本文首发于 Anyeの小站,点击链接 访问原文体验更佳
前言
都用 CDN 了还在乎那点 1 年证书钱么? 开句玩笑话,按照 Apple 的说法,证书有效期不该超过 45 天。那么证书有效期的缩短意味着要更频繁地更新证书。对于我这样的“裸奔”站点来说,自动续签的 ZeroSSL 证书影响不是很大,但是对于使用 CDN 的站点来说,频繁更新证书可能会带来额外的管理成本和复杂性。
那么就不得不提到 1Panel 在 v1.10.12-lts 引入的功能:https://github.com/1Panel-dev/1Panel/pull/5517,在 1Panel 自动续签证书后允许用户自定义脚本来实现高阶功能,这不就是给 CDN 推送量身打造的吗?
好吧,基于群里很多小伙伴有这个需求,那么我就用 王总 倾向的 Docker 来实现。
制作不易,点个赞再走吧。
获取 ID & Key
这点相信会使用 DNS 申请证书的用户都明白,如果不会,请看:
https://help.aliyun.com/zh/cli/configure-credentialshttps://console.cloud.tencent.com/cam/capi
获取到
ALIBABA_CLOUD_ACCESS_KEY_ID # 阿里云AccessKey ID
ALIBABA_CLOUD_ACCESS_KEY_SECRET # 阿里云AccessKey Secret
TENCENTCLOUD_SECRET_ID # 腾讯云Secret ID
TENCENTCLOUD_SECRET_KEY # 腾讯云Secret Key
构建二合一 Cli 镜像
在 1Panel 侧边栏 容器 -> 镜像 中选择 构建镜像 ,名称填写 aliyun-tccli ,编辑内容如下:
FROM alpine:latest
RUN if curl -s https://cloudflare.com/cdn-cgi/trace | grep -q 'loc=CN' || [ $? -ne 0 ]; then \
sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories; \
pip_conf="https://pypi.tuna.tsinghua.edu.cn/simple"; \
else \
pip_conf="https://pypi.org/simple"; \
fi \
&& apk add --no-cache python3 py3-pip jq wget curl \
&& pip config set global.index-url $pip_conf
RUN wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz \
&& tar -xvzf aliyun-cli-linux-latest-amd64.tgz \
&& rm aliyun-cli-linux-latest-amd64.tgz \
&& mv aliyun /usr/local/bin/ \
&& mkdir -p /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
RUN python3 -m venv /opt/venv \
&& . /opt/venv/bin/activate \
&& pip install --no-cache-dir tccli
ENV PATH="/opt/venv/bin:$PATH"
ENV ALIBABA_CLOUD_PROFILE=AkProfile
ENV ALIBABA_CLOUD_IGNORE_PROFILE=TRUE
ENV ALIBABA_CLOUD_REGION_ID=cn-hangzhou
RUN echo '#!/bin/sh' > /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'CLOUD_PROVIDER="$1"' >> /entrypoint.sh && \
echo 'SERVICE_TYPE="$2"' >> /entrypoint.sh && \
echo 'DOMAIN_NAME="${DomainName}"' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'if [ -z "$CLOUD_PROVIDER" ] || [ -z "$SERVICE_TYPE" ] || [ -z "$DOMAIN_NAME" ]; then' >> /entrypoint.sh && \
echo ' echo "错误: 缺少必要的参数。请提供 CLOUD_PROVIDER, SERVICE_TYPE 和 DOMAIN_NAME 参数。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo 'fi' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'if [ "$CLOUD_PROVIDER" = "aliyun" ]; then' >> /entrypoint.sh && \
echo ' if [ "$SERVICE_TYPE" != "cdn" ] && [ "$SERVICE_TYPE" != "dcdn" ]; then' >> /entrypoint.sh && \
echo ' echo "错误: 对于阿里云,支持的服务类型只有 cdn 和 dcdn。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' SSLPub=$(cat /ssl/fullchain.pem)' >> /entrypoint.sh && \
echo ' SSLPri=$(cat /ssl/privkey.pem)' >> /entrypoint.sh && \
echo ' if [ "$SERVICE_TYPE" = "cdn" ]; then' >> /entrypoint.sh && \
echo ' echo "同步证书到阿里云 CDN..."' >> /entrypoint.sh && \
echo ' aliyun cdn SetCdnDomainSSLCertificate --DomainName "$DOMAIN_NAME" --CertType upload --SSLProtocol on --SSLPub="$SSLPub" --SSLPri="$SSLPri"' >> /entrypoint.sh && \
echo ' if [ $? -eq 0 ]; then' >> /entrypoint.sh && \
echo ' echo "阿里云 CDN 证书同步成功。"' >> /entrypoint.sh && \
echo ' else' >> /entrypoint.sh && \
echo ' echo "阿里云 CDN 证书同步失败。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' elif [ "$SERVICE_TYPE" = "dcdn" ]; then' >> /entrypoint.sh && \
echo ' echo "同步证书到阿里云 DCDN..."' >> /entrypoint.sh && \
echo ' aliyun dcdn SetDcdnDomainSSLCertificate --DomainName "$DOMAIN_NAME" --CertType upload --SSLProtocol on --SSLPub="$SSLPub" --SSLPri="$SSLPri"' >> /entrypoint.sh && \
echo ' if [ $? -eq 0 ]; then' >> /entrypoint.sh && \
echo ' echo "阿里云 DCDN 证书同步成功。"' >> /entrypoint.sh && \
echo ' else' >> /entrypoint.sh && \
