Hugging Face's logo

Spaces:
GGSheng
/
action
Running

App Files Community
action / bt-source /panel /class /acme_v2.py
GGSheng's picture
GGSheng
feat: deploy Gemma 4 to hf space
020c337 verified
raw
history blame contribute delete
141 kB
#!/usr/bin/python
#coding: utf-8
# -------------------------------------------------------------------
# 宝塔Linux面板
# -------------------------------------------------------------------
# Copyright (c) 2015-2099 宝塔软件(http://bt.cn) All rights reserved.
# -------------------------------------------------------------------
# Author: hwliang <hwl@bt.cn> a
# -------------------------------------------------------------------
# -------------------------------------------------------------------
# ACME v2客户端
# -------------------------------------------------------------------
import warnings
warnings.filterwarnings("ignore", message=r".*doesn't\s+match\s+a\s+supported\s+version", module="requests")
import re
import fcntl
import datetime
import binascii
import hashlib
import base64
import json
import shutil
import time
import os
import sys
import uuid
os.chdir('/www/server/panel')
if not 'class/' in sys.path:
 sys.path.insert(0,'class/')
import http_requests as requests
# requests.DEFAULT_TYPE = 'curl'
import public
try:
 import OpenSSL
except:
 public.ExecShell("btpip install pyopenssl")
 import OpenSSL
try:
 import dns.resolver
except:
 public.ExecShell("btpip install dnspython")
 import dns.resolver
import ssl_info
####
# auth to 格式说明
# 旧版 auth to 格式:
# 文件验证:/www/server/xxxx/xxxx
# DNS->手动:dns DNS->api: CloudFlareDns|XXXXXXXX|XXXXXXXXX
#
# 新版 auth to 格式:
# DNS->手动:dns DNS->api: dns#@api
url_dic = {
 "letsencrypt": "https://acme-v02.api.letsencrypt.org/directory",
 "letsencrypt_staging": "https://acme-staging-v02.api.letsencrypt.org/directory",
 "litessl": "https://acme.litessl.com/acme/v2/directory"
}
class acme_v2:
 _url = None
 _apis = None
 _config = {}
 _dns_domains = []
 _bits = 2048
 _acme_timeout = 30
 _dns_class = None
 _user_agent = "BaoTa/1.0 (+https://www.bt.cn)"
 _replay_nonce = None
 _verify = False
 _digest = "sha256"
 _max_check_num = 15
 _wait_time = 5
 _mod_index = {True: "Staging", False: "Production", "litessl": "litessl", "letsencrypt": "Production"}
 _debug = False
 _auto_wildcard = False
 _dnsapi_file = 'config/dns_api.json'
 _save_path = 'vhost/letsencrypt'
 _conf_file = 'config/letsencrypt.json'
 _conf_file_v2 = 'config/letsencrypt_v2.json'
 _request_type = 'curl'
def __init__(self):
 if not os.path.exists(self._conf_file_v2) and os.path.exists(self._conf_file):
 shutil.copyfile(self._conf_file, self._conf_file_v2)
 if self._debug:
 self._url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
 if self._debug == 'litessl':
 self._url = 'https://acme.litessl.com/acme/v2/directory'
 else:
 self._url = 'https://acme-v02.api.letsencrypt.org/directory'
 self._config = self.read_config()
 self._nginx_cache_file_auth = {}
 self._can_use_lua = None
 self._well_known_check_cache = {}
def can_use_lua_module(self):
 if self._can_use_lua is None:
 # 查询lua_module 不为空
 self._can_use_lua = public.ExecShell("nginx -V 2>&1 |grep lua_nginx_module")[0].strip() != ''
 return self._can_use_lua
# 返回是否能通过lua 做了文件验证处理, 如果返回True,则表示可以处理了验证文件, 不再走之前的 if 验证方式
 def can_use_lua_for_site(self, site_name: str, site_type: str):
 if self._can_use_lua is None:
 # 查询lua_module 不为空
 self._can_use_lua = public.ExecShell("nginx -V 2>&1 |grep lua_nginx_module")[0].strip() != ''
if not self._can_use_lua:
 return False
if site_type.lower() in ("php", "proxy", "wp2"):
 prefix = ""
 else:
 prefix = site_type.lower() + "_"
ng_file = "{}/nginx/{}{}.conf".format(public.get_vhost_path(), prefix, site_name)
 ng_data = public.readFile(ng_file)
 if not ng_data:
 return False
rep_well_known = re.compile(
 r"(#.*\n)?\s*include\s+/www/server/panel/vhost/nginx/well-known/.*\.conf;.*\n(#.*\n)?"
 r"(.*\n)*?\s*#error_page 404/404\.html;"
 ) # 匹配一下引入的外部配置文件,同时保证这个配置在SSL配置之前, 这样避免路由匹配问题
if rep_well_known.search(ng_data):
 lua_file = "{}/nginx/well-known/{}.conf".format(public.get_vhost_path(), site_name)
 lua_data = public.readFile(lua_file)
 if not lua_data or "set_by_lua_block $well_known" not in lua_data:
 return False
 else:
 return True
 else:
 return False
# 返回是否能通过if 判断方式做了文件验证处理, 如果返回True,则表示可以
 @staticmethod
 def can_use_if_for_file_check(site_name: str, site_type: str):
 if site_type.lower() in ("php", "proxy", "wp2"):
 prefix = ""
 else:
 prefix = site_type.lower() + "_"
# if 方式的文件验证必须是可重载的情况
 if public.checkWebConfig() is not True:
 return False
ng_file = "{}/nginx/{}{}.conf".format(public.get_vhost_path(), prefix, site_name)
 ng_data = public.readFile(ng_file)
 if not ng_data:
 return False
rep_well_known = re.compile(
 r"(#.*\n)?\s*include\s+/www/server/panel/vhost/nginx/well-known/.*\.conf;.*\n(#.*\n)?"
 r"(.*\n)*?\s*#error_page 404/404\.html;"
 ) # 匹配一下引入的外部配置文件,同时保证这个配置在SSL配置之前, 这样避免路由匹配问题
if rep_well_known.search(ng_data):
 return True
 else:
 return False
# 返回配置文件是否支持使用普通的文件验证
 @staticmethod
 def can_use_base_file_check(site_name: str, site_type: str):
 if site_type.lower() in ("php", "proxy", "wp2"):
 prefix = ""
 else:
 prefix = site_type.lower() + "_"
webserver = public.get_webserver()
 if webserver == "nginx":
 ng_file = "{}/nginx/{}{}.conf".format(public.get_vhost_path(), prefix, site_name)
 ng_data = public.readFile(ng_file)
 if not ng_data:
 return False
 rep_well_known = re.compile(r"location\s+([=~^]*\s*)?/?\\?\.well-known/?\s*{")
 if rep_well_known.search(ng_data):
 return True
 else:
 return False
 elif webserver == "apache" and prefix: # PHP 不用检查
 ap_file = "{}/apache/{}{}.conf".format(public.get_vhost_path(), prefix, site_name)
 ap_data = public.readFile(ap_file)
 if not ap_data:
 return False
 rep_well_known_list = [
 re.compile(r"<IfModule\s+alias_module>\s+Alias\s+/\.well-known/\s+\S+\s+</IfModule>"),
 re.compile(r"\s*ProxyPass\s+/\.well-known/\s+!", re.M),
 ]
 for rep_well_known in rep_well_known_list:
 if rep_well_known.search(ap_data):
 return True
 return False
 return True
# 取接口目录
 def get_apis(self):
 # if not self._apis:
 # 尝试从配置文件中获取
 api_index = self._mod_index[self._debug]
 if not 'apis' in self._config:
 self._config['apis'] = {}
 if api_index in self._config['apis']:
 if 'expires' in self._config['apis'][api_index] and 'directory' in self._config['apis'][api_index]:
 if time.time() < self._config['apis'][api_index]['expires']:
 self._apis = self._config['apis'][api_index]['directory']
 return self._apis
# 尝试从云端获取
 res = requests.get(self._url,s_type=self._request_type)
 if not res.status_code in [200, 201]:
 result = res.json()
 if "type" in result:
 if result['type'] == 'urn:acme:error:serverInternal':
 raise Exception('服务因维护而关闭或发生内部错误,查看 <a href="https://letsencrypt.status.io/" target="_blank" class="btlink">https://letsencrypt.status.io/</a> 了解更多详细信息。')
 raise Exception(res.content)
 s_body = res.json()
 self._apis = {}
 self._apis['newAccount'] = s_body['newAccount']
 self._apis['newNonce'] = s_body['newNonce']
 self._apis['newOrder'] = s_body['newOrder']
 self._apis['revokeCert'] = s_body['revokeCert']
 self._apis['keyChange'] = s_body['keyChange']
# 保存到配置文件
 self._config['apis'][api_index] = {}
 self._config['apis'][api_index]['directory'] = self._apis
 self._config['apis'][api_index]['expires'] = time.time() + \
 86400 # 24小时后过期
 self.save_config()
 return self._apis
# 获取帐户信息
 def get_account_info(self, args):
 try:
 if not 'account' in self._config:
 return {}
 k = self._mod_index[self._debug]
 if not k in self._config['account']:
 self.get_apis()
 self.get_kid()
 account = self._config['account'][k]
 account['email'] = self._config['email']
 self.set_crond()
 return account
 except Exception as ex:
 return public.returnMsg(False,str(ex))
# 设置帐户信息
 def set_account_info(self, args):
 if not 'account' in self._config:
 return public.returnMsg(False, '指定帐户不存在')
 account = json.loads(args.account)
 if 'email' in account:
 self._config['email'] = account['email']
 del(account['email'])
 self._config['account'][self._mod_index[self._debug]] = account
 self.save_config()
 return public.returnMsg(True, '帐户设置成功!')
# 获取订单列表
 def get_orders(self, args):
 if not 'orders' in self._config:
 return []
 s_orders = []
 for index in self._config['orders'].keys():
 tmp_order = self._config['orders'][index]
 tmp_order['index'] = index
 s_orders.append(tmp_order)
 return s_orders
# 删除订单
 def remove_order(self, args):
 if not 'orders' in self._config:
 return public.returnMsg(False, '指定订单不存在!')
 if not args.index in self._config['orders']:
 return public.returnMsg(False, '指定订单不存在!')
 del(self._config['orders'][args.index])
 self.save_config()
 return public.returnMsg(True, '订单删除成功!')
# 取指定订单数据
 def get_order_find(self, args):
 if not 'orders' in self._config:
 return public.returnMsg(False, '指定订单不存在!')
 if not args.index in self._config['orders']:
 return public.returnMsg(False, '指定订单不存在!')
 result = self._config['orders'][args.index]
 result['cert'] = self.get_cert_info(args.index)
 return result
# 获取证书信息
 def get_cert_info(self, index):
 cert = {}
 path = self._config['orders'][index]['save_path']
 if not os.path.exists(path):
 self.download_cert(index)
 cert['private_key'] = public.readFile(path + "/privkey.pem")
 cert['fullchain'] = public.readFile(path + "/fullchain.pem")
 return cert
# 更新证书压缩包
 def update_zip(self, args):
 path = self._config['orders'][args.index]['save_path']
 if not os.path.exists(path): # 尝试重新下载证书
 self.download_cert(args.index)
 if not os.path.exists(path):
 return public.returnMsg(False, '证书读取失败,目录不存在!')
 import panelTask
 bt_task = panelTask.bt_task()
 zip_file = path+'/cert.zip'
 result = bt_task._zip(path, '.', path+'/cert.zip', '/dev/null', 'zip')
 if not os.path.exists(zip_file):
 return result
 return public.returnMsg(True, zip_file)
# 吊销证书
 def revoke_order(self, index):
 if type(index) != str:
 index = index.index
 if not index in self._config['orders']:
 raise Exception("指定订单不存在!")
 cert_path = self._config['orders'][index]['save_path']
 if not os.path.exists(cert_path):
 raise Exception("指定订单没有找到可用的证书!")
 cert = self.dump_der(cert_path)
 if not cert:
 raise Exception("证书读取失败!")
 payload = {
 "certificate": self.calculate_safe_base64(cert),
 "reason": 4
 }
 res = self.acme_request(self._apis['revokeCert'], payload)
 if res.status_code in [200, 201]:
 if os.path.exists(cert_path):
 public.ExecShell("rm -rf {}".format(cert_path))
 del(self._config['orders'][index])
 self.save_config()
 return public.returnMsg(True, "证书吊销成功!")
 return res.json()
# 取根域名和记录值
 def extract_zone(self, domain_name):
 return public.split_domain_sld(domain_name)
 # top_domain_list = public.readFile('{}/config/domain_root.txt'.format(public.get_panel_path()))
 # if top_domain_list:
 # top_domain_list = top_domain_list.strip().split('\n')
 # else:
 # top_domain_list = []
 # old_domain_name = domain_name
 # top_domain = "."+".".join(domain_name.rsplit('.')[-2:])
 # new_top_domain = "." + top_domain.replace(".", "")
 # is_tow_top = False
 # if top_domain in top_domain_list:
 # is_tow_top = True
 # domain_name = domain_name[:-len(top_domain)] + new_top_domain
 #
 # if domain_name.count(".") > 1:
 # zone, middle, last = domain_name.rsplit(".", 2)
 # if is_tow_top:
 # last = top_domain[1:]
 # root = ".".join([middle, last])
 # else:
 # zone = ""
 # root = old_domain_name
 # return root, zone
# 自动构造通配符
 def auto_wildcard(self, domains):
 if not domains:
 return domains
 domain_list = []
 for domain in domains:
 root, zone = self.extract_zone(domain)
 tmp_list = zone.split(".", 1)
 if len(tmp_list) == 1:
 if root not in domain_list:
 domain_list.append(root)
 if not "*." + root in domain_list:
 domain_list.append("*." + root)
 else:
 new_root = "{}.{}".format(tmp_list[1], root)
 if new_root not in domain_list:
 domain_list.append(new_root)
 if not "*." + new_root in domain_list:
 domain_list.append("*." + new_root)
 return domain_list
# 构造域名列表
 def format_domains(self, domains):
 if type(domains) != list:
 return []
 # 是否自动构造通配符
 if self._auto_wildcard:
 domains = self.auto_wildcard(domains)
 wildcard = []
 tmp_domains = []
 for domain in domains:
 domain = domain.strip()
 if domain in tmp_domains:
 continue
 # 将通配符域名转为验证正则表达式
 f_index = domain.find("*.")
 if f_index not in [-1, 0]:
 continue
 if f_index == 0:
 wildcard.append(domain.replace(
 "*", r"^[\w-]+").replace(".", r"\."))
