[SSL证书]实现基本的自动申请证书流程

2026-01-03 04:26:34 +08:00 · 2020-11-26 16:39:06 +08:00
parent 4142fae762
commit 3eea083a5a
18 changed files with 594 additions and 27 deletions
--- a/internal/db/models/acme_task_dao.go
+++ b/internal/db/models/acme_task_dao.go
@@ -2,10 +2,15 @@ package models

 import (
 	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/acme"
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
 	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/sslconfigs"
+	"github.com/go-acme/lego/v4/registration"
 	_ "github.com/go-sql-driver/mysql"
 	"github.com/iwind/TeaGo/Tea"
 	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/logs"
 	"github.com/iwind/TeaGo/types"
 )

@@ -131,7 +136,6 @@ func (this *ACMETaskDAO) CreateACMETask(adminId int64, userId int64, acmeUserId
 	op.AutoRenew = autoRenew
 	op.IsOn = true
 	op.State = ACMETaskStateEnabled
-	op.IsOk = false
 	_, err := this.Save(op)
 	if err != nil {
 		return 0, err
@@ -173,3 +177,179 @@ func (this *ACMETaskDAO) CheckACMETask(adminId int64, userId int64, acmeTaskId i
 		Pk(acmeTaskId).
 		Exist()
 }
+
+// 设置任务关联的证书
+func (this *ACMETaskDAO) UpdateACMETaskCert(taskId int64, certId int64) error {
+	if taskId <= 0 {
+		return errors.New("invalid taskId")
+	}
+
+	op := NewACMETaskOperator()
+	op.Id = taskId
+	op.CertId = certId
+	_, err := this.Save(op)
+	return err
+}
+
+// 执行任务并记录日志
+func (this *ACMETaskDAO) RunTask(taskId int64) (isOk bool, errMsg string, resultCertId int64) {
+	isOk, errMsg, resultCertId = this.runTaskWithoutLog(taskId)
+
+	// 记录日志
+	err := SharedACMETaskLogDAO.CreateACMELog(taskId, isOk, errMsg)
+	if err != nil {
+		logs.Error(err)
+	}
+
+	return
+}
+
+// 执行任务但并不记录日志
+func (this *ACMETaskDAO) runTaskWithoutLog(taskId int64) (isOk bool, errMsg string, resultCertId int64) {
+	task, err := this.FindEnabledACMETask(taskId)
+	if err != nil {
+		errMsg = "查询任务信息时出错：" + err.Error()
+		return
+	}
+	if task == nil {
+		errMsg = "找不到要执行的任务"
+		return
+	}
+	if task.IsOn != 1 {
+		errMsg = "任务没有启用"
+		return
+	}
+
+	// ACME用户
+	user, err := SharedACMEUserDAO.FindEnabledACMEUser(int64(task.AcmeUserId))
+	if err != nil {
+		errMsg = "查询ACME用户时出错：" + err.Error()
+		return
+	}
+	if user == nil {
+		errMsg = "找不到ACME用户"
+		return
+	}
+
+	privateKey, err := acme.ParsePrivateKeyFromBase64(user.PrivateKey)
+	if err != nil {
+		errMsg = "解析私钥时出错：" + err.Error()
+		return
+	}
+
+	remoteUser := acme.NewUser(user.Email, privateKey, func(resource *registration.Resource) error {
+		resourceJSON, err := json.Marshal(resource)
+		if err != nil {
+			return err
+		}
+
+		err = SharedACMEUserDAO.UpdateACMEUserRegistration(int64(user.Id), resourceJSON)
+		return err
+	})
+
+	if len(user.Registration) > 0 {
+		err = remoteUser.SetRegistration([]byte(user.Registration))
+		if err != nil {
+			errMsg = "设置注册信息时出错：" + err.Error()
+			return
+		}
+	}
+
+	// DNS服务商
+	dnsProvider, err := SharedDNSProviderDAO.FindEnabledDNSProvider(int64(task.DnsProviderId))
+	if err != nil {
+		errMsg = "查找DNS服务商账号信息时出错：" + err.Error()
+		return
+	}
+	if dnsProvider == nil {
+		errMsg = "找不到DNS服务商账号"
+		return
+	}
+	providerInterface := dnsclients.FindProvider(dnsProvider.Type)
+	if providerInterface == nil {
+		errMsg = "暂不支持此类型的DNS服务商 '" + dnsProvider.Type + "'"
+		return
+	}
+	apiParams, err := dnsProvider.DecodeAPIParams()
+	if err != nil {
+		errMsg = "解析DNS服务商API参数时出错：" + err.Error()
+		return
+	}
+	err = providerInterface.Auth(apiParams)
