diff --git a/doc/google/google.md b/doc/google/google.md index 3cf7e3c8f..f77a8bba4 100644 --- a/doc/google/google.md +++ b/doc/google/google.md @@ -21,17 +21,17 @@ gcloud beta publicca external-account-keys create ```shell Created an external account key -[b64MacKey: xxxxxxxxxxxxx -keyId: xxxxxxxxx] +[b64MacKey: xxxxxxxxxxxxxxxx +keyId: xxxxxxxxxxxxx] ``` -记录以上信息备用 +记录以上信息备用(注意keyId是不带中括号的) ## 3、 创建证书流水线 选择证书提供商为google, 开启使用代理 ## 4、 将key信息作为EAB授权信息 -google证书需要EAB授权, 使用第二步中的 keyId 和 b64MacKey 信息创建一条EAB授权记录 - +google证书需要EAB授权, 使用第二步中的 keyId 和 b64MacKey 信息创建一条EAB授权记录 +注意:keyId没有`]`结尾,不要把`]`也复制了 ## 5、 其他就跟正常申请证书一样了 diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts index 5df20137b..8c295766a 100644 --- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts +++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts @@ -12,6 +12,7 @@ export type CertInfo = { crt: string; key: string; csr: string; + ic?: string; pfx?: string; der?: string; }; @@ -276,8 +277,9 @@ export class AcmeService { signal: this.options.signal, }); + const crtString = crt.toString(); const cert: CertInfo = { - crt: crt.toString(), + crt: crtString, key: key.toString(), csr: csr.toString(), }; diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts index 26efb8953..54a7798e6 100644 --- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts +++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts @@ -175,6 +175,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin { const zip = new JSZip(); zip.file("cert.crt", cert.crt); zip.file("cert.key", cert.key); + zip.file("intermediate.crt", cert.ic); if (cert.pfx) { zip.file("cert.pfx", Buffer.from(cert.pfx, "base64")); } diff --git a/packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts b/packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts index 606a2aa47..bb6d92bfa 100644 --- a/packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts +++ b/packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts @@ -6,7 +6,14 @@ import { crypto } from "@certd/acme-client"; import { ILogger } from "@certd/pipeline"; import dayjs from "dayjs"; -export type CertReaderHandleContext = { reader: CertReader; tmpCrtPath: string; tmpKeyPath: string; tmpPfxPath?: string; tmpDerPath?: string }; +export type CertReaderHandleContext = { + reader: CertReader; + tmpCrtPath: string; + tmpKeyPath: string; + tmpPfxPath?: string; + tmpDerPath?: string; + tmpIcPath?: string; +}; export type CertReaderHandle = (ctx: CertReaderHandleContext) => Promise; export type HandleOpts = { logger: ILogger; handle: CertReaderHandle }; export class CertReader { @@ -14,6 +21,7 @@ export class CertReader { crt: string; key: string; csr: string; + ic: string; //中间证书 detail: any; expires: number; @@ -23,11 +31,30 @@ export class CertReader { this.key = certInfo.key; this.csr = certInfo.csr; + this.ic = certInfo.ic; + if (!this.ic) { + this.ic = this.getIc(); + this.cert.ic = this.ic; + } + const { detail, expires } = this.getCrtDetail(this.cert.crt); this.detail = detail; this.expires = expires.getTime(); } + getIc() { + //中间证书ic, 就是crt的第一个 -----END CERTIFICATE----- 之后的内容 + const endStr = "-----END CERTIFICATE-----"; + const firstBlockEndIndex = this.crt.indexOf(endStr); + + const