 # 添加到申请列表
 tmp_domains.append(domain)
# 处理通配符包含
 apply_domains = tmp_domains[:]
 for domain in tmp_domains:
 for w in wildcard:
 if re.match(w, domain):
 apply_domains.remove(domain)
return apply_domains
# 创建订单
 def create_order(self, domains, auth_type, auth_to, index=None):
 domains = self.format_domains(domains)
 if not domains:
 raise Exception("至少需要有一个域名或者IP")
 # 判断是否全部为IP或域名
 # 构造标识
 identifiers = []
 all_is_ip = set()
 for domain_name in domains:
 is_ip = public.check_ip(domain_name)
 all_is_ip.add(is_ip)
 if is_ip:
 identifiers.append({ "type": "ip", "value": domain_name })
 continue
 identifiers.append({"type": 'dns', "value": domain_name})
 payload = {"identifiers": identifiers}
 if len(all_is_ip) != 1:
 raise Exception("域名和IP不能同时申请证书!")
 all_is_ip = next(iter(all_is_ip))
 if all_is_ip:
 payload = {"identifiers": identifiers, "profile": "shortlived"}
 if auth_type != 'http':
 raise Exception("IP地址只能使用HTTP文件验证方式申请证书!")
# 请求创建订单
 res = self.acme_request(self._apis['newOrder'], payload)
 if not res.status_code in [201,200]: # 如果创建失败
 e_body = res.json()
 if 'type' in e_body:
 # 如果随机数失效
 if e_body['type'].find('error:badNonce') != -1:
 self.get_nonce(force=True)
 res = self.acme_request(self._apis['newOrder'], payload)
# 如果帐户失效
 if e_body['detail'].find('KeyID header contained an invalid account URL') != -1:
 k = self._mod_index[self._debug]
 del(self._config['account'][k])
 self.get_kid()
 self.get_nonce(force=True)
 res = self.acme_request(self._apis['newOrder'], payload)
 if not res.status_code in [201,200]:
 a_auth = res.json()
ret_title = self.get_error(str(a_auth))
 raise StopIteration(
 "{0} >>>> {1}".format(
 ret_title,
 json.dumps(a_auth)
 )
 )
# 返回验证地址和验证
 s_json = res.json()
 s_json['auth_type'] = auth_type
 s_json['url'] = res.headers.get("Location")
 s_json['ca'] = self._debug
 s_json['domains'] = domains
 s_json['auth_to'] = auth_to
 index = self.save_order(s_json, index)
 return index
def get_site_run_path_byid(self,site_id):
 '''
 @name 通过site_id获取网站运行目录
 @author hwliang
 @param site_id<int> 网站标识
 @return None or string
 '''
 if public.M('sites').where('id=? and project_type=?', (site_id, 'PHP')).count()>=1:
 site_path = public.M('sites').where('id=?',site_id).getField('path')
 if not site_path: return None
 if not os.path.exists(site_path): return None
 args = public.dict_obj()
 args.id = site_id
 import panelSite
 run_path = panelSite.panelSite().GetRunPath(args)
 if run_path in ['/']: run_path = ''
 if run_path:
 if run_path[0] == '/': run_path = run_path[1:]
 site_run_path = os.path.join(site_path,run_path)
 if not os.path.exists(site_run_path): return site_path
 return site_run_path
 else:
 find = public.M('sites').where('id=?',site_id).find()
 if not find:
 return False
 count = public.M('sites').where(
 'id=? and project_type in (?,?,?,?)',
 (site_id, 'Java', 'Go', 'Other', "Python")
 ).count()
 if count:
 try:
 project_info = json.loads(find['project_config'])
 if 'ssl_path' not in project_info:
 ssl_path = '/www/wwwroot/java_node_ssl'
 else:
 ssl_path = project_info['ssl_path']
 if not os.path.exists(ssl_path):
 os.makedirs(ssl_path)
 return ssl_path
 except:
 return False
 else:
 import panelSite
 auth_to = find['path'] + '/' + panelSite.panelSite().GetRunPath(public.to_dict_obj({"id": site_id}))
 auth_to = auth_to.replace("//", "/")
 if auth_to[-1] == '/':
 auth_to = auth_to[:-1]
 if not os.path.exists(auth_to):
 return False
 return auth_to
def get_site_run_path(self,domains):
 '''
 @name 通过域名列表获取网站运行目录
 @author hwliang
 @param domains<list> 域名列表
 @return None or string
 '''
 site_id = 0
 for domain in domains:
 site_id = public.M('domain').where("name=?",domain).getField('pid')
 if site_id: break
if not site_id: return None
 return self.get_site_run_path_byid(site_id)
# 获取验证信息
 def get_auths(self, index):
 if not index in self._config['orders']:
 raise Exception('指定订单不存在!')
# 检查是否已经获取过授权信息
 if 'auths' in self._config['orders'][index]:
 # 检查授权信息是否过期
 if time.time() < self._config['orders'][index]['auths'][0]['expires']:
 return self._config['orders'][index]['auths']
 if self._config['orders'][index]['auth_type'] != 'dns':
 site_run_path = self.get_site_run_path(self._config['orders'][index]['domains'])
 if site_run_path: self._config['orders'][index]['auth_to'] = site_run_path
#清理旧验证
 self.claer_auth_file(index)
auths = []
 for auth_url in self._config['orders'][index]['authorizations']:
 res = self.acme_request(auth_url, "")
 if res.status_code not in [200, 201]:
 raise Exception("获取授权失败: {}".format(res.json()))
s_body = res.json()
 if 'status' in s_body:
 if s_body['status'] in ['invalid']:
 raise Exception("无效订单,此订单当前为验证失败状态!")
 if s_body['status'] in ['valid']: # 跳过无需验证的域名
 continue
s_body['expires'] = self.utc_to_time(s_body['expires'])
 identifier_auth = self.get_identifier_auth(index, auth_url, s_body)
 if not identifier_auth:
 raise Exception("验证信息构造失败!{}")
acme_keyauthorization, auth_value = self.get_keyauthorization(
 identifier_auth['token'])
 identifier_auth['acme_keyauthorization'] = acme_keyauthorization
 identifier_auth['auth_value'] = auth_value
 identifier_auth['expires'] = s_body['expires']
 identifier_auth['auth_to'] = self._config['orders'][index]['auth_to']
 identifier_auth['type'] = self._config['orders'][index]['auth_type']
# 设置验证信息
 set_auth = True
 for auth in auths:
 if (
 auth['domain'].replace("*.", "") == identifier_auth['domain'].replace("*.", "")
 and auth['auth_value'] == identifier_auth['auth_value']
 ):
 set_auth = False
 break
 if set_auth:
 self.set_auth_info(identifier_auth, index=index)
 auths.append(identifier_auth)
 self._config['orders'][index]['auths'] = auths
 self.save_config()
 if not self.check_config(index, "auths", auths):
 self.save_config()
 return auths
# 更新随机数
 def update_replay_nonce(self, res):
 replay_nonce = res.headers.get('Replay-Nonce')
 if replay_nonce:
 self._replay_nonce = replay_nonce
# 设置验证信息
 def set_auth_info(self, identifier_auth, index=None):
#从云端验证
 if not self.cloud_check_domain(identifier_auth['domain']):
 self.err = "云端验证失败!"
# 是否手动验证DNS
 if identifier_auth['auth_to'] == 'dns':
 return None
# 是否文件验证
 if identifier_auth['type'] in ['http', 'tls']:
 self.write_auth_file(
 identifier_auth['auth_to'], identifier_auth['token'], identifier_auth['acme_keyauthorization'], index)
 else:
 # dnsapi验证
 self.create_dns_record(
 identifier_auth['auth_to'], identifier_auth['domain'], identifier_auth['auth_value'])
#从云端验证域名是否可访问
 def cloud_check_domain(self,domain):
 try:
 result = requests.post('https://www.bt.cn/api/panel/check_domain',{"domain":domain,"ssl":1},s_type=self._request_type).json()
 return result['status']
 except: return False
#清理验证文件
 def claer_auth_file(self,index):
 if not self._config['orders'][index]['auth_type'] in ['http','tls']:
 return True
 acme_path = '{}/.well-known/acme-challenge'.format(self._config['orders'][index]['auth_to'])
 acme_path = acme_path.replace("//",'/')
 write_log("|-验证目录:{}".format(acme_path))
 if os.path.exists(acme_path):
 public.ExecShell("rm -f {}/*".format(acme_path))
acme_path = '/www/server/stop/.well-known/acme-challenge'
 if os.path.exists(acme_path):
 public.ExecShell("rm -f {}/*".format(acme_path))
def change_well_known_mod(self, path_dir: str):
 path_dir = path_dir.rstrip("/")
 if not os.path.isdir(path_dir):
 return False
 if path_dir in self._well_known_check_cache:
 return True
 else:
 self._well_known_check_cache[path_dir] = True
 import stat
try:
 import pwd
 uid_data = pwd.getpwnam("www")
 uid = uid_data.pw_uid
 gid = uid_data.pw_gid
 except:
 return
# 逐级给最低访问权限
 while path_dir != "/":
 path_dir_stat = os.stat(path_dir)
 if path_dir_stat.st_uid == 0 and uid != 0:
 old_mod = stat.S_IMODE(path_dir_stat.st_mode)
 if not old_mod & (1 << 3):
 os.chmod(path_dir, old_mod + (1 << 3)) # chmod g+x
 if path_dir_stat.st_uid == uid:
 old_mod = stat.S_IMODE(path_dir_stat.st_mode)
 if not old_mod & (1 << 6):
 os.chmod(path_dir, old_mod + (1 << 6)) # chmod u+x
 elif path_dir_stat.st_gid == gid:
 old_mod = stat.S_IMODE(path_dir_stat.st_mode)
 if not old_mod & (1 << 3):
 os.chmod(path_dir, old_mod + (1 << 6)) # chmod g+x
 elif path_dir_stat.st_uid != uid or path_dir_stat.st_gid != gid:
 old_mod = stat.S_IMODE(path_dir_stat.st_mode)
 if not old_mod & 1:
 os.chmod(path_dir, old_mod+1) # chmod o+x
 path_dir = os.path.dirname(path_dir)
# 写验证文件
 def write_auth_file(self, auth_to, token, acme_keyauthorization, index):
 if public.get_webserver() == "nginx":
 # 如果是nginx尝试使用配置文件进行验证
 self.write_ngin_authx_file(auth_to, token, acme_keyauthorization, index)
# 尝试写文件进行验证
 try:
 acme_path = '{}/.well-known/acme-challenge'.format(auth_to)
 acme_path = acme_path.replace("//",'/')
 if not os.path.exists(acme_path):
 os.makedirs(acme_path)
 public.set_own(acme_path, 'www')
 self.change_well_known_mod(acme_path)
 wellknown_path = '{}/{}'.format(acme_path, token)
 public.writeFile(wellknown_path, acme_keyauthorization)
 public.set_own(wellknown_path, 'www')
acme_path = '/www/server/stop/.well-known/acme-challenge'
 if not os.path.exists(acme_path):
 os.makedirs(acme_path)
 public.set_own(acme_path, 'www')
 self.change_well_known_mod(acme_path)
 wellknown_path = '{}/{}'.format(acme_path,token)
 public.writeFile(wellknown_path,acme_keyauthorization)
 public.set_own(wellknown_path, 'www')
 return True
 except:
 err = public.get_error_info()
 print(err)
 raise Exception("写入验证文件失败: {}".format(err))
def write_ngin_authx_file(self, auth_to, token, acme_keyauthorization, index):
 site_name, project_type = self.get_site_name_by_domains(self._config["orders"][index]["domains"])
 if site_name is None:
 return
if self.can_use_lua_for_site(site_name, project_type):
 return
if project_type.lower() in ("php", "proxy"):
 nginx_conf_path = "{}/vhost/nginx/{}.conf".format(public.get_panel_path(), site_name)
 else:
 nginx_conf_path = "{}/vhost/nginx/{}_{}.conf".format(public.get_panel_path(), project_type.lower(), site_name)
 nginx_conf = public.readFile(nginx_conf_path)
 if nginx_conf is False:
 return
file_check_config_path = "/www/server/panel/vhost/nginx/well-known/{}.conf".format(site_name)
 if not os.path.exists("/www/server/panel/vhost/nginx/well-known"):
 os.makedirs("/www/server/panel/vhost/nginx/well-known", 0o755)
# 如果主配置中,没有引用则尝试添加,添加失败就跳出
 if not re.search(r"\s*include\s+/www/server/panel/vhost/nginx/well-known/.*\.conf;", nginx_conf, re.M):
 ssl_line = re.search(r"(#.*\n\s*)?#error_page 404/404\.html;", nginx_conf)
 if ssl_line is None:
 return
 default_cert_apply_check = (
 "#CERT-APPLY-CHECK--START\n"
 " # 用于SSL证书申请时的文件验证相关配置 -- 请勿删除\n"
 " include /www/server/panel/vhost/nginx/well-known/{}.conf;\n"
 " #CERT-APPLY-CHECK--END\n "
 ).format(site_name)
 if not os.path.exists(file_check_config_path):
 public.writeFile(file_check_config_path, "")
new_conf = nginx_conf.replace(ssl_line.group(), default_cert_apply_check + ssl_line.group(), 1)
 public.writeFile(nginx_conf_path, new_conf)
 isError = public.checkWebConfig()
 if isError is not True:
 public.writeFile(nginx_conf_path, nginx_conf)
 return
# 如果主配置有引用, 不再检测位置关系,因为不能保证用户的自定义配置的优先级, 直接进行文件验证的 lua 方式和 if 方式的尝试
 if self.can_use_lua_module():
 self.write_lua_file_for_site(file_check_config_path)
 return
# 开始尝试if 验证方式
 if auth_to not in self._nginx_cache_file_auth:
 self._nginx_cache_file_auth[auth_to] = []
self._nginx_cache_file_auth[auth_to].append((token, acme_keyauthorization))
tmp_data = []
 for token, acme_key in self._nginx_cache_file_auth[auth_to]:
 tmp_data.append((
 'if ($request_uri ~ "^/\.well-known/acme-challenge/{}.*"){{\n'
 ' return 200 "{}";\n'
 '}}\n'
 ).format(token, acme_key))
public.writeFile(file_check_config_path, "\n".join(tmp_data))
 isError = public.checkWebConfig()
 if isError is True:
 public.serviceReload()
 else:
 public.writeFile(file_check_config_path, "")
@staticmethod
 def write_lua_file_for_site(file_check_config_path: str):
 old_data = public.readFile(file_check_config_path)
 if isinstance(old_data, str) and "set_by_lua_block $well_known" in old_data:
 return
lua_file_data = """
set $well_known '';
if ( $uri ~ "^/.well-known/" ) {
 set_by_lua_block $well_known {
-- 获取路径
 local m,err = ngx.re.match(ngx.var.uri,"/.well-known/(.*)","isjo")
 -- 如果路径匹配
 if m then
 -- 拼接文件路径
 local filename = ngx.var.document_root .. m[0]
 -- 判断文件路径中是否合法
 if not ngx.re.find(m[1],"\\\\./","isjo") then
 -- 判断文件是否存在
 local is_exists = io.open(filename, "r")
 if not is_exists then
 -- Java项目?
