From 5c6fe69f5f5324828099203b19f6cf212604a812 Mon Sep 17 00:00:00 2001
From: WETOOP <37586574+WETOOP@users.noreply.github.com>
Date: Fri, 30 Mar 2018 02:31:02 +0800
Subject: [PATCH 1/6] Add deployment script for AliCDN
---
 deploy/cdn_ali.sh | 138 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 deploy/cdn_ali.sh
diff --git a/deploy/cdn_ali.sh b/deploy/cdn_ali.sh
new file mode 100644
index 00000000..b1cb7bf3
--- /dev/null
+++ b/deploy/cdn_ali.sh
@@ -0,0 +1,138 @@
+#!/usr/bin/env sh
+
+Alicdn_API="https://cdn.aliyuncs.com/"
+
+#DEPLOY_CDN_Ali_Key=""
+#DEPLOY_CDN_Ali_Secret=""
+#DEPLOY_CDN_Ali_Prefix=""
+
+######## Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+
+cdn_ali_deploy() {
+ _cdomain="$1"
+ _ckey="$2"
+ _ccert="$3"
+ _cca="$4"
+ _cfullchain="$5"
+
+ _debug _cdomain "$_cdomain"
+ _debug _ckey "$_ckey"
+ _debug _ccert "$_ccert"
+ _debug _cca "$_cca"
+ _debug _cfullchain "$_cfullchain"
+
+ DEPLOY_CDN_Ali_Key="${DEPLOY_CDN_Ali_Key:-$(_readdomainconf DEPLOY_CDN_Ali_Key)}"
+ DEPLOY_CDN_Ali_Secret="${DEPLOY_CDN_Ali_Secret:-$(_readdomainconf DEPLOY_CDN_Ali_Secret)}"
+ DEPLOY_CDN_Ali_Prefix="${DEPLOY_CDN_Ali_Prefix:-$(_readdomainconf DEPLOY_CDN_Ali_Prefix)}"
+ if [ -z "$DEPLOY_CDN_Ali_Key" ] || [ -z "$DEPLOY_CDN_Ali_Secret" ]; then
+ DEPLOY_CDN_Ali_Key=""
+ DEPLOY_CDN_Ali_Secret=""
+ _err "You don't specify alicdn api key and secret yet."
+ return 1
+ fi
+
+ #save the api key and secret to the account conf file.
+ _savedomainconf DEPLOY_CDN_Ali_Key "$DEPLOY_CDN_Ali_Key"
+ _savedomainconf DEPLOY_CDN_Ali_Secret "$DEPLOY_CDN_Ali_Secret"
+ _savedomainconf DEPLOY_CDN_Ali_Prefix "$DEPLOY_CDN_Ali_Prefix"
+
+ # read cert and key files and urlencode both
+ _certnamestr=$DEPLOY_CDN_Ali_Prefix$_cdomain'-'$(sha1sum "$_ccert" | cut -c1-20)
+ _certtext=$(cat "$_cfullchain" | sed '/^$/d')
+ _keytext=$(cat "$_ckey" | sed '/^$/d')
+ _certstr=$(_urlencode "$_certtext")
+ _keystr=$(_urlencode "$_keytext")
+
+ _debug _certname "$_certnamestr"
+ _debug2 _cert "$_certstr"
+ _debug2 _key "$_keystr"
+
+ _debug "Set Cert"
+ _set_cert_query $(_urlencode "$DEPLOY_CDN_Ali_Prefix$_cdomain") $(_urlencode "$_certnamestr") "$_certstr" "$_keystr" && _ali_rest "Set Cert"
+ return 0
+}
+
+######## Private functions #####################
+
+_set_cert_query() {
+ query=''
+ query=$query'AccessKeyId='$DEPLOY_CDN_Ali_Key
+ query=$query'&Action=SetDomainServerCertificate'
+ query=$query'&CertName='$2
+ query=$query'&DomainName='$1
+ query=$query'&Format=json'
+ query=$query'&PrivateKey='$4
+ query=$query'&ServerCertificate='$3
+ query=$query'&ServerCertificateStatus=on'
+ query=$query'&SignatureMethod=HMAC-SHA1'
+ query=$query"&SignatureNonce=$(_ali_nonce)"
+ query=$query'&SignatureVersion=1.0'
+ query=$query'&Timestamp='$(_timestamp)
+ query=$query'&Version=2014-11-11'
+
+ _debug2 query "$query"
+}
+
+_ali_rest() {
+ signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$DEPLOY_CDN_Ali_Secret&" | _hex_dump | tr -d " ")" | _base64)
+ signature=$(_ali_urlencode "$signature")
+ url="$Alicdn_API?$query&Signature=$signature"
+
+ if !
response="$(_get "$url")"; then + _err "Error <$1>" + return 1 + fi + + _debug2 response "$response" + if [ -z "$2" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ "$message" ]; then + _err "$message" + return 1 + fi + fi +} + +_ali_urlencode() { + _str="$1" + _str_len=${#_str} + _u_i=1 + while [ "$_u_i" -le "$_str_len" ]; do + _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" + case $_str_c in [a-zA-Z0-9.~_-]) + printf "%s" "$_str_c" + ;; + *) + printf "%%%02X" "'$_str_c" + ;; + esac + _u_i="$(_math "$_u_i" + 1)" + done +} + +_ali_nonce() { + #_head_n 1 + old_lc_collate=$LC_COLLATE + LC_COLLATE=C + local length="${#1}" + for (( i = 0; i < length; i++ )); do + local c="${1:i:1}" + case $c in + [a-zA-Z0-9.~_-]) printf "$c" ;; + *) printf '%%%02X' "'$c" ;; + esac + done + LC_COLLATE=$old_lc_collate +} From af23a387f72d887709b728160b654215d829ea16 Mon Sep 17 00:00:00 2001 From: WETOOP <37586574+WETOOP@users.noreply.github.com> Date: Fri, 30 Mar 2018 02:57:37 +0800 Subject: [PATCH 2/6] Update Readme.md for AliCDN --- deploy/README.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/deploy/README.md b/deploy/README.md index 0b820dff..68d5ee3a 100644 --- a/deploy/README.md +++ b/deploy/README.md 
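Review bot: `cdn_ali_deploy` ends with an unconditional `return 0`, so when `_ali_rest "Set Cert"` fails (a failed `_get`, or a `Message` field in the JSON response) the hook still reports success to acme.sh and the renewal is recorded as deployed; drop the `return 0` so the function's status is that of `_set_cert_query … && _ali_rest "Set Cert"`, or write `if ! _ali_rest "Set Cert"; then return 1; fi`. The same trailing `return 0` is kept as context when patch 4 rewrites that line. Separately, `_debug2 _key "$_keystr"` and `_debug2 query "$query"` write the URL-encoded private key (the `PrivateKey` parameter) into the debug log; acme.sh's `_secure_debug2` prints a placeholder for the value unless the user explicitly opts into insecure output, so use it for `_keystr` and `query`. Note also that `_ali_rest` sends the signed request with `_get`, which puts the private key and access key in the URL query string where proxies and access logs routinely retain it; the Aliyun RPC signature includes the HTTP method in the string to sign, so moving the parameters to a POST body (signing `POST&%2F&…`) would keep the key material out of URLs.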
@@ -255,3 +255,41 @@ acme.sh --deploy -d fritzbox.example.com --deploy-hook fritzbox
 ```sh
 acme.sh --deploy -d ftp.example.com --deploy-hook strongswan
 ```
+
+## 10. Deploy the cert to your AliCDN account
+
+You must specify the aliyun account credentials in order to deploy the certificate, optionally specify the prefix of your domain if you use wildcard in cdn domain, through the following environment variables:
+```sh
+export DEPLOY_CDN_Ali_Key="AK"
+export DEPLOY_CDN_Ali_Secret="SK"
+export DEPLOY_CDN_Ali_Prefix=""
+```
+
+After the first deployment, these values will be stored in your domain deploy conf. You may now deploy the certificate like this:
+
+```sh
+acme.sh --deploy -d example.com --deploy-hook cdn_ali
+```
+
+If your cdn domain is cdn.example.com and cert domain is also cdn.example.com, you can leave the prefix empty in deployment:
+```sh
+export DEPLOY_CDN_Ali_Key="AK"
+export DEPLOY_CDN_Ali_Secret="SK"
+export DEPLOY_CDN_Ali_Prefix=""
+acme.sh --deploy -d example.com --deploy-hook cdn_ali
+
+If your cdn domain is cdn.example.com but cert domain is example.com(subject alternative names: example.com,\*.example.com), you must specify the prefix in deployment:
+```sh
+export DEPLOY_CDN_Ali_Key="AK"
+export DEPLOY_CDN_Ali_Secret="SK"
+export DEPLOY_CDN_Ali_Prefix="cdn."
+acme.sh --deploy -d example.com --deploy-hook cdn_ali
+```
+
+If your cdn domain is \*.example.com (added wildcard domain in AliCDN console) but cert domain is example.com(subject alternative names: example.com,\*.example.com), you must specify the prefix only a dot(.) in deployment:
+```sh
+export DEPLOY_CDN_Ali_Key="AK"
+export DEPLOY_CDN_Ali_Secret="SK"
+export DEPLOY_CDN_Ali_Prefix="."
+acme.sh --deploy -d example.com --deploy-hook cdn_ali
+```
From 1be61ffc550e6cdd2f1cfe437ab53623167052e6 Mon Sep 17 00:00:00 2001
From: WETOOP <37586574+WETOOP@users.noreply.github.com> Date: Fri, 30 Mar 2018 02:59:26 +0800 Subject: [PATCH 3/6] Fix format --- deploy/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/README.md b/deploy/README.md index 68d5ee3a..0833173c 100644 --- a/deploy/README.md +++ b/deploy/README.md @@ -277,6 +277,7 @@ export DEPLOY_CDN_Ali_Key="AK" export DEPLOY_CDN_Ali_Secret="SK" export DEPLOY_CDN_Ali_Prefix="" acme.sh --deploy -d example.com --deploy-hook cdn_ali +``` If your cdn domain is cdn.example.com but cert domain is example.com(subject alternative names: example.com,\*.example.com), you must specify the prefix in deployment: ```sh From cc9c4e5c28322d8a95c9f9f1beb6212a8ca8a5b8 Mon Sep 17 00:00:00 2001 From: WETOOP <37586574+WETOOP@users.noreply.github.com> Date: Sun, 29 Apr 2018 17:10:31 +0800 Subject: [PATCH 4/6] Clean code --- deploy/cdn_ali.sh | 52 +++++++++++++++++++---------------------------- 1 file changed, 21 insertions(+), 31 deletions(-) diff --git a/deploy/cdn_ali.sh b/deploy/cdn_ali.sh index b1cb7bf3..912272dd 100644 --- a/deploy/cdn_ali.sh +++ b/deploy/cdn_ali.sh 
@@ -40,17 +40,17 @@ cdn_ali_deploy() { # read cert and key files and urlencode both _certnamestr=$DEPLOY_CDN_Ali_Prefix$_cdomain'-'$(sha1sum "$_ccert" | cut -c1-20) - _certtext=$(cat "$_cfullchain" | sed '/^$/d') - _keytext=$(cat "$_ckey" | sed '/^$/d') - _certstr=$(_urlencode "$_certtext") - _keystr=$(_urlencode "$_keytext") + _certtext=$(sed '/^$/d' < "$_cfullchain") + _keytext=$(sed '/^$/d' < "$_ckey") + _certstr=$(_ali_urlencode "$_certtext") + _keystr=$(_ali_urlencode "$_keytext") _debug _certname "$_certnamestr" _debug2 _cert "$_certstr" _debug2 _key "$_keystr" _debug "Set Cert" - _set_cert_query $(_urlencode "$DEPLOY_CDN_Ali_Prefix$_cdomain") $(_urlencode "$_certnamestr") "$_certstr" "$_keystr" && _ali_rest "Set Cert" + _set_cert_query "$(_ali_urlencode "$DEPLOY_CDN_Ali_Prefix$_cdomain")" "$(_ali_urlencode "$_certnamestr")" "$_certstr" "$_keystr" && _ali_rest "Set Cert" return 0 } @@ -96,20 +96,25 @@ _ali_rest() { } _ali_urlencode() { + # urlencode + old_lc_collate=$LC_COLLATE + LC_COLLATE=C + _str="$1" - _str_len=${#_str} - _u_i=1 - while [ "$_u_i" -le "$_str_len" ]; do - _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" - case $_str_c in [a-zA-Z0-9.~_-]) - printf "%s" "$_str_c" - ;; - *) - printf "%%%02X" "'$_str_c" - ;; + _str_length="${#1}" + i=1 + while [ "$i" -le "$_str_length" ] + do + _str_c="$(expr substr "$_str" "$i" 1)" + case $_str_c in + [a-zA-Z0-9.~_-]) printf "%s" "$_str_c" ;; + "") printf "%s" "%0A" ;; + *) printf '%%%02X' "'$_str_c" ;; esac - _u_i="$(_math "$_u_i" + 1)" + i=$((i + 1)) done + + LC_COLLATE=$old_lc_collate } _ali_nonce() { @@ -121,18 +126,3 @@ _ali_nonce() { _timestamp() { date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ" } - -_urlencode() { - # urlencode - old_lc_collate=$LC_COLLATE - LC_COLLATE=C - local length="${#1}" - for (( i = 0; i < length; i++ )); do - local c="${1:i:1}" - case $c in - [a-zA-Z0-9.~_-]) printf "$c" ;; - *) printf '%%%02X' "'$c" ;; - esac - done - LC_COLLATE=$old_lc_collate -} 
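Review bot: The `"") printf "%s" "%0A" ;;` arm in the rewritten `_ali_urlencode` relies on `$(expr substr …)` stripping the trailing newline, so a newline character reaches the `case` as an empty string; nothing on the line says so, and a reader sees an arm that encodes "nothing" as `%0A`. A comment on that arm, `# $(...) strips the trailing newline, so an empty result means the character was a newline`, records the trick. The loop also writes the unprefixed globals `i` and `old_lc_collate` (the file targets `sh` and uses no `local`), so a caller's `i` is clobbered when this hook is sourced; `_ali_i` and `_ali_old_lc_collate` would follow the file's `_`-prefixed naming. The loop further forks `expr` once per character of a multi-kilobyte PEM chain; acme.sh's stream-based `_url_encode` reads stdin in one pass and would avoid that, provided its unreserved set matches the `[a-zA-Z0-9.~_-]` Aliyun requires.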
From 619e33276afcfff065fa28ad79be15be1c0ef806 Mon Sep 17 00:00:00 2001 From: WETOOP <37586574+WETOOP@users.noreply.github.com> Date: Sun, 29 Apr 2018 18:07:44 +0800 Subject: [PATCH 5/6] Fix format --- deploy/cdn_ali.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/deploy/cdn_ali.sh b/deploy/cdn_ali.sh index 912272dd..1f6cd7ab 100644 --- a/deploy/cdn_ali.sh +++ b/deploy/cdn_ali.sh @@ -40,8 +40,8 @@ cdn_ali_deploy() { # read cert and key files and urlencode both _certnamestr=$DEPLOY_CDN_Ali_Prefix$_cdomain'-'$(sha1sum "$_ccert" | cut -c1-20) - _certtext=$(sed '/^$/d' < "$_cfullchain") - _keytext=$(sed '/^$/d' < "$_ckey") + _certtext=$(sed '/^$/d' <"$_cfullchain") + _keytext=$(sed '/^$/d' <"$_ckey") _certstr=$(_ali_urlencode "$_certtext") _keystr=$(_ali_urlencode "$_keytext") @@ -103,9 +103,8 @@ _ali_urlencode() { _str="$1" _str_length="${#1}" i=1 - while [ "$i" -le "$_str_length" ] - do - _str_c="$(expr substr "$_str" "$i" 1)" + while [ "$i" -le "$_str_length" ]; do + _str_c="$(printf "%s" "$_str" | head -c "$i" | tail -c 1)" case $_str_c in [a-zA-Z0-9.~_-]) printf "%s" "$_str_c" ;; "") printf "%s" "%0A" ;; From ac38cb5d22739d61706216f4baea9740a7aa0fb4 Mon Sep 17 00:00:00 2001 From: WETOOP <37586574+WETOOP@users.noreply.github.com> Date: Fri, 5 Jan 2024 20:55:11 +0800 Subject: [PATCH 6/6] Switch to batch set api. --- deploy/cdn_ali.sh | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/deploy/cdn_ali.sh b/deploy/cdn_ali.sh index 1f6cd7ab..1f782f1f 100644 --- a/deploy/cdn_ali.sh +++ b/deploy/cdn_ali.sh @@ -39,7 +39,7 @@ cdn_ali_deploy() { _savedomainconf DEPLOY_CDN_Ali_Prefix "$DEPLOY_CDN_Ali_Prefix" # read cert and key files and urlencode both - _certnamestr=$DEPLOY_CDN_Ali_Prefix$_cdomain'-'$(sha1sum "$_ccert" | cut -c1-20) + _certnamestr=$_cdomain _certtext=$(sed '/^$/d' <"$_cfullchain") _keytext=$(sed '/^$/d' <"$_ckey") _certstr=$(_ali_urlencode "$_certtext") 
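Review bot: `printf "%s" "$_str" | head -c "$i" | tail -c 1` re-emits and re-scans the whole string for every index, so encoding an n-byte PEM chain costs n three-process pipelines over n bytes, which is quadratic, and the full chain and key run to several KB each. It also mixes units: `_str_length="${#1}"` counts characters in the current locale while `head -c`/`tail -c` count bytes, and the two only agree for ASCII input; PEM is ASCII, so a comment on the `_str_length` line, `# byte-indexed: input is PEM (ASCII), so ${#1} equals the byte count`, would record that assumption. A single pass over the bytes (for example one `_hex_dump` of the string, mapping each hex pair) would remove both the quadratic cost and the unit mismatch. `_ali_urlencode` starts before this hunk; the `LC_COLLATE` save and restore are outside it.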
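Review bot: `_certnamestr=$_cdomain` drops the per-certificate suffix the name carried before (`sha1sum` of the cert, `cut -c1-20`), so every renewal uploads a fresh certificate under the same `CertName`. Whether `BatchSetCdnDomainServerCertificate` with `ForceSet=1` replaces an existing name or rejects it as a duplicate is not visible here; if it rejects, the second deployment fails, so the behaviour should be confirmed and stated next to the assignment, e.g. `# CertName is reused on every renewal; ForceSet=1 is relied on to replace the previous upload (verify)`. If a unique name is needed, a portable suffix such as `$(date -u +%Y%m%d%H%M%S)` avoids reintroducing `sha1sum`, which is not available on every platform acme.sh supports. `cdn_ali_deploy` starts before and ends after this hunk.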
@@ -59,18 +59,20 @@ cdn_ali_deploy() { _set_cert_query() { query='' query=$query'AccessKeyId='$DEPLOY_CDN_Ali_Key - query=$query'&Action=SetDomainServerCertificate' + query=$query'&Action=BatchSetCdnDomainServerCertificate' query=$query'&CertName='$2 + query=$query'&CertType=upload' query=$query'&DomainName='$1 - query=$query'&Format=json' - query=$query'&PrivateKey='$4 - query=$query'&ServerCertificate='$3 - query=$query'&ServerCertificateStatus=on' + query=$query'&ForceSet=1' + query=$query'&Format=JSON' + query=$query'&SSLPri='$4 + query=$query'&SSLProtocol=on' + query=$query'&SSLPub='$3 query=$query'&SignatureMethod=HMAC-SHA1' query=$query"&SignatureNonce=$(_ali_nonce)" query=$query'&SignatureVersion=1.0' query=$query'&Timestamp='$(_timestamp) - query=$query'&Version=2014-11-11' + query=$query'&Version=2018-05-10' _debug2 query "$query" }
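Review bot: `_set_cert_query` assembles the parameters in byte-sorted order (`CertName` < `CertType`, `ForceSet` < `Format`, `SSLPri` < `SSLProtocol` < `SSLPub` < `SignatureMethod`), and that order is load-bearing: `_ali_rest` signs `GET&%2F&` plus the encoded query exactly as assembled, and the Aliyun signature scheme canonicalizes parameters sorted by name, so a line appended out of order produces a signature mismatch at the API instead of a local error. Nothing in the function says so; a header comment, `# parameters must stay in ASCII-sorted order: _ali_rest signs the query string exactly as assembled`, would keep the next `query=$query'&…'` line from landing in the wrong place. `ForceSet=1` and `CertType=upload` are bare magic values in the new lines; a short comment naming what each selects would help the next maintainer.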