feat: 支持中间证书

doc/google/google.md

@@ -21,17 +21,17 @@ gcloud beta publicca external-account-keys create
 
 ```shell
 Created an external account key
-[b64MacKey: xxxxxxxxxxxxx
+[b64MacKey: xxxxxxxxxxxxxxxx
-keyId: xxxxxxxxx]
+keyId: xxxxxxxxxxxxx]
 ```
-记录以上信息备用
+记录以上信息备用（注意keyId是不带中括号的）
 
 
 ## 3、 创建证书流水线
 选择证书提供商为google， 开启使用代理
 
 ## 4、 将key信息作为EAB授权信息
-google证书需要EAB授权， 使用第二步中的 keyId 和 b64MacKey 信息创建一条EAB授权记录      
+google证书需要EAB授权， 使用第二步中的 keyId 和 b64MacKey 信息创建一条EAB授权记录         
-
+注意：keyId没有`]`结尾，不要把`]`也复制了
 ## 5、 其他就跟正常申请证书一样了
 

packages/plugins/plugin-cert/src/plugin/cert-plugin/acme.ts

@@ -12,6 +12,7 @@ export type CertInfo = {
   crt: string;
   key: string;
   csr: string;
+  ic?: string;
   pfx?: string;
   der?: string;
 };
@@ -276,8 +277,9 @@ export class AcmeService {
       signal: this.options.signal,
     });
 
+    const crtString = crt.toString();
     const cert: CertInfo = {
-      crt: crt.toString(),
+      crt: crtString,
       key: key.toString(),
       csr: csr.toString(),
     };

packages/plugins/plugin-cert/src/plugin/cert-plugin/base.ts

@@ -175,6 +175,7 @@ export abstract class CertApplyBasePlugin extends AbstractTaskPlugin {
     const zip = new JSZip();
     zip.file("cert.crt", cert.crt);
     zip.file("cert.key", cert.key);
+    zip.file("intermediate.crt", cert.ic);
     if (cert.pfx) {
       zip.file("cert.pfx", Buffer.from(cert.pfx, "base64"));
     }

packages/plugins/plugin-cert/src/plugin/cert-plugin/cert-reader.ts

@@ -6,7 +6,14 @@ import { crypto } from "@certd/acme-client";
 import { ILogger } from "@certd/pipeline";
 import dayjs from "dayjs";
 
-export type CertReaderHandleContext = { reader: CertReader; tmpCrtPath: string; tmpKeyPath: string; tmpPfxPath?: string; tmpDerPath?: string };
+export type CertReaderHandleContext = {
+  reader: CertReader;
+  tmpCrtPath: string;
+  tmpKeyPath: string;
+  tmpPfxPath?: string;
+  tmpDerPath?: string;
+  tmpIcPath?: string;
+};
 export type CertReaderHandle = (ctx: CertReaderHandleContext) => Promise<void>;
 export type HandleOpts = { logger: ILogger; handle: CertReaderHandle };
 export class CertReader {
@@ -14,6 +21,7 @@ export class CertReader {
   crt: string;
   key: string;
   csr: string;
+  ic: string; //中间证书
 
   detail: any;
   expires: number;
@@ -23,11 +31,30 @@ export class CertReader {
     this.key = certInfo.key;
     this.csr = certInfo.csr;
 
+    this.ic = certInfo.ic;
+    if (!this.ic) {
+      this.ic = this.getIc();
+      this.cert.ic = this.ic;
+    }
+
     const { detail, expires } = this.getCrtDetail(this.cert.crt);
     this.detail = detail;
     this.expires = expires.getTime();
   }
 
+  getIc() {
+    //中间证书ic， 就是crt的第一个 -----END CERTIFICATE----- 之后的内容
+    const endStr = "-----END CERTIFICATE-----";
+    const firstBlockEndIndex = this.crt.indexOf(endStr);
+
+    const start = firstBlockEndIndex + endStr.length + 1;
+    if (this.crt.length <= start) {
+      return "";
+    }
+    const ic = this.crt.substring(start);
+    return ic.trim();
+  }
+
   toCertInfo(): CertInfo {
     return this.cert;
   }
@@ -38,7 +65,7 @@ export class CertReader {
     return { detail, expires };
   }
 
