#!/bin/bash ##!name: 腾讯云 EdgeOne 证书自动同步 (子模块) ##!desc: 被主脚本调用,监控证书变化并下发至 EdgeOne 加速节点 set -euo pipefail # ================= 基础配置区域 ================= ACME_DIR="/ql/data/acme" # 作为子模块,不再独立发送邮件,将报告写入临时文件供主脚本读取 REPORT_FILE="/tmp/eo_sync_report.txt" EMAIL_REPORT="【EdgeOne 边缘节点同步明细】\n\n" HAS_UPDATE=0 HAS_ERROR=0 # ================= EO 站点配置矩阵 ================= # 格式:域名 | 腾讯云SecretId | 腾讯云SecretKey | EO站点ID(ZoneId) | 需要绑定的EO域名(多个用逗号隔开) EO_DOMAINS_CONFIG=( "example.com|${TC_ID_2:-}|${TC_KEY_2:-}|${EO_ZONE_ID_EXAMPLE:-}|example.com" # 👈 【脱敏说明】换成了 example.com ) # =================================================== # 准备内部 Python 脚本 cat > /tmp/eo_ssl_update.py << 'EOF' import os, sys, json, time, hashlib, hmac, urllib.request, urllib.error from datetime import datetime def sign(key, msg): return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest() def tencent_api_call(secret_id, secret_key, service, version, action, payload_dict): endpoint = f"{service}.tencentcloudapi.com" payload = json.dumps(payload_dict) timestamp = int(time.time()) date = datetime.utcfromtimestamp(timestamp).strftime("%Y-%m-%d") canonical_headers = f"content-type:application/json\nhost:{endpoint}\n" signed_headers = "content-type;host" hashed_request_payload = hashlib.sha256(payload.encode("utf-8")).hexdigest() canonical_request = f"POST\n/\n\n{canonical_headers}\n{signed_headers}\n{hashed_request_payload}" credential_scope = f"{date}/{service}/tc3_request" hashed_canonical_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest() string_to_sign = f"TC3-HMAC-SHA256\n{timestamp}\n{credential_scope}\n{hashed_canonical_request}" secret_date = sign(("TC3" + secret_key).encode("utf-8"), date) secret_service = sign(secret_date, service) secret_signing = sign(secret_service, "tc3_request") signature = hmac.new(secret_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest() authorization = f"TC3-HMAC-SHA256 Credential={secret_id}/{credential_scope}, SignedHeaders={signed_headers}, Signature={signature}" headers = { "Authorization": authorization, "Content-Type": "application/json", "Host": endpoint, "X-TC-Action": action, "X-TC-Version": version, "X-TC-Timestamp": str(timestamp) } req = urllib.request.Request(f"https://{endpoint}", data=payload.encode("utf-8"), headers=headers) try: with urllib.request.urlopen(req) as response: res = json.loads(response.read().decode("utf-8")) if "Error" in res.get("Response", {}): raise Exception(res["Response"]["Error"]["Message"]) return res["Response"] except urllib.error.HTTPError as e: raise Exception(e.read().decode("utf-8")) def main(): secret_id, secret_key = os.environ.get("Tencent_SecretId"), os.environ.get("Tencent_SecretKey") zone_id, hosts_str = os.environ.get("EO_ZONE_ID"), os.environ.get("EO_HOSTS") cert_path, key_path = os.environ.get("CERT_PATH"), os.environ.get("KEY_PATH") if