 filename = "/www/wwwroot/java_node_ssl" .. m[0]
 end
 -- 释放
 if is_exists then is_exists:close() end
 -- 读取文件
 local fp = io.open(filename,'r')
 if fp then
 local file_body = fp:read("*a")
 fp:close()
 if file_body then
 ngx.header['content-type'] = 'text/plain'
 return file_body
 end
 end
 end
 end
 return ""
 }
}
if ( $well_known != "" ) {
 return 200 $well_known;
}
"""
 public.writeFile(file_check_config_path, lua_file_data)
 isError = public.checkWebConfig()
 if isError is True:
 public.serviceReload()
 else:
 public.writeFile(file_check_config_path, old_data)
# 解析域名 新的 前端修改完用这个
 # def create_dns_record(self, auth_to, domain, dns_value):
 # # 如果为手动解析
 # if auth_to == 'dns':
 # return None
 #
 # from panelDnsapi import DnsMager
 #
 # self._dns_class = DnsMager().get_dns_obj_by_domain(domain)
 # self._dns_class.create_dns_record(public.de_punycode(domain), dns_value)
 # self._dns_domains.append({"domain": domain, "dns_value": dns_value})
# 解析域名
 def create_dns_record(self, auth_to, domain, dns_value):
 # 如果为手动解析
 if auth_to == 'dns':
 return None
if auth_to.find('|') != -1:
 import panelDnsapi
 dns_name, key, secret = self.get_dnsapi(auth_to)
 self._dns_class = getattr(panelDnsapi, dns_name)(key, secret)
 self._dns_class.create_dns_record(public.de_punycode(domain), dns_value)
 # else:
 # from panelDnsapi import DnsMager
 # self._dns_class = DnsMager().get_dns_obj_by_domain(domain)
 # self._dns_class.create_dns_record(public.de_punycode(domain), dns_value)
 # self._dns_domains.append({"domain": domain, "dns_value": dns_value})
 else:
 from sslModel import dataModel
 dataModel.main().add_dns_value_by_domain(domain, dns_value, is_let_txt=True)
 self._dns_domains.append({"domain": domain, "dns_value": dns_value})
 return
# 解析域名
 # def create_dns_record(self, auth_to, domain, dns_value):
 # # 如果为手动解析
 # if auth_to == 'dns' or auth_to.find('|') == -1:
 # return None
 #
 # import panelDnsapi
 # dns_name, key, secret = self.get_dnsapi(auth_to)
 # self._dns_class = getattr(panelDnsapi, dns_name)(key, secret)
 # self._dns_class.create_dns_record(public.de_punycode(domain), dns_value)
 # self._dns_domains.append({"domain": domain, "dns_value": dns_value})
 # return
# 解析DNSAPI信息 # 不再使用的
 def get_dnsapi(self, auth_to):
 tmp = auth_to.split('|')
 dns_name = tmp[0]
 key = "None"
 secret = "None"
 if len(tmp) < 3:
 try:
 dnsapi_config = json.loads(public.readFile(self._dnsapi_file))
 for dc in dnsapi_config:
 if dc['name'] != dns_name:
 continue
 if not dc['data']:
 continue
 key = dc['data'][0]['value']
 secret = dc['data'][1]['value']
 except:
 raise Exception("没有找到有效的DNSAPI密钥信息")
 else:
 key = tmp[1]
 secret = tmp[2]
 return dns_name, key, secret
# 删除域名解析
 def remove_dns_record(self):
 if not self._dns_domains:
 return None
 for dns_info in self._dns_domains:
 try:
 if self._dns_class:
 self._dns_class.delete_dns_record(
 public.de_punycode(dns_info['domain']), dns_info['dns_value'])
 else:
 from sslModel import dataModel
 dataModel.main().del_dns_value_by_domain(dns_info['domain'], is_let_txt=True)
 except Exception as e:
 pass
# 验证域名
 def auth_domain(self, index):
 self._config['orders'][index]['auth_tag'] = True
 self.save_config()
 if index not in self._config['orders']:
 raise Exception('指定订单不存在!')
if "auths" not in self._config['orders'][index]:
 raise Exception('订单验证信息丢失,请尝试重新申请!')
# 开始验证
 for auth in self._config['orders'][index]['auths']:
 res = self.check_auth_status(auth['url']) # 检查是否需要验证
 if res.json()['status'] == 'invalid':
 raise Exception('域名验证失败,请尝试重新申请!')
 if res.json()['status'] == 'pending':
 if auth['type'] == 'dns': # 尝试提前验证dns解析
 self.check_dns(
 "_acme-challenge.{}".format(
 auth['domain'].replace('*.', '')),
 auth['auth_value'],
 "TXT"
 )
 self.respond_to_challenge(auth)
# 检查验证结果
 for i in range(len(self._config['orders'][index]['auths'])):
 self.check_auth_status(self._config['orders'][index]['auths'][i]['url'], [
 'valid', 'invalid'])
 self._config['orders'][index]['status'] = 'valid'
def auth_domain_api(self, get):
 """
 验证单个域名
 """
 index = get.index
 domain = get.domain
write_log("|-正在验证域名:{}".format(domain))
 if index not in self._config['orders']:
 return public.returnMsg(False, '指定订单不存在!')
 order = self._config['orders'][index]
 if "ca" in order:
 self._debug = order['ca']
 self._url = url_dic.get(order['ca'], url_dic['letsencrypt'])
 self.get_apis()
if "auths" not in order:
 return public.returnMsg(False, '订单验证信息丢失,请尝试重新申请!')
for auth in order['auths']:
 if auth.get("status") == "invalid":
 return public.returnMsg(False, "域名验证失败,请尝试重新申请!")
 if domain and auth['domain'] != domain:
 continue
 try:
 res = self.check_auth_status(auth['url']) # 检查是否需要验证
 if res.json()['status'] == 'pending':
 self.respond_to_challenge(auth)
 _return = self.check_auth_status(auth['url'], ['valid', 'invalid']).json()
 auth['status'] = _return['status']
 return auth
 auth['status'] = res.json()['status']
 write_log("|-验证成功!")
 return auth
 except StopIteration as e:
 auth['status'] = 'invalid'
 ex = str(e)
 if ex.find(">>>>") != -1:
 msg = ex.split(">>>>")
 msg[1] = json.loads(msg[1])
 else:
 msg = ex
 write_log(public.get_error_info())
 auth['error'] = msg
 return public.returnMsg(False, msg)
 finally:
 self.save_config()
 if "pending" not in [i.get("status", "pending") for i in order['auths']]:
 return self.apply_dns_auth(get)
 write_log("|-没有在订单中找到此域名:{}".format(domain))
 return public.returnMsg(False, "没有在订单中找到此域名:{}".format(domain))
# 检查验证状态
 def check_auth_status(self, url, desired_status=None):
 desired_status = desired_status or ["pending", "valid", "invalid"]
 number_of_checks = 0
 while True:
 if desired_status == ['valid', 'invalid']:
 write_log("|-第{}次查询验证结果..".format(number_of_checks + 1))
 time.sleep(self._wait_time)
 check_authorization_status_response = self.acme_request(url, "")
 a_auth = check_authorization_status_response.json()
 if 'type' in a_auth and a_auth['type'].find('error:badNonce') != -1:
 # 如果随机数失效
 self.get_nonce(force=True)
 a_auth = self.acme_request(url, "").json()
 if not isinstance(a_auth, dict):
 write_log(a_auth)
 continue
 authorization_status = a_auth["status"]
 number_of_checks += 1
 if authorization_status in desired_status:
 if authorization_status == "invalid":
 write_log("|-验证失败!")
 try:
 if 'error' in a_auth['challenges'][0]:
 ret_title = a_auth['challenges'][0]['error']['detail']
 elif 'error' in a_auth['challenges'][1]:
 ret_title = a_auth['challenges'][1]['error']['detail']
 elif 'error' in a_auth['challenges'][2]:
 ret_title = a_auth['challenges'][2]['error']['detail']
 else:
 ret_title = str(a_auth)
 ret_title = self.get_error(ret_title)
 except:
 ret_title = str(a_auth)
 raise StopIteration(
 "{0} >>>> {1}".format(
 ret_title,
 json.dumps(a_auth)
 )
 )
 break
if number_of_checks == self._max_check_num:
 raise StopIteration(
 "错误:已尝试验证{0}次. 最大验证次数为{1}. 验证时间间隔为{2}秒.".format(
 number_of_checks,
 self._max_check_num,
 self._wait_time
 )
 )
 if desired_status == ['valid', 'invalid']:
 write_log("|-验证成功!")
 return check_authorization_status_response
# 格式化错误输出
 def get_error(self, error):
 write_log("error_result: " + str(error))
 if error.find("Max checks allowed") >= 0:
 return "CA无法验证您的域名,请检查域名解析是否正确,或等待5-10分钟后重试."
 elif error.find("Max retries exceeded with") >= 0 or error.find('status_code=0 ') != -1:
 return "CA服务器连接超时,请稍候重试."
 elif error.find("The domain name belongs") >= 0:
 return "域名不属于此DNS服务商,请确保域名填写正确."
 elif error.find("domains in the last 168 hours") != -1 and error.find("Error creating new order") != -1:
 return "签发失败,该域名%s的根域名超出了每周的最大签发次数限制!" % re.findall("hours:\s+(.+?),", error)
 elif error.find('login token ID is invalid') >= 0:
 return 'DNS服务器连接失败,请检查密钥是否正确.'
 elif error.find('Error getting validation data') != -1:
 return '数据验证失败,CA无法从验证连接中获到正确的验证码.'
 elif "too many certificates already issued for exact set of domains" in error:
 return '签发失败,该域名%s超出了每周的重复签发次数限制!' % re.findall("exact set of domains: (.+):", error)
 elif "Error creating new account :: too many registrations for this IP" in error:
 return '签发失败,当前服务器IP已达到每3小时最多创建10个帐户的限制.'
 elif "DNS problem: NXDOMAIN looking up A for" in error:
 return '验证失败,没有解析域名,或解析未生效!'
 elif "Invalid response from" in error:
 return '验证失败,域名解析错误或验证URL无法被访问!'
 elif error.find('TLS Web Server Authentication') != -1:
 return "连接CA服务器失败,请稍候重试."
 elif error.find('Name does not end in a public suffix') != -1:
 return "不支持的域名%s,请检查域名是否正确!" % re.findall("Cannot issue for \"(.+)\":", error)
 elif error.find('No valid IP addresses found for') != -1:
 return "域名%s没有找到解析记录,请检查域名是否解析生效!" % re.findall("No valid IP addresses found for (.+)", error)
 elif error.find('No TXT record found at') != -1:
 return "没有在域名%s中找到有效的TXT解析记录,请检查是否正确解析TXT记录,如果是DNSAPI方式申请的,请10分钟后重试!" % re.findall("No TXT record found at (.+)", error)
 elif error.find('Incorrect TXT record') != -1:
 return "在%s上发现错误的TXT记录:%s,请检查TXT解析是否正确,如果是DNSAPI方式申请的,请10分钟后重试!" % (re.findall("found at (.+)", error), re.findall("Incorrect TXT record \"(.+)\"", error))
 elif error.find('Domain not under you or your user') != -1:
 return "这个dnspod账户下面不存在这个域名,添加解析失败!"
 elif error.find('SERVFAIL looking up TXT for') != -1:
 return "没有在域名%s中找到有效的TXT解析记录,请检查是否正确解析TXT记录,如果是DNSAPI方式申请的,请10分钟后重试!" % re.findall("looking up TXT for (.+)", error)
 elif error.find('Timeout during connect') != -1:
 return "连接超时,CA服务器无法访问您的网站!"
 elif error.find("DNS problem: SERVFAIL looking up CAA for") != -1:
 return "域名%s当前被要求验证CAA记录,请手动解析CAA记录,或1小时后重新尝试申请!" % re.findall("looking up CAA for (.+)", error)
 elif error.find("Read timed out.") != -1:
 return "验证超时,请检查域名是否正确解析,若已正确解析,可能服务器与Let'sEncrypt连接异常,请稍候再重试!"
 elif error.find("The ACME server can not issue a certificate for an IP address") != -1:
 return "不能使用IP地址申请证书!"
 elif error.find('Cannot issue for') != -1:
 return "无法为{}颁发证书,不能直接用域名后缀申请通配符证书!".format(re.findall(r'for\s+"(.+)"',error))
 elif error.find('too many failed authorizations recently') != -1:
 return '该帐户1小时内失败的订单次数超过5次,请等待1小时再重试!'
 elif error.find("Error creating new order") != -1:
 return "订单创建失败,请稍候重试!"
 elif error.find("Too Many Requests") != -1:
 return "1小时内超过5次验证失败,暂时禁止申请,请稍候重试!"
 elif error.find('HTTP Error 400: Bad Request') != -1:
 return "CA服务器拒绝访问,请稍候重试!"
 elif error.find('Temporary failure in name resolution') != -1:
 return '服务器DNS故障,无法解析域名,请使用Linux工具箱检查dns配置'
 elif error.find('Too Many Requests') != -1:
 return '该域名请求申请次数过多,请3小时后重试'
 elif error.find('Only domain names are supported') != -1:
 return "Let's Encrypt仅支持使用域名申请证书"
 elif error.find('DNSSEC: DNSKEY Missing') != -1:
 return "CA无法找到或获取用于验证DNSSEC签名的DNSKEY记录"
 else:
 return error
# 发送验证请求
 def respond_to_challenge(self, auth):
 payload = {"keyAuthorization": "{0}".format(
 auth['acme_keyauthorization'])}
 respond_to_challenge_response = self.acme_request(
 auth['dns_challenge_url'], payload)
 return respond_to_challenge_response
# 发送CSR
 def send_csr(self, index):
 csr = self.create_csr(index)
 payload = {"csr": self.calculate_safe_base64(csr)}
 send_csr_response = self.acme_request(
 url=self._config['orders'][index]['finalize'], payload=payload)
 if send_csr_response.status_code not in [200, 201]:
 if send_csr_response.status_code == 0:
 raise ValueError("错误:提示Connection reset by peer,可能请求过程被意外拦截,如果只有此域名无法申请,则该域名可能存在异常!")
