update

2022-04-18 11:21:20 +08:00
commit 45a7af638f
210 changed files with 8997 additions and 0 deletions
--- a/letsencrypt/Demo/SingleNode/README.md
+++ b/letsencrypt/Demo/SingleNode/README.md
@@ -0,0 +1,35 @@
+# 部署 letsencrypt
+
+- 为域名 x1.xx.com 和 x2.xx.com 申请 ssl 证书，并在每月的 31 号晚上十一点更新一次
+- 为域名 \*.xxx.com 申请 ssl 证书，并在每月的 31 号晚上十点更新一次
+- 根据实际环境修改
+    - docker-compose.yml
+
+- 创建目录
+    ```
+    grep '\<source:' docker-compose.yml | cut -d: -f2 | xargs mkdir -p
+    ```
+
+- 获取通配域名的证书时，需要手动设置 TXT 解析记录，这里配合脚本实现自动化获取和更新
+    - 调用腾讯云接口设置 TXT 解析记录
+        ```
+        cp tencent-api.sh letsencrypt-wildcard/etc/manual-hook.sh
+        ```
+
+    - 调用腾讯云接口设置 TXT 解析记录
+        ```
+        cp aliyun-api.sh letsencrypt-wildcard/etc/manual-hook.sh
+        ```
+
+
+- 启动
+    ```
+    docker-compose up -d
+    ```
+
+- 创建定时任务
+    ```
+    0 23 31 * * docker-compose -f /compose/docker-compose.yml up -d letsencrypt
+    0 22 31 * * docker-compose -f /compose/docker-compose.yml up -d letsencrypt-wildcard
+    ```
+
--- a/letsencrypt/Demo/SingleNode/aliyun-api.sh
+++ b/letsencrypt/Demo/SingleNode/aliyun-api.sh
@@ -0,0 +1,147 @@
+#!/bin/bash
+#=========================================
+# Author   : Colben
+# Create   : 2022-04-11 19:48
+#=========================================
+
+set -euo pipefail
+export LANG=en_US.UTF-8
+trap Quit EXIT
+
+ACCESS_KEY_ID='aliyun access key id'
+ACCESS_KEY_SECRET='aliyun access key secret'
+DOMAIN=$CERTBOT_DOMAIN
+SUB_DOMAIN=_acme-challenge
+RECORD_ID=
+RECORD_VA=$CERTBOT_VALIDATION
+PID_FILE=/tmp/$(basename ${0%.sh}).pid
+
+if [ -t 0 ]; then
+    function Print { echo -e "\033[32;1m$(date +'[%F %T]') $*\033[0m"; }
+    function Warn { echo -e "\033[33;1m$(date +'[%F %T]') $*\033[0m"; }
+    function Error { echo -e "\033[31;1m$(date +'[%F %T]') $*\033[0m"; exit 1; }
+else
+    #exec &> ${0%.sh}.out
+    function Print { echo -e "$(date +'[%F %T] INFO') $*"; }
+    function Warn { echo -e "$(date +'[%F %T] WARN') $*"; }
+    function Error { echo -e "$(date +'[%F %T] ERROR') $*"; exit 1; }
+fi
+
+function Quit {
+    local exitCode=$?
+    [ 0 -ne $exitCode ] && Error Failed to request aliyun api!
+    [ -z "${END:-}" ] && echo && Error Interrupted manually!
+    Print Succeeded to request aliyun api and wait 30 seconds.
+    sleep 30
+}
+
+function GetSignature {
+    local uriEncoded="GET&%2F&$(echo "$1" | sed -e 's/=/%3D/g' -e 's/:/%253A/g' -e 's/&/%26/g')"
+    local sha1Str=$(echo -n "$uriEncoded" | openssl dgst -sha1 -hmac "$ACCESS_KEY_SECRET&" -binary)
+    echo -n "$sha1Str" | base64 | sed -e 's/=/%3D/g' -e 's/+/%2B/g' -e 's,/,%2F,g'
+}
+
+function ListRecord {
+    Warn Get request uri ...
+    local sign=
+    local resp=
+    local uri="AccessKeyId=$ACCESS_KEY_ID"
+    uri="${uri}&Action=DescribeDomainRecords"
+    uri="${uri}&DomainName=$DOMAIN"
+    uri="${uri}&Format=JSON"
+    uri="${uri}&KeyWord=$SUB_DOMAIN"
+    uri="${uri}&SearchMode=EXACT"
+    uri="${uri}&SignatureMethod=HMAC-SHA1"
+    uri="${uri}&SignatureNonce=$RANDOM"
+    uri="${uri}&SignatureVersion=1.0"
+    uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
+    uri="${uri}&Type=TXT"
+    uri="${uri}&Version=2015-01-09"
+    sign=$(GetSignature "$uri")
+    Warn List record ...
+    resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
+    RECORD_ID=$(echo $resp | jq -crM .DomainRecords.Record[].RecordId)
+    [ 'null' == "$RECORD_ID" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function CreateRecord {
+    Warn Get request uri ...