start = firstBlockEndIndex + endStr.length + 1; + if (this.crt.length <= start) { + return ""; + } + const ic = this.crt.substring(start); + return ic.trim(); + } + toCertInfo(): CertInfo { return this.cert; } @@ -38,7 +65,7 @@ export class CertReader { return { detail, expires }; } - saveToFile(type: "crt" | "key" | "pfx" | "der", filepath?: string) { + saveToFile(type: "crt" | "key" | "pfx" | "der" | "ic", filepath?: string) { if (!this.cert[type]) { return; } @@ -52,7 +79,7 @@ export class CertReader { if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }); } - if (type === "crt" || type === "key") { + if (type === "crt" || type === "key" || type === "ic") { fs.writeFileSync(filepath, this.cert[type]); } else { fs.writeFileSync(filepath, Buffer.from(this.cert[type], "base64")); @@ -66,8 +93,9 @@ export class CertReader { const tmpCrtPath = this.saveToFile("crt"); const tmpKeyPath = this.saveToFile("key"); const tmpPfxPath = this.saveToFile("pfx"); - const tmpDerPath = this.saveToFile("der"); + const tmpIcPath = this.saveToFile("ic"); logger.info("本地文件写入成功"); + const tmpDerPath = this.saveToFile("der"); try { return await opts.handle({ reader: this, @@ -75,6 +103,7 @@ export class CertReader { tmpKeyPath: tmpKeyPath, tmpPfxPath: tmpPfxPath, tmpDerPath: tmpDerPath, + tmpIcPath: tmpIcPath, }); } catch (err) { throw err; @@ -90,6 +119,7 @@ export class CertReader { removeFile(tmpKeyPath); removeFile(tmpPfxPath); removeFile(tmpDerPath); + removeFile(tmpIcPath); } } diff --git a/packages/ui/certd-client/src/views/sys/account/index.vue b/packages/ui/certd-client/src/views/sys/account/index.vue index be0afe269..463a53ff6 100644 --- a/packages/ui/certd-client/src/views/sys/account/index.vue +++ b/packages/ui/certd-client/src/views/sys/account/index.vue @@ -1,6 +1,6 @@ diff --git a/packages/ui/certd-server/src/plugins/plugin-host/plugin/upload-to-host/index.ts b/packages/ui/certd-server/src/plugins/plugin-host/plugin/upload-to-host/index.ts index 8065bb186..d8b1b60ce 100644 --- a/packages/ui/certd-server/src/plugins/plugin-host/plugin/upload-to-host/index.ts +++ b/packages/ui/certd-server/src/plugins/plugin-host/plugin/upload-to-host/index.ts @@ -9,7 +9,7 @@ import { SshAccess } from '../../access/index.js'; title: '上传证书到主机', icon: 'line-md:uploading-loop', group: pluginGroups.host.key, - desc: '也支持复制证书到本机', + desc: '支持上传完成后执行脚本命令', default: { strategy: { runStrategy: RunStrategy.SkipWhenSucceed, @@ -34,6 +34,15 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin { }) keyPath!: string; + @TaskInput({ + title: '中间证书保存路径', + helper: '需要有写入权限,路径要包含私钥文件名,文件名不能用*?!等特殊符号,例如:/tmp/intermediate.crt', + component: { + placeholder: '/root/deploy/nginx/intermediate.crt', + }, + }) + icPath!: string; + @TaskInput({ title: 'PFX证书保存路径', helper: '用于IIS证书部署,需要有写入权限,路径要包含私钥文件名,文件名不能用*?!