-
-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(deploy_ali_cdn): support Alibaba Cloud CDN deployment #5205
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,157 @@ | ||
#!/usr/bin/env sh | ||
|
||
# Script to create certificate to Alibaba Cloud CDN | ||
# | ||
# This deployment required following variables | ||
# export Ali_Key="ALIACCESSKEY" | ||
# export Ali_Secret="ALISECRETKEY" | ||
# export DEPLOY_ALI_CDN_DOMAIN="cdn.example.com" | ||
# If you have more than one domain, just | ||
# export DEPLOY_ALI_CDN_DOMAIN="cdn1.example.com cdn2.example.com" | ||
# | ||
# The credentials are shared with all domains, also shared with dns_ali api | ||
|
||
Ali_API="https://cdn.aliyuncs.com/" | ||
|
||
ali_cdn_deploy() { | ||
_cdomain="$1" | ||
_ckey="$2" | ||
_ccert="$3" | ||
_cca="$4" | ||
_cfullchain="$5" | ||
|
||
_debug _cdomain "$_cdomain" | ||
_debug _ckey "$_ckey" | ||
_debug _ccert "$_ccert" | ||
_debug _cca "$_cca" | ||
_debug _cfullchain "$_cfullchain" | ||
|
||
Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" | ||
Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" | ||
if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then | ||
Ali_Key="" | ||
Ali_Secret="" | ||
_err "You don't specify aliyun api key and secret yet." | ||
return 1 | ||
fi | ||
|
||
#save the api key and secret to the account conf file. | ||
_saveaccountconf_mutable Ali_Key "$Ali_Key" | ||
_saveaccountconf_mutable Ali_Secret "$Ali_Secret" | ||
|
||
_getdeployconf DEPLOY_ALI_CDN_DOMAIN | ||
if [ "$DEPLOY_ALI_CDN_DOMAIN" ]; then | ||
_savedeployconf DEPLOY_ALI_CDN_DOMAIN "$DEPLOY_ALI_CDN_DOMAIN" | ||
else | ||
DEPLOY_ALI_CDN_DOMAIN="$_cdomain" | ||
fi | ||
|
||
# read cert and key files and urlencode both | ||
_cert=$(_url_encode_upper <"$_cfullchain") | ||
_key=$(_url_encode_upper <"$_ckey") | ||
|
||
_debug2 _cert "$_cert" | ||
_debug2 _key "$_key" | ||
|
||
## update domain ssl config | ||
for domain in $DEPLOY_ALI_CDN_DOMAIN; do | ||
_set_cdn_domain_ssl_certificate_query "$domain" "$_cert" "$_key" | ||
if _ali_rest "Set CDN domain SSL certificate for $domain" "" POST; then | ||
_info "Domain $domain certificate has been deployed successfully" | ||
fi | ||
done | ||
|
||
return 0 | ||
} | ||
|
||
#################### Private functions below ################################## | ||
|
||
# act ign mtd | ||
_ali_rest() { | ||
act="$1" | ||
ign="$2" | ||
mtd="$3" | ||
|
||
signature=$(printf "%s" "$mtd&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) | ||
signature=$(_ali_urlencode "$signature") | ||
url="$Ali_API?$query&Signature=$signature" | ||
|
||
if [ "$mtd" = "GET" ]; then | ||
response="$(_get "$url")" | ||
else | ||
# post payload is not supported yet because of signature | ||
response="$(_post "" "$url")" | ||
fi | ||
|
||
_ret="$?" | ||
_debug2 response "$response" | ||
if [ "$_ret" != "0" ]; then | ||
_err "Error <$act>" | ||
return 1 | ||
fi | ||
|
||
if [ -z "$ign" ]; then | ||
message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" | ||
if [ "$message" ]; then | ||
_err "$message" | ||
return 1 | ||
fi | ||
fi | ||
} | ||
Comment on lines
+69
to
+100
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Reference https://github.com/acmesh-official/acme.sh/blob/3.0.7/dnsapi/dns_ali.sh However, the original method was hard coded with the So, I made a new argument to specify the method. Notice that Alibaba Cloud API supports passing the parameters by either query or body. (https://help.aliyun.com/zh/sdk/product-overview/rpc-mechanism#section-9x3-wo3-8l9) But we must sign with all the parameters, in alphabetical order, regardless of where they come from. So, I didn't support the post-payload yet. |
||
|
||
_ali_urlencode() { | ||
_str="$1" | ||
_str_len=${#_str} | ||
_u_i=1 | ||
while [ "$_u_i" -le "$_str_len" ]; do | ||
_str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" | ||
case $_str_c in [a-zA-Z0-9.~_-]) | ||
printf "%s" "$_str_c" | ||
;; | ||
*) | ||
printf "%%%02X" "'$_str_c" | ||
;; | ||
esac | ||
_u_i="$(_math "$_u_i" + 1)" | ||
done | ||
} | ||
|
||
_ali_nonce() { | ||
#_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31 | ||
#Not so good... | ||
date +"%s%N" | sed 's/%N//g' | ||
} | ||
|
||
_timestamp() { | ||
date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ" | ||
} | ||
Comment on lines
+102
to
+127
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
|
||
# stdin stdout | ||
_url_encode_upper() { | ||
encoded=$(_url_encode) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 能不能把 encoded 直接全部 _upper_case 一下 ? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 不可以,原始输入是 base64 ,要区分大小写的。 其实就是为了处理 |
||
|
||
for match in $(echo "$encoded" | _egrep_o '%..' | sort -u); do | ||
upper=$(echo "$match" | tr '[:lower:]' '[:upper:]') | ||
encoded=$(echo "$encoded" | sed "s/$match/$upper/g") | ||
done | ||
|
||
echo "$encoded" | ||
} | ||
|
||
# domain pub pri | ||
_set_cdn_domain_ssl_certificate_query() { | ||
query='' | ||
query=$query'AccessKeyId='$Ali_Key | ||
query=$query'&Action=SetCdnDomainSSLCertificate' | ||
query=$query'&CertType=upload' | ||
query=$query'&DomainName='$1 | ||
query=$query'&Format=json' | ||
query=$query'&SSLPri='$3 | ||
query=$query'&SSLProtocol=on' | ||
query=$query'&SSLPub='$2 | ||
query=$query'&SignatureMethod=HMAC-SHA1' | ||
query=$query"&SignatureNonce=$(_ali_nonce)" | ||
query=$query'&SignatureVersion=1.0' | ||
query=$query'&Timestamp='$(_timestamp) | ||
query=$query'&Version=2018-05-10' | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy from
acme.sh/dnsapi/dns_ali.sh
Lines 13 to 24 in 377a37e