[SSL证书]免费证书申请增加HTTP认证方式

2025-11-03 23:20:26 +08:00 · 2020-12-03 18:19:22 +08:00
parent b8bad79859
commit 0df86527c8
20 changed files with 369 additions and 57 deletions
--- a/internal/acme/auth_callback.go
+++ b/internal/acme/auth_callback.go
@@ -0,0 +1,3 @@
+package acme
+
+type AuthCallback func(domain, token, keyAuth string)
--- a/internal/acme/http_provider.go
+++ b/internal/acme/http_provider.go
@@ -0,0 +1,23 @@
+package acme
+
+type HTTPProvider struct {
+	onAuth AuthCallback
+}
+
+func NewHTTPProvider(onAuth AuthCallback) *HTTPProvider {
+	return &HTTPProvider{
+		onAuth: onAuth,
+	}
+}
+
+func (this *HTTPProvider) Present(domain, token, keyAuth string) error {
+	if this.onAuth != nil {
+		this.onAuth(domain, token, keyAuth)
+	}
+	//http01.ChallengePath()
+	return nil
+}
+
+func (this *HTTPProvider) CleanUp(domain, token, keyAuth string) error {
+	return nil
+}
--- a/internal/acme/request.go
+++ b/internal/acme/request.go
@@ -14,7 +14,8 @@ import (
 type Request struct {
 	debug bool

-	task *Task
+	task   *Task
+	onAuth AuthCallback
 }

 func NewRequest(task *Task) *Request {
@@ -27,7 +28,23 @@ func (this *Request) Debug() {
 	this.debug = true
 }

+func (this *Request) OnAuth(onAuth AuthCallback) {
+	this.onAuth = onAuth
+}
+
 func (this *Request) Run() (certData []byte, keyData []byte, err error) {
+	switch this.task.AuthType {
+	case AuthTypeDNS:
+		return this.runDNS()
+	case AuthTypeHTTP:
+		return this.runHTTP()
+	default:
+		err = errors.New("invalid task type '" + this.task.AuthType + "'")
+		return
+	}
+}
+
+func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
 	if !this.debug {
 		acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
 	}
@@ -92,3 +109,57 @@ func (this *Request) Run() (certData []byte, keyData []byte, err error) {

 	return certResource.Certificate, certResource.PrivateKey, nil
 }
+
+func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
+	if !this.debug {
+		acmelog.Logger = log.New(ioutil.Discard, "", log.LstdFlags)
+	}
+
+	if this.task.User == nil {
+		err = errors.New("'user' must not be nil")
+		return
+	}
+
+	config := lego.NewConfig(this.task.User)
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 注册用户
+	resource := this.task.User.GetRegistration()
+	if resource != nil {
+		resource, err = client.Registration.QueryRegistration()
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		resource, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		if err != nil {
+			return nil, nil, err
+		}
+		err = this.task.User.Register(resource)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+
+	err = client.Challenge.SetHTTP01Provider(NewHTTPProvider(this.onAuth))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 申请证书
+	request := certificate.ObtainRequest{
+		Domains: this.task.Domains,
+		Bundle:  true,
+	}
+	certResource, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certResource.Certificate, certResource.PrivateKey, nil
+}
--- a/internal/acme/request_test.go
+++ b/internal/acme/request_test.go
@@ -11,7 +11,7 @@ import (
 	"testing"
 )

-func TestNewRequest(t *testing.T) {
+func TestRequest_Run_DNS(t *testing.T) {
 	privateKey, err := ParsePrivateKeyFromBase64("MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgD3xxDXP4YVqHCfub21Yi3QL1Kvgow23J8CKJ7vU3L4+hRANCAARRl5ZKAlgGRc5RETSMYFCTXvjnePDgjALWgtgfClQGLB2rGyRecJvlesAM6Q7LQrDxVxvxdSQQmPGRqJGiBtjd")
 	if err != nil {
 		t.Fatal(err)
@@ -39,6 +39,7 @@ func TestNewRequest(t *testing.T) {

 	req := NewRequest(&Task{
 		User:        user,
+		Type:        TaskTypeDNS,
 		DNSProvider: dnsProvider,
 		DNSDomain:   "yun4s.cn",
 		Domains:     []string{"yun4s.cn"},
@@ -51,6 +52,40 @@ func TestNewRequest(t *testing.T) {
 	t.Log("key:", string(keyData))
 }

+func TestRequest_Run_HTTP(t *testing.T) {
+	privateKey, err := ParsePrivateKeyFromBase64("MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgD3xxDXP4YVqHCfub21Yi3QL1Kvgow23J8CKJ7vU3L4+hRANCAARRl5ZKAlgGRc5RETSMYFCTXvjnePDgjALWgtgfClQGLB2rGyRecJvlesAM6Q7LQrDxVxvxdSQQmPGRqJGiBtjd")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	user := NewUser("19644627@qq.com", privateKey, func(resource *registration.Resource) error {
+		resourceJSON, err := json.Marshal(resource)
+		if err != nil {
+			return err
+		}
+		t.Log(string(resourceJSON))
+		return nil
+	})
+
+	regResource := []byte(`{"body":{"status":"valid","contact":["mailto:19644627@qq.com"]},"uri":"https://acme-v02.api.letsencrypt.org/acme/acct/103672877"}`)
+	err = user.SetRegistration(regResource)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := NewRequest(&Task{
+		User:    user,
+		Type:    TaskTypeHTTP,
+		Domains: []string{"teaos.cn", "www.teaos.cn", "meloy.cn"},
+	})
+	certData, keyData, err := req.runHTTP()
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(string(certData))
+	t.Log(string(keyData))
+}
+
 func testDNSPodProvider() (dnsclients.ProviderInterface, error) {
 	db, err := dbs.Default()
 	if err != nil {
--- a/internal/acme/task.go
+++ b/internal/acme/task.go
@@ -2,9 +2,19 @@ package acme

 import "github.com/TeaOSLab/EdgeAPI/internal/dnsclients"

+type AuthType = string
+
+const (
+	AuthTypeDNS  AuthType = "dns"
+	AuthTypeHTTP AuthType = "http"
+)
+
 type Task struct {
-	User        *User
+	User     *User
+	AuthType AuthType
+	Domains  []string
+
+	// DNS相关
 	DNSProvider dnsclients.ProviderInterface
 	DNSDomain   string
-	Domains     []string
 }