Merge branch 'main' into feat/cloud-load-balance

2025-10-05 05:54:53 +00:00 · 2024-10-29 09:12:39 +08:00
parent e1a3a3e7c7 edeac86f06
commit aeaa45b713
39 changed files with 2637 additions and 308 deletions
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -1,16 +1,21 @@
 package deployer

 import (
+	"bytes"
 	"context"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
-	"strings"
+	"time"

+	"github.com/pavlo-v-chernykh/keystore-go/v4"
 	"github.com/pocketbase/pocketbase/models"
+	"software.sslmate.com/src/go-pkcs12"

 	"github.com/usual2970/certimate/internal/applicant"
 	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/x509"
 	"github.com/usual2970/certimate/internal/utils/app"
 )

@@ -38,7 +43,6 @@ const (
 type DeployerOption struct {
 	DomainId     string                `json:"domainId"`
 	Domain       string                `json:"domain"`
-	Product      string                `json:"product"`
 	Access       string                `json:"access"`
 	AccessRecord *models.Record        `json:"-"`
 	DeployConfig domain.DeployConfig   `json:"deployConfig"`
@@ -90,7 +94,6 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 	option := &DeployerOption{
 		DomainId:     record.Id,
 		Domain:       record.GetString("domain"),
-		Product:      getProduct(deployConfig.Type),
 		Access:       access.GetString("config"),
 		AccessRecord: access,
 		DeployConfig: deployConfig,
@@ -145,14 +148,6 @@ func getWithDeployConfig(record *models.Record, cert *applicant.Certificate, dep
 	return nil, errors.New("unsupported deploy target")
 }

-func getProduct(t string) string {
-	rs := strings.Split(t, "-")
-	if len(rs) < 2 {
-		return ""
-	}
-	return rs[1]
-}
-
 func toStr(tag string, data any) string {
 	if data == nil {
 		return tag
@@ -195,3 +190,57 @@ func getDeployVariables(conf domain.DeployConfig) map[string]string {

 	return rs
 }
+
+func convertPEMToPFX(certificate string, privateKey string, password string) ([]byte, error) {
+	cert, err := x509.ParseCertificateFromPEM(certificate)
+	if err != nil {
+		return nil, err
+	}
+
+	privkey, err := x509.ParsePKCS1PrivateKeyFromPEM(privateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	pfxData, err := pkcs12.LegacyRC2.Encode(privkey, cert, nil, password)
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode as pfx %w", err)
+	}
+
+	return pfxData, nil
+}
+
+func convertPEMToJKS(certificate string, privateKey string, alias string, keypass string, storepass string) ([]byte, error) {
+	certBlock, _ := pem.Decode([]byte(certificate))
+	if certBlock == nil {
+		return nil, errors.New("failed to decode certificate PEM")
+	}
+
+	privkeyBlock, _ := pem.Decode([]byte(privateKey))
+	if privkeyBlock == nil {
+		return nil, errors.New("failed to decode private key PEM")
+	}
+
+	ks := keystore.New()
+	entry := keystore.PrivateKeyEntry{
+		CreationTime: time.Now(),
+		PrivateKey:   privkeyBlock.Bytes,
+		CertificateChain: []keystore.Certificate{
+			{
+				Type:    "X509",
+				Content: certBlock.Bytes,
+			},
+		},
+	}
+
+	if err := ks.SetPrivateKeyEntry(alias, entry, []byte(keypass)); err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	if err := ks.Store(&buf, []byte(storepass)); err != nil {
+		return nil, err
+	}
+
+	return buf.Bytes(), nil
+}
--- a/internal/deployer/k8s_secret.go
+++ b/internal/deployer/k8s_secret.go
@@ -108,7 +108,7 @@ func (d *K8sSecretDeployer) Deploy(ctx context.Context) error {
 	}

 	// 更新 Secret 实例
-	_, err = client.CoreV1().Secrets(namespace).Update(ctx, &secretPayload, k8sMeta.UpdateOptions{})
+	_, err = client.CoreV1().Secrets(namespace).Update(context.TODO(), &secretPayload, k8sMetaV1.UpdateOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to update k8s secret: %w", err)
 	}
--- a/internal/deployer/local.go
+++ b/internal/deployer/local.go
@@ -1,15 +1,15 @@
 package deployer

