Merge branch 'main' into feat/multiple-certificate-formats

internal/applicant/applicant.go

@@ -98,7 +98,7 @@ func newApplyUser(ca, email string) (*ApplyUser, error) {
 		if err != nil {
 			return nil, err
 		}
-		keyStr, err := x509.PrivateKeyToPEM(privateKey)
+		keyStr, err := x509.ConvertECPrivateKeyToPEM(privateKey)
 		if err != nil {
 			return nil, err
 		}
@@ -122,7 +122,7 @@ func (u ApplyUser) GetRegistration() *registration.Resource {
 }
 
 func (u *ApplyUser) GetPrivateKey() crypto.PrivateKey {
-	rs, _ := x509.ParsePrivateKeyFromPEM(u.key)
+	rs, _ := x509.ParseECPrivateKeyFromPEM(u.key)
 	return rs
 }
 

internal/deployer/aliyun_alb.go

@@ -0,0 +1,265 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	alb20200616 "github.com/alibabacloud-go/alb-20200616/v2/client"
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+)
+
+type AliyunALBDeployer struct {
+	option *DeployerOption
+	infos  []string
+
+	sdkClient   *alb20200616.Client
+	sslUploader uploader.Uploader
+}
+
+func NewAliyunALBDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.AliyunAccess{}
+	json.Unmarshal([]byte(option.Access), access)
+
+	client, err := (&AliyunALBDeployer{}).createSdkClient(
+		access.AccessKeyId,
+		access.AccessKeySecret,
+		option.DeployConfig.GetConfigAsString("region"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	uploader, err := uploader.NewAliyunCASUploader(&uploader.AliyunCASUploaderConfig{
+		AccessKeyId:     access.AccessKeyId,
+		AccessKeySecret: access.AccessKeySecret,
+		Region:          option.DeployConfig.GetConfigAsString("region"),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &AliyunALBDeployer{
+		option:      option,
+		infos:       make([]string, 0),
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *AliyunALBDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *AliyunALBDeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *AliyunALBDeployer) Deploy(ctx context.Context) error {
+	switch d.option.DeployConfig.GetConfigAsString("resourceType") {
+	case "loadbalancer":
+		if err := d.deployToLoadbalancer(ctx); err != nil {
+			return err
+		}
+	case "listener":
+		if err := d.deployToListener(ctx); err != nil {
+			return err
+		}
+	default:
+		return errors.New("unsupported resource type")
+	}
+
+	return nil
+}
+
+func (d *AliyunALBDeployer) createSdkClient(accessKeyId, accessKeySecret, region string) (*alb20200616.Client, error) {
+	if region == "" {
+		region = "cn-hangzhou" // ALB 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	case "cn-hangzhou-finance":
+		endpoint = "alb.cn-hangzhou.aliyuncs.com"
+	default:
+		endpoint = fmt.Sprintf("alb.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := alb20200616.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (d *AliyunALBDeployer) deployToLoadbalancer(ctx context.Context) error {
+	aliLoadbalancerId := d.option.DeployConfig.GetConfigAsString("loadbalancerId")
+	if aliLoadbalancerId == "" {
+		return errors.New("`loadbalancerId` is required")
+	}
+
+	aliListenerIds := make([]string, 0)
+
+	// 查询负载均衡实例的详细信息
+	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-getloadbalancerattribute
+	getLoadBalancerAttributeReq := &alb20200616.GetLoadBalancerAttributeRequest{
+		LoadBalancerId: tea.String(aliLoadbalancerId),
+	}
+	getLoadBalancerAttributeResp, err := d.sdkClient.GetLoadBalancerAttribute(getLoadBalancerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'alb.GetLoadBalancerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 ALB 负载均衡实例", getLoadBalancerAttributeResp))
+
+	// 查询 HTTPS 监听列表
+	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlisteners
+	listListenersPage := 1
+	listListenersLimit := int32(100)
+	var listListenersToken *string = nil
+	for {
+		listListenersReq := &alb20200616.ListListenersRequest{
+			MaxResults:       tea.Int32(listListenersLimit),
+			NextToken:        listListenersToken,
+			LoadBalancerIds:  []*string{tea.String(aliLoadbalancerId)},
+			ListenerProtocol: tea.String("HTTPS"),
+		}
+		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
+		if err != nil {
+			return fmt.Errorf("failed to execute sdk request 'alb.ListListeners': %w", err)
+		}
+
+		if listListenersResp.Body.Listeners != nil {
+			for _, listener := range listListenersResp.Body.Listeners {
+				aliListenerIds = append(aliListenerIds, *listener.ListenerId)
+			}
+		}
+
+		if listListenersResp.Body.NextToken == nil {
+			break
+		} else {
+			listListenersToken = listListenersResp.Body.NextToken
+			listListenersPage += 1
+		}
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 ALB 负载均衡实例下的全部 HTTPS 监听", aliListenerIds))
+
+	// 查询 QUIC 监听列表
+	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlisteners
+	listListenersPage = 1
+	listListenersToken = nil
+	for {
+		listListenersReq := &alb20200616.ListListenersRequest{
+			MaxResults:       tea.Int32(listListenersLimit),
+			NextToken:        listListenersToken,
+			LoadBalancerIds:  []*string{tea.String(aliLoadbalancerId)},
+			ListenerProtocol: tea.String("QUIC"),
+		}
+		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
+		if err != nil {
+			return fmt.Errorf("failed to execute sdk request 'alb.ListListeners': %w", err)
+		}
+
+		if listListenersResp.Body.Listeners != nil {
+			for _, listener := range listListenersResp.Body.Listeners {
+				aliListenerIds = append(aliListenerIds, *listener.ListenerId)
+			}
+		}
+
+		if listListenersResp.Body.NextToken == nil {
+			break
+		} else {
+			listListenersToken = listListenersResp.Body.NextToken
+			listListenersPage += 1
+		}
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 ALB 负载均衡实例下的全部 QUIC 监听", aliListenerIds))
+
+	// 上传证书到 SSL
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 批量更新监听证书
+	var errs []error
+	for _, aliListenerId := range aliListenerIds {
+		if err := d.updateListenerCertificate(ctx, aliListenerId, uploadResult.CertId); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}
+
+func (d *AliyunALBDeployer) deployToListener(ctx context.Context) error {
+	aliListenerId := d.option.DeployConfig.GetConfigAsString("listenerId")
+	if aliListenerId == "" {
+		return errors.New("`listenerId` is required")
+	}
+
+	// 上传证书到 SSL
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 更新监听
+	if err := d.updateListenerCertificate(ctx, aliListenerId, uploadResult.CertId); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *AliyunALBDeployer) updateListenerCertificate(ctx context.Context, aliListenerId string, aliCertId string) error {
+	// 查询监听的属性
+	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-getlistenerattribute
+	getListenerAttributeReq := &alb20200616.GetListenerAttributeRequest{
+		ListenerId: tea.String(aliListenerId),
+	}
+	getListenerAttributeResp, err := d.sdkClient.GetListenerAttribute(getListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'alb.GetListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 ALB 监听配置", getListenerAttributeResp))
+
+	// 修改监听的属性
+	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-updatelistenerattribute
+	updateListenerAttributeReq := &alb20200616.UpdateListenerAttributeRequest{
+		ListenerId: tea.String(aliListenerId),
+		Certificates: []*alb20200616.UpdateListenerAttributeRequestCertificates{{
+			CertificateId: tea.String(aliCertId),
+		}},
+	}
+	updateListenerAttributeResp, err := d.sdkClient.UpdateListenerAttribute(updateListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'alb.UpdateListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已更新 ALB 监听配置", updateListenerAttributeResp))
+
+	return nil
+}

