自定义反代地址，不要带http://\nletsencrypt反代目标：acme-v02.api.letsencrypt.org\ngoogle反代目标：dv.acme-v02.api.pki.goog",
+  })
+  reverseProxy = "";
+
+  @TaskInput({
+    title: "跳过本地校验DNS",
+    value: false,
+    component: {
+      name: "a-switch",
+      vModel: "checked",
+    },
+    helper: "跳过本地校验可以加快申请速度，同时也会增加失败概率。",
+  })
+  skipLocalVerify = false;
+
+  @TaskInput({
+    title: "检查解析重试次数",
+    value: 20,
+    component: {
+      name: "a-input-number",
+      vModel: "value",
+    },
+    helper: "检查域名验证解析记录重试次数，如果你的域名服务商解析生效速度慢，可以适当增加此值",
+  })
+  maxCheckRetryCount = 20;
+
+  @TaskInput({
+    title: "等待解析生效时长",
+    value: 30,
+    component: {
+      name: "a-input-number",
+      vModel: "value",
+    },
+    helper: "等待解析生效时长（秒），如果使用CNAME方式校验，本地验证失败，可以尝试延长此时间（比如5-10分钟）",
+  })
+  waitDnsDiffuseTime = 30;
+
+  acme!: AcmeService;
+
+  eab!: EabAccess;
+
+  async onInit() {
+    let eab: EabAccess = null;
+
+    if (this.sslProvider && !this.sslProvider.startsWith("letsencrypt")) {
+      if (this.sslProvider === "google" && this.googleAccessId) {
+        this.logger.info("当前正在使用 google服务账号授权获取EAB");
+        const googleAccess = await this.getAccess(this.googleAccessId);
+        const googleClient = new GoogleClient({
+          access: googleAccess,
+          logger: this.logger,
+        });
+        eab = await googleClient.getEab();
+      } else {
+        const getEab = async (type: string) => {
+          if (this.eabAccessId) {
+            this.logger.info(`当前正在使用 ${type} EAB授权`);
+            eab = await this.getAccess(this.eabAccessId);
+          } else if (this[`${type}CommonEabAccessId`]) {
+            this.logger.info(`当前正在使用 ${type} 公共EAB授权`);
+            eab = await this.getAccess(this[`${type}CommonEabAccessId`], true);
+          } else {
+            throw new Error(`${type}需要配置EAB授权`);
+          }
+        };
+        await getEab(this.sslProvider);
+      }
+    }
+    this.eab = eab;
+    const subDomainsGetter = await this.ctx.serviceGetter.get<ISubDomainsGetter>("subDomainsGetter");
+    const domainParser = new DomainParser(subDomainsGetter, this.logger);
+    this.acme = new AcmeService({
+      userId: this.ctx.user.id,
+      userContext: this.userContext,
+      logger: this.logger,
+      sslProvider: this.sslProvider,
+      eab,
+      skipLocalVerify: this.skipLocalVerify,
+      useMappingProxy: this.useProxy,
+      reverseProxy: this.reverseProxy,
+      privateKeyType: this.privateKeyType,
+      signal: this.ctx.signal,
+      maxCheckRetryCount: this.maxCheckRetryCount,
+      domainParser,
+      waitDnsDiffuseTime: this.waitDnsDiffuseTime,
+    });
+  }
+
+  async doCertApply() {
+    let email = this.email;
+    if (this.eab && this.eab.email) {
+      email = this.eab.email;
+    }
+    const domains = this["domains"];
+
+    const csrInfo = _.merge(
+      {
+        // country: "CN",
+        // state: "GuangDong",
+        // locality: "ShengZhen",
+        // organization: "CertD Org.",
+        // organizationUnit: "IT Department",
+        // emailAddress: email,
+      },
+      this.csrInfo ? JSON.parse(this.csrInfo) : {}
+    );
+    this.logger.info("开始申请证书,", email, domains);
+
+    let dnsProvider: IDnsProvider = null;
+    let domainsVerifyPlan: DomainsVerifyPlan = null;
+    if (this.challengeType === "cname" || this.challengeType === "http" || this.challengeType === "dnses") {
+      domainsVerifyPlan = await this.createDomainsVerifyPlan(domains, this.domainsVerifyPlan);
+    } else if (this.challengeType === "auto") {
