Add zerossl provider

2025-08-06 17:31:47 +00:00 · 2024-09-26 16:07:51 +08:00
parent a9fdceca6f
commit 363fbdee00
16 changed files with 705 additions and 319 deletions
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -1,11 +1,13 @@
 package applicant

 import (
+	"certimate/internal/utils/app"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"errors"
+	"fmt"
 	"strings"

 	"github.com/go-acme/lego/v4/certcrypto"
@@ -25,6 +27,22 @@ const (
 	configTypeGodaddy    = "godaddy"
 )

+const defaultSSLProvider = "letsencrypt"
+const (
+	sslProviderLetsencrypt = "letsencrypt"
+	sslProviderZeroSSL     = "zerossl"
+)
+
+const (
+	zerosslUrl     = "https://acme.zerossl.com/v2/DV90"
+	letsencryptUrl = "https://acme-v02.api.letsencrypt.org/directory"
+)
+
+var sslProviderUrls = map[string]string{
+	sslProviderLetsencrypt: letsencryptUrl,
+	sslProviderZeroSSL:     zerosslUrl,
+}
+
 const defaultEmail = "536464346@qq.com"

 type Certificate struct {
@@ -92,7 +110,31 @@ func Get(record *models.Record) (Applicant, error) {

 }

+type SSLProviderConfig struct {
+	Config   SSLProviderConfigContent `json:"config"`
+	Provider string                   `json:"provider"`
+}
+
+type SSLProviderConfigContent struct {
+	Zerossl struct {
+		EabHmacKey string `json:"eabHmacKey"`
+		EabKid     string `json:"eabKid"`
+	}
+}
+
 func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, error) {
+	record, _ := app.GetApp().Dao().FindFirstRecordByFilter("settings", "name='ssl-provider'")
+
+	sslProvider := &SSLProviderConfig{
+		Config:   SSLProviderConfigContent{},
+		Provider: defaultSSLProvider,
+	}
+	if record != nil {
+		if err := record.UnmarshalJSONField("content", sslProvider); err != nil {
+			return nil, err
+		}
+	}
+
 	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
 		return nil, err
@@ -106,7 +148,7 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 	config := lego.NewConfig(&myUser)

 	// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
-	config.CADirURL = "https://acme-v02.api.letsencrypt.org/directory"
+	config.CADirURL = sslProviderUrls[sslProvider.Provider]
 	config.Certificate.KeyType = certcrypto.RSA2048

 	// A client facilitates communication with the CA server.
@@ -124,9 +166,9 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 	client.Challenge.SetDNS01Provider(provider, challengeOptions...)

 	// New users will need to register
-	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	reg, err := getReg(client, sslProvider)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to register: %w", err)
 	}
 	myUser.Registration = reg

@@ -155,6 +197,33 @@ func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, erro
 		IssuerCertificate: string(certificates.IssuerCertificate),
 		Csr:               string(certificates.CSR),
 	}, nil
+
+}
+
+func getReg(client *lego.Client, sslProvider *SSLProviderConfig) (*registration.Resource, error) {
+	var reg *registration.Resource
+	var err error
+	switch sslProvider.Provider {
+	case sslProviderZeroSSL:
+		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  sslProvider.Config.Zerossl.EabKid,
+			HmacEncoded:          sslProvider.Config.Zerossl.EabHmacKey,
+		})
+
+	case sslProviderLetsencrypt:
+		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+
+	default:
+		err = errors.New("unknown ssl provider")
+
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return reg, nil
 }

 func ParseNameservers(ns string) []string {