 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
-	"os"
 	"os/exec"
-	"path/filepath"
 	"runtime"

 	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/fs"
 )

 type LocalDeployer struct {
@@ -17,6 +17,18 @@ type LocalDeployer struct {
 	infos  []string
 }

+const (
+	certFormatPEM = "pem"
+	certFormatPFX = "pfx"
+	certFormatJKS = "jks"
+)
+
+const (
+	shellEnvSh         = "sh"
+	shellEnvCmd        = "cmd"
+	shellEnvPowershell = "powershell"
+)
+
 func NewLocalDeployer(option *DeployerOption) (Deployer, error) {
 	return &LocalDeployer{
 		option: option,
@@ -38,74 +50,114 @@ func (d *LocalDeployer) Deploy(ctx context.Context) error {
 		return err
 	}

-	preCommand := getDeployString(d.option.DeployConfig, "preCommand")
-
+	// 执行前置命令
+	preCommand := d.option.DeployConfig.GetConfigAsString("preCommand")
 	if preCommand != "" {
-		if err := execCmd(preCommand); err != nil {
-			return fmt.Errorf("执行前置命令失败: %w", err)
+		stdout, stderr, err := d.execCommand(preCommand)
+		if err != nil {
+			return fmt.Errorf("failed to run pre-command: %w, stdout: %s, stderr: %s", err, stdout, stderr)
 		}
+
+		d.infos = append(d.infos, toStr("执行前置命令成功", stdout))
 	}

-	// 复制证书文件
-	if err := copyFile(getDeployString(d.option.DeployConfig, "certPath"), d.option.Certificate.Certificate); err != nil {
-		return fmt.Errorf("复制证书失败: %w", err)
-	}
+	// 写入证书和私钥文件
+	switch d.option.DeployConfig.GetConfigOrDefaultAsString("format", certFormatPEM) {
+	case certFormatPEM:
+		if err := fs.WriteFileString(d.option.DeployConfig.GetConfigAsString("certPath"), d.option.Certificate.Certificate); err != nil {
+			return fmt.Errorf("failed to save certificate file: %w", err)
+		}

-	// 复制私钥文件
-	if err := copyFile(getDeployString(d.option.DeployConfig, "keyPath"), d.option.Certificate.PrivateKey); err != nil {
-		return fmt.Errorf("复制私钥失败: %w", err)
+		d.infos = append(d.infos, toStr("保存证书成功", nil))
+
+		if err := fs.WriteFileString(d.option.DeployConfig.GetConfigAsString("keyPath"), d.option.Certificate.PrivateKey); err != nil {
+			return fmt.Errorf("failed to save private key file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("保存私钥成功", nil))
+
+	case certFormatPFX:
+		pfxData, err := convertPEMToPFX(
+			d.option.Certificate.Certificate,
+			d.option.Certificate.PrivateKey,
+			d.option.DeployConfig.GetConfigAsString("pfxPassword"),
+		)
+		if err != nil {
+			return fmt.Errorf("failed to convert pem to pfx %w", err)
+		}
+
+		if err := fs.WriteFile(d.option.DeployConfig.GetConfigAsString("certPath"), pfxData); err != nil {
+			return fmt.Errorf("failed to save certificate file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("保存证书成功", nil))
+
+	case certFormatJKS:
+		jksData, err := convertPEMToJKS(
+			d.option.Certificate.Certificate,
+			d.option.Certificate.PrivateKey,
+			d.option.DeployConfig.GetConfigAsString("jksAlias"),
+			d.option.DeployConfig.GetConfigAsString("jksKeypass"),
+			d.option.DeployConfig.GetConfigAsString("jksStorepass"),
+		)
+		if err != nil {
+			return fmt.Errorf("failed to convert pem to pfx %w", err)
+		}
+
+		if err := fs.WriteFile(d.option.DeployConfig.GetConfigAsString("certPath"), jksData); err != nil {
+			return fmt.Errorf("failed to save certificate file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("保存证书成功", nil))
 	}