 raise ValueError(
 "错误: 发送CSR: 响应状态{status_code} 响应值:{response}".format(
 status_code=send_csr_response.status_code,
 response=send_csr_response.json(),
 )
 )
 # 轮询获取证书
 l=0
 while True:
 res = self.acme_request(
 url=self._config['orders'][index]['url'], payload=""
 ).json()
 public.print_log(res)
 if res["status"] == "valid":
 certificate_url = res["certificate"]
 break
 if l >= self._max_check_num:
 raise Exception(
 "错误:已尝试获取证书{0}次. 最大尝试次数为{1}. 尝试间隔为{2}秒.".format(
 l,
 self._max_check_num,
 self._wait_time
 )
 )
 time.sleep(1)
 l+=1
 self._config['orders'][index]['certificate_url'] = certificate_url
 self.save_config()
 return certificate_url
# 获取证书到期时间
 def get_cert_timeout(self, cret_data):
info = ssl_info.ssl_info().load_ssl_info_by_data(cret_data)
 if not info:
 return int(time.time() + (86400 * 90))
try:
 return public.to_date(times=info['notAfter'])
 except:
 return int(time.time() + (86400 * 90))
# 下载证书
 def download_cert(self, index):
 res = self.acme_request(
 self._config['orders'][index]['certificate_url'], "")
 if res.status_code not in [200, 201]:
 raise Exception("下载证书失败: {}".format(res.json()))
pem_certificate = res.content
 if type(pem_certificate) == bytes:
 pem_certificate = pem_certificate.decode('utf-8')
 cert = self.split_ca_data(pem_certificate)
 cert['cert_timeout'] = self.get_cert_timeout(cert['cert'])
 cert['private_key'] = self._config['orders'][index]['private_key']
 cert['domains'] = self._config['orders'][index]['domains']
 del(self._config['orders'][index]['private_key'])
 del(self._config['orders'][index]['auths'])
 del(self._config['orders'][index]['expires'])
 del(self._config['orders'][index]['authorizations'])
 del(self._config['orders'][index]['finalize'])
 del(self._config['orders'][index]['identifiers'])
 if 'cert' in self._config['orders'][index]:
 del(self._config['orders'][index]['cert'])
 self._config['orders'][index]['status'] = 'valid'
 self._config['orders'][index]['cert_timeout'] = cert['cert_timeout']
 domain_name = self._config['orders'][index]['domains'][0]
 self._config['orders'][index]['save_path'] = '{}/{}'.format(
 self._save_path, domain_name)
 cert['save_path'] = self._config['orders'][index]['save_path']
 self.save_config()
 self.save_cert(cert, index)
 return cert
# 保存证书到文件
 def save_cert(self, cert, index):
 try:
 from ssl_manage import SSLManger
 SSLManger().save_by_data(cert['cert'] + cert['root'], cert['private_key'])
domain_name = self._config['orders'][index]['domains'][0]
 path = self._config['orders'][index]['save_path']
 if not os.path.exists(path):
 os.makedirs(path, 384)
# 存储证书
 key_file = path + "/privkey.pem"
 pem_file = path + "/fullchain.pem"
 public.writeFile(key_file, cert['private_key'])
 public.writeFile(pem_file, cert['cert'] + cert['root'])
 public.writeFile(path + "/cert.csr", cert['cert'])
 public.writeFile(path + "/root_cert.csr", cert['root'])
self.set_exclude_hash(index, cert['cert'] + cert['root'])
# 转为IIS证书
 try:
 pfx_buffer = self.dump_pkcs12(
 cert['private_key'], cert['cert'] + cert['root'], cert['root'], domain_name)
 except:
 pfx_buffer = ssl_info.ssl_info().dump_pkcs12_new(
 cert['private_key'], cert['cert'] + cert['root'], cert['root'], domain_name)
 public.writeFile(path + "/fullchain.pfx", pfx_buffer, 'wb+')
ps = '''文件说明:
privkey.pem 证书私钥
fullchain.pem 包含证书链的PEM格式证书(nginx/apache)
root_cert.csr 根证书
cert.csr 域名证书
fullchain.pfx 用于IIS的证书格式
如何在宝塔面板使用:
privkey.pem 粘贴到密钥输入框
fullchain.pem 粘贴到证书输入框
'''
 public.writeFile(path+'/说明.txt', ps)
 self.sub_all_cert(key_file, pem_file)
 except:
 write_log(public.get_error_info())
def set_exclude_hash(self, order, exclude_hash):
 try:
 path = '{}/data/exclude_hash.json'.format(public.get_panel_path())
try:
 data = json.loads(public.readFile(path))
 except:
 data = self.get_exclude_hash(public.to_dict_obj({}))
 if "exclude_hash_let" not in data:
 data["exclude_hash_let"] = {}
 data['exclude_hash_let'].update({order: self._hash(certificate=exclude_hash)})
 public.writeFile(path, json.dumps(data))
 except:
 pass
def get_exclude_hash(self, get):
 path = '{}/data/exclude_hash.json'.format(public.get_panel_path())
import panelSSL
 exclude_data = panelSSL.panelSSL().get_exclude_hash(get)
 if exclude_data.get('version_let') == '1':
 return exclude_data
 if "exclude_hash_let" not in exclude_data:
 exclude_data["exclude_hash_let"] = {}
data = self.read_config()
if data.get('orders', {}):
 try:
 self.get_apis()
 except:
 return exclude_data
 for order in data.get('orders', {}).values():
 if order['status'] != "valid" or not order.get("certificate_url"):
 continue
 try:
 res = self.acme_request(
 order['certificate_url'], "")
 if res.status_code not in [200, 201]:
 continue
 pem_certificate = res.content
 if type(pem_certificate) == bytes:
 pem_certificate = pem_certificate.decode('utf-8')
 cert = self.split_ca_data(pem_certificate)
 exclude_data["exclude_hash_let"].update({order['index']: self._hash(certificate=cert['cert'] + cert['root'])})
 except:
 pass
 exclude_data['version_let'] = '1'
 public.writeFile(path, json.dumps(exclude_data))
 return exclude_data
def _hash(self, cert_filename: str = None, certificate: str = None, ignore_errors: bool = False):
 if cert_filename is not None and os.path.isfile(cert_filename):
 certificate = public.readFile(cert_filename)
if not isinstance(certificate, str) or not certificate.startswith("-----BEGIN"):
 if ignore_errors:
 return None
 raise ValueError("证书格式错误")
md5_obj = hashlib.md5()
 md5_obj.update(certificate.encode("utf-8"))
 return md5_obj.hexdigest()
# 通过域名获取网站名称
 def get_site_name_by_domains(self,domains):
 sql = public.M('domain')
 site_sql = public.M('sites')
 siteName, project_type = None, None
 for domain in domains:
 pid = sql.where('name=?',domain).getField('pid')
 if pid:
 site_data = site_sql.where('id=?', pid).field('name,project_type').find()
 siteName, project_type = site_data["name"], site_data["project_type"]
 break
 return siteName, project_type
# 替换服务器上的同域名同品牌证书
 def sub_all_cert(self, key_file, pem_file):
 cert_init = self.get_cert_init(pem_file) # 获取新证书的基本信息
 paths = ['/www/server/panel/vhost/cert', '/www/server/panel/vhost/ssl','/www/server/panel']
 is_panel = False
 for path in paths:
 if not os.path.exists(path):
 continue
 for p_name in os.listdir(path):
 to_path = path + '/' + p_name
 to_pem_file = to_path + '/fullchain.pem'
 to_key_file = to_path + '/privkey.pem'
 to_info = to_path + '/info.json'
 # 判断目标证书是否存在
 if not os.path.exists(to_pem_file):
 if not p_name in ['ssl']: continue
 to_pem_file = to_path + '/certificate.pem'
 to_key_file = to_path + '/privateKey.pem'
 if not os.path.exists(to_pem_file):
 continue
 # 获取目标证书的基本信息
 to_cert_init = self.get_cert_init(to_pem_file)
 # 判断证书品牌是否一致
 try:
 if to_cert_init['issuer'] != cert_init['issuer'] and to_cert_init['issuer'].find("Let's Encrypt") == -1 and to_cert_init.get('issuer_O', '') != "Let's Encrypt":
 continue
 except: continue
 # 判断目标证书的到期时间是否较早
 if to_cert_init['notAfter'] > cert_init['notAfter']:
 continue
 # 判断认识名称是否一致
 if len(to_cert_init['dns']) != len(cert_init['dns']):
 continue
 is_copy = True
 for domain in to_cert_init['dns']:
 if not domain in cert_init['dns']:
 is_copy = False
 if not is_copy:
 continue
# 替换新的证书文件和基本信息
 public.writeFile(
 to_pem_file, public.readFile(pem_file, 'rb'), 'wb')
 public.writeFile(
 to_key_file, public.readFile(key_file, 'rb'), 'wb')
 public.writeFile(to_info, json.dumps(cert_init))
 write_log(
 "|-检测到{}下的证书与本次申请的证书重叠,且到期时间较早,已替换为新证书!".format(to_path))
 if path == paths[-1]: is_panel = True
# 重载web服务
 public.serviceReload()
 # if is_panel: public.restart_panel()
# 检查指定证书是否在订单列表
 def check_order_exists(self, pem_file):
 try:
 cert_init = self.get_cert_init(pem_file)
 if not cert_init:
 return None
 if not (cert_init['issuer'].find("Let's Encrypt") != -1 or cert_init['issuer'] in ('R3', 'R10', 'R11') or cert_init.get('issuer_O', '') == "Let's Encrypt"):
 return None
 for index in self._config['orders'].keys():
 if not 'save_path' in self._config['orders'][index]:
 continue
 for domain in self._config['orders'][index]['domains']:
 if domain in cert_init['dns']:
 return index
 return pem_file
 except:
 return None
# 取证书基本信息API
 def get_cert_init_api(self, args):
 if not os.path.exists(args.pem_file):
 args.pem_file = 'vhost/cert/{}/fullchain.pem'.format(args.siteName)
 if not os.path.exists(args.pem_file):
 return public.returnMsg(False, '指定证书文件不存在!')
 cert_init = self.get_cert_init(args.pem_file)
 if not cert_init:
 return public.returnMsg(False, '证书信息获取失败!')
 try:
 cert_init['dnsapi'] = json.loads(public.readFile(self._dnsapi_file))
 except:
 cert_init['dnsapi'] = []
 return cert_init
# 获取指定证书基本信息
 def get_cert_init(self, pem_file):
 return ssl_info.ssl_info().load_ssl_info(pem_file)
# 转换时间
 def strf_date(self, sdate):
 return time.strftime('%Y-%m-%d', time.strptime(sdate, '%Y%m%d%H%M%S'))
# 证书转为DER
 def dump_der(self, cert_path):
 cert = OpenSSL.crypto.load_certificate(
 OpenSSL.crypto.FILETYPE_PEM, public.readFile(cert_path+'/cert.csr'))
 return OpenSSL.crypto.dump_certificate(OpenSSL.crypto.FILETYPE_ASN1, cert)
# 证书转为pkcs12
 def dump_pkcs12(self, key_pem=None, cert_pem=None, ca_pem=None, friendly_name=None):
 p12 = OpenSSL.crypto.PKCS12()
 if cert_pem:
 p12.set_certificate(OpenSSL.crypto.load_certificate(
 OpenSSL.crypto.FILETYPE_PEM, cert_pem.encode()))
 if key_pem:
 p12.set_privatekey(OpenSSL.crypto.load_privatekey(
 OpenSSL.crypto.FILETYPE_PEM, key_pem.encode()))
 if ca_pem:
 p12.set_ca_certificates((OpenSSL.crypto.load_certificate(
 OpenSSL.crypto.FILETYPE_PEM, ca_pem.encode()),))
 if friendly_name:
 p12.set_friendlyname(friendly_name.encode())
 return p12.export()
# 拆分根证书
 def split_ca_data(self,cert):
 sp_key = '-----END CERTIFICATE-----\n'
 datas = cert.split(sp_key)
 return {"cert": datas[0] + sp_key, "root": sp_key.join(datas[1:])}
# 构造可选名称
 def get_alt_names(self, index):
 domain_name = self._config['orders'][index]['domains'][0]
 domain_alt_names = []
 if len(self._config['orders'][index]['domains']) > 1:
 domain_alt_names = self._config['orders'][index]['domains'][1:]
 return domain_name, domain_alt_names
# 检查DNS记录
 def check_dns(self, domain, value, s_type='TXT'):
 write_log("|-尝试本地验证DNS记录,域名: {} , 类型: {} 记录值: {}".format(domain, s_type, value))
 time.sleep(10)
 n = 0
 while n < 20:
 n += 1
 try:
 import dns.resolver
 ns = dns.resolver.query(domain, s_type)
 for j in ns.response.answer:
 for i in j.items:
 txt_value = i.to_text().replace('"', '').strip()
 write_log("|-第 {} 次验证值: {}".format(n, txt_value))
 if txt_value == value:
 write_log("|-本地验证成功!")
 return True
 except:
 try:
 import dns.resolver
 except:
 return False
 time.sleep(3)
 write_log("|-本地验证失败!")
 return True
# 创建CSR
 def create_csr(self, index):
 if 'csr' in self._config['orders'][index]:
 return self._config['orders']['csr']
 domain_name, domain_alt_names = self.get_alt_names(index)
 X509Req = OpenSSL.crypto.X509Req()
 if not public.check_ip(domain_name):
 X509Req.get_subject().CN = domain_name
 if domain_alt_names:
 SAN = "DNS:{0}, ".format(domain_name).encode("utf8") + ", ".join(
 "DNS:" + i for i in domain_alt_names
 ).encode("utf8")
 else:
 SAN = "DNS:{0}".format(domain_name).encode("utf8")
 else:
 if domain_alt_names:
 SAN = "IP:{0}, ".format(domain_name).encode("utf8") + ", ".join(
 "IP:" + i for i in domain_alt_names
 ).encode("utf8")
 else:
 SAN = "IP:{0}".format(domain_name).encode("utf8")
X509Req.add_extensions(
 [
 OpenSSL.crypto.X509Extension(
 "subjectAltName".encode("utf8"), critical=False, value=SAN
 )
 ]
 )
 pk = OpenSSL.crypto.load_privatekey(
 OpenSSL.crypto.FILETYPE_PEM, self.create_certificate_key(
 index).encode()
 )
 X509Req.set_pubkey(pk)
 try:
 X509Req.set_version(2)
 except ValueError as e: # pyOpenSSL 新版本需要必须设置版本为0
 X509Req.set_version(0)
 X509Req.sign(pk, self._digest)
 return OpenSSL.crypto.dump_certificate_request(OpenSSL.crypto.FILETYPE_ASN1, X509Req)
def create_csr_new(self, index):
 from cryptography import x509
 from cryptography.x509.oid import NameOID
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives import serialization
 import ipaddress
 # 如果已经生成了 CSR,直接返回
 if 'csr' in self._config['orders'][index]:
 return self._config['orders'][index]['csr']
# 获取域名和备用域名
 domain_name, domain_alt_names = self.get_alt_names(index)
# 生成私钥
 pk = self.create_certificate_key(index).encode()
 private_key = serialization.load_pem_private_key(pk, password=None)
if public.check_ip(domain_name):
 # IP证书不需要CN
 csr_builder = x509.CertificateSigningRequestBuilder().subject_name(
 x509.Name([])
 )
 # 添加 subjectAltName 扩展
 if domain_alt_names:
 alt_names = [x509.IPAddress(ipaddress.ip_address(domain_name))] + [x509.IPAddress(ipaddress.ip_address(alt)) for alt in domain_alt_names]
 else:
 alt_names = [x509.IPAddress(ipaddress.ip_address(domain_name))]
 else:
 # 构建 CSR
 csr_builder = x509.CertificateSigningRequestBuilder().subject_name(
 x509.Name([
 x509.NameAttribute(NameOID.COMMON_NAME, domain_name),
 ])
 )
# 添加 subjectAltName 扩展
 if domain_alt_names:
 alt_names = [x509.DNSName(domain_name)] + [x509.DNSName(alt) for alt in domain_alt_names]
 else:
 alt_names = [x509.DNSName(domain_name)]
csr_builder = csr_builder.add_extension(
 x509.SubjectAlternativeName(alt_names),
 critical=False
 )
# 签署 CSR
 csr = csr_builder.sign(private_key, hashes.SHA256())
# 返回 CSR (ASN1 格式)
 return csr.public_bytes(serialization.Encoding.DER)
# 构造域名验证头和验证值
 def get_keyauthorization(self, token):
 acme_header_jwk_json = json.dumps(
 self.get_acme_header("GET_THUMBPRINT")["jwk"], sort_keys=True, separators=(",", ":")
 )
 acme_thumbprint = self.calculate_safe_base64(
 hashlib.sha256(acme_header_jwk_json.encode("utf8")).digest()
 )
 acme_keyauthorization = "{0}.{1}".format(token, acme_thumbprint)
 base64_of_acme_keyauthorization = self.calculate_safe_base64(
 hashlib.sha256(acme_keyauthorization.encode("utf8")).digest()
 )
return acme_keyauthorization, base64_of_acme_keyauthorization
# 构造验证信息
 def get_identifier_auth(self, index, url, auth_info):
 s_type = self.get_auth_type(index)
 write_log("|-验证类型:{}".format(s_type))
 domain = auth_info['identifier']['value']
 wildcard = False
 # 处理通配符
 if 'wildcard' in auth_info:
 wildcard = auth_info['wildcard']
 if wildcard:
 domain = "*." + domain
for auth in auth_info['challenges']:
 if auth['type'] != s_type:
 continue
 identifier_auth = {
 "domain": domain,
 "url": url,
 "wildcard": wildcard,
 "token": auth['token'],
 "dns_challenge_url": auth['url'],
 }
 return identifier_auth
 return None
# 获取域名验证方式
 def get_auth_type(self, index):
 if not index in self._config['orders']:
 raise Exception('指定订单不存在!')