+	if err != nil {
+		errMsg = "校验DNS服务商API参数时出错：" + err.Error()
+		return
+	}
+
+	acmeRequest := acme.NewRequest(&acme.Task{
+		User:        remoteUser,
+		DNSProvider: providerInterface,
+		DNSDomain:   task.DnsDomain,
+		Domains:     task.DecodeDomains(),
+	})
+	certData, keyData, err := acmeRequest.Run()
+	if err != nil {
+		errMsg = "证书生成失败：" + err.Error()
+		return
+	}
+
+	// 分析证书
+	sslConfig := &sslconfigs.SSLCertConfig{
+		CertData: certData,
+		KeyData:  keyData,
+	}
+	err = sslConfig.Init()
+	if err != nil {
+		errMsg = "证书生成成功，但是分析证书信息时发生错误：" + err.Error()
+		return
+	}
+
+	// 保存证书
+	resultCertId = int64(task.CertId)
+	if resultCertId > 0 {
+		cert, err := SharedSSLCertDAO.FindEnabledSSLCert(resultCertId)
+		if err != nil {
+			errMsg = "证书生成成功，但查询已绑定的证书时出错：" + err.Error()
+			return
+		}
+		if cert == nil {
+			errMsg = "证书已被管理员或用户删除"
+
+			// 禁用
+			err = SharedACMETaskDAO.DisableACMETask(taskId)
+			if err != nil {
+				errMsg = "禁用失效的ACME任务出错：" + err.Error()
+			}
+
+			return
+		}
+
+		err = SharedSSLCertDAO.UpdateCert(resultCertId, cert.IsOn == 1, cert.Name, cert.Description, cert.ServerName, cert.IsCA == 1, certData, keyData, sslConfig.TimeBeginAt, sslConfig.TimeEndAt, sslConfig.DNSNames, sslConfig.CommonNames)
+		if err != nil {
+			errMsg = "证书生成成功，但是修改数据库中的证书信息时出错：" + err.Error()
+			return
+		}
+	} else {
+		resultCertId, err = SharedSSLCertDAO.CreateCert(int64(task.AdminId), int64(task.UserId), true, task.DnsDomain+"免费证书", "免费申请的证书", "", false, certData, keyData, sslConfig.TimeBeginAt, sslConfig.TimeEndAt, sslConfig.DNSNames, sslConfig.CommonNames)
+		if err != nil {
+			errMsg = "证书生成成功，但是保存到数据库失败：" + err.Error()
+			return
+		}
+
+		err = SharedSSLCertDAO.UpdateCertACME(resultCertId, int64(task.Id))
+		if err != nil {
+			errMsg = "证书生成成功，修改证书ACME信息时出错：" + err.Error()
+			return
+		}
+
+		// 设置成功
+		err = SharedACMETaskDAO.UpdateACMETaskCert(taskId, resultCertId)
+		if err != nil {
+			errMsg = "证书生成成功，设置任务关联的证书时出错：" + err.Error()
+			return
+		}
+	}
+
+	isOk = true
+	return
+}
--- a/internal/db/models/acme_task_log_dao.go
+++ b/internal/db/models/acme_task_log_dao.go
@@ -26,3 +26,13 @@ func init() {
 		SharedACMETaskLogDAO = NewACMETaskLogDAO()
 	})
 }
+
+// 生成日志
+func (this *ACMETaskLogDAO) CreateACMELog(taskId int64, isOk bool, errMsg string) error {
+	op := NewACMETaskLogOperator()
+	op.TaskId = taskId
+	op.Error = errMsg
+	op.IsOk = isOk
+	_, err := this.Save(op)
+	return err
+}
--- a/internal/db/models/acme_task_model.go
+++ b/internal/db/models/acme_task_model.go
@@ -12,7 +12,6 @@ type ACMETask struct {
 	Domains       string `field:"domains"`       // 证书域名
 	CreatedAt     uint64 `field:"createdAt"`     // 创建时间
 	State         uint8  `field:"state"`         // 状态
-	IsOk          uint8  `field:"isOk"`          // 最后运行是否正常
 	CertId        uint64 `field:"certId"`        // 生成的证书ID
 	AutoRenew     uint8  `field:"autoRenew"`     // 是否自动更新
 }
@@ -28,7 +27,6 @@ type ACMETaskOperator struct {
 	Domains       interface{} // 证书域名
 	CreatedAt     interface{} // 创建时间
 	State         interface{} // 状态
-	IsOk          interface{} // 最后运行是否正常
 	CertId        interface{} // 生成的证书ID
 	AutoRenew     interface{} // 是否自动更新
 }
--- a/internal/db/models/acme_user_dao.go
+++ b/internal/db/models/acme_user_dao.go
@@ -97,7 +97,7 @@ func (this *ACMEUserDAO) CreateACMEUser(adminId int64, userId int64, email strin
 	return types.Int64(op.Id), nil
 }