+      domainsVerifyPlan = await this.createDomainsVerifyPlanByAuto(domains);
+    } else {
+      const dnsProviderType = this.dnsProviderType;
+      const access = await this.getAccess(this.dnsProviderAccess);
+      dnsProvider = await this.createDnsProvider(dnsProviderType, access);
+    }
+
+    try {
+      const cert = await this.acme.order({
+        email,
+        domains,
+        dnsProvider,
+        domainsVerifyPlan,
+        csrInfo,
+        privateKeyType: this.privateKeyType,
+        profile: this.certProfile,
+        preferredChain: this.preferredChain,
+      });
+
+      const certInfo = this.formatCerts(cert);
+      return new CertReader(certInfo);
+    } catch (e: any) {
+      const message: string = e?.message;
+      if (message != null && message.indexOf("redundant with a wildcard domain in the same request") >= 0) {
+        this.logger.error(e);
+        throw new Error(`通配符域名已经包含了普通域名，请删除其中一个（${message}）`);
+      }
+      if (e.name === "CancelError") {
+        throw new CancelError(e.message);
+      }
+      throw e;
+    }
+  }
+
+  async createDnsProvider(dnsProviderType: string, dnsProviderAccess: any): Promise<IDnsProvider> {
+    const domainParser = this.acme.options.domainParser;
+    const context: DnsProviderContext = {
+      access: dnsProviderAccess,
+      logger: this.logger,
+      http: this.ctx.http,
+      utils,
+      domainParser,
+      serviceGetter: this.ctx.serviceGetter,
+    };
+    return await createDnsProvider({
+      dnsProviderType,
+      context,
+    });
+  }
+
+  async createDomainsVerifyPlan(domains: string[], verifyPlanSetting: DomainsVerifyPlanInput): Promise<DomainsVerifyPlan> {
+    const plan: DomainsVerifyPlan = {};
+
+    const domainParser = this.acme.options.domainParser;
+    for (const fullDomain of domains) {
+      const domain = fullDomain.replaceAll("*.", "");
+      const mainDomain = await domainParser.parse(domain);
+      const planSetting: DomainVerifyPlanInput = verifyPlanSetting[mainDomain];
+      if (planSetting == null) {
+        throw new Error(`没有找到域名（${domain}）的校验计划（如果您在流水线创建之后设置了子域名托管，需要重新编辑证书申请任务和重新校验cname记录的校验状态）`);
+      }
+      if (planSetting.type === "dns") {
+        plan[domain] = await this.createDnsDomainVerifyPlan(planSetting, domain, mainDomain);
+      } else if (planSetting.type === "cname") {
+        plan[domain] = await this.createCnameDomainVerifyPlan(domain, mainDomain);
+      } else if (planSetting.type === "http") {
+        plan[domain] = await this.createHttpDomainVerifyPlan(planSetting.httpVerifyPlan[domain], domain, mainDomain);
+      }
+    }
+    return plan;
+  }
+
+  private async createDomainsVerifyPlanByAuto(domains: string[]) {
+    //从数据库里面自动选择校验方式
+    // domain list
+    const domainList = new Set<string>();
+    //整理域名
+    for (let domain of domains) {
+      domain = domain.replaceAll("*.", "");
+      domainList.add(domain);
+    }
+    const domainVerifierGetter: IDomainVerifierGetter = await this.ctx.serviceGetter.get("domainVerifierGetter");
+
+    const verifiers: DomainVerifiers = await domainVerifierGetter.getVerifiers([...domainList]);
+
+    const plan: DomainsVerifyPlan = {};
+
+    for (const domain in verifiers) {
+      const verifier = verifiers[domain];
+      if (verifier == null) {
+        throw new Error(`没有找到与该域名（${domain}）匹配的校验方式，请先到‘域名管理’页面添加校验方式`);
+      }
+      if (verifier.type === "dns") {
+        plan[domain] = await this.createDnsDomainVerifyPlan(verifier.dns, domain, verifier.mainDomain);