 s_type = 'http-01'
 if 'auth_type' in self._config['orders'][index]:
 if self._config['orders'][index]['auth_type'] == 'dns':
 s_type = 'dns-01'
 elif self._config['orders'][index]['auth_type'] == 'tls':
 s_type = 'tls-alpn-01'
 else:
 s_type = 'http-01'
 return s_type
# 保存订单
 def save_order(self, order_object, index):
 if not 'orders' in self._config:
 self._config['orders'] = {}
 renew = False
 if not index:
 # index = public.md5(json.dumps(order_object['identifiers']))
 index = public.md5(str(uuid.uuid4()))
 else:
 renew = True
 order_object['certificate_url'] = self._config['orders'][index]['certificate_url']
 order_object['save_path'] = self._config['orders'][index]['save_path']
order_object['expires'] = self.utc_to_time(order_object['expires'])
 self._config['orders'][index] = order_object
 self._config['orders'][index]['index'] = index
 if not renew:
 self._config['orders'][index]['create_time'] = int(time.time())
 self._config['orders'][index]['renew_time'] = 0
 self.save_config()
 return index
# UTC时间转时间戳
 def utc_to_time(self, utc_string):
 try:
 utc_string = utc_string.split('.')[0]
 utc_date = datetime.datetime.strptime(
 utc_string, "%Y-%m-%dT%H:%M:%S")
 # 按北京时间返回
 return int(time.mktime(utc_date.timetuple())) + (3600 * 8)
 except:
 return int(time.time() + 86400 * 7)
# 获取kid
 def get_kid(self, force=False):
 #如果配置文件中不存在kid或force = True时则重新注册新的acme帐户
 if not 'account' in self._config:
 self._config['account'] = {}
 k = self._mod_index[self._debug]
 if not k in self._config['account']:
 self._config['account'][k] = {}
if not 'kid' in self._config['account'][k]:
 self._config['account'][k]['kid'] = self.register()
 self.save_config()
 time.sleep(3)
 self._config = self.read_config()
 return self._config['account'][k]['kid']
# 注册acme帐户
 def register(self, existing=False):
 if not 'email' in self._config:
 self._config['email'] = 'demo@bt.cn'
 if existing:
 payload = {"onlyReturnExisting": True}
 elif self._config['email']:
 payload = {
 "termsOfServiceAgreed": True,
 "contact": ["mailto:{0}".format(self._config['email'])],
 }
 else:
 payload = {"termsOfServiceAgreed": True}
 if self._debug == 'litessl':
 payload["externalAccountBinding"] = self.build_eab(
 account_jwk_pem=self.get_account_key(),
 new_account_url=self._apis['newAccount']
 )
 public.print_log(payload["externalAccountBinding"])
res = self.acme_request(url=self._apis['newAccount'], payload=payload)
if res.status_code not in [201, 200, 409]:
 raise Exception("注册ACME帐户失败: {}".format(res.json()))
 kid = res.headers["Location"]
 return kid
def build_eab(self, account_jwk_pem: str, new_account_url: str):
 """
 构造 External Account Binding (EAB)
 account_jwk_pem: RSA 私钥的 PEM 字符串
 """
 import base64
 import json
 import hmac
 import hashlib
 from cryptography.hazmat.primitives import serialization
# Base64URL 编码
 def b64url(data: bytes) -> str:
 return base64.urlsafe_b64encode(data).rstrip(b"=").decode("utf-8")
# 将整数转成 Base64URL(big-endian)
 def b64url_uint(val: int) -> str:
 length = (val.bit_length() + 7) // 8
 return base64.urlsafe_b64encode(val.to_bytes(length, "big")).rstrip(b"=").decode("utf-8")
# PEM 字符串 → RSA 私钥对象
 private_key = serialization.load_pem_private_key(
 account_jwk_pem.encode("utf-8"),
 password=None
 )
# RSA 公钥 → JWK dict
 public_numbers = private_key.public_key().public_numbers()
 public_jwk = {
 "kty": "RSA",
 "e": b64url_uint(public_numbers.e),
 "n": b64url_uint(public_numbers.n)
 }
# 1. 请求 EAB 参数
 eab_res = requests.post("https://www.bt.cn/api/v3/litessl/eab")
 eab_data = eab_res.json()
 self._config["eab_kid"] = eab_data["res"]["data"]["eab_kid"]
 self._config["eab_hmac_key"] = eab_data["res"]["data"]["eab_mac_key"]
# 2. protected header
 protected = {
 "alg": "HS256",
 "kid": self._config["eab_kid"],
 "url": new_account_url
 }
 protected_b64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
# 3. payload = 公钥 JWK
 payload_b64 = b64url(json.dumps(public_jwk, separators=(",", ":")).encode())
# 4. HMAC-SHA256 签名
 def base64url_decode(s: str) -> bytes:
 # 补全 '=' 使长度能被4整除
 s = s + "=" * (-len(s) % 4)
 return base64.urlsafe_b64decode(s)
hmac_key = base64url_decode(self._config["eab_hmac_key"])
 signing_input = f"{protected_b64}.{payload_b64}".encode()
 signature = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
 signature_b64 = b64url(signature)
# 5. 返回 EAB
 return {
 "protected": protected_b64,
 "payload": payload_b64,
 "signature": signature_b64
 }
# 请求到ACME接口
 def acme_request(self, url, payload):
 headers = {"User-Agent": self._user_agent}
 payload = self.stringfy_items(payload)
if payload == "":
 payload64 = payload
 else:
 payload64 = self.calculate_safe_base64(json.dumps(payload))
 protected = self.get_acme_header(url)
 protected64 = self.calculate_safe_base64(json.dumps(protected))
 signature = self.sign_message(
 message="{0}.{1}".format(protected64, payload64)) # bytes
 signature64 = self.calculate_safe_base64(signature) # str
 data = json.dumps(
 {"protected": protected64, "payload": payload64,
 "signature": signature64}
 )
 headers.update({"Content-Type": "application/jose+json"})
 response = requests.post(
 url, data=data.encode("utf8"), timeout=self._acme_timeout, headers=headers, verify=self._verify,s_type=self._request_type
 )
 # 更新随机数
 self.update_replay_nonce(response)
 return response
# 计算signature
 def sign_message(self, message):
 try:
 pk = OpenSSL.crypto.load_privatekey(
 OpenSSL.crypto.FILETYPE_PEM, self.get_account_key().encode())
 return OpenSSL.crypto.sign(pk, message.encode("utf8"), self._digest)
 except:
 return self.sign_message_new(message)
def sign_message_new(self, message):
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import padding
import ssl_info
 pk = ssl_info.ssl_info().analysis_private_key(self.get_account_key())
 return pk.sign(message.encode("utf8"), padding.PKCS1v15(), hashes.SHA256())
# 系列化payload
 def stringfy_items(self, payload):
 if isinstance(payload, str):
 return payload
for k, v in payload.items():
 if isinstance(k, bytes):
 k = k.decode("utf-8")
 if isinstance(v, bytes):
 v = v.decode("utf-8")
 payload[k] = v
 return payload
# 获取随机数
 def get_nonce(self, force=False):
 # 如果没有保存上一次的随机数或force=True时则重新获取新的随机数
 if not self._replay_nonce or force:
 headers = {"User-Agent": self._user_agent}
 response = requests.get(
 self._apis['newNonce'],
 timeout=self._acme_timeout,
 headers=headers,
 verify=self._verify,
 s_type=self._request_type
 )
 self._replay_nonce = response.headers["Replay-Nonce"]
 return self._replay_nonce
# 获请ACME请求头
 def get_acme_header(self, url):
 header = {"alg": "RS256", "nonce": self.get_nonce(), "url": url}
 if url in [self._apis['newAccount'], 'GET_THUMBPRINT']:
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 private_key = serialization.load_pem_private_key(
 self.get_account_key().encode(),
 password=None,
 backend=default_backend(),
 )
 public_key_public_numbers = private_key.public_key().public_numbers()
exponent = "{0:x}".format(public_key_public_numbers.e)
 exponent = "0{0}".format(exponent) if len(
 exponent) % 2 else exponent
 modulus = "{0:x}".format(public_key_public_numbers.n)
 jwk = {
 "kty": "RSA",
 "e": self.calculate_safe_base64(binascii.unhexlify(exponent)),
 "n": self.calculate_safe_base64(binascii.unhexlify(modulus)),
 }
 header["jwk"] = jwk
 else:
 header["kid"] = self.get_kid()
 return header
# 转为无填充的Base64
 def calculate_safe_base64(self, un_encoded_data):
 if sys.version_info[0] == 3:
 if isinstance(un_encoded_data, str):
 un_encoded_data = un_encoded_data.encode("utf8")
 r = base64.urlsafe_b64encode(un_encoded_data).rstrip(b"=")
 return r.decode("utf8")
# 获用户取密钥对
 def get_account_key(self):
 if not 'account' in self._config:
 self._config['account'] = {}
 k = self._mod_index[self._debug]
 if not k in self._config['account']:
 self._config['account'][k] = {}
if not 'key' in self._config['account'][k]:
 try:
 self._config['account'][k]['key'] = self.create_key()
 except:
 self._config['account'][k]['key'] = self.create_key_new()
 if type(self._config['account'][k]['key']) == bytes:
 self._config['account'][k]['key'] = self._config['account'][k]['key'].decode()
 self.save_config()
 return self._config['account'][k]['key']
# 获取证书密钥对
 def create_certificate_key(self, index):
 # 判断是否已经创建private_key
 if 'private_key' in self._config['orders'][index]:
 return self._config['orders'][index]['private_key']
 # 创建新的私钥
 try:
 private_key = self.create_key()
 except:
 private_key = self.create_key_new()
 if type(private_key) == bytes:
 private_key = private_key.decode()
 # 保存私钥到订单配置文件
 self._config['orders'][index]['private_key'] = private_key
 self.save_config()
 return private_key
# 创建Key
 def create_key(self, key_type=None):
 if key_type not in [OpenSSL.crypto.TYPE_RSA, OpenSSL.crypto.TYPE_DSA, OpenSSL.crypto.TYPE_EC]:
 key_type = OpenSSL.crypto.TYPE_RSA
 key = OpenSSL.crypto.PKey()
 key.generate_key(key_type, self._bits)
 private_key = OpenSSL.crypto.dump_privatekey(
 OpenSSL.crypto.FILETYPE_PEM, key)
 return private_key
def create_key_new(self, key_type='RSA'):
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa, ec, ed25519
if key_type == 'RSA':
 private_key = rsa.generate_private_key(
 public_exponent=65537,
 key_size=self._bits
 )
 elif key_type == 'EC':
 private_key = ec.generate_private_key(ec.SECP256R1())
 elif key_type == 'ED25519':
 private_key = ed25519.Ed25519PrivateKey.generate()
 else:
 raise ValueError(f"Unsupported key type: {key_type}")
private_key_pem = private_key.private_bytes(
 encoding=serialization.Encoding.PEM,
 format=serialization.PrivateFormat.PKCS8,
 encryption_algorithm=serialization.NoEncryption()
 )
 return private_key_pem
# 写配置文件
 def save_config(self):
 fp = open(self._conf_file_v2, 'w+')
 fcntl.flock(fp, fcntl.LOCK_EX) # 加锁
 fp.write(json.dumps(self._config))
 fcntl.flock(fp, fcntl.LOCK_UN) # 解锁
 fp.close()
 return True
# 读配置文件
 def read_config(self):
 if not os.path.exists(self._conf_file_v2):
 self._config['orders'] = {}
 self._config['account'] = {}
 self._config['apis'] = {}
 self._config['email'] = public.M('config').where('id=?',(1,)).getField('email')
 if self._config['email'] in [public.en_hexb('4d6a67334f5459794e545932514846784c6d4e7662513d3d')]:
 self._config['email'] = None
 self.save_config()
 return self._config
 tmp_config = public.readFile(self._conf_file_v2)
 if not tmp_config:
 return self._config
 try:
 self._config = json.loads(tmp_config)
 except:
 self.save_config()
 return self._config
 return self._config
def check_config(self, index, key, value) -> bool:
 tmp_config = public.readFile(self._conf_file_v2)
 if not tmp_config:
 return False
 try:
 config_data = json.loads(tmp_config)
 except:
 return False
if index not in config_data.get("orders", {}):
 return False
if key not in config_data['orders'][index]:
 return False
 if config_data['orders'][index][key] == value:
 return True
 else:
 return False
# 申请证书
 def apply_cert(self, domains, auth_type='dns', auth_to='Dns_com|None|None', **args):
 index = ''
 write_log("", "wb+")
 for i in range(len(domains)):
 domains[i] = domains[i].replace("[", "").replace("]", "")
 try:
 if 'ca' in args:
 public.set_module_logs(args['ca'], "apply_cert_ca", 1)
 self._debug = args['ca']
 self._url = url_dic.get(self._debug, url_dic['letsencrypt'])
 self.get_apis()
 index = None
 if 'index' in args:
 index = args['index']
 if not index: # 判断是否只想验证域名
 write_log("|-正在创建订单..")
 index = self.create_order(domains, auth_type, auth_to)
 write_log("|-正在获取验证信息..")