internal/deployer/aliyun_clb.go

@@ -0,0 +1,282 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	slb20140515 "github.com/alibabacloud-go/slb-20140515/v4/client"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+)
+
+type AliyunCLBDeployer struct {
+	option *DeployerOption
+	infos  []string
+
+	sdkClient   *slb20140515.Client
+	sslUploader uploader.Uploader
+}
+
+func NewAliyunCLBDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.AliyunAccess{}
+	json.Unmarshal([]byte(option.Access), access)
+
+	client, err := (&AliyunCLBDeployer{}).createSdkClient(
+		access.AccessKeyId,
+		access.AccessKeySecret,
+		option.DeployConfig.GetConfigAsString("region"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	uploader, err := uploader.NewAliyunSLBUploader(&uploader.AliyunSLBUploaderConfig{
+		AccessKeyId:     access.AccessKeyId,
+		AccessKeySecret: access.AccessKeySecret,
+		Region:          option.DeployConfig.GetConfigAsString("region"),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &AliyunCLBDeployer{
+		option:      option,
+		infos:       make([]string, 0),
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *AliyunCLBDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *AliyunCLBDeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *AliyunCLBDeployer) Deploy(ctx context.Context) error {
+	switch d.option.DeployConfig.GetConfigAsString("resourceType") {
+	case "loadbalancer":
+		if err := d.deployToLoadbalancer(ctx); err != nil {
+			return err
+		}
+	case "listener":
+		if err := d.deployToListener(ctx); err != nil {
+			return err
+		}
+	default:
+		return errors.New("unsupported resource type")
+	}
+
+	return nil
+}
+
+func (d *AliyunCLBDeployer) createSdkClient(accessKeyId, accessKeySecret, region string) (*slb20140515.Client, error) {
+	if region == "" {
+		region = "cn-hangzhou" // CLB(SLB) 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	case "cn-hangzhou":
+	case "cn-hangzhou-finance":
+	case "cn-shanghai-finance-1":
+	case "cn-shenzhen-finance-1":
+		endpoint = "slb.aliyuncs.com"
+	default:
+		endpoint = fmt.Sprintf("slb.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := slb20140515.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (d *AliyunCLBDeployer) deployToLoadbalancer(ctx context.Context) error {
+	aliLoadbalancerId := d.option.DeployConfig.GetConfigAsString("loadbalancerId")
+	if aliLoadbalancerId == "" {
+		return errors.New("`loadbalancerId` is required")
+	}
+
+	aliListenerPorts := make([]int32, 0)
+
+	// 查询负载均衡实例的详细信息
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describeloadbalancerattribute
+	describeLoadBalancerAttributeReq := &slb20140515.DescribeLoadBalancerAttributeRequest{
+		RegionId:       tea.String(d.option.DeployConfig.GetConfigAsString("region")),
+		LoadBalancerId: tea.String(aliLoadbalancerId),
+	}
+	describeLoadBalancerAttributeResp, err := d.sdkClient.DescribeLoadBalancerAttribute(describeLoadBalancerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'slb.DescribeLoadBalancerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 CLB 负载均衡实例", describeLoadBalancerAttributeResp))
+
+	// 查询 HTTPS 监听列表
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describeloadbalancerlisteners
+	listListenersPage := 1
+	listListenersLimit := int32(100)
+	var listListenersToken *string = nil
+	for {
+		describeLoadBalancerListenersReq := &slb20140515.DescribeLoadBalancerListenersRequest{
+			RegionId:         tea.String(d.option.DeployConfig.GetConfigAsString("region")),
+			MaxResults:       tea.Int32(listListenersLimit),
+			NextToken:        listListenersToken,
+			LoadBalancerId:   []*string{tea.String(aliLoadbalancerId)},
+			ListenerProtocol: tea.String("https"),
+		}
+		describeLoadBalancerListenersResp, err := d.sdkClient.DescribeLoadBalancerListeners(describeLoadBalancerListenersReq)
+		if err != nil {
+			return fmt.Errorf("failed to execute sdk request 'slb.DescribeLoadBalancerListeners': %w", err)
+		}
+
+		if describeLoadBalancerListenersResp.Body.Listeners != nil {
+			for _, listener := range describeLoadBalancerListenersResp.Body.Listeners {
+				aliListenerPorts = append(aliListenerPorts, *listener.ListenerPort)
+			}
+		}
+
+		if describeLoadBalancerListenersResp.Body.NextToken == nil {
+			break
+		} else {
+			listListenersToken = describeLoadBalancerListenersResp.Body.NextToken
+			listListenersPage += 1
+		}
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 CLB 负载均衡实例下的全部 HTTPS 监听", aliListenerPorts))
+
+	// 上传证书到 SLB
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 批量更新监听证书
+	var errs []error
+	for _, aliListenerPort := range aliListenerPorts {
+		if err := d.updateListenerCertificate(ctx, aliLoadbalancerId, aliListenerPort, uploadResult.CertId); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}
+
+func (d *AliyunCLBDeployer) deployToListener(ctx context.Context) error {
+	aliLoadbalancerId := d.option.DeployConfig.GetConfigAsString("loadbalancerId")
+	if aliLoadbalancerId == "" {
+		return errors.New("`loadbalancerId` is required")
+	}
+
+	aliListenerPort := d.option.DeployConfig.GetConfigAsInt32("listenerPort")
+	if aliListenerPort == 0 {
+		return errors.New("`listenerPort` is required")
+	}
+
+	// 上传证书到 SLB
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 更新监听
+	if err := d.updateListenerCertificate(ctx, aliLoadbalancerId, aliListenerPort, uploadResult.CertId); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *AliyunCLBDeployer) updateListenerCertificate(ctx context.Context, aliLoadbalancerId string, aliListenerPort int32, aliCertId string) error {
+	// 查询监听配置
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describeloadbalancerhttpslistenerattribute
+	describeLoadBalancerHTTPSListenerAttributeReq := &slb20140515.DescribeLoadBalancerHTTPSListenerAttributeRequest{
+		LoadBalancerId: tea.String(aliLoadbalancerId),
+		ListenerPort:   tea.Int32(aliListenerPort),
+	}
+	describeLoadBalancerHTTPSListenerAttributeResp, err := d.sdkClient.DescribeLoadBalancerHTTPSListenerAttribute(describeLoadBalancerHTTPSListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'slb.DescribeLoadBalancerHTTPSListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 CLB HTTPS 监听配置", describeLoadBalancerHTTPSListenerAttributeResp))
+
+	// 查询扩展域名
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describedomainextensions
+	describeDomainExtensionsReq := &slb20140515.DescribeDomainExtensionsRequest{
+		RegionId:       tea.String(d.option.DeployConfig.GetConfigAsString("region")),
+		LoadBalancerId: tea.String(aliLoadbalancerId),
+		ListenerPort:   tea.Int32(aliListenerPort),
+	}
+	describeDomainExtensionsResp, err := d.sdkClient.DescribeDomainExtensions(describeDomainExtensionsReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'slb.DescribeDomainExtensions': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 CLB 扩展域名", describeDomainExtensionsResp))
+
+	// 遍历修改扩展域名
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-setdomainextensionattribute
+	//
+	// 这里仅修改跟被替换证书一致的扩展域名
+	if describeDomainExtensionsResp.Body.DomainExtensions == nil && describeDomainExtensionsResp.Body.DomainExtensions.DomainExtension == nil {
+		for _, domainExtension := range describeDomainExtensionsResp.Body.DomainExtensions.DomainExtension {
+			if *domainExtension.ServerCertificateId == *describeLoadBalancerHTTPSListenerAttributeResp.Body.ServerCertificateId {
+				break
+			}
+
+			setDomainExtensionAttributeReq := &slb20140515.SetDomainExtensionAttributeRequest{
+				RegionId:            tea.String(d.option.DeployConfig.GetConfigAsString("region")),
+				DomainExtensionId:   tea.String(*domainExtension.DomainExtensionId),
+				ServerCertificateId: tea.String(aliCertId),
+			}
+			_, err := d.sdkClient.SetDomainExtensionAttribute(setDomainExtensionAttributeReq)
+			if err != nil {
+				return fmt.Errorf("failed to execute sdk request 'slb.SetDomainExtensionAttribute': %w", err)
+			}
+		}
+	}
+
+	// 修改监听配置
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-setloadbalancerhttpslistenerattribute
+	//
+	// 注意修改监听配置要放在修改扩展域名之后
+	setLoadBalancerHTTPSListenerAttributeReq := &slb20140515.SetLoadBalancerHTTPSListenerAttributeRequest{
+		RegionId:            tea.String(d.option.DeployConfig.GetConfigAsString("region")),
+		LoadBalancerId:      tea.String(aliLoadbalancerId),
+		ListenerPort:        tea.Int32(aliListenerPort),
+		ServerCertificateId: tea.String(aliCertId),
+	}
+	setLoadBalancerHTTPSListenerAttributeResp, err := d.sdkClient.SetLoadBalancerHTTPSListenerAttribute(setLoadBalancerHTTPSListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'slb.SetLoadBalancerHTTPSListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已更新 CLB HTTPS 监听配置", setLoadBalancerHTTPSListenerAttributeResp))
+
+	return nil
+}

