[SSL证书]免费证书申请增加HTTP认证方式

internal/const/const.go

@@ -1,7 +1,7 @@
 package teaconst
 
 const (
-	Version = "0.0.4"
+	Version = "0.0.5"
 
 	ProductName   = "Edge Admin"
 	ProcessName   = "edge-admin"

internal/web/actions/default/servers/certs/acme/create.go

@@ -66,6 +66,7 @@ func (this *CreateAction) RunGet(params struct{}) {
 
 func (this *CreateAction) RunPost(params struct {
 	TaskId        int64
+	AuthType      string
 	AcmeUserId    int64
 	DnsProviderId int64
 	DnsDomain     string
@@ -74,19 +75,27 @@ func (this *CreateAction) RunPost(params struct {
 
 	Must *actions.Must
 }) {
+	if params.AuthType != "dns" && params.AuthType != "http" {
+		this.Fail("无法识别的认证方式'" + params.AuthType + "'")
+	}
+
 	if params.AcmeUserId <= 0 {
 		this.Fail("请选择一个申请证书的用户")
 	}
+
+	// 校验DNS相关信息
+	dnsDomain := strings.ToLower(params.DnsDomain)
+	if params.AuthType == "dns" {
 		if params.DnsProviderId <= 0 {
 			this.Fail("请选择DNS服务商")
 		}
 		if len(params.DnsDomain) == 0 {
 			this.Fail("请输入顶级域名")
 		}
-	dnsDomain := strings.ToLower(params.DnsDomain)
 		if !domainutils.ValidateDomainFormat(dnsDomain) {
 			this.Fail("请输入正确的顶级域名")
 		}
+	}
 
 	if len(params.Domains) == 0 {
 		this.Fail("请输入证书域名列表")
@@ -94,14 +103,21 @@ func (this *CreateAction) RunPost(params struct {
 	realDomains := []string{}
 	for _, domain := range params.Domains {
 		domain = strings.ToLower(domain)
+		if params.AuthType == "dns" { // DNS认证
 			if !strings.HasSuffix(domain, "."+dnsDomain) && domain != dnsDomain {
 				this.Fail("证书域名中的" + domain + "和顶级域名不一致")
 			}
+		} else if params.AuthType == "http" { // HTTP认证
+			if strings.Contains(domain, "*") {
+				this.Fail("在HTTP认证时域名" + domain + "不能包含通配符")
+			}
+		}
 		realDomains = append(realDomains, domain)
 	}
 
 	if params.TaskId == 0 {
 		createResp, err := this.RPC().ACMETaskRPC().CreateACMETask(this.AdminContext(), &pb.CreateACMETaskRequest{
+			AuthType:      params.AuthType,
 			AcmeUserId:    params.AcmeUserId,
 			DnsProviderId: params.DnsProviderId,
 			DnsDomain:     dnsDomain,

internal/web/actions/default/servers/certs/acme/index.go

@@ -42,9 +42,16 @@ func (this *IndexAction) RunGet(params struct{}) {
 
 	taskMaps := []maps.Map{}
 	for _, task := range tasksResp.AcmeTasks {
-		if task.AcmeUser == nil || task.DnsProvider == nil {
+		if task.AcmeUser == nil {
 			continue
 		}
+		dnsProviderMap := maps.Map{}
+		if task.AuthType == "dns" && task.DnsProvider != nil {
+			dnsProviderMap = maps.Map{
+				"id":   task.DnsProvider.Id,
+				"name": task.DnsProvider.Name,
+			}
+		}
 
 		// 证书
 		var certMap maps.Map = nil
@@ -70,14 +77,12 @@ func (this *IndexAction) RunGet(params struct{}) {
 
 		taskMaps = append(taskMaps, maps.Map{
 			"id":       task.Id,
+			"authType": task.AuthType,
 			"acmeUser": maps.Map{
 				"id":    task.AcmeUser.Id,
 				"email": task.AcmeUser.Email,
 			},
-			"dnsProvider": maps.Map{
+			"dnsProvider": dnsProviderMap,
-				"id":   task.DnsProvider.Id,
-				"name": task.DnsProvider.Name,
-			},
 			"dnsDomain":   task.DnsDomain,
 			"domains":     task.Domains,
 			"autoRenew":   task.AutoRenew,