 	// 执行命令
-	if err := execCmd(getDeployString(d.option.DeployConfig, "command")); err != nil {
-		return fmt.Errorf("执行命令失败: %w", err)
+	command := d.option.DeployConfig.GetConfigAsString("command")
+	if command != "" {
+		stdout, stderr, err := d.execCommand(command)
+		if err != nil {
+			return fmt.Errorf("failed to run command: %w, stdout: %s, stderr: %s", err, stdout, stderr)
+		}
+
+		d.infos = append(d.infos, toStr("执行命令成功", stdout))
 	}

 	return nil
 }

-func execCmd(command string) error {
-	// 执行命令
+func (d *LocalDeployer) execCommand(command string) (string, string, error) {
 	var cmd *exec.Cmd

-	if runtime.GOOS == "windows" {
-		cmd = exec.Command("cmd", "/C", command)
-	} else {
+	switch d.option.DeployConfig.GetConfigAsString("shell") {
+	case shellEnvSh:
 		cmd = exec.Command("sh", "-c", command)
+
+	case shellEnvCmd:
+		cmd = exec.Command("cmd", "/C", command)
+
+	case shellEnvPowershell:
+		cmd = exec.Command("powershell", "-Command", command)
+
+	case "":
+		if runtime.GOOS == "windows" {
+			cmd = exec.Command("cmd", "/C", command)
+		} else {
+			cmd = exec.Command("sh", "-c", command)
+		}
+
+	default:
+		return "", "", fmt.Errorf("unsupported shell")
 	}

-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
+	var stdoutBuf bytes.Buffer
+	cmd.Stdout = &stdoutBuf
+	var stderrBuf bytes.Buffer
+	cmd.Stderr = &stderrBuf

 	err := cmd.Run()
 	if err != nil {
-		return fmt.Errorf("执行命令失败: %w", err)
+		return "", "", fmt.Errorf("failed to execute script: %w", err)
 	}

-	return nil
-}
-
-func copyFile(path string, content string) error {
-	dir := filepath.Dir(path)
-
-	// 如果目录不存在，创建目录
-	err := os.MkdirAll(dir, os.ModePerm)
-	if err != nil {
-		return fmt.Errorf("创建目录失败: %w", err)
-	}
-
-	// 创建或打开文件
-	file, err := os.Create(path)
-	if err != nil {
-		return fmt.Errorf("创建文件失败: %w", err)
-	}
-	defer file.Close()
-
-	// 写入内容到文件
-	_, err = file.Write([]byte(content))
-	if err != nil {
-		return fmt.Errorf("写入文件失败: %w", err)
-	}
-
-	return nil
+	return stdoutBuf.String(), stderrBuf.String(), err
 }
--- a/internal/deployer/qiniu_cdn_test.go
+++ b/internal/deployer/qiniu_cdn_test.go
@@ -24,7 +24,6 @@ func Test_qiuniu_uploadCert(t *testing.T) {
 				option: &DeployerOption{
 					DomainId: "1",
 					Domain:   "example.com",
-					Product:  "test",
 					Access:   `{"bucket":"test","accessKey":"","secretKey":""}`,
 					Certificate: applicant.Certificate{
 						Certificate: "",
@@ -70,7 +69,6 @@ func Test_qiuniu_modifyDomainCert(t *testing.T) {
 				option: &DeployerOption{
 					DomainId: "1",
 					Domain:   "jt1.ikit.fun",
-					Product:  "test",
 					Access:   `{"bucket":"test","accessKey":"","secretKey":""}`,
 				},
 			},
--- a/internal/deployer/ssh.go
+++ b/internal/deployer/ssh.go
@@ -6,12 +6,13 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	xpath "path"
+	"path/filepath"

 	"github.com/pkg/sftp"
-	sshPkg "golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh"

 	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/fs"
 )

 type SSHDeployer struct {
@@ -41,49 +42,120 @@ func (d *SSHDeployer) Deploy(ctx context.Context) error {
 	}