+      } else if (verifier.type === "cname") {
+        plan[domain] = await this.createCnameDomainVerifyPlan(domain, verifier.mainDomain);
+      } else if (verifier.type === "http") {
+        plan[domain] = await this.createHttpDomainVerifyPlan(verifier.http, domain, verifier.mainDomain);
+      }
+    }
+    return plan;
+  }
+
+  private async createDnsDomainVerifyPlan(planSetting: DnsVerifier, domain: string, mainDomain: string): Promise<DomainVerifyPlan> {
+    const access = await this.getAccess(planSetting.dnsProviderAccessId);
+    return {
+      type: "dns",
+      mainDomain,
+      domain,
+      dnsProvider: await this.createDnsProvider(planSetting.dnsProviderType, access),
+    };
+  }
+
+  private async createHttpDomainVerifyPlan(httpSetting: HttpVerifier, domain: string, mainDomain: string): Promise<DomainVerifyPlan> {
+    const httpUploaderContext = {
+      accessService: this.ctx.accessService,
+      logger: this.logger,
+      utils,
+    };
+
+    const access = await this.getAccess(httpSetting.httpUploaderAccess);
+    let rootDir = httpSetting.httpUploadRootDir;
+    if (!rootDir.endsWith("/") && !rootDir.endsWith("\\")) {
+      rootDir = rootDir + "/";
+    }
+    this.logger.info("上传方式", httpSetting.httpUploaderType);
+    const httpUploader = await ossClientFactory.createOssClientByType(httpSetting.httpUploaderType, {
+      access,
+      rootDir: rootDir,
+      ctx: httpUploaderContext,
+    });
+    return {
+      type: "http",
+      domain,
+      mainDomain,
+      httpVerifyPlan: {
+        type: "http",
+        domain,
+        httpUploader,
+      },
+    };
+  }
+
+  private async createCnameDomainVerifyPlan(domain: string, mainDomain: string): Promise<DomainVerifyPlan> {
+    const cnameRecord = await this.ctx.cnameProxyService.getByDomain(domain);
+    if (cnameRecord == null) {
+      throw new Error(`请先配置${domain}的CNAME记录，并通过校验`);
+    }
+    if (cnameRecord.status !== "valid") {
+      throw new Error(`CNAME记录${domain}的校验状态为${cnameRecord.status}，请等待校验通过`);
+    }
+
+    // 主域名异常
+    if (cnameRecord.mainDomain && mainDomain && cnameRecord.mainDomain !== mainDomain) {
+      throw new Error(`CNAME记录${domain}的域名与配置的主域名不一致（${cnameRecord.mainDomain}≠${mainDomain}），请确认是否在流水线创建之后修改了子域名托管，您需要重新校验CNAME记录的校验状态`);
+    }
+
+    let dnsProvider = cnameRecord.commonDnsProvider;
+    if (cnameRecord.cnameProvider.id > 0) {
+      dnsProvider = await this.createDnsProvider(cnameRecord.cnameProvider.dnsProviderType, cnameRecord.cnameProvider.access);
+    }
+
+    return {
+      type: "cname",
+      domain,
+      mainDomain,
+      cnameVerifyPlan: {
+        domain: cnameRecord.cnameProvider.domain,
+        fullRecord: cnameRecord.recordValue,
+        dnsProvider,
+      },
+    };
+  }
+}
+
+new CertApplyPlugin();
@@ -0,0 +1 @@
+export const dnsList = [];
@@ -0,0 +1,250 @@
+import { IsTaskPlugin, pluginGroups, RunStrategy, Step, TaskInput } from "@certd/pipeline";
+import type { CertInfo } from "../acme.js";
+import { CertReader } from "@certd/plugin-lib";
+import { CertApplyBasePlugin } from "../base.js";
+import fs from "fs";
+import { EabAccess } from "../../../access/index.js";
+import path from "path";
+import JSZip from "jszip";
+
+export { CertReader };
+export type { CertInfo };
+export type PrivateKeyType = "rsa2048" | "rsa3072" | "rsa4096" | "rsa8192" | "ec256" | "ec384";
+
+@IsTaskPlugin({
+  name: "CertApplyLego",
+  icon: "ph:certificate",
+  title: "证书申请（Lego）",
+  group: pluginGroups.cert.key,
+  desc: "支持海量DNS解析提供商，推荐使用，一样的免费通配符域名证书申请，支持多个域名打到同一个证书上",