 self.get_auths(index)
 if auth_to == 'dns' and len(self._config['orders'][index]['auths']) > 0:
 auth_domains = [i["domain"].replace("*.", "") for i in self._config['orders'][index]['auths']]
 if len(auth_domains) != len(set(auth_domains)):
 self._config['orders'][index]["error"] = True
 self._config['orders'][index]["error_msg"] = "检测到解析记录存在冲突,请分别验证以下域名"
 return self._config['orders'][index]
 else:
 if "ca" in self._config['orders'][index]:
 self._debug = self._config['orders'][index]['ca']
 self._url = url_dic.get(self._debug, url_dic['letsencrypt'])
 self.get_apis()
 write_log("|-正在验证域名..")
 self.auth_domain(index)
 self.remove_dns_record()
 write_log("|-正在发送CSR..")
 self.send_csr(index)
 write_log("|-正在下载证书..")
 cert = self.download_cert(index)
 if domains and public.check_ip(domains[0]):
 public.set_module_logs("apply_ipssl_success", "apply_ipssl_success", 1)
 cert['status'] = True
 cert['msg'] = '申请成功!'
 write_log("|-申请成功,正在部署到站点..")
 return cert
 except Exception as ex:
 self.remove_dns_record()
 ex = str(ex)
 if ex.find(">>>>") != -1:
 msg = ex.split(">>>>")
 msg[1] = json.loads(msg[1])
 else:
 msg = ex
 write_log(public.get_error_info())
 _res = {"status": False, "msg": msg, "index": index}
 return _res
# 申请证书 - api
 def apply_cert_api(self, args):
 """
 @name 申请证书
 @param domains: list 域名列表
 @param auth_type: str 认证方式
 @param auth_to: str 认证路径
 @param auto_wildcard: str 是否自动组合泛域名
 """
 if not 'id' in args:
 return public.returnMsg(False,'网站id不能为空!')
if 'auto_wildcard' in args and args.auto_wildcard == '1':
 self._auto_wildcard = True
find = public.M('sites').where('id=?', (args.id,)).find()
 if not find:
 return public.returnMsg(False, "网站丢失,无法继续申请证书")
if args.auth_type in ['http', 'tls']:
 if find["status"] != "1":
 return public.returnMsg(False, "当前网站未开启不能使用文件验证")
 if not self.can_use_base_file_check(find["name"], find["project_type"]):
 webserver: str = public.get_webserver()
 msg = "当前项目的服务({})配置文件被修改不支持文件验证,请选择其他方式或还原配置文件".format(webserver.title())
 if webserver != 'nginx':
 return public.returnMsg(False, msg)
 # nginx 检测其他两种方案的可行性
 if not self.can_use_lua_for_site(find["name"], find["project_type"]) and \
 not self.can_use_if_for_file_check(find["name"], find["project_type"]):
return public.returnMsg(False, msg)
# 是否为指定站点
 count = public.M('sites').where(
 'id=? and project_type in (?,?,?,?)',
 (args.id, 'Java', 'Go', 'Other', "Python")
 ).count()
 if count:
 try:
 project_info = json.loads(find['project_config'])
 if 'ssl_path' not in project_info:
 ssl_path = '/www/wwwroot/java_node_ssl'
 else:
 ssl_path = project_info['ssl_path']
 if not os.path.exists(ssl_path):
 os.makedirs(ssl_path)
args.auth_to = ssl_path
 except:
 return public.returnMsg(False, '当前项目配置文件存在问题,请重新建立')
 else:
 if re.match(r"^\d+$", args.auth_to):
 import panelSite
 args.auth_to = find['path'] + '/' + panelSite.panelSite().GetRunPath(args)
 args.auth_to = args.auth_to.replace("//", "/")
 if args.auth_to[-1] == '/':
 args.auth_to = args.auth_to[:-1]
if not os.path.exists(args.auth_to):
 return public.returnMsg(False, '无效的站点目录,请检查指定站点是否存在!')
#检查认证环境
 if args.auth_type in ['http', 'tls']:
 check_result = self.check_auth_env(args)
 if check_result:
 return check_result
if "ca" in args and args.ca:
 ca = args.ca
 else:
 ca = False
return self.apply_cert(json.loads(args.domains), args.auth_type, args.auth_to,ca=ca)
# 检查认证环境
 def check_auth_env(self,args):
 for domain in json.loads(args.domains):
 if public.checkIp(domain): continue
 if domain.find('*.') != -1 and args.auth_type in ['http','tls']:
 return public.returnMsg(False, '泛域名不能使用【文件验证】的方式申请证书!')
data = public.M('sites').where('id=?', (args.id,)).find()
 if not data:
 return public.returnMsg(False, "网站丢失,无法继续申请证书")
 else:
 args.siteName = data['name']
 site_type = data["project_type"]
use_nginx_conf_to_auth = False
 if args.auth_type in ['http', 'tls'] and public.get_webserver() == "nginx": # nginx 在lua验证和可重启的
 if self.can_use_lua_for_site(args.siteName, site_type):
 use_nginx_conf_to_auth = True
 else:
 if self.can_use_if_for_file_check(args.siteName, site_type):
 use_nginx_conf_to_auth = True
import panelSite
 s = panelSite.panelSite()
 if args.auth_type in ['http', 'tls'] and use_nginx_conf_to_auth is False:
 try:
 args.sitename = args.siteName
 data = s.GetRedirectList(args)
 # 检查重定向是否开启
 if type(data) == list:
 for x in data:
 if x['type']: return public.returnMsg(False, 'SITE_SSL_ERR_301')
 data = s.GetProxyList(args)
 # 检查反向代理是否开启
 if type(data) == list:
 for x in data:
 if x['type']: return public.returnMsg(False,'已开启反向代理的站点无法申请SSL!')
 # 检查旧重定向是否开启
 data = s.Get301Status(args)
 if data['status']:
 return public.returnMsg(False,'网站已经开启重定向,请关闭后再申请!')
 #判断是否强制HTTPS
 if s.IsToHttps(args.siteName):
 return public.returnMsg(False, '配置强制HTTPS后无法使用【文件验证】的方式申请证书!')
 except:
 return False
 else:
 if args.auth_to.find('Dns_com') != -1:
 if not os.path.exists('plugin/dns/dns_main.py'):
 return public.returnMsg(False, '请先到软件商店安装【云解析】,并完成域名NS绑定.')
return False
# DNS手动验证
 def apply_dns_auth(self, args):
 if not hasattr(args, "index") or not args.index:
 return public.returnMsg(False, "参数信息不完整,没有索引参数【index】")
 return self.apply_cert([], auth_type='dns', auth_to='dns', index=args.index)
#创建计划任务
 def set_crond(self):
 try:
 echo = public.md5(public.md5('renew_lets_ssl_bt'))
 find = public.M('crontab').where('echo=?',(echo,)).find()
 cron_id = find['id'] if find else None
import crontab
 import random
 args_obj = public.dict_obj()
 if not cron_id:
 # 计划任务不存在且未关闭自动续签则创建任务
 if os.path.exists("/www/server/panel/data/close_ssl_auto_renewal.pl"):
 return
 cronPath = public.GetConfigValue('setup_path') + '/cron/' + echo
 shell = '{} -u /www/server/panel/class/acme_v2.py --renew_v2=1'.format(sys.executable)
 public.writeFile(cronPath,shell)
# 使用随机时间
 hour = random.randint(0, 23)
 minute = random.randint(1, 59)
 args_obj.id = public.M('crontab').add('name,type,where1,where_hour,where_minute,echo,addtime,status,save,backupTo,sType,sName,sBody,urladdress',("续签Let's Encrypt证书",'day','',hour,minute,echo,time.strftime('%Y-%m-%d %X',time.localtime()),0,'','localhost','toShell','',shell,''))
 crontab.crontab().set_cron_status(args_obj)
 else:
 # 计划任务存在则检查是否关闭自动续签,关闭则删除任务
 if os.path.exists("/www/server/panel/data/close_ssl_auto_renewal.pl"):
 # 删除任务
 args_obj.id = cron_id
 crontab.crontab().DelCrontab(args_obj)
 return
 # 检查任务如果是0点10分执行,改为随机时间
 if find['where_hour'] == 0 and find['where_minute'] == 10:
 print('修改任务时间')
 # 使用随机时间
 hour = random.randint(0, 23)
 minute = random.randint(1, 59)
 public.M('crontab').where('id=?',(cron_id,)).save('where_hour,where_minute,status',(hour,minute,0))
# 停用任务
 args_obj.id = cron_id
 crontab.crontab().set_cron_status(args_obj)
# 启用任务
 public.M('crontab').where('id=?',(cron_id,)).setField('status',1)
 crontab.crontab().set_cron_status(args_obj)
cron_path = public.get_cron_path()
 if os.path.exists(cron_path):
 cron_s = public.readFile(cron_path)
 if cron_s.find(echo) == -1:
 public.M('crontab').where('id=?',(cron_id,)).setField('status',0)
 args_obj.id = cron_id
 crontab.crontab().set_cron_status(args_obj)
 except:pass
# 获取当前正在使用此证书的网站目录
 def get_ssl_used_site(self, index):
 hash_dic = self.get_exclude_hash(public.dict_obj())
 if not hash_dic: return False
 ssl_hash = hash_dic.get("exclude_hash_let", {}).get(index, '')
 if not ssl_hash: return False
cert_paths = 'vhost/cert'
 import panelSite
 args = public.dict_obj()
 args.siteName = ''
 for c_name in os.listdir(cert_paths):
 skey_file = '{}/{}/fullchain.pem'.format(cert_paths,c_name)
 try:
 skey = self._hash(cert_filename=skey_file)
 except:
 continue
 if not skey: continue
 if skey == ssl_hash:
 args.siteName = c_name
 site_info = public.M('sites').where('name=?', c_name).find()
 if not site_info or isinstance(site_info, str):
 return False
 if site_info["project_type"] not in ("PHP", "proxy"):
 if not os.path.isdir(site_info["path"]):
 return os.path.dirname(site_info["path"])
 else:
 return site_info["path"]
run_path = panelSite.panelSite().GetRunPath(args)
 if not run_path:
 continue
 sitePath = public.M('sites').where('name=?',c_name).getField('path')
 if not sitePath:
 continue
 to_path = "{}/{}".format(sitePath,run_path)
 to_path = to_path.replace("//", "/")
 return to_path
 return False
def get_index(self,domains):
 '''
 @name 获取标识
 @author hwliang<2022-02-10>
 @param domains<list> 域名列表
 @return string
 '''
 identifiers = []
 for domain_name in domains:
 identifiers.append({"type": 'dns', "value": domain_name})
 return public.md5(json.dumps(identifiers))
# 续签同品牌其它证书
 def renew_cert_other(self):
 '''
 @name 续签同品牌其它证书
 @author hwliang<2022-02-10>
 @return void
 '''
 cert_path = "{}/vhost/cert".format(public.get_panel_path())
 if not os.path.exists(cert_path): return
 new_time = time.time() + (86400 * 30)
 n=0
 if not 'orders' in self._config: self._config['orders'] = {}
 import panelSite
 siteObj = panelSite.panelSite()
 args = public.dict_obj()
 for siteName in os.listdir(cert_path):
 try:
 cert_file = '{}/{}/fullchain.pem'.format(cert_path,siteName)
 if not os.path.exists(cert_file): continue # 无证书文件
 siteInfo = public.M('sites').where('name=?',siteName).find()
 if not siteInfo: continue # 无网站信息
 cert_init = self.get_cert_init(cert_file)
 if not cert_init: continue # 无法获取证书
 end_time = time.mktime(time.strptime(cert_init['notAfter'],'%Y-%m-%d'))
 if end_time > new_time: continue # 未到期
 try:
 if not cert_init['issuer'] in ['R3',"Let's Encrypt"] and cert_init['issuer'].find("Let's Encrypt") == -1 and cert_init.get('issuer_O', "") != "Let's Encrypt":
 continue # 非同品牌证书
 except: continue
if isinstance(cert_init['dns'],str): cert_init['dns'] = [cert_init['dns']]
 index = self.get_index(cert_init['dns'])
 if index in self._config['orders'].keys(): continue # 已在订单列表
n+=1
 write_log("|-正在续签第 {} 张其它证书,域名: {}..".format(n,cert_init['subject']))
 write_log("|-正在创建订单..")
 args.id = siteInfo['id']
 runPath = siteObj.GetRunPath(args)
 if runPath and not runPath in ['/']:
 path = siteInfo['path'] + '/' + runPath
 else:
 path = siteInfo['path']
self.renew_cert_to(cert_init['dns'],'http',path.replace('//','/'))
 except:
 write_log("|-[{}]续签失败".format(siteName))
# 关闭强制https
 def close_httptohttps(self,siteName):
 try:
if not siteName: siteName
 import panelSite
 site_obj = panelSite.panelSite()
 if not site_obj.IsToHttps(siteName):
 return False
 get = public.dict_obj()
 get.siteName = siteName
 site_obj.CloseToHttps(get)
 return True
 except:
 return False
# 恢复强制https
 def rep_httptohttps(self,siteName):
 try:
 if not siteName: return False
 import panelSite
 site_obj = panelSite.panelSite()
 if not site_obj.IsToHttps(siteName):
 get = public.dict_obj()
 get.siteName = siteName
 site_obj.HttpToHttps(get)
 return True
 except:
 return False
def renew_cert_to(self,domains,auth_type,auth_to,index = None):
 siteName = None
 cert = {}
 if os.path.exists(auth_to):
 if public.M('sites').where('path=?',auth_to).count() == 1:
 site_id = public.M('sites').where('path=?',auth_to).getField('id')
 siteName = public.M('sites').where('path=?',auth_to).getField('name')
 r_status = public.M('sites').where('path=?',auth_to).getField('status')
 if r_status != '1':
 write_log("|- 该证书使用了【文件验证】方式,但网站【{}】未启动,只能跳过续签。".format(siteName))
 return public.returnMsg(False, "该证书使用了【文件验证】方式,但网站【{}】未启动,只能跳过续签。".format(siteName))
 import panelSite
 siteObj = panelSite.panelSite()
 args = public.dict_obj()
 args.id = site_id
 runPath = siteObj.GetRunPath(args)
 if runPath and not runPath in ['/']:
 path = auth_to + '/' + runPath
 if os.path.exists(path): auth_to = path.replace('//','/')
else:
 siteName, _ = self.get_site_name_by_domains(domains)
isError = public.checkWebConfig()
 if isError is not True and public.get_webserver() == "nginx":
 write_log("|- 该证书使用了【文件验证】方式,但目前无法重载nginx服务器配置文件,只能跳过续签。")
 write_log("|- 配置文件报错信息如下:")
 write_log(isError)
is_rep = self.close_httptohttps(siteName)
 try:
 index = self.create_order(
 domains,
 auth_type,
 auth_to.replace('//','/'),
 index
 )
write_log("|-正在获取验证信息..")
 self.get_auths(index)
 write_log("|-正在验证域名..")
 self.auth_domain(index)
 write_log("|-正在发送CSR..")
 self.remove_dns_record()
 self.send_csr(index)
 write_log("|-正在下载证书..")