internal/deployer/aliyun_nlb.go

@@ -0,0 +1,229 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	nlb20220430 "github.com/alibabacloud-go/nlb-20220430/v2/client"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/uploader"
+)
+
+type AliyunNLBDeployer struct {
+	option *DeployerOption
+	infos  []string
+
+	sdkClient   *nlb20220430.Client
+	sslUploader uploader.Uploader
+}
+
+func NewAliyunNLBDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.AliyunAccess{}
+	json.Unmarshal([]byte(option.Access), access)
+
+	client, err := (&AliyunNLBDeployer{}).createSdkClient(
+		access.AccessKeyId,
+		access.AccessKeySecret,
+		option.DeployConfig.GetConfigAsString("region"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	uploader, err := uploader.NewAliyunCASUploader(&uploader.AliyunCASUploaderConfig{
+		AccessKeyId:     access.AccessKeyId,
+		AccessKeySecret: access.AccessKeySecret,
+		Region:          option.DeployConfig.GetConfigAsString("region"),
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &AliyunNLBDeployer{
+		option:      option,
+		infos:       make([]string, 0),
+		sdkClient:   client,
+		sslUploader: uploader,
+	}, nil
+}
+
+func (d *AliyunNLBDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *AliyunNLBDeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *AliyunNLBDeployer) Deploy(ctx context.Context) error {
+	switch d.option.DeployConfig.GetConfigAsString("resourceType") {
+	case "loadbalancer":
+		if err := d.deployToLoadbalancer(ctx); err != nil {
+			return err
+		}
+	case "listener":
+		if err := d.deployToListener(ctx); err != nil {
+			return err
+		}
+	default:
+		return errors.New("unsupported resource type")
+	}
+
+	return nil
+}
+
+func (d *AliyunNLBDeployer) createSdkClient(accessKeyId, accessKeySecret, region string) (*nlb20220430.Client, error) {
+	if region == "" {
+		region = "cn-hangzhou" // NLB 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	default:
+		endpoint = fmt.Sprintf("nlb.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := nlb20220430.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func (d *AliyunNLBDeployer) deployToLoadbalancer(ctx context.Context) error {
+	aliLoadbalancerId := d.option.DeployConfig.GetConfigAsString("loadbalancerId")
+	if aliLoadbalancerId == "" {
+		return errors.New("`loadbalancerId` is required")
+	}
+
+	aliListenerIds := make([]string, 0)
+
+	// 查询负载均衡实例的详细信息
+	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-getloadbalancerattribute
+	getLoadBalancerAttributeReq := &nlb20220430.GetLoadBalancerAttributeRequest{
+		LoadBalancerId: tea.String(aliLoadbalancerId),
+	}
+	getLoadBalancerAttributeResp, err := d.sdkClient.GetLoadBalancerAttribute(getLoadBalancerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'nlb.GetLoadBalancerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 NLB 负载均衡实例", getLoadBalancerAttributeResp))
+
+	// 查询 TCPSSL 监听列表
+	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-listlisteners
+	listListenersPage := 1
+	listListenersLimit := int32(100)
+	var listListenersToken *string = nil
+	for {
+		listListenersReq := &nlb20220430.ListListenersRequest{
+			MaxResults:       tea.Int32(listListenersLimit),
+			NextToken:        listListenersToken,
+			LoadBalancerIds:  []*string{tea.String(aliLoadbalancerId)},
+			ListenerProtocol: tea.String("TCPSSL"),
+		}
+		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
+		if err != nil {
+			return fmt.Errorf("failed to execute sdk request 'nlb.ListListeners': %w", err)
+		}
+
+		if listListenersResp.Body.Listeners != nil {
+			for _, listener := range listListenersResp.Body.Listeners {
+				aliListenerIds = append(aliListenerIds, *listener.ListenerId)
+			}
+		}
+
+		if listListenersResp.Body.NextToken == nil {
+			break
+		} else {
+			listListenersToken = listListenersResp.Body.NextToken
+			listListenersPage += 1
+		}
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 NLB 负载均衡实例下的全部 TCPSSL 监听", aliListenerIds))
+
+	// 上传证书到 SSL
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 批量更新监听证书
+	var errs []error
+	for _, aliListenerId := range aliListenerIds {
+		if err := d.updateListenerCertificate(ctx, aliListenerId, uploadResult.CertId); err != nil {
+			errs = append(errs, err)
+		}
+	}
+	if len(errs) > 0 {
+		return errors.Join(errs...)
+	}
+
+	return nil
+}
+
+func (d *AliyunNLBDeployer) deployToListener(ctx context.Context) error {
+	aliListenerId := d.option.DeployConfig.GetConfigAsString("listenerId")
+	if aliListenerId == "" {
+		return errors.New("`listenerId` is required")
+	}
+
+	// 上传证书到 SSL
+	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
+
+	// 更新监听
+	if err := d.updateListenerCertificate(ctx, aliListenerId, uploadResult.CertId); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (d *AliyunNLBDeployer) updateListenerCertificate(ctx context.Context, aliListenerId string, aliCertId string) error {
+	// 查询监听的属性
+	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-getlistenerattribute
+	getListenerAttributeReq := &nlb20220430.GetListenerAttributeRequest{
+		ListenerId: tea.String(aliListenerId),
+	}
+	getListenerAttributeResp, err := d.sdkClient.GetListenerAttribute(getListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'nlb.GetListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已查询到 NLB 监听配置", getListenerAttributeResp))
+
+	// 修改监听的属性
+	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-updatelistenerattribute
+	updateListenerAttributeReq := &nlb20220430.UpdateListenerAttributeRequest{
+		ListenerId:     tea.String(aliListenerId),
+		CertificateIds: []*string{tea.String(aliCertId)},
+	}
+	updateListenerAttributeResp, err := d.sdkClient.UpdateListenerAttribute(updateListenerAttributeReq)
+	if err != nil {
+		return fmt.Errorf("failed to execute sdk request 'nlb.UpdateListenerAttribute': %w", err)
+	}
+
+	d.infos = append(d.infos, toStr("已更新 NLB 监听配置", updateListenerAttributeResp))
+
+	return nil
+}

