# Defaults shipped with the plugin definition.
showRunStrategy: false
default:
  strategy:
    # Numeric run-strategy code; its meaning is defined outside this file.
    runStrategy: 0
  input:
    # Pre-filled input values. `renewDays` is declared under `input` below;
    # `forceUpdate` has no matching field declaration in this file.
    renewDays: 20
    forceUpdate: false
# Plugin identity and catalogue metadata.
# title: "Certificate application (JS version)".
# desc: free wildcard certificate issuance; several domains can be placed on
# the same certificate.
name: CertApply
title: 证书申请(JS版)
icon: ph:certificate
group: cert
desc: 免费通配符域名证书申请,支持多个域名打到同一个证书上
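# Form schema for the certificate-application task. Each key below is one
# input field. `mergeScript` values are JavaScript snippets that return field
# overrides (show / component / helper / value) built with ctx.compute.
input:
  # Domains or IPs to place on one certificate. The helper text explains:
  # several names may share a certificate, names already covered by a wildcard
  # should be left out, and a wildcard matches exactly one label
  # (*.foo.com covers neither foo.com nor xxx.yyy.foo.com).
  domains:
    title: 证书域名
    component:
      name: domain-selector
      vModel: value
      mode: tags
      placeholder: >-
        请输入证书域名/IP,比如:foo.com , *.foo.com , *.sub.foo.com , *.bar.com ,
        123.123.123.123
      tokenSeparators:
        - ','
        - ' '
        # Quoted: a bare `,` cannot start a plain scalar.
        # NOTE(review): as shown this repeats the first separator; upstream may
        # have used a full-width comma that was normalised away - confirm.
        - ','
        - 、
        - '|'
      search: true
      pager: true
    rules:
      # Validator named `domains`; its implementation is outside this file.
      - type: domains
    required: true
    col:
      span: 24
    order: -999
    helper: |-
      1、支持多个域名打到一个证书上,例如: foo.com,*.foo.com,*.bar.com
      2、子域名被通配符包含的不要填写,例如:www.foo.com已经被*.foo.com包含,不要填写www.foo.com
      3、泛域名只能通配*号那一级(*.foo.com的证书不能用于foo.com且不能用于xxx.yyy.foo.com)
      4、输入一个,空格之后,再输入下一个
      5、如果设置了子域托管解析(比如免费的二级域名托管在CF或者阿里云),请先[设置托管子域名](#/certd/pipeline/subDomain)
  # Contact e-mail for the certificate request (required).
  email:
    title: 邮箱
    component:
      name: email-selector
      vModel: value
    rules:
      - type: email
        message: 请输入正确的邮箱
    required: true
    order: -1
    helper: 请输入邮箱
  # How domain control is proven to the CA. Default is `dns`.
  #   dns   - direct DNS validation through a supported provider
  #   cname - CNAME-delegated validation; the record is added by hand once
  #   http  - HTTP file validation (no wildcards; required for IP certificates)
  #   dnses - a separate DNS provider per domain
  #   auto  - method taken from the domain-management page configured earlier
  # NOTE(review): `>` is folded style, so adjacent lines are joined with
  # spaces; any blank lines that separated the numbered items upstream are not
  # visible here - confirm how the helper renders.
  challengeType:
    title: 域名验证方式
    value: dns
    component:
      name: a-select
      vModel: value
      options:
        - value: dns
          label: DNS直接验证
        - value: cname
          label: CNAME代理验证
        - value: http
          label: HTTP文件验证(IP证书只能选它)
        - value: dnses
          label: 多DNS提供商
        - value: auto
          label: 自动匹配
    required: true
    helper: >
      1. DNS直接验证:当域名dns解析已被本系统支持时(即下方DNS解析服务商选项中可选),推荐选择此方式
      2.
      CNAME代理验证:支持任何注册商的域名,第一次需要手动添加[CNAME记录](#/certd/cname/record)(如果经常申请失败,建议将DNS服务器修改为阿里云/腾讯云的,然后使用DNS直接验证)
      3. HTTP文件验证:不支持泛域名,需要配置网站文件上传(IP证书必须选它)
      4. 多DNS提供商:每个域名可以选择独立的DNS提供商
      5. 自动匹配:此处无需选择校验方式,需要在[域名管理](#/certd/cert/domain)中提前配置好校验方式
    order: 0
  # DNS hosting platform for the domain. Shown only when challengeType is
  # `dns`. Selecting a provider copies its accessType into
  # form.dnsProviderAccessType, which the dnsProviderAccess field reads.
  dnsProviderType:
    title: DNS解析服务商
    component:
      name: dns-provider-selector
    mergeScript: |2-
        return {
          show: ctx.compute(({form})=>{
            return form.challengeType === 'dns'
          }),
          component:{
            onSelectedChange: ctx.compute(({form})=>{
              return ($event)=>{
                form.dnsProviderAccessType = $event.accessType
              }
            })
          }
        }
    required: true
    helper: |-
      您的域名注册商,或者域名的dns服务器属于哪个平台
      如果这里没有,请选择CNAME代理验证校验方式
    order: 0
  # Authorization used to change DNS records at the chosen provider. Shown
  # only for challengeType `dns`; the selector type falls back from
  # dnsProviderAccessType to dnsProviderType.
  # Security: whoever holds this authorization can edit DNS for the zone, so
  # prefer a provider token limited to record edits on the validated zones.
  dnsProviderAccess:
    title: DNS解析授权
    component:
      name: access-selector
    required: true
    helper: 请选择dns解析服务商授权
    mergeScript: |-
      return {
        component:{
          type: ctx.compute(({form})=>{
            return form.dnsProviderAccessType || form.dnsProviderType
          })
        },
        show: ctx.compute(({form})=>{
          return form.challengeType === 'cname' || form.challengeType === 'dns' ? form.challengeType === 'dns' : false
        })
      }
    order: 0
  # Per-domain validation plan. Shown for challengeType `cname`, `http` and
  # `dnses`; the helper text follows the selected type:
  #   cname - add the CNAME record, verify it, and keep it in place because
  #           issuance and every renewal reuse it
  #   http  - configure file upload per domain; the challenge file is written
  #           under .well-known/acme-challenge/ in the site root
  #   dnses - configure a DNS provider for each domain
  # The third helper branch tests `dnses`; a second test for `http` there
  # could never match and left the multi-provider mode without helper text.
  # Security: a permanent validation CNAME is a standing delegation of domain
  # control checks; keep an inventory of these records and remove them when a
  # domain leaves this system.
  domainsVerifyPlan:
    title: 域名验证配置
    component:
      name: domains-verify-plan-editor
    rules:
      # Validator named `checkDomainVerifyPlan`; implemented outside this file.
      - type: checkDomainVerifyPlan
    required: true
    col:
      span: 24
    mergeScript: |-
      return {
        component:{
          domains: ctx.compute(({form})=>{
            return form.domains
          }),
          defaultType: ctx.compute(({form})=>{
            return form.challengeType || 'cname'
          })
        },
        show: ctx.compute(({form})=>{
          return form.challengeType === 'cname' || form.challengeType === 'http' || form.challengeType === 'dnses'
        }),
        helper: ctx.compute(({form})=>{
          if(form.challengeType === 'cname' ){
            return '请按照上面的提示,给要申请证书的域名添加CNAME记录,添加后,点击验证,验证成功后不要删除记录,申请和续期证书会一直用它'
          }else if (form.challengeType === 'http'){
            return '请按照上面的提示,给每个域名设置文件上传配置,证书申请过程中会上传校验文件到网站根目录的.well-known/acme-challenge/目录下'
          }else if (form.challengeType === 'dnses'){
            return '给每个域名单独配置dns提供商'
          }
        })
      }
    order: 0
  # Certificate authority. Default is `letsencrypt`.
  # `letsencrypt_staging` is labelled test-only: staging certificates do not
  # chain to publicly trusted roots and must not reach production endpoints.
  sslProvider:
    title: 证书颁发机构
    value: letsencrypt
    component:
      name: icon-select
      vModel: value
      options:
        - value: letsencrypt
          label: Let's Encrypt(免费,新手推荐,支持IP证书)
          icon: simple-icons:letsencrypt
        - value: google
          label: Google(免费)
          icon: flat-color-icons:google
        - value: zerossl
          label: ZeroSSL(免费)
          icon: emojione:digit-zero
        - value: litessl
          label: litessl(免费)
          icon: roentgen:free
        - value: sslcom
          label: SSL.com(仅主域名和www免费)
          icon: la:expeditedssl
        - value: letsencrypt_staging
          label: Let's Encrypt测试环境(仅供测试)
          icon: simple-icons:letsencrypt
    helper: |-
      Let's Encrypt:申请最简单
      Google:大厂光环,兼容性好,仅首次需要翻墙获取EAB授权
      ZeroSSL:需要EAB授权,无需翻墙
      SSL.com:仅主域名和www免费,必须设置CAA记录
    required: true
    order: 0
  # Hidden (`show: false`) fields flagged `isSys: true`, one per CA that uses
  # EAB. The eabAccessId and googleAccessId scripts below hide the user-facing
  # credential field when the matching value here is set.
  # NOTE(review): presumably filled from a system-wide shared EAB setting -
  # confirm who may set it and which pipelines inherit it.
  googleCommonEabAccessId:
    title: Google公共EAB授权
    isSys: true
    show: false
    order: 0
  zerosslCommonEabAccessId:
    title: ZeroSSL公共EAB授权
    isSys: true
    show: false
    order: 0
  sslcomCommonEabAccessId:
    title: SSL.com公共EAB授权
    isSys: true
    show: false
    order: 0
  litesslCommonEabAccessId:
    title: litessl公共EAB授权
    isSys: true
    show: false
    order: 0
  # User-supplied EAB (ACME External Account Binding) authorization. Shown when
  # the selected CA is zerossl, google, sslcom or litessl and no common EAB
  # value exists for that CA. The helper links to each CA's EAB page.
  # Security: EAB key material is a credential that ties ACME accounts to the
  # CA-side account; keep it in the access store, not in pipeline text.
  # NOTE(review): `>-` is folded style, so adjacent lines are joined with
  # spaces; confirm the per-CA lines render separately.
  eabAccessId:
    title: EAB授权
    component:
      name: access-selector
      type: eab
    maybeNeed: false
    required: false
    helper: >-
      需要提供EAB授权
      ZeroSSL:请前往[zerossl开发者中心](https://app.zerossl.com/developer),生成 'EAB
      Credentials'
      Google:请查看[google获取eab帮助文档](https://certd.docmirror.cn/guide/use/google/),用过一次后会绑定邮箱,后续复用EAB要用同一个邮箱
      SSL.com:[SSL.com账号页面](https://secure.ssl.com/account),然后点击api
      credentials链接,然后点击编辑按钮,查看Secret key和HMAC key
      litessl:[litesslEAB页面](https://freessl.cn/automation/eab-manager),然后点击新增EAB
    mergeScript: |2-
        return {
          show: ctx.compute(({form})=>{
            return (form.sslProvider === 'zerossl' && !form.zerosslCommonEabAccessId)
              || (form.sslProvider === 'google' && !form.googleCommonEabAccessId)
              || (form.sslProvider === 'sslcom' && !form.sslcomCommonEabAccessId)
              || (form.sslProvider === 'litessl' && !form.litesslCommonEabAccessId)
          })
        }
    order: 0
  # Google service-account authorization, an alternative to EAB (the helper
  # says to fill in one of the two). Shown only for sslProvider `google` when
  # no common Google EAB value is set. The helper notes that this path needs a
  # proxy or a server located overseas.
  googleAccessId:
    title: 服务账号授权
    component:
      name: access-selector
      type: google
    maybeNeed: false
    required: false
    helper: >-
      google服务账号授权与EAB授权选填其中一个,[服务账号授权获取方法](https://certd.docmirror.cn/guide/use/google/)
      服务账号授权需要配置代理或者服务器本身在海外
    mergeScript: |2-
        return {
          show: ctx.compute(({form})=>{
            return form.sslProvider === 'google' && !form.googleCommonEabAccessId
          })
        }
    order: 0
  # Private-key algorithm and size. Default is `rsa_2048`.
  # Security: `rsa_1024` is below the 2048-bit minimum that publicly trusted
  # CAs require, so an order using it is expected to be rejected; it is kept
  # here only because the option list is part of the existing interface.
  privateKeyType:
    title: 加密算法
    value: rsa_2048
    component:
      name: a-select
      vModel: value
      options:
        - value: rsa_1024
          label: RSA 1024
        - value: rsa_2048
          label: RSA 2048
        - value: rsa_3072
          label: RSA 3072
        - value: rsa_4096
          label: RSA 4096
        - value: rsa_2048_pkcs1
          label: RSA 2048 pkcs1 (旧版)
        - value: ec_256
          label: EC 256
        - value: ec_384
          label: EC 384
    helper: |-
      如无特殊需求,默认即可
      选择RSA 2048 pkcs1可以获得旧版RSA证书
    maybeNeed: false
    required: true
    order: 0
  # Certificate profile. Shown only when sslProvider is `letsencrypt`.
  # Default is `classic`.
  certProfile:
    title: 证书配置
    value: classic
    component:
      name: a-select
      vModel: value
      options:
        - value: classic
          label: 经典(classic)
        - value: tlsserver
          label: TLS服务器(tlsserver)
        - value: shortlived
          label: 短暂的(shortlived)
    helper: 如无特殊需求,默认即可
    required: false
    maybeNeed: true
    mergeScript: |2-
        return {
          show: ctx.compute(({form})=>{
            return form.sslProvider === 'letsencrypt'
          })
        }
    order: 0
  # Preferred issuer chain. Shown only for sslProvider `letsencrypt` or
  # `google`. The script swaps the option list and helper per provider (any
  # other provider falls back to the letsencrypt list) and resets the value to
  # the first allowed option when the current one is not in that list.
  preferredChain:
    title: 首选链
    component:
      name: a-select
      vModel: value
      options:
        - value: ISRG Root X1
          label: ISRG Root X1
        - value: ISRG Root X2
          label: ISRG Root X2
    helper: 如无特殊需求保持默认即可
    required: false
    maybeNeed: true
    mergeScript: |2-
        const chainConfigs = {"letsencrypt":{"helper":"如无特殊需求保持默认即可","options":[{"value":"ISRG Root X1","label":"ISRG Root X1"},{"value":"ISRG Root X2","label":"ISRG Root X2"}]},"google":{"helper":"GlobalSign 提供对老旧设备更好的兼容性,但证书链会变长","options":[{"value":"GTS Root R1","label":"GTS Root R1"},{"value":"GlobalSign","label":"GlobalSign"}]}};
        const supportedProviders = ["letsencrypt","google"];
        const defaultProvider = "letsencrypt";
        const getConfig = (provider)=> chainConfigs[provider] || chainConfigs[defaultProvider];
        return {
          show: ctx.compute(({form})=> supportedProviders.includes(form.sslProvider)),
          component: {
            options: ctx.compute(({form})=> getConfig(form.sslProvider).options)
          },
          helper: ctx.compute(({form})=> getConfig(form.sslProvider).helper),
          value: ctx.compute(({form})=>{
            const { options } = getConfig(form.sslProvider);
            const allowed = options.map(item=>item.value);
            const current = form.preferredChain;
            if(allowed.includes(current)){
              return current;
            }
            return allowed[0];
          })
        };
    order: 0
  # Route ACME traffic through a proxy. Default off. The helper says the
  # endpoints are tested by default and a proxy is used automatically when
  # they cannot be reached.
  useProxy:
    title: 使用代理
    value: false
    component:
      name: a-switch
      vModel: checked
    maybeNeed: true
    helper: |-
      如果acme-v02.api.letsencrypt.org或dv.acme-v02.api.pki.goog被墙无法访问,请尝试开启此选项
      默认情况会进行测试,如果无法访问,将会自动使用代理
    order: 0
  # Host name (without http://) of a custom reverse proxy that fronts the CA's
  # ACME endpoint named in the helper.
  # Security: ACME account and order traffic then transits that host, so point
  # this only at a proxy you operate or trust.
  # NOTE(review): confirm how apply.js validates the proxy's TLS certificate.
  reverseProxy:
    title: 自定义反代地址
    component:
      placeholder: google.yourproxy.com
    maybeNeed: true
    helper: |-
      填写你的自定义反代地址,不要带http://
      letsencrypt反代目标:acme-v02.api.letsencrypt.org
      google反代目标:dv.acme-v02.api.pki.goog
    order: 0
  # Skip the local DNS pre-check. Default off. Per the helper this speeds up
  # issuance but raises the chance of failure.
  skipLocalVerify:
    title: 跳过本地校验DNS
    value: false
    component:
      name: a-switch
      vModel: checked
    maybeNeed: true
    helper: 跳过本地校验可以加快申请速度,同时也会增加失败概率。
    order: 0
  # Retry count for checking the validation DNS record. Default 20.
  maxCheckRetryCount:
    title: 检查解析重试次数
    value: 20
    component:
      name: a-input-number
      vModel: value
    maybeNeed: true
    helper: 检查域名验证解析记录重试次数,如果你的域名服务商解析生效速度慢,可以适当增加此值
    order: 0
  # Seconds to wait for DNS propagation. Default 30; the helper suggests
  # 5-10 minutes when CNAME validation fails the local check.
  waitDnsDiffuseTime:
    title: 等待解析生效时长
    value: 30
    component:
      name: a-input-number
      vModel: value
    maybeNeed: true
    helper: 等待解析生效时长(秒),如果使用CNAME方式校验,本地验证失败,可以尝试延长此时间(比如5-10分钟)
    order: 0
  # Password for the converted PFX / JKS bundles (optional).
  # Security: per the helper, leaving this empty yields a PFX with an empty
  # password and a JKS protected by the well-known default `123456`; neither
  # protects the private key, so set a password whenever a bundle leaves the
  # host.
  pfxPassword:
    title: 证书加密密码
    component:
      name: input-password
      vModel: value
    required: false
    order: 100
    helper: |-
      转换成PFX、jks格式证书是否需要加密
      不传则pfx格式默认空密码,jks格式默认123456
  # Extra arguments for the PFX conversion, chosen for Windows Server
  # compatibility. The default is the Windows Server 2016 preset.
  # Security: the 2016 and 2008 presets select SHA1 / 3DES based protection and
  # the 2008 preset (`-nomac`) drops the integrity MAC; use the empty preset
  # where the consumer supports it.
  # NOTE(review): a-auto-complete accepts free text; confirm apply.js passes
  # this value as an argument list and never through a shell.
  pfxArgs:
    title: PFX证书转换参数
    value: '-macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES'
    component:
      name: a-auto-complete
      vModel: value
      options:
        - value: ''
          label: 兼容 Windows Server 最新
        - value: '-macalg SHA1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES'
          label: 兼容 Windows Server 2016
        - value: '-nomac -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES'
          label: 兼容 Windows Server 2008
    required: false
    order: 100
    maybeNeed: true
    helper: 兼容Windows Server各个版本
  # Days before expiry at which the certificate is renewed. The helper warns
  # that the pipeline does not run by itself: a daily timer must be set, or
  # the certificate will lapse.
  renewDays:
    title: 更新天数
    component:
      name: a-input-number
      vModel: value
    required: true
    order: 100
    helper: 到期前多少天后更新证书,注意:流水线默认不会自动运行,请设置定时器,每天定时运行本流水线
  # Send a notification after successful issuance (default off); the default
  # notification channel is preferred.
  successNotify:
    title: 证书申请成功通知
    value: false
    component:
      name: a-switch
      vModel: checked
    order: 100
    maybeNeed: true
    helper: 证书申请成功后是否发送通知,优先使用默认通知渠道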
# Values this task hands to later pipeline steps.
# NOTE(review): if the `cert` object or the zip carries the private key, every
# downstream task that reads these outputs receives it - confirm and limit
# consumers accordingly.
output:
  # Issued certificate ("domain certificate").
  cert:
    title: 域名证书
    type: cert
  # Compressed archive of the issued certificate.
  certZip:
    title: 域名证书压缩文件
    type: certZip
# Plugin registration: a built-in plugin of type `deploy` whose implementation
# is the script at `scriptFilePath`.
# NOTE(review): the script path is presumably resolved inside the application
# bundle - confirm it cannot be redirected to a user-writable location.
pluginType: deploy
type: builtIn
scriptFilePath: /plugins/plugin-cert/plugin/cert-plugin/apply.js