-  saveToFile(type: "crt" | "key" | "pfx" | "der", filepath?: string) {
+  saveToFile(type: "crt" | "key" | "pfx" | "der" | "ic", filepath?: string) {
     if (!this.cert[type]) {
       return;
     }
@@ -52,7 +79,7 @@ export class CertReader {
     if (!fs.existsSync(dir)) {
       fs.mkdirSync(dir, { recursive: true });
     }
-    if (type === "crt" || type === "key") {
+    if (type === "crt" || type === "key" || type === "ic") {
       fs.writeFileSync(filepath, this.cert[type]);
     } else {
       fs.writeFileSync(filepath, Buffer.from(this.cert[type], "base64"));
@@ -66,8 +93,9 @@ export class CertReader {
     const tmpCrtPath = this.saveToFile("crt");
     const tmpKeyPath = this.saveToFile("key");
     const tmpPfxPath = this.saveToFile("pfx");
-    const tmpDerPath = this.saveToFile("der");
+    const tmpIcPath = this.saveToFile("ic");
     logger.info("本地文件写入成功");
+    const tmpDerPath = this.saveToFile("der");
     try {
       return await opts.handle({
         reader: this,
@@ -75,6 +103,7 @@ export class CertReader {
         tmpKeyPath: tmpKeyPath,
         tmpPfxPath: tmpPfxPath,
         tmpDerPath: tmpDerPath,
+        tmpIcPath: tmpIcPath,
       });
     } catch (err) {
       throw err;
@@ -90,6 +119,7 @@ export class CertReader {
       removeFile(tmpKeyPath);
       removeFile(tmpPfxPath);
       removeFile(tmpDerPath);
+      removeFile(tmpIcPath);
     }
   }
 

packages/ui/certd-client/src/views/sys/account/index.vue

@@ -1,6 +1,6 @@
 <template>
   <fs-page class="cd-page-account">
-    <iframe ref="iframeRef" class="account-iframe" src="http://localhost:1017/#/home?appKey=z4nXOeTeSnnpUpnmsV"> </iframe>
+    <iframe ref="iframeRef" class="account-iframe" src="http://localhost:1017/#/?appKey=z4nXOeTeSnnpUpnmsV"> </iframe>
   </fs-page>
 </template>
 

packages/ui/certd-server/src/plugins/plugin-host/plugin/upload-to-host/index.ts

@@ -9,7 +9,7 @@ import { SshAccess } from '../../access/index.js';
   title: '上传证书到主机',
   icon: 'line-md:uploading-loop',
   group: pluginGroups.host.key,
-  desc: '也支持复制证书到本机',
+  desc: '支持上传完成后执行脚本命令',
   default: {
     strategy: {
       runStrategy: RunStrategy.SkipWhenSucceed,
@@ -34,6 +34,15 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin {
   })
   keyPath!: string;
 
+  @TaskInput({
+    title: '中间证书保存路径',
+    helper: '需要有写入权限，路径要包含私钥文件名，文件名不能用*?!等特殊符号，例如：/tmp/intermediate.crt',
+    component: {
+      placeholder: '/root/deploy/nginx/intermediate.crt',
+    },
+  })
+  icPath!: string;
+
   @TaskInput({
     title: 'PFX证书保存路径',
     helper: '用于IIS证书部署，需要有写入权限，路径要包含私钥文件名，文件名不能用*?!等特殊符号，例如：/tmp/cert.pfx',
@@ -85,10 +94,24 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin {
   })
   mkdirs = true;
 
+  @TaskInput({
+    title: 'shell脚本命令',
+    component: {
+      name: 'a-textarea',
+      vModel: 'value',
+      rows: 6,
+    },
+    helper: '上传后执行脚本命令，不填则不执行\n注意：如果目标主机是windows，且终端是cmd，系统会自动将多行命令通过“&&”连接成一行',
+    required: false,
+  })
+  script!: string;
+
   @TaskInput({
     title: '仅复制到当前主机',
     helper:
-      '开启后，将直接复制到当前主机某个目录，不上传到主机，由于是docker启动，实际上是复制到docker容器内的“证书保存路径”，你需要事先在docker-compose.yaml中配置主机目录映射： volumes: /your_target_path:/your_target_path',
+      '注意：本配置即将废弃\n' +
+      '开启后，将直接复制到当前主机某个目录，不上传到主机，由于是docker启动，实际上是复制到docker容器内的“证书保存路径”\n' +
+      '你需要事先在docker-compose.yaml中配置主机目录映射： volumes: /your_target_path:/your_target_path',
     value: false,
     component: {
       name: 'a-switch',
@@ -107,6 +130,10 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin {
   })
   hostKeyPath!: string;
 