internal/deployer/deployer.go

@@ -21,9 +21,14 @@ const (
 	targetAliyunOSS      = "aliyun-oss"
 	targetAliyunCDN      = "aliyun-cdn"
 	targetAliyunESA      = "aliyun-dcdn"
+	targetAliyunCLB      = "aliyun-clb"
+	targetAliyunALB      = "aliyun-alb"
+	targetAliyunNLB      = "aliyun-nlb"
 	targetTencentCDN     = "tencent-cdn"
+	targetTencentECDN    = "tencent-ecdn"
 	targetTencentCLB     = "tencent-clb"
 	targetTencentCOS     = "tencent-cos"
+	targetTencentTEO     = "tencent-teo"
 	targetHuaweiCloudCDN = "huaweicloud-cdn"
 	targetHuaweiCloudELB = "huaweicloud-elb"
 	targetQiniuCdn       = "qiniu-cdn"
@@ -109,12 +114,22 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 		return NewAliyunCDNDeployer(option)
 	case targetAliyunESA:
 		return NewAliyunESADeployer(option)
+	case targetAliyunCLB:
+		return NewAliyunCLBDeployer(option)
+	case targetAliyunALB:
+		return NewAliyunALBDeployer(option)
+	case targetAliyunNLB:
+		return NewAliyunNLBDeployer(option)
 	case targetTencentCDN:
-		return NewTencentCDNDeployer(option)
+		return NewTencentCDNDeployer(option)	
+	case targetTencentECDN:
+		return NewTencentECDNDeployer(option)
 	case targetTencentCLB:
 		return NewTencentCLBDeployer(option)
 	case targetTencentCOS:
 		return NewTencentCOSDeployer(option)
+	case targetTencentTEO:
+		return NewTencentTEODeployer(option)
 	case targetHuaweiCloudCDN:
 		return NewHuaweiCloudCDNDeployer(option)
 	case targetHuaweiCloudELB:
@@ -130,7 +145,7 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 	case targetK8sSecret:
 		return NewK8sSecretDeployer(option)
 	}
-	return nil, errors.New("not implemented")
+	return nil, errors.New("unsupported deploy target")
 }
 
 func getProduct(t string) string {

internal/deployer/huaweicloud_cdn.go

@@ -41,9 +41,9 @@ func NewHuaweiCloudCDNDeployer(option *DeployerOption) (Deployer, error) {
 
 	// TODO: SCM 服务与 DNS 服务所支持的区域可能不一致，这里暂时不传而是使用默认值，仅支持华为云国内版
 	uploader, err := uploader.NewHuaweiCloudSCMUploader(&uploader.HuaweiCloudSCMUploaderConfig{
-		Region:          "",
 		AccessKeyId:     access.AccessKeyId,
 		SecretAccessKey: access.SecretAccessKey,
+		Region:          "",
 	})
 	if err != nil {
 		return nil, err

internal/deployer/huaweicloud_elb.go

@@ -46,9 +46,9 @@ func NewHuaweiCloudELBDeployer(option *DeployerOption) (Deployer, error) {
 	}
 
 	uploader, err := uploader.NewHuaweiCloudELBUploader(&uploader.HuaweiCloudELBUploaderConfig{
-		Region:          option.DeployConfig.GetConfigAsString("region"),
 		AccessKeyId:     access.AccessKeyId,
 		SecretAccessKey: access.SecretAccessKey,
+		Region:          option.DeployConfig.GetConfigAsString("region"),
 	})
 	if err != nil {
 		return nil, err
@@ -176,10 +176,15 @@ func (u *HuaweiCloudELBDeployer) getSdkProjectId(accessKeyId, secretAccessKey, r
 }
 
 func (d *HuaweiCloudELBDeployer) deployToCertificate(ctx context.Context) error {
+	hcCertId := d.option.DeployConfig.GetConfigAsString("certificateId")
+	if hcCertId == "" {
+		return errors.New("`certificateId` is required")
+	}
+
 	// 更新证书
 	// REF: https://support.huaweicloud.com/api-elb/UpdateCertificate.html
 	updateCertificateReq := &hcElbModel.UpdateCertificateRequest{
-		CertificateId: d.option.DeployConfig.GetConfigAsString("certificateId"),
+		CertificateId: hcCertId,
 		Body: &hcElbModel.UpdateCertificateRequestBody{
 			Certificate: &hcElbModel.UpdateCertificateOption{
 				Certificate: cast.StringPtr(d.option.Certificate.Certificate),
@@ -198,21 +203,27 @@ func (d *HuaweiCloudELBDeployer) deployToCertificate(ctx context.Context) error
 }
 
 func (d *HuaweiCloudELBDeployer) deployToLoadbalancer(ctx context.Context) error {
+	hcLoadbalancerId := d.option.DeployConfig.GetConfigAsString("loadbalancerId")
+	if hcLoadbalancerId == "" {
+		return errors.New("`loadbalancerId` is required")
+	}
+
+	hcListenerIds := make([]string, 0)
+
 	// 查询负载均衡器详情
 	// REF: https://support.huaweicloud.com/api-elb/ShowLoadBalancer.html
 	showLoadBalancerReq := &hcElbModel.ShowLoadBalancerRequest{
-		LoadbalancerId: d.option.DeployConfig.GetConfigAsString("loadbalancerId"),
+		LoadbalancerId: hcLoadbalancerId,
 	}
 	showLoadBalancerResp, err := d.sdkClient.ShowLoadBalancer(showLoadBalancerReq)
 	if err != nil {
 		return fmt.Errorf("failed to execute sdk request 'elb.ShowLoadBalancer': %w", err)
 	}
 