+    local sign=
+    local resp=
+    local uri="AccessKeyId=$ACCESS_KEY_ID"
+    uri="${uri}&Action=AddDomainRecord"
+    uri="${uri}&DomainName=$DOMAIN"
+    uri="${uri}&Format=JSON"
+    uri="${uri}&RR=$SUB_DOMAIN"
+    uri="${uri}&SignatureMethod=HMAC-SHA1"
+    uri="${uri}&SignatureNonce=$RANDOM"
+    uri="${uri}&SignatureVersion=1.0"
+    uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
+    uri="${uri}&Type=TXT"
+    uri="${uri}&Value=$RECORD_VA"
+    uri="${uri}&Version=2015-01-09"
+    sign=$(GetSignature "$uri")
+    Warn Create sub_domain: $SUB_DOMAIN with value: $RECORD_VA ...
+    resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
+    [ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function ModifyRecord {
+    Warn Get request uri ...
+    local sign=
+    local resp=
+    local uri="AccessKeyId=$ACCESS_KEY_ID"
+    uri="${uri}&Action=UpdateDomainRecord"
+    uri="${uri}&DomainName=$DOMAIN"
+    uri="${uri}&Format=JSON"
+    uri="${uri}&RR=$SUB_DOMAIN"
+    uri="${uri}&RecordId=$RECORD_ID"
+    uri="${uri}&SignatureMethod=HMAC-SHA1"
+    uri="${uri}&SignatureNonce=$RANDOM"
+    uri="${uri}&SignatureVersion=1.0"
+    uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
+    uri="${uri}&Type=TXT"
+    uri="${uri}&Value=$RECORD_VA"
+    uri="${uri}&Version=2015-01-09"
+    sign=$(GetSignature "$uri")
+    Warn Modify record: $RECORD_ID with value: $RECORD_VA ...
+    resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
+    [ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function DeleteRecord {
+    Warn Get request uri ...
+    local sign=
+    local resp=
+    local uri="AccessKeyId=$ACCESS_KEY_ID"
+    uri="${uri}&Action=DeleteDomainRecord"
+    uri="${uri}&DomainName=$DOMAIN"
+    uri="${uri}&Format=JSON"
+    uri="${uri}&RecordId=$RECORD_ID"
+    uri="${uri}&SignatureMethod=HMAC-SHA1"
+    uri="${uri}&SignatureNonce=$RANDOM"
+    uri="${uri}&SignatureVersion=1.0"
+    uri="${uri}&Timestamp=$(date +'%FT%TZ' -d'8 hours ago')"
+    uri="${uri}&Version=2015-01-09"
+    sign=$(GetSignature "$uri")
+    Warn Delete record $RECORD_ID ...
+    resp=$(curl -sSL -XGET "http://alidns.aliyuncs.com/?$uri&Signature=$sign" | jq -eM .)
+    [ 'null' != "$(echo $resp | jq -crM .Message)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function Main {
+    [ -e "$PID_FILE" ] && Error Pid file $PID_FILE already exists, quit!
+    echo $$ > $PID_FILE
+    ListRecord
+    [ -z "$RECORD_ID" ] && CreateRecord
+    [ -n "$RECORD_ID" ] && ModifyRecord
+    END=1
+}
+
+# Start here
+Main
+
--- a/letsencrypt/Demo/SingleNode/docker-compose.yml
+++ b/letsencrypt/Demo/SingleNode/docker-compose.yml
@@ -0,0 +1,35 @@
+version: "3.7"
+
+services:
+  letsencrypt:
+    image: harbor.colben.cn/general/letsencrypt
+    container_name: letsencrypt
+    restart: "no"
+    stop_grace_period: 1m
+    environment:
+      DOMAINS: x1.xx.com,x2.xx.com
+    network_mode: host
+    volumes:
+    - type: bind
+      source: ./letsencrypt/etc
+      target: /etc/letsencrypt
+    - type: bind
+      source: ./letsencrypt/log
+      target: /var/log/letsencrypt
+
+  letsencrypt-wildcard:
+    image: harbor.colben.cn/general/letsencrypt
+    container_name: letsencrypt-wildcard
+    restart: "no"
+    stop_grace_period: 1m
+    environment:
+      DOMAINS: "*.xxx.com"
+    network_mode: host
+    volumes:
+    - type: bind
+      source: ./letsencrypt-wildcard/etc
+      target: /etc/letsencrypt
+    - type: bind
+      source: ./letsencrypt-wildcard/log
+      target: /var/log/letsencrypt
+
--- a/letsencrypt/Demo/SingleNode/tencent-api.sh
+++ b/letsencrypt/Demo/SingleNode/tencent-api.sh
@@ -0,0 +1,136 @@
+i#!/bin/bash
+#=========================================
+# Author   : colben
+# Create   : 2022-04-04 10:12
+#=========================================
+
+set -euo pipefail
+export LANG=en_US.UTF-8
+trap Quit EXIT
+
+SECRET_ID='tencent secret id'
+SECRET_KEY='tencent secret key'
+DOMAIN=$CERTBOT_DOMAIN
+SUB_DOMAIN=_acme-challenge
+RECORD_ID=
+RECORD_VA=$CERTBOT_VALIDATION
+PID_FILE=/tmp/$(basename ${0%.sh}).pid
+
+if [ -t 0 ]; then
+    function Print { echo -e "\033[32;1m$(date +'[%F %T]') $*\033[0m"; }
+    function Warn { echo -e "\033[33;1m$(date +'[%F %T]') $*\033[0m"; }
+    function Error { echo -e "\033[31;1m$(date +'[%F %T]') $*\033[0m"; exit 1; }
+else
+    #exec &> ${0%.sh}.out
+    function Print { echo -e "$(date +'[%F %T] INFO') $*"; }
+    function Warn { echo -e "$(date +'[%F %T] WARN') $*"; }
+    function Error { echo -e "$(date +'[%F %T] ERROR') $*"; exit 1; }
+fi
+
+function Quit {
+    local exitCode=$?