 	// 连接
-	client, err := d.createClient(access)
+	client, err := d.createSshClient(access)
 	if err != nil {
 		return err
 	}
 	defer client.Close()

-	d.infos = append(d.infos, toStr("ssh连接成功", nil))
+	d.infos = append(d.infos, toStr("SSH 连接成功", nil))

 	// 执行前置命令
-	preCommand := getDeployString(d.option.DeployConfig, "preCommand")
+	preCommand := d.option.DeployConfig.GetConfigAsString("preCommand")
 	if preCommand != "" {
 		stdout, stderr, err := d.sshExecCommand(client, preCommand)
 		if err != nil {
 			return fmt.Errorf("failed to run pre-command: %w, stdout: %s, stderr: %s", err, stdout, stderr)
 		}
+
+		d.infos = append(d.infos, toStr("SSH 执行前置命令成功", stdout))
 	}

-	// 上传证书
-	if err := d.upload(client, d.option.Certificate.Certificate, getDeployString(d.option.DeployConfig, "certPath")); err != nil {
-		return fmt.Errorf("failed to upload certificate: %w", err)
+	// 上传证书和私钥文件
+	switch d.option.DeployConfig.GetConfigOrDefaultAsString("format", certFormatPEM) {
+	case certFormatPEM:
+		if err := d.writeSftpFileString(client, d.option.DeployConfig.GetConfigAsString("certPath"), d.option.Certificate.Certificate); err != nil {
+			return fmt.Errorf("failed to upload certificate file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("SSH 上传证书成功", nil))
+
+		if err := d.writeSftpFileString(client, d.option.DeployConfig.GetConfigAsString("keyPath"), d.option.Certificate.PrivateKey); err != nil {
+			return fmt.Errorf("failed to upload private key file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("SSH 上传私钥成功", nil))
+
+	case certFormatPFX:
+		pfxData, err := convertPEMToPFX(
+			d.option.Certificate.Certificate,
+			d.option.Certificate.PrivateKey,
+			d.option.DeployConfig.GetConfigAsString("pfxPassword"),
+		)
+		if err != nil {
+			return fmt.Errorf("failed to convert pem to pfx %w", err)
+		}
+
+		if err := d.writeSftpFile(client, d.option.DeployConfig.GetConfigAsString("certPath"), pfxData); err != nil {
+			return fmt.Errorf("failed to upload certificate file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("SSH 上传证书成功", nil))
+
+	case certFormatJKS:
+		jksData, err := convertPEMToJKS(
+			d.option.Certificate.Certificate,
+			d.option.Certificate.PrivateKey,
+			d.option.DeployConfig.GetConfigAsString("jksAlias"),
+			d.option.DeployConfig.GetConfigAsString("jksKeypass"),
+			d.option.DeployConfig.GetConfigAsString("jksStorepass"),
+		)
+		if err != nil {
+			return fmt.Errorf("failed to convert pem to pfx %w", err)
+		}
+
+		if err := fs.WriteFile(d.option.DeployConfig.GetConfigAsString("certPath"), jksData); err != nil {
+			return fmt.Errorf("failed to save certificate file: %w", err)
+		}
+
+		d.infos = append(d.infos, toStr("保存证书成功", nil))
 	}

-	d.infos = append(d.infos, toStr("ssh上传证书成功", nil))
-
-	// 上传私钥
-	if err := d.upload(client, d.option.Certificate.PrivateKey, getDeployString(d.option.DeployConfig, "keyPath")); err != nil {
-		return fmt.Errorf("failed to upload private key: %w", err)
-	}
-
-	d.infos = append(d.infos, toStr("ssh上传私钥成功", nil))
-
 	// 执行命令
-	stdout, stderr, err := d.sshExecCommand(client, getDeployString(d.option.DeployConfig, "command"))
-	if err != nil {
-		return fmt.Errorf("failed to run command: %w, stdout: %s, stderr: %s", err, stdout, stderr)
-	}
+	command := d.option.DeployConfig.GetConfigAsString("command")
+	if command != "" {
+		stdout, stderr, err := d.sshExecCommand(client, command)
+		if err != nil {
+			return fmt.Errorf("failed to run command: %w, stdout: %s, stderr: %s", err, stdout, stderr)
+		}