echo ' echo "阿里云 DCDN 证书同步失败。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'elif [ "$CLOUD_PROVIDER" = "tencent" ]; then' >> /entrypoint.sh && \
echo ' if [ "$SERVICE_TYPE" != "cdn" ] && [ "$SERVICE_TYPE" != "eo" ]; then' >> /entrypoint.sh && \
echo ' echo "错误: 对于腾讯云,支持的服务类型只有 cdn 和 eo。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' CertificatePublicKey=$(cat /ssl/fullchain.pem)' >> /entrypoint.sh && \
echo ' CertificatePrivateKey=$(cat /ssl/privkey.pem)' >> /entrypoint.sh && \
echo ' resp=$(tccli ssl UploadCertificate --cli-unfold-argument --CertificatePublicKey "$CertificatePublicKey" --CertificatePrivateKey "$CertificatePrivateKey")' >> /entrypoint.sh && \
echo " CertificateId=\$(echo \$resp | egrep -o '\"CertificateId\": \"[^\"]+\"' | cut -d'\"' -f4)" >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo ' if [ "$SERVICE_TYPE" = "cdn" ] || [ "$SERVICE_TYPE" = "ecdn" ]; then' >> /entrypoint.sh && \
echo ' echo "同步证书到腾讯云 CDN/ECDN..."' >> /entrypoint.sh && \
echo ' tccli ssl DeployCertificateInstance --cli-unfold-argument --CertificateId "$CertificateId" --InstanceIdList "$DOMAIN_NAME" --ResourceType cdn --Status 1' >> /entrypoint.sh && \
echo ' if [ $? -eq 0 ]; then' >> /entrypoint.sh && \
echo ' echo "腾讯云 CDN/ECDN 证书同步成功。"' >> /entrypoint.sh && \
echo ' else' >> /entrypoint.sh && \
echo ' echo "腾讯云 CDN/ECDN 证书同步失败。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' elif [ "$SERVICE_TYPE" = "eo" ]; then' >> /entrypoint.sh && \
echo ' echo "同步证书到腾讯云 EO..."' >> /entrypoint.sh && \
echo ' tccli ssl DeployCertificateInstance --cli-unfold-argument --CertificateId "$CertificateId" --InstanceIdList "$DOMAIN_NAME" --ResourceType eo --Status 1' >> /entrypoint.sh && \
echo ' if [ $? -eq 0 ]; then' >> /entrypoint.sh && \
echo ' echo "腾讯云 EO 证书同步成功。"' >> /entrypoint.sh && \
echo ' else' >> /entrypoint.sh && \
echo ' echo "腾讯云 EO 证书同步失败。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo ' fi' >> /entrypoint.sh && \
echo '' >> /entrypoint.sh && \
echo 'else' >> /entrypoint.sh && \
echo ' echo "错误: 不支持的云服务提供商 $CLOUD_PROVIDER。"' >> /entrypoint.sh && \
echo ' exit 1' >> /entrypoint.sh && \
echo 'fi' >> /entrypoint.sh
RUN chmod +x /entrypoint.sh
CMD ["/entrypoint.sh"]
等待构建成功。
申请证书后执行脚本
docker run --rm --name aliyun-tccli \
-e ALIBABA_CLOUD_ACCESS_KEY_ID=aliyun_access_key_id \
-e ALIBABA_CLOUD_ACCESS_KEY_SECRET=aliyun_access_key_secret \
-e TENCENTCLOUD_SECRET_ID=tencloud_secret_id \
-e TENCENTCLOUD_SECRET_KEY=tencloud_secret_key \
-e DomainName=youdomain.com \
-v /path/to/ssl:/ssl \
aliyun-tccli "/entrypoint.sh" "[aliyun|tencent]" "[cdn|dcdn|eo]"
前四个环境变量即获取到的 Key,需要推送到阿里云就只写阿里云的 AK 即可,腾讯云同理。
DomainName 的值为你在云厂商配置的域名(一般就是最终访问的域名)。
/path/to/ssl 填写上面配置的推送目录,如我这里的 /root/ssl/anye.xyz
-
若使用的是阿里云 CDN 内容分发网络:https://www.aliyun.com/product/cdn,则最后一行选择
aliyuncdn,即aliyun-tccli "/entrypoint.sh" "aliyun" "cdn" -
若使用的是阿里云全站加速 DCDN:https://www.aliyun.com/product/dcdn,则最后一行选择
aliyundcdn,即aliyun-tccli "/entrypoint.sh" "aliyun" "dcdn" -
若使用的是腾讯云内容分发网络 CDN / 全站加速网络 ECDN:https://cloud.tencent.com/product/cdn/https://cloud.tencent.com/product/ecdn,则最后一行选择
tencentcdn,即aliyun-tccli "/entrypoint.sh" "tencent" "cdn" -
若使用的是腾讯云边缘安全加速平台 EO:https://cloud.tencent.com/product/teo,则最后一行选择
tencenteo,即aliyun-tccli "/entrypoint.sh" "tencent" "eo"
开始自动化之旅吧~
后记
** 腾讯云的 SDK 奇奇怪怪的,调用还反复横跳,上传反应还慢半拍,一言难尽。。。彻夜未眠
腾讯云的 EO 没测试,成本有些高,不过应该没啥问题,有问题的话望各位大佬写在评论区,我会尽快修改。
参考资料
[1] https://github.com/cabforum/servercert/pull/553
[2] https://github.com/aliyun/aliyun-cli
[3] https://github.com/TencentCloud/tencentcloud-cli