-	d.infos = append(d.infos, toStr("已查询到到 ELB 负载均衡器", showLoadBalancerResp))
+	d.infos = append(d.infos, toStr("已查询到 ELB 负载均衡器", showLoadBalancerResp))
 
 	// 查询监听器列表
 	// REF: https://support.huaweicloud.com/api-elb/ListListeners.html
-	listenerIds := make([]string, 0)
 	listListenersLimit := int32(2000)
 	var listListenersMarker *string = nil
 	for {
@@ -229,7 +240,7 @@ func (d *HuaweiCloudELBDeployer) deployToLoadbalancer(ctx context.Context) error
 
 		if listListenersResp.Listeners != nil {
 			for _, listener := range *listListenersResp.Listeners {
-				listenerIds = append(listenerIds, listener.Id)
+				hcListenerIds = append(hcListenerIds, listener.Id)
 			}
 		}
 
@@ -240,7 +251,7 @@ func (d *HuaweiCloudELBDeployer) deployToLoadbalancer(ctx context.Context) error
 		}
 	}
 
-	d.infos = append(d.infos, toStr("已查询到到 ELB 负载均衡器下的监听器", listenerIds))
+	d.infos = append(d.infos, toStr("已查询到 ELB 负载均衡器下的监听器", hcListenerIds))
 
 	// 上传证书到 SCM
 	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
@@ -252,8 +263,8 @@ func (d *HuaweiCloudELBDeployer) deployToLoadbalancer(ctx context.Context) error
 
 	// 批量更新监听器证书
 	var errs []error
-	for _, listenerId := range listenerIds {
-		if err := d.updateListenerCertificate(ctx, listenerId, uploadResult.CertId); err != nil {
+	for _, hcListenerId := range hcListenerIds {
+		if err := d.updateListenerCertificate(ctx, hcListenerId, uploadResult.CertId); err != nil {
 			errs = append(errs, err)
 		}
 	}
@@ -265,6 +276,11 @@ func (d *HuaweiCloudELBDeployer) deployToLoadbalancer(ctx context.Context) error
 }
 
 func (d *HuaweiCloudELBDeployer) deployToListener(ctx context.Context) error {
+	hcListenerId := d.option.DeployConfig.GetConfigAsString("listenerId")
+	if hcListenerId == "" {
+		return errors.New("`listenerId` is required")
+	}
+
 	// 上传证书到 SCM
 	uploadResult, err := d.sslUploader.Upload(ctx, d.option.Certificate.Certificate, d.option.Certificate.PrivateKey)
 	if err != nil {
@@ -274,7 +290,7 @@ func (d *HuaweiCloudELBDeployer) deployToListener(ctx context.Context) error {
 	d.infos = append(d.infos, toStr("已上传证书", uploadResult))
 
 	// 更新监听器证书
-	if err := d.updateListenerCertificate(ctx, d.option.DeployConfig.GetConfigAsString("listenerId"), uploadResult.CertId); err != nil {
+	if err := d.updateListenerCertificate(ctx, hcListenerId, uploadResult.CertId); err != nil {
 		return err
 	}
 
@@ -292,7 +308,7 @@ func (d *HuaweiCloudELBDeployer) updateListenerCertificate(ctx context.Context,
 		return fmt.Errorf("failed to execute sdk request 'elb.ShowListener': %w", err)
 	}
 
-	d.infos = append(d.infos, toStr("已查询到到 ELB 监听器", showListenerResp))
+	d.infos = append(d.infos, toStr("已查询到 ELB 监听器", showListenerResp))
 
 	// 更新监听器
 	// REF: https://support.huaweicloud.com/api-elb/UpdateListener.html
@@ -359,7 +375,7 @@ func (d *HuaweiCloudELBDeployer) updateListenerCertificate(ctx context.Context,
 		return fmt.Errorf("failed to execute sdk request 'elb.UpdateListener': %w", err)
 	}
 
-	d.infos = append(d.infos, toStr("已更新监听器", updateListenerResp))
+	d.infos = append(d.infos, toStr("已更新 ELB 监听器", updateListenerResp))
 
 	return nil
 }

internal/deployer/k8s_secret.go

@@ -9,6 +9,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	k8sMetaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/usual2970/certimate/internal/domain"
@@ -118,11 +119,18 @@ func (d *K8sSecretDeployer) Deploy(ctx context.Context) error {
 }
 
 func (d *K8sSecretDeployer) createClient(access *domain.KubernetesAccess) (*kubernetes.Clientset, error) {
-	kubeConfig, err := clientcmd.NewClientConfigFromBytes([]byte(access.KubeConfig))
-	if err != nil {
-		return nil, err
+	var config *rest.Config
+	var err error
+	if access.KubeConfig == "" {
+		config, err = rest.InClusterConfig()
+	} else {
+		kubeConfig, err := clientcmd.NewClientConfigFromBytes([]byte(access.KubeConfig))
+		if err != nil {
+			return nil, err
+		}
+		config, err = kubeConfig.ClientConfig()
+
 	}
-	config, err := kubeConfig.ClientConfig()
 	if err != nil {
 		return nil, err
 	}
@@ -131,6 +139,5 @@ func (d *K8sSecretDeployer) createClient(access *domain.KubernetesAccess) (*kube
 	if err != nil {
 		return nil, err
 	}
-
 	return client, nil
 }

