From fca6e9b9329c41678cb1c74405d8f6281852b65f Mon Sep 17 00:00:00 2001 From: PMExtra Date: Thu, 19 Sep 2024 15:49:42 +0800 Subject: [PATCH 1/4] refactor: Alibaba Cloud API --- acme.sh | 5 ++ deploy/ali_cdn.sh | 111 ++++++++-------------------------------- dnsapi/dns_ali.sh | 127 ++++++++++++++++++++++++---------------------- 3 files changed, 92 insertions(+), 151 deletions(-) diff --git a/acme.sh b/acme.sh index f6f34b6d..64a1f73e 100755 --- a/acme.sh +++ b/acme.sh @@ -672,8 +672,10 @@ _hex_dump() { #0 1 2 3 4 5 6 7 8 9 - _ . ~ #30 31 32 33 34 35 36 37 38 39 2d 5f 2e 7e +#_url_encode [upper-hex] the encoded hex will be upper-case if the argument upper-hex is followed #stdin stdout _url_encode() { + _upper_hex=$1 _hex_str=$(_hex_dump) _debug3 "_url_encode" _debug3 "_hex_str" "$_hex_str" @@ -883,6 +885,9 @@ _url_encode() { ;; #other hex *) + if [ "$_upper_hex" = "upper-hex" ]; then + _hex_code=$(printf "%s" "$_hex_code" | _upper_case) + fi printf '%%%s' "$_hex_code" ;; esac diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 6bbb3b43..29ac4b98 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh 
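Review bot: The usage comment added above `_url_encode` in the first acme.sh hunk is hard to parse ("if the argument upper-hex is followed") and does not say what the output looks like. A clearer wording would be `#_url_encode [upper-hex]  pass the literal "upper-hex" to emit upper-case escapes (%2F instead of %2f)`. In the second hunk any other argument value silently falls back to lower-case; the request-signing code later in this series calls `_url_encode upper-hex`, so presumably the signature depends on the upper-case form, which is worth stating in the comment. Both hunks sit inside `_url_encode`, whose body continues outside them.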
@@ -2,15 +2,28 @@ # Script to create certificate to Alibaba Cloud CDN # +# Docs: https://github.com/acmesh-official/acme.sh/wiki/deployhooks#33-deploy-your-certificate-to-alibaba-cloud-cdn-aliyun +# # This deployment required following variables # export Ali_Key="ALIACCESSKEY" # export Ali_Secret="ALISECRETKEY" +# The credentials are shared with all the Alibaba Cloud deploy hooks and dnsapi +# +# To specify the CDN domain that is different from the certificate CN, usually used for multi-domain or wildcard certificates # export DEPLOY_ALI_CDN_DOMAIN="cdn.example.com" -# If you have more than one domain, just +# If you have multiple CDN domains using the same certificate, just # export DEPLOY_ALI_CDN_DOMAIN="cdn1.example.com cdn2.example.com" -# -# The credentials are shared with all domains, also shared with dns_ali api +# Load dnsapi/dns_ali.sh to reduce the duplicated codes +# https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276 +dnsapi_ali="$(_findHook "" "$_SUB_FOLDER_DNSAPI" dns_ali)" +# shellcheck source=/dev/null +if ! . "$dnsapi_ali"; then + _err "Error loading file $dnsapi_ali. Please check your API file and try again." + return 1 +fi + +# shellcheck disable=SC2034 Ali_API="https://cdn.aliyuncs.com/" ali_cdn_deploy() { @@ -26,18 +39,7 @@ ali_cdn_deploy() { _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" - Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}" - Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}" - if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then - Ali_Key="" - Ali_Secret="" - _err "You don't specify aliyun api key and secret yet." - return 1 - fi - - #save the api key and secret to the account conf file. - _saveaccountconf_mutable Ali_Key "$Ali_Key" - _saveaccountconf_mutable Ali_Secret "$Ali_Secret" + _prepare_ali_credentials _getdeployconf DEPLOY_ALI_CDN_DOMAIN if [ "$DEPLOY_ALI_CDN_DOMAIN" ]; then 
@@ -47,8 +49,8 @@ ali_cdn_deploy() { fi # read cert and key files and urlencode both - _cert=$(_url_encode_upper <"$_cfullchain") - _key=$(_url_encode_upper <"$_ckey") + _cert=$(_url_encode upper-hex <"$_cfullchain") + _key=$(_url_encode upper-hex <"$_ckey") _debug2 _cert "$_cert" _debug2 _key "$_key" 
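Review bot: The context line `_debug2 _key "$_key"` at the end of this hunk passes the URL-encoded private key to the debug log, and percent-encoding is trivially reversible, so any log captured at that debug level contains the key. The commit rewrites the two assignments directly above it but leaves this line as it was. Use the masking helper instead, `_secure_debug2 _key "$_key"`, or drop the line; the `_cert` line can stay because the chain is public. `ali_cdn_deploy` starts and ends outside the hunk.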
@@ -64,80 +66,7 @@ ali_cdn_deploy() { return 0 } -#################### Private functions below ################################## - -# act ign mtd -_ali_rest() { - act="$1" - ign="$2" - mtd="$3" - - signature=$(printf "%s" "$mtd&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) - signature=$(_ali_urlencode "$signature") - url="$Ali_API?$query&Signature=$signature" - - if [ "$mtd" = "GET" ]; then - response="$(_get "$url")" - else - # post payload is not supported yet because of signature - response="$(_post "" "$url")" - fi - - _ret="$?" - _debug2 response "$response" - if [ "$_ret" != "0" ]; then - _err "Error <$act>" - return 1 - fi - - if [ -z "$ign" ]; then - message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" - if [ "$message" ]; then - _err "$message" - return 1 - fi - fi -} - -_ali_urlencode() { - _str="$1" - _str_len=${#_str} - _u_i=1 - while [ "$_u_i" -le "$_str_len" ]; do - _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" - case $_str_c in [a-zA-Z0-9.~_-]) - printf "%s" "$_str_c" - ;; - *) - printf "%%%02X" "'$_str_c" - ;; - esac - _u_i="$(_math "$_u_i" + 1)" - done -} - -_ali_nonce() { - #_head_n 1 " + return 1 + fi + + if [ -z "$ign" ]; then + message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" + if [ "$message" ]; then + _err "$message" + return 1 + fi + fi +} + +_ali_nonce() { + #_head_n 1 " - return 1 - fi - - _debug2 response "$response" - if [ -z "$2" ]; then - message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" - if [ "$message" ]; then - _err "$message" - return 1 - fi - fi -} - -_ali_urlencode() { - _str="$1" - _str_len=${#_str} - _u_i=1 - while [ "$_u_i" -le "$_str_len" ]; do - _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")" - case $_str_c in [a-zA-Z0-9.~_-]) - printf "%s" "$_str_c" - ;; - *) - printf "%%%02X" "'$_str_c" - ;; - esac - _u_i="$(_math "$_u_i" + 
1)" - done -} - -_ali_nonce() { - #_head_n 1 Date: Thu, 19 Sep 2024 16:30:04 +0800 Subject: [PATCH 2/4] refactor(ali): set API endpoint for each action --- deploy/ali_cdn.sh | 6 +++--- dnsapi/dns_ali.sh | 8 ++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 29ac4b98..786bcc7e 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -1,4 +1,5 @@ #!/usr/bin/env sh +# shellcheck disable=SC2034,SC2154 # Script to create certificate to Alibaba Cloud CDN # @@ -23,8 +24,7 @@ if ! . "$dnsapi_ali"; then return 1 fi -# shellcheck disable=SC2034 -Ali_API="https://cdn.aliyuncs.com/" +Ali_CDN_API="https://cdn.aliyuncs.com/" ali_cdn_deploy() { _cdomain="$1" @@ -66,9 +66,9 @@ ali_cdn_deploy() { return 0 } -# shellcheck disable=SC2154 # domain pub pri _set_cdn_domain_ssl_certificate_query() { + endpoint=$Ali_CDN_API query='' query=$query'AccessKeyId='$Ali_Key query=$query'&Action=SetCdnDomainSSLCertificate' diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index 76a8d314..be632bec 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -14,7 +14,7 @@ Options: # https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276 # Be careful when modifying this file, especially when making breaking changes for common functions -Ali_API="https://alidns.aliyuncs.com/" +Ali_DNS_API="https://alidns.aliyuncs.com/" #Usage: dns_ali_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_ali_add() { @@ -71,7 +71,7 @@ _ali_rest() { signature=$(printf "%s" "$mtd&%2F&$(printf "%s" "$query" | _url_encode upper-hex)" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64) signature=$(printf "%s" "$signature" | _url_encode upper-hex) - url="$Ali_API?Signature=$signature" + url="$endpoint?Signature=$signature" if [ "$mtd" = "GET" ]; then url="$url&$query" 
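Review bot: In the `_ali_rest` hunk of dnsapi/dns_ali.sh, `url="$endpoint?Signature=$signature"` reads a generically named global that is never checked. A query builder that forgets to set it would either reuse the endpoint left by the previous action or yield a URL starting with `?Signature=`. That request carries the AccessKeyId and a valid signature, so it is worth failing closed at the top of `_ali_rest` with `[ -n "$endpoint" ] || { _err "Alibaba Cloud API endpoint is not set"; return 1; }`. A prefixed name such as `_ali_endpoint` would also avoid collisions with other hooks sourced into the same shell. The same variable is assigned in `_set_cdn_domain_ssl_certificate_query` and in the four dns_ali.sh query builders of this patch; `_ali_rest` begins and ends outside the hunk.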
@@ -140,6 +140,7 @@ _get_root() { _check_exist_query() { _qdomain="$1" _qsubdomain="$2" + endpoint=$Ali_DNS_API query='' query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DescribeDomainRecords' @@ -155,6 +156,7 @@ _check_exist_query() { } _add_record_query() { + endpoint=$Ali_DNS_API query='' query=$query'AccessKeyId='$Ali_Key query=$query'&Action=AddDomainRecord' @@ -171,6 +173,7 @@ _add_record_query() { } _delete_record_query() { + endpoint=$Ali_DNS_API query='' query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DeleteDomainRecord' @@ -184,6 +187,7 @@ _delete_record_query() { } _describe_records_query() { + endpoint=$Ali_DNS_API query='' query=$query'AccessKeyId='$Ali_Key query=$query'&Action=DescribeDomainRecords' From ea2330b49f0d4a1d533445a9288dcb4c3a1746c8 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 20 Sep 2024 14:54:07 +0800 Subject: [PATCH 3/4] refactor(ali): move the loading script into ali_cdn_deploy --- deploy/ali_cdn.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 786bcc7e..541781b9 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -15,15 +15,6 @@ # If you have multiple CDN domains using the same certificate, just # export DEPLOY_ALI_CDN_DOMAIN="cdn1.example.com cdn2.example.com" -# Load dnsapi/dns_ali.sh to reduce the duplicated codes -# https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276 -dnsapi_ali="$(_findHook "" "$_SUB_FOLDER_DNSAPI" dns_ali)" -# shellcheck source=/dev/null -if ! . "$dnsapi_ali"; then - _err "Error loading file $dnsapi_ali. Please check your API file and try again." - return 1 -fi - Ali_CDN_API="https://cdn.aliyuncs.com/" ali_cdn_deploy() { 
@@ -39,6 +30,15 @@ ali_cdn_deploy() { _debug _cca "$_cca" _debug _cfullchain "$_cfullchain" + # Load dnsapi/dns_ali.sh to reduce the duplicated codes + # https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276 + dnsapi_ali="$(_findHook "$_cdomain" "$_SUB_FOLDER_DNSAPI" dns_ali)" + # shellcheck source=/dev/null + if ! . "$dnsapi_ali"; then + _err "Error loading file $dnsapi_ali. Please check your API file and try again." + return 1 + fi + _prepare_ali_credentials _getdeployconf DEPLOY_ALI_CDN_DOMAIN From 2ea37e6a0da09d0390cb5ed1b654190b4fcbafa9 Mon Sep 17 00:00:00 2001 From: PMExtra Date: Fri, 20 Sep 2024 14:55:33 +0800 Subject: [PATCH 4/4] refactor(ali): check the result of prepare_ali_credentials --- deploy/ali_cdn.sh | 2 +- dnsapi/dns_ali.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/ali_cdn.sh b/deploy/ali_cdn.sh index 541781b9..6eb6659a 100644 --- a/deploy/ali_cdn.sh +++ b/deploy/ali_cdn.sh @@ -39,7 +39,7 @@ ali_cdn_deploy() { return 1 fi - _prepare_ali_credentials + _prepare_ali_credentials || return 1 _getdeployconf DEPLOY_ALI_CDN_DOMAIN if [ "$DEPLOY_ALI_CDN_DOMAIN" ]; then diff --git a/dnsapi/dns_ali.sh b/dnsapi/dns_ali.sh index be632bec..0f1626f5 100755 --- a/dnsapi/dns_ali.sh +++ b/dnsapi/dns_ali.sh @@ -21,7 +21,7 @@ dns_ali_add() { fulldomain=$1 txtvalue=$2 - _prepare_ali_credentials + _prepare_ali_credentials || return 1 _debug "First detect the root zone" if ! _get_root "$fulldomain"; then