internal/web/actions/default/servers/certs/acme/updateTaskPopup.go

@@ -55,8 +55,8 @@ func (this *UpdateTaskPopupAction) RunGet(params struct {
 
 	this.Data["task"] = maps.Map{
 		"id":          task.Id,
+		"authType":    task.AuthType,
 		"acmeUser":    acmeUserMap,
-		"dnsProviderId": task.DnsProvider.Id,
 		"dnsDomain":   task.DnsDomain,
 		"domains":     task.Domains,
 		"autoRenew":   task.AutoRenew,
@@ -88,6 +88,7 @@ func (this *UpdateTaskPopupAction) RunGet(params struct {
 
 func (this *UpdateTaskPopupAction) RunPost(params struct {
 	TaskId        int64
+	AuthType      string
 	AcmeUserId    int64
 	DnsProviderId int64
 	DnsDomain     string
@@ -99,19 +100,26 @@ func (this *UpdateTaskPopupAction) RunPost(params struct {
 }) {
 	defer this.CreateLogInfo("修改证书申请任务 %d", params.TaskId)
 
+	if params.AuthType != "dns" && params.AuthType != "http" {
+		this.Fail("无法识别的认证方式'" + params.AuthType + "'")
+	}
+
 	if params.AcmeUserId <= 0 {
 		this.Fail("请选择一个申请证书的用户")
 	}
+
+	dnsDomain := strings.ToLower(params.DnsDomain)
+	if params.AuthType == "dns" {
 		if params.DnsProviderId <= 0 {
 			this.Fail("请选择DNS服务商")
 		}
 		if len(params.DnsDomain) == 0 {
 			this.Fail("请输入顶级域名")
 		}
-	dnsDomain := strings.ToLower(params.DnsDomain)
 		if !domainutils.ValidateDomainFormat(dnsDomain) {
 			this.Fail("请输入正确的顶级域名")
 		}
+	}
 
 	if len(params.Domains) == 0 {
 		this.Fail("请输入证书域名列表")
@@ -119,9 +127,15 @@ func (this *UpdateTaskPopupAction) RunPost(params struct {
 	realDomains := []string{}
 	for _, domain := range params.Domains {
 		domain = strings.ToLower(domain)
+		if params.AuthType == "dns" {
 			if !strings.HasSuffix(domain, "."+dnsDomain) && domain != dnsDomain {
 				this.Fail("证书域名中的" + domain + "和顶级域名不一致")
 			}
+		} else if params.AuthType == "http" { // HTTP认证
+			if strings.Contains(domain, "*") {
+				this.Fail("在HTTP认证时域名" + domain + "不能包含通配符")
+			}
+		}
 		realDomains = append(realDomains, domain)
 	}
 

internal/web/helpers/utils.go

@@ -52,7 +52,12 @@ func checkIPWithoutCache(config *systemconfigs.SecurityConfig, ipAddr string) bo
 	}
 
 	// 本地IP
-	ip := net.ParseIP(ipAddr).To4()
+	ipObj := net.ParseIP(ipAddr)
+	if ipObj == nil {
+		logs.Println("[USER_MUST_AUTH]invalid client address: " + ipAddr)
+		return false
+	}
+	ip := ipObj.To4()
 	if ip == nil {
 		logs.Println("[USER_MUST_AUTH]invalid client address: " + ipAddr)
 		return false

web/views/@default/servers/certs/acme/create.html

@@ -9,13 +9,13 @@
 	<form class="ui form">
 		<div class="ui steps fluid small">
 			<div class="ui step" :class="{active:step == 'prepare'}">
-				准备工作
+				选择申请方式
 			</div>
 			<div class="ui step" :class="{active:step == 'user'}">
 				选择用户
 			</div>
 			<div class="ui step" :class="{active:step == 'dns'}">
-				设置域名解析
+				填写域名信息
 			</div>
 			<div class="ui step" :class="{active:step == 'finish'}">
 				完成
@@ -24,9 +24,14 @@
 
 		<!-- 准备工作 -->
 		<div v-show="step == 'prepare'">
-			<div>此流程用于免费申请一个新的证书。</div>
+			<div style="margin-bottom: 1em">
-			<div class="margin"></div>
+				<radio name="authType" :v-value="'http'" v-model="authType">使用HTTP认证</radio> &nbsp;
-			<div>
+				<radio name="authType" :v-value="'dns'" v-model="authType">使用DNS认证</radio>
+			</div>
+			<div v-if="authType == 'http'">
+				使用HTTP的方式请求网址<code-label>/.well-known/acme-challenge/令牌</code-label>校验，该方式要求需要实现将域名解析到集群上，之后系统会自动生成网址信息。
+			</div>
+			<div v-if="authType == 'dns'">
 				我们在申请免费证书的过程中需要自动增加或修改相关域名的TXT记录，请先确保你已经在"域名解析" -- <a href="/dns/providers" target="_blank">"DNS服务商"</a> 中已经添加了对应的DNS服务商账号。
 			</div>
 