internal/deployer/tencent_ecdn.go

@@ -0,0 +1,146 @@
+package deployer
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	cdn "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn/v20180606"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	ssl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/utils/rand"
+)
+
+type TencentECDNDeployer struct {
+	option     *DeployerOption
+	credential *common.Credential
+	infos      []string
+}
+
+func NewTencentECDNDeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.TencentAccess{}
+	if err := json.Unmarshal([]byte(option.Access), access); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal tencent access: %w", err)
+	}
+
+	credential := common.NewCredential(
+		access.SecretId,
+		access.SecretKey,
+	)
+
+	return &TencentECDNDeployer{
+		option:     option,
+		credential: credential,
+		infos:      make([]string, 0),
+	}, nil
+}
+
+func (d *TencentECDNDeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *TencentECDNDeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *TencentECDNDeployer) Deploy(ctx context.Context) error {
+	// 上传证书
+	certId, err := d.uploadCert()
+	if err != nil {
+		return fmt.Errorf("failed to upload certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("上传证书", certId))
+
+	if err := d.deploy(certId); err != nil {
+		return fmt.Errorf("failed to deploy: %w", err)
+	}
+
+	return nil
+}
+
+func (d *TencentECDNDeployer) uploadCert() (string, error) {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+
+	client, _ := ssl.NewClient(d.credential, "", cpf)
+
+	request := ssl.NewUploadCertificateRequest()
+
+	request.CertificatePublicKey = common.StringPtr(d.option.Certificate.Certificate)
+	request.CertificatePrivateKey = common.StringPtr(d.option.Certificate.PrivateKey)
+	request.Alias = common.StringPtr(d.option.Domain + "_" + rand.RandStr(6))
+	request.Repeatable = common.BoolPtr(false)
+
+	response, err := client.UploadCertificate(request)
+	if err != nil {
+		return "", fmt.Errorf("failed to upload certificate: %w", err)
+	}
+
+	return *response.Response.CertificateId, nil
+}
+
+func (d *TencentECDNDeployer) deploy(certId string) error {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+	// 实例化要请求产品的client对象,clientProfile是可选的
+	client, _ := ssl.NewClient(d.credential, "", cpf)
+
+	// 实例化一个请求对象,每个接口都会对应一个request对象
+	request := ssl.NewDeployCertificateInstanceRequest()
+
+	request.CertificateId = common.StringPtr(certId)
+	request.ResourceType = common.StringPtr("ecdn")
+	request.Status = common.Int64Ptr(1)
+
+	// 如果是泛域名就从cdn列表下获取SSL证书中的可用域名
+	domain := getDeployString(d.option.DeployConfig, "domain")
+	if strings.Contains(domain, "*") {
+		list, errGetList := d.getDomainList()
+		if errGetList != nil {
+			return fmt.Errorf("failed to get certificate domain list: %w", errGetList)
+		}
+		if list == nil || len(list) == 0 {
+			return fmt.Errorf("failed to get certificate domain list: empty list.")
+		}
+		request.InstanceIdList = common.StringPtrs(list)
+	} else { // 否则直接使用传入的域名
+		request.InstanceIdList = common.StringPtrs([]string{domain})
+	}
+
+	// 返回的resp是一个DeployCertificateInstanceResponse的实例，与请求对象对应
+	resp, err := client.DeployCertificateInstance(request)
+	if err != nil {
+		return fmt.Errorf("failed to deploy certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("部署证书", resp.Response))
+	return nil
+}
+
+func (d *TencentECDNDeployer) getDomainList() ([]string, error) {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "cdn.tencentcloudapi.com"
+	client, _ := cdn.NewClient(d.credential, "", cpf)
+
+	request := cdn.NewDescribeCertDomainsRequest()
+
+	cert := base64.StdEncoding.EncodeToString([]byte(d.option.Certificate.Certificate))
+	request.Cert = &cert
+	request.Product = common.StringPtr("ecdn")
+
+	response, err := client.DescribeCertDomains(request)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get domain list: %w", err)
+	}
+
+	domains := make([]string, 0)
+	for _, domain := range response.Response.Domains {
+		domains = append(domains, *domain)
+	}
+
+	return domains, nil
+}

internal/deployer/tencent_teo.go

@@ -0,0 +1,111 @@
+package deployer
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	teo "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
+	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
+	ssl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/utils/rand"
+)
+
+type TencentTEODeployer struct {
+	option     *DeployerOption
+	credential *common.Credential
+	infos      []string
+}
+
+func NewTencentTEODeployer(option *DeployerOption) (Deployer, error) {
+	access := &domain.TencentAccess{}
+	if err := json.Unmarshal([]byte(option.Access), access); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal tencent access: %w", err)
+	}
+
+	credential := common.NewCredential(
+		access.SecretId,
+		access.SecretKey,
+	)
+
+	return &TencentTEODeployer{
+		option:     option,
+		credential: credential,
+		infos:      make([]string, 0),
+	}, nil
+}
+
+func (d *TencentTEODeployer) GetID() string {
+	return fmt.Sprintf("%s-%s", d.option.AccessRecord.GetString("name"), d.option.AccessRecord.Id)
+}
+
+func (d *TencentTEODeployer) GetInfo() []string {
+	return d.infos
+}
+
+func (d *TencentTEODeployer) Deploy(ctx context.Context) error {
+	// 上传证书
+	certId, err := d.uploadCert()
+	if err != nil {
+		return fmt.Errorf("failed to upload certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("上传证书", certId))
+
+	if err := d.deploy(certId); err != nil {
+		return fmt.Errorf("failed to deploy: %w", err)
+	}
+
+	return nil
+}
+
+func (d *TencentTEODeployer) uploadCert() (string, error) {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+
+	client, _ := ssl.NewClient(d.credential, "", cpf)
+
+	request := ssl.NewUploadCertificateRequest()
+
+	request.CertificatePublicKey = common.StringPtr(d.option.Certificate.Certificate)
+	request.CertificatePrivateKey = common.StringPtr(d.option.Certificate.PrivateKey)
+	request.Alias = common.StringPtr(d.option.Domain + "_" + rand.RandStr(6))
+	request.Repeatable = common.BoolPtr(false)
+
+	response, err := client.UploadCertificate(request)
+	if err != nil {
+		return "", fmt.Errorf("failed to upload certificate: %w", err)
+	}
+
+	return *response.Response.CertificateId, nil
+}
+
+func (d *TencentTEODeployer) deploy(certId string) error {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "teo.tencentcloudapi.com"
+	// 实例化要请求产品的client对象,clientProfile是可选的
+	client, _ := teo.NewClient(d.credential, "", cpf)
+
+	// 实例化一个请求对象,每个接口都会对应一个request对象
+	request := teo.NewModifyHostsCertificateRequest()
+
+	request.ZoneId = common.StringPtr(getDeployString(d.option.DeployConfig, "zoneId"))
+	request.Mode = common.StringPtr("sslcert")
+	request.ServerCertInfo = []*teo.ServerCertInfo{{
+		CertId: common.StringPtr(certId),
+	}}
+
+	domains := strings.Split(strings.ReplaceAll(d.option.Domain, "\r\n", "\n"),"\n")
+	request.Hosts = common.StringPtrs(domains)
+
+	// 返回的resp是一个DeployCertificateInstanceResponse的实例，与请求对象对应
+	resp, err := client.ModifyHostsCertificate(request)
+	if err != nil {
+		return fmt.Errorf("failed to deploy certificate: %w", err)
+	}
+	d.infos = append(d.infos, toStr("部署证书", resp.Response))
+	return nil
+}

internal/domain/domains.go

@@ -18,7 +18,6 @@ type DeployConfig struct {
 	Config map[string]any `json:"config"`
 }
 
-
 // 以字符串形式获取配置项。
 //
 // 入参：
@@ -52,6 +51,39 @@ func (dc *DeployConfig) GetConfigOrDefaultAsString(key string, defaultValue stri
 	return defaultValue
 }
 
