feat(deploy_ali_cdn): support Alibaba Cloud CDN deployment #5205
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,157 @@ | ||
| #!/usr/bin/env sh | ||
|
|
||
| # Script to create certificate to Alibaba Cloud CDN | ||
| # | ||
| # This deployment required following variables | ||
| # export Ali_Key="ALIACCESSKEY" | ||
| # export Ali_Secret="ALISECRETKEY" | ||
| # export DEPLOY_ALI_CDN_DOMAIN="cdn.example.com" | ||
| # If you have more than one domain, just | ||
| # export DEPLOY_ALI_CDN_DOMAIN="cdn1.example.com cdn2.example.com" | ||
| # | ||
| # The credentials are shared with all domains, also shared with dns_ali api | ||
|
|
||
| Ali_API="https://cdn.aliyuncs.com/" | ||
|
|
||
| ali_cdn_deploy() { | ||
| _cdomain="$1" | ||
| _ckey="$2" | ||
| _ccert="$3" | ||
| _cca="$4" | ||
| _cfullchain="$5" | ||
|
|
||
| _debug _cdomain "$_cdomain" | ||
| _debug _ckey "$_ckey" | ||
| _debug _ccert "$_ccert" | ||
| _debug _cca "$_cca" | ||
| _debug _cfullchain "$_cfullchain" | ||
|
|
||
| Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" | ||
| Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" | ||
| if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then | ||
| Ali_Key="" | ||
| Ali_Secret="" | ||
| _err "You don't specify aliyun api key and secret yet." | ||
| return 1 | ||
| fi | ||
|
|
||
| #save the api key and secret to the account conf file. | ||
| _saveaccountconf_mutable Ali_Key "$Ali_Key" | ||
| _saveaccountconf_mutable Ali_Secret "$Ali_Secret" | ||
|
|
||
| _getdeployconf DEPLOY_ALI_CDN_DOMAIN | ||
| if [ "$DEPLOY_ALI_CDN_DOMAIN" ]; then | ||
| _savedeployconf DEPLOY_ALI_CDN_DOMAIN "$DEPLOY_ALI_CDN_DOMAIN" | ||
| else | ||
| DEPLOY_ALI_CDN_DOMAIN="$_cdomain" | ||
| fi | ||
|
|
||
| # read cert and key files and urlencode both | ||
| _cert=$(_url_encode_upper <"$_cfullchain") | ||
| _key=$(_url_encode_upper <"$_ckey") | ||
|
|
||
| _debug2 _cert "$_cert" | ||
| _debug2 _key "$_key" | ||
|
|
||
| ## update domain ssl config | ||
| for domain in $DEPLOY_ALI_CDN_DOMAIN; do | ||
| _set_cdn_domain_ssl_certificate_query "$domain" "$_cert" "$_key" | ||
| if _ali_rest "Set CDN domain SSL certificate for $domain" "" POST; then | ||
| _info "Domain $domain certificate has been deployed successfully" | ||
| fi | ||
| done | ||
|
|
||
| return 0 | ||
| } | ||
|
|
||
| #################### Private functions below ################################## | ||
|
|
||
| # act ign mtd | ||
| _ali_rest() { | ||
| act="$1" | ||
| ign="$2" | ||
| mtd="$3" | ||
|
|
||
| signature=$(printf "%s" "$mtd&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) | ||
| signature=$(_ali_urlencode "$signature") | ||
| url="$Ali_API?$query&Signature=$signature" | ||
|
|
||
| if [ "$mtd" = "GET" ]; then | ||
| response="$(_get "$url")" | ||
| else | ||
| # post payload is not supported yet because of signature | ||
| response="$(_post "" "$url")" | ||
| fi | ||
|
|
||
| _ret="$?" | ||
| _debug2 response "$response" | ||
| if [ "$_ret" != "0" ]; then | ||
| _err "Error <$act>" | ||
| return 1 | ||
| fi | ||
|
|
||
| if [ -z "$ign" ]; then | ||
| message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" | ||
| if [ "$message" ]; then | ||
| _err "$message" | ||
| return 1 | ||
| fi | ||
| fi | ||
| } | ||
|
Comment on lines
+69
to
+100
There was a problem hiding this comment. Reference https://github.com/acmesh-official/acme.sh/blob/3.0.7/dnsapi/dns_ali.sh However, the original method was hard coded with the So, I made a new argument to specify the method. Notice that Alibaba Cloud API supports passing the parameters by either query or body. (https://help.aliyun.com/zh/sdk/product-overview/rpc-mechanism#section-9x3-wo3-8l9) But we must sign with all the parameters, in alphabetical order, regardless of where they come from. So, I didn't support the post-payload yet. |
||
|
|
||
| _ali_urlencode() { | ||
| _str="$1" | ||
| _str_len=${#_str} | ||
| _u_i=1 | ||
| while [ "$_u_i" -le "$_str_len" ]; do | ||
| _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" | ||
| case $_str_c in [a-zA-Z0-9.~_-]) | ||
| printf "%s" "$_str_c" | ||
| ;; | ||
| *) | ||
| printf "%%%02X" "'$_str_c" | ||
| ;; | ||
| esac | ||
| _u_i="$(_math "$_u_i" + 1)" | ||
| done | ||
| } | ||
|
|
||
| _ali_nonce() { | ||
| #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31 | ||
| #Not so good... | ||
| date +"%s%N" | sed 's/%N//g' | ||
| } | ||
|
|
||
| _timestamp() { | ||
| date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ" | ||
| } | ||
|
Comment on lines
+102
to
+127
There was a problem hiding this comment. |
||
|
|
||
| # stdin stdout | ||
| _url_encode_upper() { | ||
| encoded=$(_url_encode) | ||
|
There was a problem hiding this comment. 能不能把 encoded 直接全部 _upper_case 一下 ? There was a problem hiding this comment. 不可以,原始输入是 base64 ,要区分大小写的。 其实就是为了处理 |
||
|
|
||
| for match in $(echo "$encoded" | _egrep_o '%..' | sort -u); do | ||
| upper=$(echo "$match" | tr '[:lower:]' '[:upper:]') | ||
| encoded=$(echo "$encoded" | sed "s/$match/$upper/g") | ||
| done | ||
|
|
||
| echo "$encoded" | ||
| } | ||
|
|
||
| # domain pub pri | ||
| _set_cdn_domain_ssl_certificate_query() { | ||
| query='' | ||
| query=$query'AccessKeyId='$Ali_Key | ||
| query=$query'&Action=SetCdnDomainSSLCertificate' | ||
| query=$query'&CertType=upload' | ||
| query=$query'&DomainName='$1 | ||
| query=$query'&Format=json' | ||
| query=$query'&SSLPri='$3 | ||
| query=$query'&SSLProtocol=on' | ||
| query=$query'&SSLPub='$2 | ||
| query=$query'&SignatureMethod=HMAC-SHA1' | ||
| query=$query"&SignatureNonce=$(_ali_nonce)" | ||
| query=$query'&SignatureVersion=1.0' | ||
| query=$query'&Timestamp='$(_timestamp) | ||
| query=$query'&Version=2018-05-10' | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copy from
acme.sh/dnsapi/dns_ali.sh
Lines 13 to 24 in 377a37e