not all([secret_id, secret_key, zone_id, hosts_str, cert_path, key_path]): print("⚠️ 缺少必要的 EdgeOne 环境变量。") sys.exit(1) hosts = [h.strip() for h in hosts_str.split(',') if h.strip()] with open(cert_path, 'r') as f: cert_content = f.read() with open(key_path, 'r') as f: key_content = f.read() print(f" [API] 正在将新证书上传至腾讯云 SSL 托管中心...") ssl_payload = { "CertificatePublicKey": cert_content, "CertificatePrivateKey": key_content, "CertificateType": "SVR", "Alias": f"AutoDeploy_{hosts[0]}_{int(time.time())}" } try: cert_id = tencent_api_call(secret_id, secret_key, "ssl", "2019-12-05", "UploadCertificate", ssl_payload)["CertificateId"] print(f" [API] 上传成功,获得托管证书 ID: {cert_id}") except Exception as e: print(f"❌ SSL 上传失败: {e}"); sys.exit(1) print(f" [API] 正在将证书下发至 EdgeOne 节点: {hosts} ...") teo_payload = {"ZoneId": zone_id, "Hosts": hosts, "Mode": "sslcert", "ServerCertInfo": [{"CertId": cert_id}]} try: tencent_api_call(secret_id, secret_key, "teo", "2022-09-01", "ModifyHostsCertificate", teo_payload) print(" [API] EdgeOne 边缘节点证书绑定成功!") except Exception as e: print(f"❌ EdgeOne 绑定失败: {e}"); sys.exit(1) if __name__ == "__main__": main() EOF # ================= 核心业务逻辑 ================= for config in "${EO_DOMAINS_CONFIG[@]}"; do IFS='|' read -r DOMAIN TC_ID TC_KEY EO_ZONE_ID EO_HOSTS <<< "$config" if [ -z "$EO_ZONE_ID" ]; then continue fi # 1. 提取当前青龙面板中最新的证书 LOCAL_SSL_DIR="/tmp/eo_ssl_$DOMAIN" mkdir -p "$LOCAL_SSL_DIR" bash "$ACME_DIR/acme.sh" --install-cert --home "$ACME_DIR" -d "$DOMAIN" --key-file "$LOCAL_SSL_DIR/$DOMAIN.key.pem" --fullchain-file "$LOCAL_SSL_DIR/$DOMAIN.pem" >/dev/null 2>&1 || true if [ ! -f "$LOCAL_SSL_DIR/$DOMAIN.pem" ]; then continue; fi # 2. 计算 MD5 判断是否需要更新 MD5_FILE="/ql/data/eo_cert_md5_$DOMAIN.txt" CURRENT_MD5=$(md5sum "$LOCAL_SSL_DIR/$DOMAIN.pem" | awk '{print $1}') OLD_MD5="" [ -f "$MD5_FILE" ] && OLD_MD5=$(cat "$MD5_FILE") if [ "$CURRENT_MD5" == "$OLD_MD5" ]; then echo "✅ [$DOMAIN] 证书 MD5 未变化,跳过 EdgeOne 同步。" EMAIL_REPORT="${EMAIL_REPORT}✅ [${DOMAIN}]: 证书指纹未变化,跳过 EdgeOne 同步。\n" continue fi # 3. 触发 Python 脚本同步 API echo "⚡ [$DOMAIN] 检测到新证书!开始执行 EdgeOne 节点同步..." HAS_UPDATE=1 export Tencent_SecretId="$TC_ID" export Tencent_SecretKey="$TC_KEY" export EO_ZONE_ID="$EO_ZONE_ID" export EO_HOSTS="$EO_HOSTS" export CERT_PATH="$LOCAL_SSL_DIR/$DOMAIN.pem" export KEY_PATH="$LOCAL_SSL_DIR/$DOMAIN.key.pem" if python3 /tmp/eo_ssl_update.py; then echo "🎉 [$DOMAIN] EdgeOne 同步成功!" EMAIL_REPORT="${EMAIL_REPORT}🎉 [${DOMAIN}]: 新证书已成功上传并绑定至 EdgeOne 节点 (${EO_HOSTS})!\n" echo "$CURRENT_MD5" > "$MD5_FILE" else echo "❌ [$DOMAIN] EdgeOne 同步失败!" EMAIL_REPORT="${EMAIL_REPORT}❌ [${DOMAIN}]: EdgeOne 节点同步失败,请检查日志。\n" HAS_ERROR=1 fi done # 清理 Python 临时脚本 rm -f /tmp/eo_ssl_update.py # 将合并报告输出到指定文件,供主脚本读取 echo -e "$EMAIL_REPORT" > "$REPORT_FILE" # 返回状态码给主脚本 if [ $HAS_ERROR -eq 1 ]; then exit 1 else exit 0 fi