-	d.infos = append(d.infos, toStr("ssh执行命令成功", stdout))
+		d.infos = append(d.infos, toStr("SSH 执行命令成功", stdout))
+	}

 	return nil
 }

-func (d *SSHDeployer) sshExecCommand(client *sshPkg.Client, command string) (string, string, error) {
+func (d *SSHDeployer) createSshClient(access *domain.SSHAccess) (*ssh.Client, error) {
+	var authMethod ssh.AuthMethod
+
+	if access.Key != "" {
+		var signer ssh.Signer
+		var err error
+
+		if access.KeyPassphrase != "" {
+			signer, err = ssh.ParsePrivateKeyWithPassphrase([]byte(access.Key), []byte(access.KeyPassphrase))
+		} else {
+			signer, err = ssh.ParsePrivateKey([]byte(access.Key))
+		}
+
+		if err != nil {
+			return nil, err
+		}
+		authMethod = ssh.PublicKeys(signer)
+	} else {
+		authMethod = ssh.Password(access.Password)
+	}
+
+	return ssh.Dial("tcp", fmt.Sprintf("%s:%s", access.Host, access.Port), &ssh.ClientConfig{
+		User: access.Username,
+		Auth: []ssh.AuthMethod{
+			authMethod,
+		},
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+	})
+}
+
+func (d *SSHDeployer) sshExecCommand(client *ssh.Client, command string) (string, string, error) {
 	session, err := client.NewSession()
 	if err != nil {
 		return "", "", fmt.Errorf("failed to create ssh session: %w", err)
@@ -98,14 +170,18 @@ func (d *SSHDeployer) sshExecCommand(client *sshPkg.Client, command string) (str
 	return stdoutBuf.String(), stderrBuf.String(), err
 }

-func (d *SSHDeployer) upload(client *sshPkg.Client, content, path string) error {
+func (d *SSHDeployer) writeSftpFileString(client *ssh.Client, path string, content string) error {
+	return d.writeSftpFile(client, path, []byte(content))
+}
+
+func (d *SSHDeployer) writeSftpFile(client *ssh.Client, path string, data []byte) error {
 	sftpCli, err := sftp.NewClient(client)
 	if err != nil {
 		return fmt.Errorf("failed to create sftp client: %w", err)
 	}
 	defer sftpCli.Close()

-	if err := sftpCli.MkdirAll(xpath.Dir(path)); err != nil {
+	if err := sftpCli.MkdirAll(filepath.Dir(path)); err != nil {
 		return fmt.Errorf("failed to create remote directory: %w", err)
 	}

@@ -115,40 +191,10 @@ func (d *SSHDeployer) upload(client *sshPkg.Client, content, path string) error
 	}
 	defer file.Close()

-	_, err = file.Write([]byte(content))
+	_, err = file.Write(data)
 	if err != nil {
 		return fmt.Errorf("failed to write to remote file: %w", err)
 	}

 	return nil
 }
-
-func (d *SSHDeployer) createClient(access *domain.SSHAccess) (*sshPkg.Client, error) {
-	var authMethod sshPkg.AuthMethod
-
-	if access.Key != "" {
-		var signer sshPkg.Signer
-		var err error
-
-		if access.KeyPassphrase != "" {
-			signer, err = sshPkg.ParsePrivateKeyWithPassphrase([]byte(access.Key), []byte(access.KeyPassphrase))
-		} else {
-			signer, err = sshPkg.ParsePrivateKey([]byte(access.Key))
-		}
-
-		if err != nil {
-			return nil, err
-		}
-		authMethod = sshPkg.PublicKeys(signer)
-	} else {
-		authMethod = sshPkg.Password(access.Password)
-	}
-
-	return sshPkg.Dial("tcp", fmt.Sprintf("%s:%s", access.Host, access.Port), &sshPkg.ClientConfig{
-		User: access.Username,
-		Auth: []sshPkg.AuthMethod{
-			authMethod,
-		},
-		HostKeyCallback: sshPkg.InsecureIgnoreHostKey(),
-	})
-}
--- a/internal/deployer/tencent_cdn.go
+++ b/internal/deployer/tencent_cdn.go
@@ -2,10 +2,10 @@ package deployer