+  @TaskOutput({
+    title: '中间证书保存路径',
+  })
+  hostIcPath!: string;
   @TaskOutput({
     title: 'PFX保存路径',
   })
@@ -129,63 +156,76 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin {
       fs.mkdirSync(dir, { recursive: true });
     }
     fs.copyFileSync(srcFile, destFile);
+    this.logger.info(`复制文件：${srcFile} => ${destFile}`);
   }
   async execute(): Promise<void> {
     const { crtPath, keyPath, cert, accessId } = this;
     const certReader = new CertReader(cert);
+    const connectConf: SshAccess = await this.accessService.getById(accessId);
+    const sshClient = new SshClient(this.logger);
 
     const handle = async (opts: CertReaderHandleContext) => {
-      const { tmpCrtPath, tmpKeyPath, tmpDerPath, tmpPfxPath } = opts;
+      const { tmpCrtPath, tmpKeyPath, tmpDerPath, tmpPfxPath, tmpIcPath } = opts;
       if (this.copyToThisHost) {
         this.logger.info('复制到目标路径');
         this.copyFile(tmpCrtPath, crtPath);
         this.copyFile(tmpKeyPath, keyPath);
+        this.copyFile(tmpIcPath, this.icPath);
         this.copyFile(tmpPfxPath, this.pfxPath);
         this.copyFile(tmpDerPath, this.derPath);
-
-        this.logger.info(`证书复制成功：crtPath=${crtPath},keyPath=${keyPath},pfxPath=${this.pfxPath},derPath=${this.derPath}`);
       } else {
         if (!accessId) {
           throw new Error('主机登录授权配置不能为空');
         }
         this.logger.info('准备上传文件到服务器');
-        const connectConf: SshAccess = await this.accessService.getById(accessId);
+
-        const sshClient = new SshClient(this.logger);
         const transports: any = [];
         if (crtPath) {
           transports.push({
             localPath: tmpCrtPath,
             remotePath: crtPath,
           });
+          this.logger.info(`上传证书到主机：${crtPath}`);
         }
         if (keyPath) {
           transports.push({
             localPath: tmpKeyPath,
             remotePath: keyPath,
           });
+          this.logger.info(`上传私钥到主机：${keyPath}`);
+        }
+        if (this.icPath) {
+          transports.push({
+            localPath: tmpIcPath,
+            remotePath: this.icPath,
+          });
+          this.logger.info(`上传中间证书到主机：${this.icPath}`);
         }
         if (this.pfxPath) {
           transports.push({
             localPath: tmpPfxPath,
             remotePath: this.pfxPath,
           });
+          this.logger.info(`上传PFX证书到主机：${this.pfxPath}`);
         }
         if (this.derPath) {
           transports.push({
             localPath: tmpDerPath,
             remotePath: this.derPath,
           });
+          this.logger.info(`上传DER证书到主机：${this.derPath}`);
         }
+        this.logger.info('开始上传文件到服务器');
         await sshClient.uploadFiles({
           connectConf,
           transports,
           mkdirs: this.mkdirs,
         });
-        this.logger.info(`证书上传成功：crtPath=${crtPath},keyPath=${keyPath},pfxPath=${this.pfxPath},derPath=${this.derPath}`);
+        this.logger.info('上传文件到服务器成功');
-
         //输出
         this.hostCrtPath = crtPath;
         this.hostKeyPath = keyPath;
+        this.hostIcPath = this.icPath;
         this.hostPfxPath = this.pfxPath;
         this.hostDerPath = this.derPath;
       }
@@ -194,6 +234,15 @@ export class UploadCertToHostPlugin extends AbstractTaskPlugin {
       logger: this.logger,
       handle,
     });
+
+    if (this.script.trim()) {
+      this.logger.info('执行脚本命令');
+      const scripts = this.script.split('\n');
+      await sshClient.exec({
+        connectConf,
+        script: scripts,
+      });
+    }
   }
 }