 cert = self.download_cert(index)
 self._config['orders'][index]['renew_time'] = int(time.time())
# 清理失败重试记录
 self._config['orders'][index]['retry_count'] = 0
 self._config['orders'][index]['next_retry_time'] = 0
# 保存证书配置
 self.save_config()
 cert['status'] = True
 cert['msg'] = '续签成功!'
 write_log("|-续签成功!")
 except Exception as e:
if str(e).find('请稍候重试') == -1: # 受其它证书影响和连接CA失败的的不记录重试次数
 if index:
 # 设置下次重试时间
 self._config['orders'][index]['next_retry_time'] = int(time.time() + (86400 * 2))
 # 记录重试次数
 if not 'retry_count' in self._config['orders'][index].keys():
 self._config['orders'][index]['retry_count'] = 1
 self._config['orders'][index]['retry_count'] += 1
 # 保存证书配置
 self.save_config()
 e = str(e)
 if e.find(">>>>") != -1:
 msg = e.split(">>>>")[0]
 err = json.loads(e.split(">>>>")[1])
 else:
 msg = e
 err = {}
 write_log("|-" + msg)
 return {"status": False, "msg": msg, "err": err}
 finally:
 if is_rep: self.rep_httptohttps(siteName)
 write_log("-" * 70)
 return cert
def set_auto_renew_status(self, index, status, error_msg=''):
 """
 @name 设置自动续签状态
 @param index:
 @param status:
 @param error_msg:
 @return:
 """
 path = "{}/config/letsencrypt_auto_renew.json".format(public.get_panel_path())
 try:
 data = json.loads(public.readFile(path))
 data[index] = {"status": status, "error_msg": error_msg}
 except:
 data = {index: {"status": status, "error_msg": error_msg}}
 public.writeFile(path, json.dumps(data))
# 续签证书
 def renew_cert(self, index, cycle=None):
 write_log("", "wb+")
 set_status = False
 index_info = None
 try:
 order_index = []
 if index:
 set_status = True
 if type(index) != str:
 index = index.index
 if not index in self._config['orders']:
 write_log("|-指定订单号不存在,无法续签!")
 self.set_auto_renew_status(index, -1, "指定订单号不存在,无法续签!")
 raise Exception("指定订单号不存在,无法续签!")
 if cycle:
 s_time = time.time() + (int(cycle) * 86400)
 if self._config['orders'][index]['cert_timeout'] > s_time:
 self.set_auto_renew_status(index, 0, "|-过期时间大于{}天,跳过续签!".format(cycle))
 write_log("|-过期时间大于{}天,跳过续签!".format(cycle))
 return
 order_index.append(index)
 else:
 s_time = time.time() + (30 * 86400)
 if not 'orders' in self._config: self._config['orders'] = {}
 for i in self._config['orders'].keys():
 if not 'save_path' in self._config['orders'][i]:
 continue
 if 'cert' in self._config['orders'][i]:
 self._config['orders'][i]['cert_timeout'] = self._config['orders'][i]['cert']['cert_timeout']
 if not 'cert_timeout' in self._config['orders'][i]:
 self._config['orders'][i]['cert_timeout'] = int(time.time())
 if self._config['orders'][i]['cert_timeout'] > s_time:
 continue
# 已删除的网站直接跳过续签
 # is_file_check = (self._config['orders'][i]['auth_to'].find('|') == -1 or
 # not self._config['orders'][i]['auth_to'].startswith("dns")
 # ) and self._config['orders'][i]['auth_to'].find('/') != -1
 # if is_file_check:
 # if not os.path.exists(self._config['orders'][i]['auth_to']):
 # ^^^^^^^^^^——————————这个不能判断网站已被删除的情况下,文件夹未删除时的问题
 # _auth_to = self.get_ssl_used_site(self._config['orders'][i]['save_path'])
 _auth_to = self.get_ssl_used_site(i)
 if not _auth_to:
 continue
# 域名不存在?
 for domain in self._config['orders'][i]['domains']:
 if domain.find('*') != -1:
 break
 if not public.M('domain').where("name=?",(domain,)).count() and not public.M('binding').where("domain=?",domain).count():
 _auth_to = None
 write_log("|-跳过被删除的域名: {}".format(self._config['orders'][i]['domains']))
 if not _auth_to: continue
 self._config['orders'][i]['auth_to'] = _auth_to
# 是否到了允许重试的时间
 if 'next_retry_time' in self._config['orders'][i]:
 timeout = self._config['orders'][i]['next_retry_time'] - int(time.time())
 if timeout > 0:
 write_log('|-本次跳过域名:{},因第上次续签失败,还需要等待{}小时后再重试'.format(self._config['orders'][i]['domains'],int(timeout / 60 / 60)))
 continue
# # 是否到了最大重试次数
 # if 'retry_count' in self._config['orders'][i]:
 # if self._config['orders'][i]['retry_count'] >= 5:
 # write_log('|-本次跳过域名:{},因连续5次续签失败,不再续签此证书(可尝试手动续签此证书,成功后错误次数将被重置)'.format(self._config['orders'][i]['domains']))
 # continue
# 加入到续签订单
 order_index.append(i)
 if not order_index:
 write_log("|-没有找到30天内到期的SSL证书,正在尝试去寻找其它可续签证书!")
 self.get_apis()
 self.renew_cert_other()
 write_log("|-所有任务已处理完成!")
 return
 write_log("|-共需要续签 {} 张证书".format(len(order_index)))
 n = 0
 self.get_apis()
 cert = None
 for index in order_index:
 n += 1
 domains = _test_domains(self._config['orders'][index]['domains'], self._config['orders'][index]['auth_to'],self._config['orders'][index]['auth_type'])
 if len(domains) == 0:
 write_log("|-第 {} 张证书下的域名全部未使用(这些域名是:[{}]),已跳过。".format(n, ",".join(self._config['orders'][index]['domains'])))
 err_msg = "域名全部未使用,已跳过。"
 if set_status:
 self.set_auto_renew_status(index, -1, err_msg)
 continue
 else:
 index_info = self._config['orders'][index]
 self._config['orders'][index]['domains'] = domains
 write_log("|-正在续签第 {} 张,域名: {}..".format(n,self._config['orders'][index]['domains']))
 write_log("|-正在创建订单..")
 cert = self.renew_cert_to(self._config['orders'][index]['domains'],self._config['orders'][index]['auth_type'],self._config['orders'][index]['auth_to'],index)
 err_msg = "续签失败!"
 if not cert:
 return public.returnMsg(False, err_msg)
 if cert.get('status') is False and set_status:
 self.set_auto_renew_status(index, -1, cert.get('msg'))
 self._config['orders'][index] = index_info
 self.save_config()
 if (cert.get('status') is None or cert.get('status') is True) and set_status:
 self.set_auto_renew_status(index, 1, "续签成功!")
 return cert
except Exception as ex:
 self.remove_dns_record()
 ex = str(ex)
 if ex.find(">>>>") != -1:
 msg = ex.split(">>>>")
 msg[1] = json.loads(msg[1])
 else:
 msg = ex
 write_log(public.get_error_info())
 if set_status:
 self.set_auto_renew_status(index, -1, msg)
 if index_info:
 self._config['orders'][index] = index_info
 self.save_config()
 return public.returnMsg(False, msg)
def renew_cert_v2(self, index, cycle):
 if index:
 hash_list = [index]
 else:
 # 获取所有网站证书
 from sslModel import certModel
 certModel = certModel.main()
 use_cert_list = certModel.get_cert_to_site(True)
 hash_list = use_cert_list.keys()
 s = 0
 from sslModel import base
 dns_data = base.sslBase().get_dns_data(None)
 for ssl_hash in hash_list:
 s += 1
 write_log("|-正在续签第 {} 张证书,共 {} 张..".format(s, len(hash_list)))
 cert_data = public.M('ssl_info').where('hash=?', ssl_hash).find()
 if not cert_data:
 write_log("|-【{}】没有找到指定证书信息,无法续签!".format(ssl_hash))
 continue
 # 借用ps字段,记录证书续签状态
 if cert_data['ps'] == "renewed":
 write_log("|-【{}】证书已续签,无需续签!".format(ssl_hash))
 continue
 try:
 cert_info = json.loads(cert_data['info'])
 except:
 write_log(public.get_error_info())
 write_log("|-【{}】证书信息格式错误,无法续签,请尝试手动续签!".format(ssl_hash))
 continue
 ca = ""
 if cert_info.get('issuer') in ("R3", "R8", "R11", "R10", "R5") or cert_info.get('issuer_O', '') == "Let's Encrypt":
 ca = "Let's Encrypt"
 self._debug = False
 self._url = "https://acme-v02.api.letsencrypt.org/directory"
 if "LiteSSl" in cert_info.get('issuer') or cert_info.get('issuer_O', '') == "TrustAsia Technologies, Inc.":
 ca = "TrustAsia Technologies, Inc."
 self._debug = "litessl"
 self._url = "https://acme.litessl.com/acme/v2/directory"
 if ca not in ("Let's Encrypt", "TrustAsia Technologies, Inc."):
 write_log("|-【{}】非Let's Encrypt或TrustAsia证书,无法续签,请尝试手动续签!".format(ssl_hash))
 continue
 # 计算 30 天后的日期
 if cycle:
 cycle = int(cycle)
 # 计算 30 天后的日期
 future_date = (datetime.datetime.now().date() + datetime.timedelta(days=cycle)).strftime('%Y-%m-%d')
 if future_date < cert_info['notAfter']:
 write_log("|-【{}】到期时间大于{}天,无需续签!".format(ssl_hash, cycle))
 continue
 else:
 try:
 notBefore = datetime.datetime.strptime(cert_info['notBefore'][:10], "%Y-%m-%d").timestamp()
 notAfter = datetime.datetime.strptime(cert_info['notAfter'][:10], "%Y-%m-%d").timestamp()
 except Exception as e:
 write_log("|-【{}】证书时间格式错误,无法续签,请尝试手动续签!".format(ssl_hash))
 write_log(public.get_error_info())
 continue
 total_time = notAfter - notBefore
 if total_time >= 90 * 86400:
 renew_time = notAfter - (30 * 86400)
 else:
 renew_time = notAfter - (total_time / 3)
if renew_time > time.time():
 write_log("|-【{}】未到续签时间,下次续签:{}".format(ssl_hash, time.strftime('%Y-%m-%d', time.localtime(renew_time))))
 continue
 # 判断是否有泛域名
 wildcard = False
 if "*" in ",".join(cert_info['dns']):
 write_log("|-【{}】存在泛域名,只能用dns验证方式续签!".format(ssl_hash))
 wildcard = True
 # 判断是否绑定了dns-api
 auth_domains = []
 for i in cert_info['dns']:
 root_domain, _, _ = base.sslBase().extract_zone(i)
 root_domain_info = public.M('ssl_domains').where("domain=?", root_domain).find()
 if not root_domain_info or (root_domain_info.get("dns_id") not in dns_data.keys() and "cloud_id=" not in root_domain_info.get("dns_id")):
 write_log("|-根域名【{}】未绑定dns-api,跳过域名: {}!".format(root_domain, i))
 continue
 auth_domains.append(i)
 if not auth_domains:
 write_log("|-【{}】域名全部未绑定dns-api,无法使用dns验证续签!".format(ssl_hash))
 dns_auth = False
 if wildcard:
 continue
 else:
 dns_auth = True
 if set(auth_domains) == set(cert_info['dns']):
 write_log("|-【{}】全部域名已绑定dns-api,正在尝试使用dns验证续签!".format(ssl_hash))
 self.get_apis()
 cert = self.renew_cert_to(auth_domains, "dns", "dns-api")
 if cert.get('status') is False:
 continue
 public.M('ssl_info').where('hash=?', ssl_hash).update({"ps": "renewed"})
 continue
 else:
 http_auth = False
 write_log("|-【{}】正在检测文件验证是否可用".format(ssl_hash))
 sites = {}
 for domain in cert_info['dns']:
 domain_info = public.M('domain').where("name=?", domain).find()
 if not domain_info:
 write_log("|-域名【{}】不存在,跳过!".format(domain))
 continue
 if not sites.get(domain_info["pid"]):
 sites[domain_info["pid"]] = [domain]
 else:
 sites[domain_info["pid"]].append(domain)
 if not sites:
 write_log("|-【{}】没有找到可用的文件验证站点,请尝试手动续签!".format(ssl_hash))
 # 暂时不做多网站文件验证
 if len(sites.keys()) > 1:
 write_log("|-【{}】检测到验证域名分散在多个站点,暂时不支持多个站点文件验证!".format(ssl_hash))
 for site_id, domains in sites.items():
 site_info = public.M('sites').where("id=?", site_id).find()
 if not site_info:
 write_log("|-站点【{}】不存在,跳过!".format(site_id))
 break
 if set(domains) == set(cert_info['dns']) or len(domains) > len(auth_domains):
 http_auth = True
 break
 if http_auth:
 write_log("|-【{}】正在尝试使用文件验证续签!".format(ssl_hash))
 self.get_apis()
 cert = self.renew_cert_to(domains, "http", site_info['path'])
 if cert.get('status') is False:
 continue
 public.M('ssl_info').where('hash=?', ssl_hash).update({"ps": "renewed"})
 continue
 elif dns_auth:
 write_log("|-【{}】正在尝试使用dns验证续签!".format(ssl_hash))
 self.get_apis()
 cert = self.renew_cert_to(auth_domains, "dns", "dns-api")
 if cert.get('status') is False:
 continue
 public.M('ssl_info').where('hash=?', ssl_hash).update({"ps": "renewed"})
 continue
 else:
 write_log("|-【{}】没有找到可用的验证方式,请尝试手动续签!".format(ssl_hash))
 continue
 return
def get_order_list(self, get):
 """
 获取订单列表
 """
 self.get_exclude_hash(get)
 data = self.read_config()
 if not data.get('orders'):
 return []
 status_id = int(get.status_id) if hasattr(get, 'status_id') else -1
del_list = []
 _return = []
import panelSSL
 exclude_hash = panelSSL.panelSSL().get_exclude_hash(get)
 format_time_strs = ("%Y-%m-%d", "%Y-%m-%d %H:%M:%S")
 today_time = datetime.datetime.today().timestamp()
orders = list(data['orders'].values())
 for i in range(len(orders) - 1, -1, -1):
 if orders[i]['status'] == "valid" and (not orders[i].get("save_path") or not orders[i].get("cert_timeout")):
 del_list.append(orders[i]['index'])
 del orders[i]
 continue
 if orders[i]['status'] == "valid":
 orders[i]['expires'] = orders[i]['cert_timeout']
 if orders[i]['status'] == "ready":
 orders[i]['status'] = "pending"
 try:
 end_time = int(
 (orders[i]['expires'] - datetime.datetime.today().timestamp()) / (60 * 60 * 24)
 )
 except Exception as e:
 end_time = 90
 hash = exclude_hash.get("exclude_hash_let", {}).get(orders[i]['index'], '')
 if hash:
 cert_data = public.M('ssl_info').where('hash=?', hash).find()
 if cert_data:
 for f_str in format_time_strs:
 try:
 end_time = int(
 (datetime.datetime.strptime(cert_data["not_after"], f_str).timestamp() - today_time) / (60 * 60 * 24)
 )
 except Exception as e:
 continue
orders[i]['endDay'] = end_time
if status_id == 0 and (orders[i]['status'] != "pending" or orders[i]['endDay'] <= 0):
 del orders[i]
 continue
 elif status_id == 1 and (orders[i]['endDay'] <= 0 or orders[i]['status'] == "pending"):
 del orders[i]
 continue
 elif status_id == 2 and (orders[i]['endDay'] > 30 or orders[i]['endDay'] <= 0):
 del orders[i]
 continue
 elif status_id == 3 and (orders[i]['endDay'] > 0):
 del orders[i]
 continue
 try:
 arg = public.to_dict_obj({"index": ",".join(del_list), "d": "1"})
 self.delete_order(arg)
 except:
 pass
 orders.sort(key=lambda x: x['endDay'], reverse=True)
 orders.sort(key=lambda x: x['status']=="valid", reverse=True)
 return orders
def get_order_detail(self, get):
 """
 订单详情
 """
 order_index = get.index
 orders = self.read_config()
data = orders["orders"].get(order_index)
if not data:
 return public.returnMsg(False, "没有找到此订单信息")
 if not data.get('auths'):
 if not data.get('authorizations'):
 return public.ReturnMsg(False, "订单验证信息丢失,请尝试重新申请!")
