这是一个创建于 455 天前的主题,其中的信息可能已经有所发展或是发生改变。
试着写了一下 ACME dnsapi 的腾讯云 API3.0 版本,但是执行的时候卡到了计算签名的过程 签名算法说明文档: https://cloud.tencent.com/document/api/1427/56189
++ _hmac sha256 de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa dnspod hex
++ alg=sha256
++ secret_hex=de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
++ outputhex=dnspod
++ '[' -z de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa ']'
++ '[' sha256 = sha256 ']'
++ '[' dnspod ']'
++ tr -d ' '
++ openssl dgst -sha256 -mac HMAC -macopt hexkey:de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa
卡这不动了
代码如下
#!/usr/bin/env sh
set -x
Tencent_API="https://dnspod.tencentcloudapi.com"
#Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA"
#Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA"
#Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
dns_tencent_add() {
fulldomain=$1
txtvalue=$2
Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then
Tencent_SecretId=""
Tencent_SecretKey=""
_err "You don't specify tencent api SecretId and SecretKey yet."
return 1
fi
#save the api SecretId and SecretKey to the account conf file.
_saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId"
_saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
return 1
fi
_debug "Add record"
_add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord"
}
dns_tencent_rm() {
fulldomain=$1
txtvalue=$2
Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
_debug "First detect the root zone"
if ! _get_root "$fulldomain"; then
return 1
fi
_debug "Get record list"
_describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"
record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
_debug2 record_id "$record_id"
if [ -z "$record_id" ]; then
_debug "record not found, skip"
else
_debug "Delete record"
_delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
fi
}
#################### Private functions below ##################################
_get_root() {
domain=$1
i=2
p=1
while true; do
h=$(printf "%s" "$domain" | cut -d . -f $i-100)
if [ -z "$h" ]; then
#not valid
return 1
fi
_describe_records_query "$h" "@"
if ! _tencent_rest "DescribeRecordList" "ignore"; then
return 1
fi
if _contains "$response" "\"TotalCount\":"; then
_sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
_debug _sub_domain "$_sub_domain"
_domain="$h"
_debug _domain "$_domain"
return 0
fi
p="$i"
i=$(_math "$i" + 1)
done
return 1
}
_tencent_rest() {
action=$1
timestamp=$(date -u +%s)
date=$(date -u +"%Y-%m-%d")
service="dnspod"
algorithm="TC3-HMAC-SHA256"
signedHeaders="content-type;host;x-tc-action;x-tc-timestamp;x-tc-version;x-tc-region"
payloadHash=$(printf "%s" "$query" | _digest "sha256" hex)
canonicalRequest="POST\n/\n\ncontent-type:application/json;charset=utf-8\nhost:dnspod.tencentcloudapi.com\nx-tc-action:$action\nx-tc-timestamp:$timestamp\nx-tc-version:2018-08-13\nx-tc-region:ap-guangzhou\n\n$signedHeaders\n$payloadHash"
hashedCanonicalRequest=$(printf "%s" "$canonicalRequest" | _digest "sha256" hex)
credentialScope="$date/$service/tc3_request"
stringToSign="$algorithm\n$timestamp\n$credentialScope\n$hashedCanonicalRequest"
secretDate=$(printf "%s" "TC3$Tencent_SecretKey" | _hmac "sha256" "$date" hex)
secretService=$(_hmac "sha256" "$secretDate" "$service" hex)
secretSigning=$(_hmac "sha256" "$secretService" "tc3_request" hex)
signature=$(_hmac "sha256" "$secretSigning" "$stringToSign" hex)
authorization="$algorithm Credential=$Tencent_SecretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
header="Authorization: $authorization"
header="$header"$'\n'"Content-Type: application/json;charset=utf-8"
header="$header"$'\n'"Host: dnspod.tencentcloudapi.com"
header="$header"$'\n'"X-TC-Action: $action"
header="$header"$'\n'"X-TC-Timestamp: $timestamp"
header="$header"$'\n'"X-TC-Version: 2018-08-13"
header="$header"$'\n'"X-TC-Region: ap-guangzhou"
if ! response="$(_post "$query" "$Tencent_API" "" "POST" "application/json" "$header")"; then
_err "Error <$1>"
return 1
fi
_debug2 response "$response"
if [ -z "$2" ]; then
message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
if [ "$message" ]; then
_err "$message"
return 1
fi
fi
}
_add_record_query() {
query=$(cat <<EOF
{
"Domain": "$1",
"SubDomain": "$2",
"RecordType": "TXT",
"RecordLine": "默认",
"Value": "$3",
"TTL": 600
}
EOF
)
}
_describe_records_query() {
query=$(cat <<EOF
{
"Offset": 0,
"Limit": 3000,
"Domain": "$1",
"Subdomain": "$2",
"RecordType": "TXT",
"RecordLine": "默认"
}
EOF
)
}
_delete_record_query() {
query=$(cat <<EOF
{
"Domain": "$_domain",
"RecordId": $1
}
EOF
)
}
_clean() {
_describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList"
record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
_debug2 record_id "$record_id"
if [ -z "$record_id" ]; then
_debug "record not found, skip"
else
_delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
fi
}
加了个 set -x 便于调试
第 1 条附言 · 2023-08-31 20:11:27 +08:00
官方答复后续将支持 shell 、lua 、dart 、swift 四个语言的签名代码,发布到官网 API 中心+github ,预计 9 月 30 日完成;
另外 shell 可以参考另外一个大佬的 demo: https://www.rehiy.com/post/534/
另外 shell 可以参考另外一个大佬的 demo: https://www.rehiy.com/post/534/
 |
1
xiangyuecn 2023-08-25 08:23:33 +08:00
中情局最喜欢你这样的了
|
 |
2
kincaid OP @xiangyuecn 腾讯云搞这套算法搞的,想要签名就得装一堆依赖,在 acme 上基本行不通哇
|
Select Language