 import (
 	"context"
-	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"strings"
+	"golang.org/x/exp/slices"

 	cdn "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn/v20180606"
 	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
@@ -100,16 +100,23 @@ func (d *TencentCDNDeployer) deploy(certId string) error {
 	// 如果是泛域名就从cdn列表下获取SSL证书中的可用域名
 	domain := getDeployString(d.option.DeployConfig, "domain")
 	if strings.Contains(domain, "*") {
-		list, errGetList := d.getDomainList()
+		list, errGetList := d.getDomainList(certId)
 		if errGetList != nil {
 			return fmt.Errorf("failed to get certificate domain list: %w", errGetList)
 		}
-		if list == nil || len(list) == 0 {
-			return fmt.Errorf("failed to get certificate domain list: empty list.")
+		if len(list) == 0 {
+			d.infos = append(d.infos, "没有需要部署的实例")
+			return nil
 		}
 		request.InstanceIdList = common.StringPtrs(list)
 	} else { // 否则直接使用传入的域名
-		request.InstanceIdList = common.StringPtrs([]string{domain})
+		deployed, _ := d.isDomainDeployed(certId, domain)
+		if(deployed){
+			d.infos = append(d.infos, "域名已部署")
+			return nil
+		}else{
+			request.InstanceIdList = common.StringPtrs([]string{domain})
+		}
 	}

 	// 返回的resp是一个DeployCertificateInstanceResponse的实例，与请求对象对应
@@ -121,23 +128,61 @@ func (d *TencentCDNDeployer) deploy(certId string) error {
 	return nil
 }

-func (d *TencentCDNDeployer) getDomainList() ([]string, error) {
+func (d *TencentCDNDeployer) getDomainList(certId string) ([]string, error) {
 	cpf := profile.NewClientProfile()
 	cpf.HttpProfile.Endpoint = "cdn.tencentcloudapi.com"
 	client, _ := cdn.NewClient(d.credential, "", cpf)

 	request := cdn.NewDescribeCertDomainsRequest()

-	cert := base64.StdEncoding.EncodeToString([]byte(d.option.Certificate.Certificate))
-	request.Cert = &cert
+	request.CertId = common.StringPtr(certId)

 	response, err := client.DescribeCertDomains(request)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get domain list: %w", err)
 	}

+	deployedDomains, err := d.getDeployedDomainList(certId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get deployed domain list: %w", err)
+	}
+
 	domains := make([]string, 0)
 	for _, domain := range response.Response.Domains {
+		domainStr := *domain
+		if(slices.Contains(deployedDomains, domainStr)){
+			domains = append(domains, domainStr)
+		}
+	}
+
+	return domains, nil
+}
+
+func (d *TencentCDNDeployer) isDomainDeployed(certId, domain string) (bool, error) {
+	deployedDomains, err := d.getDeployedDomainList(certId)
+	if(err != nil){
+		return false, err
+	}
+
+	return slices.Contains(deployedDomains, domain), nil
+}
+
+func (d *TencentCDNDeployer) getDeployedDomainList(certId string) ([]string, error) {
+	cpf := profile.NewClientProfile()
+	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
+	client, _ := ssl.NewClient(d.credential, "", cpf)
+
+	request := ssl.NewDescribeDeployedResourcesRequest()
+	request.CertificateIds = common.StringPtrs([]string{certId})
+	request.ResourceType = common.StringPtr("cdn")
+
+	response, err := client.DescribeDeployedResources(request)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get deployed domain list: %w", err)
+	}
+
+	domains := make([]string, 0)
+	for _, domain := range response.Response.DeployedResources[0].Resources {
 		domains = append(domains, *domain)
 	}