等特殊符号,例如:/tmp/cert.pfx', @@ -85,10 +94,24 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin { }) mkdirs = true; + @TaskInput({ + title: 'shell脚本命令', + component: { + name: 'a-textarea', + vModel: 'value', + rows: 6, + }, + helper: '上传后执行脚本命令,不填则不执行\n注意:如果目标主机是windows,且终端是cmd,系统会自动将多行命令通过“&&”连接成一行', + required: false, + }) + script!: string; + @TaskInput({ title: '仅复制到当前主机', helper: - '开启后,将直接复制到当前主机某个目录,不上传到主机,由于是docker启动,实际上是复制到docker容器内的“证书保存路径”,你需要事先在docker-compose.yaml中配置主机目录映射: volumes: /your_target_path:/your_target_path', + '注意:本配置即将废弃\n' + + '开启后,将直接复制到当前主机某个目录,不上传到主机,由于是docker启动,实际上是复制到docker容器内的“证书保存路径”\n' + + '你需要事先在docker-compose.yaml中配置主机目录映射: volumes: /your_target_path:/your_target_path', value: false, component: { name: 'a-switch', @@ -107,6 +130,10 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin { }) hostKeyPath!: string; + @TaskOutput({ + title: '中间证书保存路径', + }) + hostIcPath!: string; @TaskOutput({ title: 'PFX保存路径', }) @@ -129,63 +156,76 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin { fs.mkdirSync(dir, { recursive: true }); } fs.copyFileSync(srcFile, destFile); + this.logger.info(`复制文件:${srcFile} => ${destFile}`); } async execute(): Promise { const { crtPath, keyPath, cert, accessId } = this; const certReader = new CertReader(cert); + const connectConf: SshAccess = await this.accessService.getById(accessId); + const sshClient = new SshClient(this.logger); const handle = async (opts: CertReaderHandleContext) => { - const { tmpCrtPath, tmpKeyPath, tmpDerPath, tmpPfxPath } = opts; + const { tmpCrtPath, tmpKeyPath, tmpDerPath, tmpPfxPath, tmpIcPath } = opts; if (this.copyToThisHost) { this.logger.info('复制到目标路径'); this.copyFile(tmpCrtPath, crtPath); this.copyFile(tmpKeyPath, keyPath); + this.copyFile(tmpIcPath, this.icPath); this.copyFile(tmpPfxPath, this.pfxPath); this.copyFile(tmpDerPath, this.derPath); - - this.logger.info(`证书复制成功:crtPath=${crtPath},keyPath=${keyPath},pfxPath=${this.pfxPath},derPath=${this.derPath}`); } else { if (!accessId) { throw new Error('主机登录授权配置不能为空'); } this.logger.info('准备上传文件到服务器'); - const connectConf: SshAccess = await this.accessService.getById(accessId); - const sshClient = new SshClient(this.logger); + const transports: any = []; if (crtPath) { transports.push({ localPath: tmpCrtPath, remotePath: crtPath, }); + this.logger.info(`上传证书到主机:${crtPath}`); } if (keyPath) { transports.push({ localPath: tmpKeyPath, remotePath: keyPath, }); + this.logger.info(`上传私钥到主机:${keyPath}`); + } + if (this.icPath) { + transports.push({ + localPath: tmpIcPath, + remotePath: this.icPath, + }); + this.logger.info(`上传中间证书到主机:${this.icPath}`); } if (this.pfxPath) { transports.push({ localPath: tmpPfxPath, remotePath: this.pfxPath, }); + this.logger.info(`上传PFX证书到主机:${this.pfxPath}`); } if (this.derPath) { transports.push({ localPath: tmpDerPath, remotePath: this.derPath, }); + this.logger.info(`上传DER证书到主机:${this.derPath}`); } + this.logger.info('开始上传文件到服务器'); await sshClient.uploadFiles({ connectConf, transports, mkdirs: this.mkdirs, }); - this.logger.info(`证书上传成功:crtPath=${crtPath},keyPath=${keyPath},pfxPath=${this.pfxPath},derPath=${this.derPath}`); - + this.logger.info('上传文件到服务器成功'); //输出 this.hostCrtPath = crtPath; this.hostKeyPath = keyPath; + this.hostIcPath = this.icPath; this.hostPfxPath = this.pfxPath; this.hostDerPath = this.derPath; } @@ -194,6 +234,15 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin { logger: this.logger, handle, }); + + if (this.script.trim()) { + this.logger.info('执行脚本命令'); + const scripts = this.script.split('\n'); + await sshClient.exec({ + connectConf, + script: scripts, + }); + } } }