+// 以 32 位整数形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是 32 位整数，则返回 0。
+func (dc *DeployConfig) GetConfigAsInt32(key string) int32 {
+	return dc.GetConfigOrDefaultAsInt32(key, 0)
+}
+
+// 以 32 位整数形式获取配置项。
+//
+// 入参：
+//   - key: 配置项的键。
+//   - defaultValue: 默认值。
+//
+// 出参：
+//   - 配置项的值。如果配置项不存在或者类型不是 32 位整数，则返回默认值。
+func (dc *DeployConfig) GetConfigOrDefaultAsInt32(key string, defaultValue int32) int32 {
+	if dc.Config == nil {
+		return defaultValue
+	}
+
+	if value, ok := dc.Config[key]; ok {
+		if result, ok := value.(int32); ok {
+			return result
+		}
+	}
+
+	return defaultValue
+}
+
 // 以布尔形式获取配置项。
 //
 // 入参：

internal/domain/notify.go

@@ -5,6 +5,7 @@ const (
 	NotifyChannelWebhook  = "webhook"
 	NotifyChannelTelegram = "telegram"
 	NotifyChannelLark     = "lark"
+	NotifyChannelServerChan = "serverchan"
 )
 
 type NotifyTestPushReq struct {

internal/notify/notify.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"strconv"
 
+	stdhttp "net/http"
+
 	"github.com/usual2970/certimate/internal/domain"
 	"github.com/usual2970/certimate/internal/utils/app"
 
@@ -102,6 +104,8 @@ func getNotifier(channel string, conf map[string]any) (notifyPackage.Notifier, e
 		return getLarkNotifier(conf), nil
 	case domain.NotifyChannelWebhook:
 		return getWebhookNotifier(conf), nil
+	case domain.NotifyChannelServerChan:
+		return getServerChanNotifier(conf), nil
 	}
 
 	return nil, fmt.Errorf("notifier not found")
@@ -132,6 +136,25 @@ func getTelegramNotifier(conf map[string]any) notifyPackage.Notifier {
 	return rs
 }
 
+func getServerChanNotifier(conf map[string]any) notifyPackage.Notifier {
+	rs := http.New()
+
+	rs.AddReceivers(&http.Webhook{
+		URL:         getString(conf, "url"),
+		Header:      stdhttp.Header{},
+		ContentType: "application/json",
+		Method:      stdhttp.MethodPost,
+		BuildPayload: func(subject, message string) (payload any) {
+			return map[string]string{
+				"text": subject,
+				"desp": message,
+			}
+		},
+	})
+
+	return rs
+}
+
 func getDingTalkNotifier(conf map[string]any) notifyPackage.Notifier {
 	return dingding.New(&dingding.Config{
 		Token:  getString(conf, "accessToken"),

internal/pkg/core/uploader/uploader_aliyun_cas.go

@@ -15,9 +15,9 @@ import (
 )
 
 type AliyunCASUploaderConfig struct {
-	Region          string `json:"region"`
 	AccessKeyId     string `json:"accessKeyId"`
 	AccessKeySecret string `json:"accessKeySecret"`
+	Region          string `json:"region"`
 }
 
 type AliyunCASUploader struct {
@@ -28,9 +28,9 @@ type AliyunCASUploader struct {
 
 func NewAliyunCASUploader(config *AliyunCASUploaderConfig) (Uploader, error) {
 	client, err := (&AliyunCASUploader{}).createSdkClient(
-		config.Region,
 		config.AccessKeyId,
 		config.AccessKeySecret,
+		config.Region,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sdk client: %w", err)
@@ -81,12 +81,12 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 					if *getUserCertificateDetailResp.Body.Cert == certPem {
 						isSameCert = true
 					} else {
-						cert, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
+						oldCertX509, err := x509.ParseCertificateFromPEM(*getUserCertificateDetailResp.Body.Cert)
 						if err != nil {
 							continue
 						}
 
-						isSameCert = x509.EqualCertificate(certX509, cert)
+						isSameCert = x509.EqualCertificate(certX509, oldCertX509)
 					}
 
 					// 如果已存在相同证书，直接返回已有的证书信息
@@ -133,7 +133,7 @@ func (u *AliyunCASUploader) Upload(ctx context.Context, certPem string, privkeyP
 	}, nil
 }
 
-func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret string) (*cas20200407.Client, error) {
+func (u *AliyunCASUploader) createSdkClient(accessKeyId, accessKeySecret, region string) (*cas20200407.Client, error) {
 	if region == "" {
 		region = "cn-hangzhou" // CAS 服务默认区域：华东一杭州
 	}
@@ -147,10 +147,6 @@ func (u *AliyunCASUploader) createSdkClient(region, accessKeyId, accessKeySecret
 	switch region {
 	case "cn-hangzhou":
 		endpoint = "cas.aliyuncs.com"
-	case "ap-southeast-1":
-		endpoint = "cas.ap-southeast-1.aliyuncs.com"
-	case "eu-central-1":
-		endpoint = "cas.eu-central-1.aliyuncs.com"
 	default:
 		endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
 	}