-// 查找用户列表
+// 修改用户信息
 func (this *ACMEUserDAO) UpdateACMEUser(acmeUserId int64, description string) error {
 	if acmeUserId <= 0 {
 		return errors.New("invalid acmeUserId")
@@ -109,6 +109,18 @@ func (this *ACMEUserDAO) UpdateACMEUser(acmeUserId int64, description string) er
 	return err
 }

+// 修改用户ACME注册信息
+func (this *ACMEUserDAO) UpdateACMEUserRegistration(acmeUserId int64, registrationJSON []byte) error {
+	if acmeUserId <= 0 {
+		return errors.New("invalid acmeUserId")
+	}
+	op := NewACMEUserOperator()
+	op.Id = acmeUserId
+	op.Registration = registrationJSON
+	_, err := this.Save(op)
+	return err
+}
+
 // 计算用户数量
 func (this *ACMEUserDAO) CountACMEUsersWithAdminId(adminId int64, userId int64) (int64, error) {
 	query := this.Query()
--- a/internal/db/models/acme_user_model.go
+++ b/internal/db/models/acme_user_model.go
@@ -2,25 +2,27 @@ package models

 //
 type ACMEUser struct {
-	Id          uint64 `field:"id"`          // ID
-	AdminId     uint32 `field:"adminId"`     // 管理员ID
-	UserId      uint32 `field:"userId"`      // 用户ID
-	PrivateKey  string `field:"privateKey"`  // 私钥
-	Email       string `field:"email"`       // E-mail
-	CreatedAt   uint64 `field:"createdAt"`   // 创建时间
-	State       uint8  `field:"state"`       // 状态
-	Description string `field:"description"` // 备注介绍
+	Id           uint64 `field:"id"`           // ID
+	AdminId      uint32 `field:"adminId"`      // 管理员ID
+	UserId       uint32 `field:"userId"`       // 用户ID
+	PrivateKey   string `field:"privateKey"`   // 私钥
+	Email        string `field:"email"`        // E-mail
+	CreatedAt    uint64 `field:"createdAt"`    // 创建时间
+	State        uint8  `field:"state"`        // 状态
+	Description  string `field:"description"`  // 备注介绍
+	Registration string `field:"registration"` // 注册信息
 }

 type ACMEUserOperator struct {
-	Id          interface{} // ID
-	AdminId     interface{} // 管理员ID
-	UserId      interface{} // 用户ID
-	PrivateKey  interface{} // 私钥
-	Email       interface{} // E-mail
-	CreatedAt   interface{} // 创建时间
-	State       interface{} // 状态
-	Description interface{} // 备注介绍
+	Id           interface{} // ID
+	AdminId      interface{} // 管理员ID
+	UserId       interface{} // 用户ID
+	PrivateKey   interface{} // 私钥
+	Email        interface{} // E-mail
+	CreatedAt    interface{} // 创建时间
+	State        interface{} // 状态
+	Description  interface{} // 备注介绍
+	Registration interface{} // 注册信息
 }

 func NewACMEUserOperator() *ACMEUserOperator {
--- a/internal/db/models/ssl_cert_dao.go
+++ b/internal/db/models/ssl_cert_dao.go
@@ -178,6 +178,7 @@ func (this *SSLCertDAO) ComposeCertConfig(certId int64) (*sslconfigs.SSLCertConf
 	config.Id = int64(cert.Id)
 	config.IsOn = cert.IsOn == 1
 	config.IsCA = cert.IsCA == 1
+	config.IsACME = cert.IsACME == 1
 	config.Name = cert.Name
 	config.Description = cert.Description
 	config.CertData = []byte(cert.CertData)
@@ -269,3 +270,16 @@ func (this *SSLCertDAO) ListCertIds(isCA bool, isAvailable bool, isExpired bool,
 	}
 	return result, nil
 }
+
+// 设置证书的ACME信息
+func (this *SSLCertDAO) UpdateCertACME(certId int64, acmeTaskId int64) error {
+	if certId <= 0 {
+		return errors.New("invalid certId")
+	}
+	op := NewSSLCertOperator()
+	op.Id = certId
+	op.AcmeTaskId = acmeTaskId
+	op.IsACME = true
+	_, err := this.Save(op)
+	return err
+}