 try:
 self.get_apis()
 data['auths'] = []
 for auth_url in data['authorizations']:
 res = self.acme_request(auth_url, "")
 if res.status_code not in [200, 201]:
 return public.ReturnMsg(False, "订单验证信息丢失,请尝试重新申请!")
 s_body = res.json()
 identifier_auth = self.get_identifier_auth(order_index, auth_url, s_body)
 acme_keyauthorization, auth_value = self.get_keyauthorization(
 identifier_auth['token'])
 identifier_auth['acme_keyauthorization'] = acme_keyauthorization
 identifier_auth['auth_value'] = auth_value
 identifier_auth['expires'] = s_body['expires']
 identifier_auth['auth_to'] = self._config['orders'][order_index]['auth_to']
 identifier_auth['type'] = self._config['orders'][order_index]['auth_type']
 data['auths'].append(identifier_auth)
 self.save_config()
 except:
 return public.ReturnMsg(False, "订单验证信息丢失,请尝试重新申请!")
endtime = ((data.get('expires', 0) or 0) - datetime.datetime.today().timestamp()) / (60 * 60 * 24)
 if endtime <= 0:
 return public.ReturnMsg(False, "订单已过期,请重新申请!")
_return = {"auths": []}
 if data['auth_type'] == 'dns':
 auth_domains = [i["domain"].replace("*.", "") for i in data['auths']]
 if len(auth_domains) != len(set(auth_domains)):
 _return["error"] = True
 _return["error_msg"] = "检测到解析记录存在冲突,请分别验证以下域名"
for auth in data['auths']:
 domain = auth['domain']
 domains = auth['domain'].split('.')
 if domains[0] == '*':
 domain = ".".join(domains[1:])
 dns_auth = [{
 "domain": "_acme-challenge.{}".format(domain),
 "auth_value": auth["auth_value"],
 "type": "TXT",
 "must": "是"
 }]
 if 'ca' in data and data['ca'] != 'litessl':
 dns_auth.append({
 "domain": domain,
 "auth_value": '0 issue "letsencrypt.org"',
 "type": "CAA",
 "must": "否"})
 _return["auths"].append({
 "domain": auth['domain'],
 "status": auth.get('status', "pending"),
 "data": dns_auth
 })
 return _return
 else:
 for auth in data['auths']:
 domain = auth['domain']
 _return["auths"].append({
 "domain": domain,
 "data": [{
 "domain": auth['domain'],
 "file_path": os.path.join(auth['auth_to'], ".well-known/acme-challenge/", auth['token']),
 "content": auth['acme_keyauthorization'],
 "must": "是"
 }]
 })
 return _return
def validate_domain(self, get):
 order_index = get.index
data = self.read_config()
 data = data["orders"].get(order_index)
if not data:
 return public.returnMsg(False, "没有找到此订单信息")
 if not data.get('auths'):
 return public.ReturnMsg(False, "订单验证信息丢失,请尝试重新申请!")
 endtime = ((data.get('expires', 0) or 0) - datetime.datetime.today().timestamp()) / (60 * 60 * 24)
 if endtime <= 0:
 return public.ReturnMsg(False, "订单已过期,请重新申请!")
 # for auth in data['auths']:
 # self.set_auth_info(auth, order_index)
 return self.apply_cert([], "dns", "dns", index=order_index)
def delete_order(self, get):
 return self._delete_order(get)["finish_list"][0]
def _delete_order(self, get):
 from sslModel import certModel
 certModel = certModel.main()
 if ('index' not in get or not get.index) and ('ssl_hash' not in get or not get.ssl_hash):
 return {'status': False, 'msg': "缺少必填参数", 'finish_list': []}
 # 强制删除已经部署的证书
 force = False
 if hasattr(get, 'force'):
 force = get.force
 local = True if 'local' not in get else get.local
 cloud = True if 'cloud' not in get else get.cloud
path = '{}/data/exclude_hash.json'.format(public.get_panel_path())
 exclude_data = self.get_exclude_hash(get)
# 组合删除数据
 del_data = []
 if 'index' in get and get.index:
 index_list = get.index.split(',')
 for index in index_list:
 ssl_hash = exclude_data.get("exclude_hash_let", {}).get(index)
 del_data.append({"index": index, "ssl_hash": ssl_hash})
 if 'ssl_hash' in get and get.ssl_hash:
 ssl_hash_list = get.ssl_hash.split(',')
 for ssl_hash in ssl_hash_list:
 append_data = {"index": "", "ssl_hash": ssl_hash}
 for index, value in exclude_data.get("exclude_hash_let", {}).items():
 if value == ssl_hash:
 append_data["index"] = index
 break
 del_data.append(append_data)
data = self.read_config()
 finish_list = []
 for d in del_data:
 finish = {"name": "let's Encrypt", "status": True, "msg": "删除成功"}
 local_err = ""
 order_err = ""
 # 删除本地证书
 if d['ssl_hash']:
 try:
 certModel.remove_cert(ssl_hash=d['ssl_hash'], local=local, cloud=cloud, force=force)
 except Exception as e:
 local_err = str(e)
 # 删除订单
 if d['index'] and d['index'] in data['orders'] and local:
 try:
 if d['index'] in exclude_data["exclude_hash_let"]:
 del exclude_data["exclude_hash_let"][d['index']]
 del data['orders'][d['index']]
 except Exception as e:
 order_err = str(e)
 if local_err:
 finish["status"] = False
 finish["msg"] = "本地证书删除失败: {}".format(local_err)
 if order_err:
 finish["status"] = False
 if finish["msg"] == "删除成功":
 finish["msg"] = "订单删除失败: {}".format(order_err)
 else:
 finish["msg"] += ";订单删除失败: {}".format(order_err)
finish_list.append(finish)
public.writeFile(path, json.dumps(exclude_data))
 public.writeFile(self._conf_file_v2, json.dumps(data))
 if 'd' in get:
 return data
 return {'status': True, 'msg': "删除成功", 'finish_list': finish_list}
def download_cert_to_local(self, get):
 index = get.index
orders = self.read_config()
 order = orders['orders'].get(index)
 if not order:
 return public.returnMsg(False, "下载失败,未找到此订单")
exclude_data = self.get_exclude_hash(get)
ssl_hash = exclude_data.get("exclude_hash_let", {}).get(index)
 if not ssl_hash:
 return public.returnMsg(False, "订单未完成或订单信息有误,下载失败")
 from sslModel import certModel
 return certModel.main().download_cert(public.to_dict_obj({"ssl_hash": ssl_hash}))
def SetCertToSite(self,get):
 import panelSSL
 exclude_data = self.get_exclude_hash(get)
 ssl_hash = exclude_data['exclude_hash_let'].get(get.index)
 if not ssl_hash:
 return public.returnMsg(False, "未找到此证书")
 get.ssl_hash = ssl_hash
 return panelSSL.panelSSL().SetCertToSite(get)
def _test_domains(domains, auth_to, auth_type):
 # 检查站点域名变更情况, 若有删除域名,则在续签时,删除已经不使用的域名,再执行续签任务
 # 是dns验证的跳过
 if auth_to.find("|") != -1 or auth_to.startswith("dns#@"):
 return domains
 # 是泛域名的跳过
 for domain in domains:
 if domain.find("*.") != -1:
 return domains
 sql = public.M('domain')
 site_sql = public.M('sites')
 for domain in domains:
 pid = sql.where('name=?', domain).getField('pid')
 if pid and site_sql.where('id=?',pid).find():
 site_domains = [i["name"] for i in sql.where('pid=?',(pid,)).field("name").select()]
 break
 else:
 site_id = site_sql.where('path=?', auth_to).getField('id')
 if bool(site_id) and str(site_id).isdigit():
 site_domains = [i["name"] for i in sql.where('pid=?',(site_id,)).field("name").select()]
 else:
 # 全都查询不到,认为这个站点已经被删除
 return []
del_domains = list(set(domains) - set(site_domains))
 for i in del_domains:
 domains.remove(i)
 return domains
def echo_err(msg):
 write_log("\033[31m=" * 65)
 write_log("|-错误:{}\033[0m".format(msg))
 exit()
# 写日志
def write_log(log_str, mode="ab+"):
 if __name__ == "__main__":
 print(log_str)
 return
 _log_file = 'logs/letsencrypt.log'
 f = open(_log_file, mode)
 log_str += "\n"
 f.write(log_str.encode('utf-8'))
 f.close()
 return True
# todo:兼容控制台,目前不兼容
if __name__ == "__main__":
 import argparse
 p = argparse.ArgumentParser(usage="必要的参数:--domain 域名列表,多个以逗号隔开!")
 p.add_argument('--domain', default=None,
 help="请指定要申请证书的域名", dest="domains")
 p.add_argument('--type', default=None, help="请指定验证类型", dest="auth_type")
 p.add_argument('--path', default=None, help="请指定网站根目录", dest="path")
 p.add_argument('--dnsapi', default=None, help="请指定DNSAPI", dest="dnsapi")
 p.add_argument('--dns_key', default=None, help="请指定DNSAPI的key", dest="key")
 p.add_argument('--dns_secret', default=None,
 help="请指定DNSAPI的secret", dest="secret")
 p.add_argument('--index', default=None, help="指定订单索引", dest="index")
 p.add_argument('--renew', default=None, help="续签证书", dest="renew")
 p.add_argument('--renew_v2', default=None, help="续签证书v2", dest="renew_v2")
 p.add_argument('--revoke', default=None, help="吊销证书", dest="revoke")
 p.add_argument('--cycle', default=None, help="到期时间小于等于时续签", dest="cycle")
 args = p.parse_args()
 cert = None
 if args.revoke:
 if not args.index:
 echo_err("请在--index参数中传入要被吊销的订单索引")
 p = acme_v2()
 result = p.revoke_order(args.index)
 write_log(result)
 exit()
if args.renew_v2:
 sys.path.append(public.get_panel_path())
 p = acme_v2()
 if args.cycle:
 try:
 int(args.cycle)
 except:
 args.cycle = None
 p.renew_cert_v2(args.index, args.cycle)
 exit()
if args.renew:
 sys.path.append(public.get_panel_path())
 p = acme_v2()
 if args.cycle:
 try:
 int(args.cycle)
 except:
 args.cycle = None
 p.renew_cert(args.index, args.cycle)
 else:
 try:
 if not args.index:
 if not args.domains:
 echo_err("请在--domain参数中指定要申请证书的域名,多个以逗号(,)隔开")
 if not args.auth_type in ['http', 'tls', 'dns']:
 echo_err("请在--type参数中指定正确的验证类型,支持dns和http")
 auth_to = ''
 if args.auth_type in ['http', 'tls']:
 if not args.path:
 echo_err("请在--path参数中指定网站根目录!")
 if not os.path.exists(args.path):
 echo_err("指定网站根目录不存在,请检查:{}".format(args.path))
 auth_to = args.path
 else:
 if args.dnsapi == '0':
 auth_to = 'dns'
 else:
 if not args.key:
 echo_err("使用dnsapi申请时请在--dns_key参数中指定dnsapi的key!")
 if not args.secret:
 echo_err(
 "使用dnsapi申请时请在--dns_secret参数中指定dnsapi的secret!")
 auth_to = "{}|{}|{}".format(
 args.dnsapi, args.key, args.secret)
domains = args.domains.strip().split(',')
 p = acme_v2()
 cert = p.apply_cert(
 domains, auth_type=args.auth_type, auth_to=auth_to)
 if args.dnsapi == '0':
 acme_txt = '_acme-challenge.'
 acme_caa = '1 issue letsencrypt.org'
 write_log("=" * 65)
 write_log("\033[32m|-手动订单提交成功,请按以下提示解析DNS记录: \033[0m")
 write_log("=" * 65)
 write_log("|-订单索引: {}".format(cert['index']))
 write_log(
 "|-重试命令: ./acme_v2.py --index=\"{}\"".format(cert['index']))
 write_log(
 "|-共需要解析 \033[36m{}\033[0m 个域名记录。".format(len(cert['auths'])))
 for i in range(len(cert['auths'])):
 write_log('-' * 70)
 write_log(
 "|-第 \033[36m{}\033[0m 个域名为:{} , 请解析以下信息:".format(i+1, cert['auths'][i]['domain']))
 write_log("|-记录类型: TXT 记录名: \033[41m{}\033[0m 记录值: \033[41m{}\033[0m [必需]".format(
 acme_txt + cert['auths'][i]['domain'].replace('*.', ''), cert['auths'][i]['auth_value']))
 write_log("|-记录类型: CAA 记录名: \033[41m{}\033[0m 记录值: \033[41m{}\033[0m [可选]".format(
 cert['auths'][i]['domain'].replace('*.', ''), acme_caa))
 write_log('-' * 70)
 input_data = ""
 while input_data not in ['y', 'Y', 'n', 'N']:
 input_msg = "请在完成解析后等待2-3分钟后输入Y按回车以继续验证域名: "
 if sys.version_info[0] == 2:
 input_data = raw_input(input_msg)
 else:
 input_data = input(input_msg)
 if input_data in ['n', 'N']:
 write_log("=" * 65)
 write_log("|-用户放弃申请,退出程序!")
 exit()
 cert = p.apply_cert(
 [], auth_type=args.auth_type, auth_to='dns', index=cert['index'])
 else:
 # 重新验证
 p = acme_v2()
 cert = p.apply_cert([], auth_type='dns',
 auth_to='dns', index=args.index)
 except Exception as ex:
 write_log("|-{}".format(public.get_error_info()))
 exit()
 if not cert:
 exit()
 write_log("=" * 65)
 write_log("|-证书获取成功!")
 write_log("=" * 65)
 write_log("证书到期时间: {}".format(
 public.format_date(times=cert['cert_timeout'])))
 write_log("证书已保存在: {}/".format(cert['save_path']))