internal/pkg/core/uploader/uploader_aliyun_slb.go

@@ -0,0 +1,134 @@
+package uploader
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"time"
+
+	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
+	slb20140515 "github.com/alibabacloud-go/slb-20140515/v4/client"
+	util "github.com/alibabacloud-go/tea-utils/v2/service"
+	"github.com/alibabacloud-go/tea/tea"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
+)
+
+type AliyunSLBUploaderConfig struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+	Region          string `json:"region"`
+}
+
+type AliyunSLBUploader struct {
+	config     *AliyunSLBUploaderConfig
+	sdkClient  *slb20140515.Client
+	sdkRuntime *util.RuntimeOptions
+}
+
+func NewAliyunSLBUploader(config *AliyunSLBUploaderConfig) (Uploader, error) {
+	client, err := (&AliyunSLBUploader{}).createSdkClient(
+		config.AccessKeyId,
+		config.AccessKeySecret,
+		config.Region,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create sdk client: %w", err)
+	}
+
+	return &AliyunSLBUploader{
+		config:     config,
+		sdkClient:  client,
+		sdkRuntime: &util.RuntimeOptions{},
+	}, nil
+}
+
+func (u *AliyunSLBUploader) Upload(ctx context.Context, certPem string, privkeyPem string) (res *UploadResult, err error) {
+	// 解析证书内容
+	certX509, err := x509.ParseCertificateFromPEM(certPem)
+	if err != nil {
+		return nil, err
+	}
+
+	// 查询证书列表，避免重复上传
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-describeservercertificates
+	describeServerCertificatesReq := &slb20140515.DescribeServerCertificatesRequest{
+		RegionId: tea.String(u.config.Region),
+	}
+	describeServerCertificatesResp, err := u.sdkClient.DescribeServerCertificatesWithOptions(describeServerCertificatesReq, u.sdkRuntime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'slb.DescribeServerCertificates': %w", err)
+	}
+
+	if describeServerCertificatesResp.Body.ServerCertificates != nil && describeServerCertificatesResp.Body.ServerCertificates.ServerCertificate != nil {
+		fingerprint := sha256.Sum256(certX509.Raw)
+		fingerprintHex := hex.EncodeToString(fingerprint[:])
+		for _, certDetail := range describeServerCertificatesResp.Body.ServerCertificates.ServerCertificate {
+			isSameCert := *certDetail.IsAliCloudCertificate == 0 &&
+				strings.EqualFold(fingerprintHex, strings.ReplaceAll(*certDetail.Fingerprint, ":", "")) &&
+				strings.EqualFold(certX509.Subject.CommonName, *certDetail.CommonName)
+			// 如果已存在相同证书，直接返回已有的证书信息
+			if isSameCert {
+				return &UploadResult{
+					CertId:   *certDetail.ServerCertificateId,
+					CertName: *certDetail.ServerCertificateName,
+				}, nil
+			}
+		}
+	}
+
+	// 生成新证书名（需符合阿里云命名规则）
+	var certId, certName string
+	certName = fmt.Sprintf("certimate_%d", time.Now().UnixMilli())
+
+	// 上传新证书
+	// REF: https://help.aliyun.com/zh/slb/classic-load-balancer/developer-reference/api-slb-2014-05-15-uploadservercertificate
+	uploadServerCertificateReq := &slb20140515.UploadServerCertificateRequest{
+		RegionId:              tea.String(u.config.Region),
+		ServerCertificateName: tea.String(certName),
+		ServerCertificate:     tea.String(certPem),
+		PrivateKey:            tea.String(privkeyPem),
+	}
+	uploadServerCertificateResp, err := u.sdkClient.UploadServerCertificateWithOptions(uploadServerCertificateReq, u.sdkRuntime)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute sdk request 'slb.UploadServerCertificate': %w", err)
+	}
+
+	certId = *uploadServerCertificateResp.Body.ServerCertificateId
+	return &UploadResult{
+		CertId:   certId,
+		CertName: certName,
+	}, nil
+}
+
+func (u *AliyunSLBUploader) createSdkClient(accessKeyId, accessKeySecret, region string) (*slb20140515.Client, error) {
+	if region == "" {
+		region = "cn-hangzhou" // SLB 服务默认区域：华东一杭州
+	}
+
+	aConfig := &openapi.Config{
+		AccessKeyId:     tea.String(accessKeyId),
+		AccessKeySecret: tea.String(accessKeySecret),
+	}
+
+	var endpoint string
+	switch region {
+	case "cn-hangzhou":
+	case "cn-hangzhou-finance":
+	case "cn-shanghai-finance-1":
+	case "cn-shenzhen-finance-1":
+		endpoint = "slb.aliyuncs.com"
+	default:
+		endpoint = fmt.Sprintf("slb.%s.aliyuncs.com", region)
+	}
+	aConfig.Endpoint = tea.String(endpoint)
+
+	client, err := slb20140515.NewClient(aConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}

internal/pkg/utils/x509/x509.go

@@ -7,6 +7,23 @@ import (
 	"fmt"
 )
 
+// 比较两个 x509.Certificate 对象，判断它们是否是同一张证书。
+// 注意，这不是精确比较，而只是基于证书序列号和数字签名的快速判断，但对于权威 CA 签发的证书来说不会存在误判。
+//
+// 入参:
+//   - a: 待比较的第一个 x509.Certificate 对象。
+//   - b: 待比较的第二个 x509.Certificate 对象。
+//
+// 出参:
+//   - 是否相同。
+func EqualCertificate(a, b *x509.Certificate) bool {
+	return string(a.Signature) == string(b.Signature) &&
+		a.SignatureAlgorithm == b.SignatureAlgorithm &&
+		a.SerialNumber.String() == b.SerialNumber.String() &&
+		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
+		a.Subject.SerialNumber == b.Subject.SerialNumber
+}
+
 // 从 PEM 编码的证书字符串解析并返回一个 x509.Certificate 对象。
 //
 // 入参:
@@ -31,26 +48,40 @@ func ParseCertificateFromPEM(certPem string) (cert *x509.Certificate, err error)
 	return cert, nil
 }
 
-// 比较两个 x509.Certificate 对象，判断它们是否是同一张证书。
-// 注意，这不是精确比较，而只是基于证书序列号和数字签名的快速判断，但对于权威 CA 签发的证书来说不会存在误判。
+// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
 //
 // 入参:
-//   - a: 待比较的第一个 x509.Certificate 对象。
-//   - b: 待比较的第二个 x509.Certificate 对象。
+//   - privkeyPem: 私钥 PEM 内容。
 //
 // 出参:
-//   - 是否相同。
-func EqualCertificate(a, b *x509.Certificate) bool {
-	return string(a.Signature) == string(b.Signature) &&
-		a.SignatureAlgorithm == b.SignatureAlgorithm &&
-		a.SerialNumber.String() == b.SerialNumber.String() &&
-		a.Issuer.SerialNumber == b.Issuer.SerialNumber &&
-		a.Subject.SerialNumber == b.Subject.SerialNumber
+//   - privkey: ecdsa.PrivateKey 对象。
+//   - err: 错误。
+func ParseECPrivateKeyFromPEM(privkeyPem string) (privkey *ecdsa.PrivateKey, err error) {
+	pemData := []byte(privkeyPem)
+
+	block, _ := pem.Decode(pemData)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	privkey, err = x509.ParseECPrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %w", err)
+	}
+
+	return privkey, nil
 }
 
-// 将 ECDSA 私钥转换为 PEM 格式的字符串。
-func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
-	data, err := x509.MarshalECPrivateKey(privateKey)
+// 将 ECDSA 私钥转换为 PEM 编码的字符串。
+//
+// 入参:
+//   - privkey: ecdsa.PrivateKey 对象。
+//
+// 出参:
+//   - privkeyPem: 私钥 PEM 内容。
+//   - err: 错误。
+func ConvertECPrivateKeyToPEM(privkey *ecdsa.PrivateKey) (privkeyPem string, err error) {
+	data, err := x509.MarshalECPrivateKey(privkey)
 	if err != nil {
 		return "", fmt.Errorf("failed to marshal EC private key: %w", err)
 	}
@@ -62,20 +93,3 @@ func PrivateKeyToPEM(privateKey *ecdsa.PrivateKey) (string, error) {
 
 	return string(pem.EncodeToMemory(block)), nil
 }
-
-// 从 PEM 编码的私钥字符串解析并返回一个 ECDSA 私钥对象。
-func ParsePrivateKeyFromPEM(privateKeyPem string) (*ecdsa.PrivateKey, error) {
-	pemData := []byte(privateKeyPem)
-
-	block, _ := pem.Decode(pemData)
-	if block == nil {
-		return nil, fmt.Errorf("failed to decode PEM block")
-	}
-
-	privateKey, err := x509.ParseECPrivateKey(block.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse private key: %w", err)
-	}
-
-	return privateKey, nil
-}