@@ -69,7 +74,7 @@
 		<!-- 设置域名解析 -->
 		<div v-show="step == 'dns'">
 			<table class="ui table definition selectable">
-				<tr>
+				<tr v-show="authType == 'dns'">
 					<td class="title">选择DNS服务商 *</td>
 					<td>
 						<div v-if="providers.length > 0">
@@ -81,7 +86,7 @@
 						<p class="comment">用于自动创建域名解析记录。</p>
 					</td>
 				</tr>
-				<tr>
+				<tr v-show="authType == 'dns'">
 					<td>顶级域名 *</td>
 					<td>
 						<input type="text" maxlength="100" v-model="dnsDomain"/>
@@ -92,7 +97,7 @@
 					<td>证书域名列表 *</td>
 					<td>
 						<values-box name="" placeholder="域名" size="30" @change="changeDomains"></values-box>
-						<p class="comment">需要申请的证书中包含的域名列表，所有域名必须是同一个顶级域名。</p>
+						<p class="comment">需要申请的证书中包含的域名列表<span v-if="authType == 'dns'">，所有域名必须是同一个顶级域名</span><span v-if="authType == 'http'">使用HTTP认证方式时，域名中不能含有通配符</span>。</p>
 					</td>
 				</tr>
 				<tr>

web/views/@default/servers/certs/acme/create.js

@@ -4,6 +4,8 @@ Tea.context(function () {
 	/**
 	 * 准备工作
 	 */
+	this.authType = "http"
+
 	this.doPrepare = function () {
 		this.step = "user"
 	}
@@ -70,6 +72,7 @@ Tea.context(function () {
 
 		this.$post("$")
 			.params({
+				authType: this.authType,
 				acmeUserId: this.userId,
 				dnsProviderId: this.dnsProviderId,
 				dnsDomain: this.dnsDomain,

web/views/@default/servers/certs/acme/index.html

@@ -21,7 +21,12 @@
 			</tr>
 		</thead>
 		<tr v-for="(task, index) in tasks" :class="{warning: runningIndex == index}">
-			<td>{{task.acmeUser.email}}</td>
+			<td>{{task.acmeUser.email}}
+				<div style="margin-top: 1em">
+					<tiny-basic-label class="olive" v-if="task.authType == 'dns'">DNS</tiny-basic-label>
+					<tiny-basic-label class="olive" v-if="task.authType == 'http'">HTTP</tiny-basic-label>
+				</div>
+			</td>
 			<td nowrap="">
 				<div v-for="domain in task.domains">
 					<span class="ui label small basic">{{domain}}</span>

web/views/@default/servers/certs/acme/updateTaskPopup.html

@@ -5,9 +5,10 @@
 	<csrf-token></csrf-token>
 	<input type="hidden" name="taskId" :value="task.id"/>
 	<input type="hidden" name="acmeUserId" :value="task.acmeUser.id"/>
+	<input type="hidden" name="authType" :value="task.authType"/>
 
 	<table class="ui table definition selectable">
-		<tr>
+		<tr v-if="task.authType == 'dns'">
 			<td class="title">选择DNS服务商 *</td>
 			<td>
 				<div v-if="providers.length > 0">
@@ -19,7 +20,7 @@
 				<p class="comment">用于自动创建域名解析记录。</p>
 			</td>
 		</tr>
-		<tr>
+		<tr v-if="task.authType == 'dns'">
 			<td>顶级域名 *</td>
 			<td>
 				<input type="text" maxlength="100" name="dnsDomain" v-model="task.dnsDomain"/>
@@ -30,7 +31,7 @@
 			<td>证书域名列表 *</td>
 			<td>
 				<values-box name="domains" :values="task.domains" placeholder="域名" size="30"></values-box>
-				<p class="comment">需要申请的证书中包含的域名列表，所有域名必须是同一个顶级域名。</p>
+				<p class="comment">需要申请的证书中包含的域名列表<span v-if="task.authType == 'dns'">，所有域名必须是同一个顶级域名</span><span v-if="task.authType == 'http'">使用HTTP认证方式时，域名中不能含有通配符</span>。</p>
 			</td>
 		</tr>
 		<tr>