+    [ 0 -ne $exitCode ] && Error Failed to request tencent api!
+    [ -z "${END:-}" ] && echo && Error Interrupted manually!
+    Print Succeeded to request tencent api and wait 30 seconds.
+    sleep 30
+}
+
+function GetSignature {
+    local sha1Str=$(echo -n "GET$1" | openssl dgst -sha1 -hmac "$SECRET_KEY" -binary)
+    echo -n "$sha1Str" | base64 | sed -e 's/=/%3D/g' -e 's/+/%2B/g'
+}
+
+function ListRecord {
+    Warn Get request url ...
+    local sign=
+    local resp=
+    local url='cns.api.qcloud.com/v2/index.php'
+    url="${url}?Action=RecordList"
+    url="${url}&Nonce=$RANDOM"
+    url="${url}&SecretId=$SECRET_ID"
+    url="${url}&Timestamp=$(date +%s)"
+    url="${url}&Version=2018-08-08"
+    url="${url}&domain=$DOMAIN"
+    sign=$(GetSignature "$url")
+    Warn List record ...
+    resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
+    [ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
+    RECORD_ID=$(echo $resp | jq -crM ".data.records[] | select(.name == \"$SUB_DOMAIN\") | .id")
+}
+
+function CreateRecord {
+    Warn Get request url ...
+    local sign=
+    local resp=
+    local url='cns.api.qcloud.com/v2/index.php'
+    url="${url}?Action=RecordCreate"
+    url="${url}&Nonce=$RANDOM"
+    url="${url}&SecretId=$SECRET_ID"
+    url="${url}&Timestamp=$(date +%s)"
+    url="${url}&Version=2018-08-08"
+    url="${url}&domain=$DOMAIN"
+    url="${url}&recordLine=默认"
+    url="${url}&recordType=TXT"
+    url="${url}&subDomain=$SUB_DOMAIN"
+    url="${url}&value=$RECORD_VA"
+    sign=$(GetSignature "$url")
+    Warn Create sub_domain: $SUB_DOMAIN with value: $RECORD_VA ...
+    resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
+    [ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function ModifyRecord {
+    Warn Get request url ...
+    local sign=
+    local resp=
+    local url='cns.api.qcloud.com/v2/index.php'
+    url="${url}?Action=RecordModify"
+    url="${url}&Nonce=$RANDOM"
+    url="${url}&SecretId=$SECRET_ID"
+    url="${url}&Timestamp=$(date +%s)"
+    url="${url}&Version=2018-08-08"
+    url="${url}&domain=$CERTBOT_DOMAIN"
+    url="${url}&recordId=$RECORD_ID"
+    url="${url}&recordLine=默认"
+    url="${url}&recordType=TXT"
+    url="${url}&subDomain=$SUB_DOMAIN"
+    url="${url}&value=$RECORD_VA"
+    sign=$(GetSignature "$url")
+    Warn Modify record: $RECORD_ID with value: $RECORD_VA ...
+    resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
+    [ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function DeleteRecord {
+    Warn Get request url ...
+    local sign=
+    local resp=
+    local url='cns.api.qcloud.com/v2/index.php'
+    url="${url}?Action=RecordDelete"
+    url="${url}&Nonce=$RANDOM"
+    url="${url}&SecretId=$SECRET_ID"
+    url="${url}&Timestamp=$(date +%s)"
+    url="${url}&Version=2018-08-08"
+    url="${url}&domain=$DOMAIN"
+    url="${url}&recordId=$RECORD_ID"
+    sign=$(GetSignature "$url")
+    Warn Delete record $RECORD_ID ...
+    resp=$(curl -sSL -XGET "https://$url&Signature=$sign" | jq -eM .)
+    [ '0' != "$(echo $resp | jq -crM .code)" ] && echo "$resp" && exit 1
+    return 0
+}
+
+function Main {
+    [ -e "$PID_FILE" ] && Error Pid file $PID_FILE already exists, quit!
+    echo $$ > $PID_FILE
+    ListRecord
+    [ -z "$RECORD_ID" ] && CreateRecord
+    [ -n "$RECORD_ID" ] && ModifyRecord
+    END=1
+}
+
+# Start here
+Main
+