+  default: {
+    input: {
+      renewDays: 35,
+      forceUpdate: false,
+    },
+    strategy: {
+      runStrategy: RunStrategy.AlwaysRun,
+    },
+  },
+})
+export class CertApplyLegoPlugin extends CertApplyBasePlugin {
+  // @TaskInput({
+  //   title: "ACME服务端点",
+  //   default: "https://acme-v02.api.letsencrypt.org/directory",
+  //   component: {
+  //     name: "a-select",
+  //     vModel: "value",
+  //     options: [
+  //       { value: "https://acme-v02.api.letsencrypt.org/directory", label: "Let's Encrypt" },
+  //       { value: "https://letsencrypt.proxy.handsfree.work/directory", label: "Let's Encrypt代理，letsencrypt.org无法访问时使用" },
+  //     ],
+  //   },
+  //   required: true,
+  // })
+  acmeServer!: string;
+
+  @TaskInput({
+    title: "DNS类型",
+    component: {
+      name: "a-input",
+      vModel: "value",
+      placeholder: "alidns",
+    },
+    helper: "你的域名是通过哪家提供商进行解析的，具体应该配置什么请参考lego文档：https://go-acme.github.io/lego/dns/",
+    required: true,
+  })
+  dnsType!: string;
+
+  @TaskInput({
+    title: "环境变量",
+    component: {
+      name: "a-textarea",
+      vModel: "value",
+      rows: 4,
+      placeholder: "ALICLOUD_ACCESS_KEY=abcdefghijklmnopqrstuvwx\nALICLOUD_SECRET_KEY=your-secret-key",
+    },
+    required: true,
+    helper: "一行一条，例如 appKeyId=xxxxx，具体配置请参考lego文档：https://go-acme.github.io/lego/dns/",
+  })
+  environment!: string;
+
+  @TaskInput({
+    title: "EAB授权",
+    component: {
+      name: "access-selector",
+      type: "eab",
+    },
+    maybeNeed: true,
+    helper: "如果需要提供EAB授权",
+  })
+  legoEabAccessId!: number;
+
+  @TaskInput({
+    title: "自定义LEGO全局参数",
+    component: {
+      name: "a-input",
+      vModel: "value",
+      placeholder: "--dns-timeout 30",
+    },
+    helper: "额外的lego全局命令行参数，参考文档：https://go-acme.github.io/lego/usage/cli/options/",
+    maybeNeed: true,
+  })
+  customArgs = "";
+
+  @TaskInput({
+    title: "自定义LEGO签名参数",
+    component: {
+      name: "a-input",
+      vModel: "value",
+      placeholder: "--no-bundle",
+    },
+    helper: "额外的lego签名命令行参数，参考文档：https://go-acme.github.io/lego/usage/cli/options/",
+    maybeNeed: true,
+  })
+  customCommandOptions = "";
+
+  @TaskInput({
+    title: "加密算法",
+    value: "ec256",
+    component: {
+      name: "a-select",
+      vModel: "value",
+      options: [
+        { value: "rsa2048", label: "RSA 2048" },
+        { value: "rsa3072", label: "RSA 3072" },
+        { value: "rsa4096", label: "RSA 4096" },
+        { value: "rsa8192", label: "RSA 8192" },
+        { value: "ec256", label: "EC 256" },
+        { value: "ec384", label: "EC 384" },
+        // { value: "ec_521", label: "EC 521" },
+      ],
+    },
+    helper: "如无特殊需求，默认即可",
+    required: true,
+  })
+  privateKeyType!: PrivateKeyType;
+
+  eab?: EabAccess;
+
+  getCheckChangeInputKeys() {
+    return ["domains", "privateKeyType", "dnsType"];
+  }
+
+  async onInstance() {
+    this.accessService = this.ctx.accessService;
+    this.logger = this.ctx.logger;
+    this.userContext = this.ctx.userContext;
+    this.lastStatus = this.ctx.lastStatus as Step;
+    if (this.legoEabAccessId) {
+      this.eab = await this.accessService.getById(this.legoEabAccessId);
+    }
+  }
+  async onInit(): Promise<void> {}
+
+  async doCertApply() {
+    const env: any = {};
+    const env_lines = this.environment.split("\n");
+    for (const line of env_lines) {
+      const [key, value] = line.trim().split("=");
+      env[key] = value.trim();
+    }
+
+    let domainArgs = "";
+    for (const domain of this.domains) {
+      domainArgs += ` -d "${domain}"`;
+    }
+    this.logger.info(`环境变量:${JSON.stringify(env)}`);
+    let eabArgs = "";
+    if (this.eab) {
+      eabArgs = ` --eab --kid "${this.eab.kid}" --hmac "${this.eab.hmacKey}"`;
+    }
+    const keyType = `-k ${this.privateKeyType?.replaceAll("_", "")}`;
+
+    const saveDir = `./data/.lego/pipeline_${this.pipeline.id}/`;
+    const savePathArgs = `--path "${saveDir}"`;
+    const os_type = process.platform === "win32" ? "windows" : "linux";
+    const legoDir = "./tools/lego";
+    const legoPath = path.resolve(legoDir, os_type === "windows" ? "lego.exe" : "lego");
+    if (!fs.existsSync(legoPath)) {
+      //解压缩
+      const arch = process.arch;
+      let platform = "amd64";
+      if (arch === "arm64" || arch === "arm") {
+        platform = "arm64";
+      }
+      const LEGO_VERSION = process.env.LEGO_VERSION;
+      let legoZipFileName = `lego_v${LEGO_VERSION}_windows_${platform}.zip`;
+      if (os_type === "linux") {
+        legoZipFileName = `lego_v${LEGO_VERSION}_linux_${platform}.tar.gz`;
+      }
+      const legoZipFilePath = `${legoDir}/${legoZipFileName}`;
+      if (!fs.existsSync(legoZipFilePath)) {
+        this.logger.info(`lego文件不存在:${legoZipFilePath},准备下载`);
+        const downloadUrl = `https://github.com/go-acme/lego/releases/download/v${LEGO_VERSION}/${legoZipFileName}`;
+        await this.ctx.download(
+          {
+            url: downloadUrl,
+            method: "GET",
+            logRes: false,
+          },
+          legoZipFilePath
+        );
+        this.logger.info("下载lego成功");
+      }
+
+      if (os_type === "linux") {
+        //tar是否存在
+        await this.ctx.utils.sp.spawn({
+          cmd: `tar -zxvf ${legoZipFilePath} -C ${legoDir}/`,
+        });
+        await this.ctx.utils.sp.spawn({
+          cmd: `chmod +x ${legoDir}/*`,
+        });
+        this.logger.info("解压lego成功");
+      } else {
+        const zip = new JSZip();
+        const data = fs.readFileSync(legoZipFilePath);
+        const zipData = await zip.loadAsync(data);
+        const files = Object.keys(zipData.files);
+        for (const file of files) {
+          const content = await zipData.files[file].async("nodebuffer");
+          fs.writeFileSync(`${legoDir}/${file}`, content);
+        }
+        this.logger.info("解压lego成功");
+      }
+    }
+    let serverArgs = "";
+    if (this.acmeServer) {
+      serverArgs = ` --server ${this.acmeServer}`;
+    }
+    const cmds = [`${legoPath} -a --email "${this.email}" --dns ${this.dnsType} ${keyType} ${domainArgs} ${serverArgs} ${eabArgs} ${savePathArgs} ${this.customArgs || ""} run ${this.customCommandOptions || ""}`];
+
+    await this.ctx.utils.sp.spawn({
+      cmd: cmds,
+      logger: this.logger,
+      env,
+    });
+
+    //读取证书文件
+    // example.com.crt
+    // example.com.issuer.crt
+    // example.com.json
+    // example.com.key
+
+    let domain1 = this.domains[0];
+    domain1 = domain1.replaceAll("*", "_");
+    const crtPath = path.resolve(saveDir, "certificates", `${domain1}.crt`);
+    if (fs.existsSync(crtPath) === false) {
+      throw new Error(`证书文件不存在,证书申请失败:${crtPath}`);
+    }
+    const crt = fs.readFileSync(crtPath, "utf8");
+    const keyPath = path.resolve(saveDir, "certificates", `${domain1}.key`);
+    const key = fs.readFileSync(keyPath, "utf8");
+    const csr = "";
+    const cert = { crt, key, csr };
+    const certInfo = this.formatCerts(cert);
+    return new CertReader(certInfo);
+  }
+}
+
+new CertApplyLegoPlugin();