CDN Certificate Automatic Refresh

Apr 29, 2024295

AI Translation

This post is translated from Chinese into English through AI.View Original

AI-generated summary

The reason for this script is to automatically update SSL certificates for CDN using a panel called 1panel. The script makes API calls to a cloud service provider (Dogecloud) to delete existing certificates, upload new ones, and activate them. This allows for automatic configuration of CDN certificates, which can be scheduled to run monthly for certificate updates.

Cause: Because configuring domestic CDNs usually requires manually uploading certificates, but the domain name certificates I applied for are usually valid for three months, so I wanted to write a script to automatically update the certificates.
Environment:
1panel (a domestic panel, automatically applies for certificates, and has other powerful functions, very convenient)

Taking the Doyun cloud I use as an example, you can find the corresponding SDK for other manufacturers.
The code is as follows:

from hashlib import sha1
import hmac
import requests
import json
import urllib

def dogecloud_api(api_path, data={}, json_mode=False):
    """
    Call the Doyun cloud API

    :param api_path:    The API interface address to call, including the URL request parameters QueryString, for example: /console/vfetch/add.json?url=xxx&a=1&b=2
    :param data:        The data to be POSTed, a dictionary, for example {'a': 1, 'b': 2}, passing this parameter indicates that it is not a GET request but a POST request
    :param json_mode:   Whether the data is requested in JSON format, the default is false, which means to use the form format (a=1&b=2)

    :type api_path: string
    :type data: dict
    :type json_mode bool

    :return dict: The returned data
    """

    # Replace with your Doyun cloud permanent AccessKey and SecretKey, which can be viewed in the user center - key management
    # Do not expose the AccessKey and SecretKey on the client, otherwise malicious users will gain full control of the account
    access_key = ''
    secret_key = ''

    body = ''
    mime = ''
    if json_mode:
        body = json.dumps(data)
        mime = 'application/json'
    else:
        body = urllib.parse.urlencode(data) # In Python 2, you can directly use urllib.urlencode
        mime = 'application/x-www-form-urlencoded'
    sign_str = api_path + "\n" + body
    signed_data = hmac.new(secret_key.encode('utf-8'), sign_str.encode('utf-8'), sha1)
    sign = signed_data.digest().hex()
    authorization = 'TOKEN ' + access_key + ':' + sign
    response = requests.post('https://api.dogecloud.com' + api_path, data=body, headers = {
        'Authorization': authorization,
        'Content-Type': mime
    })
    return response.json()
api = dogecloud_api('/cdn/cert/list.json')
if api['code'] == 200:
    for cert in api['data']['certs']:
        ssl_next_id = cert['id']
        delet_api = dogecloud_api('/cdn/cert/delete.json', {
    'id': cert['id']
})
else:
    print("api failed: " + api['msg']) # Failed
# The following two paths are the certificate paths automatically generated by 1panel
with open('/opt/1panel/apps/openresty/openresty/www/sites/xxxx/ssl/fullchain.pem') as fullchain:
    full = fullchain.read()
with open('/opt/1panel/apps/openresty/openresty/www/sites/xxxx/ssl/privkey.pem') as privkey:
    priv = privkey.read()
api = dogecloud_api('/cdn/cert/upload.json', {
    "note": f"Automatic certificate {ssl_next_id}",
    "cert": full,
    "private": priv
})
if api['code'] == 200:
    ssl_id = api['data']['id']
else:
    print("api failed: " + api['msg']) # Failed
api = dogecloud_api('/cdn/domain/config.json?domain=cdn.example.com', {
    'cert_id': ssl_id
}, True)

The basic implementation idea is to first delete the existing certificate, then add the read certificate, and then upload and activate the uploaded certificate, so as to achieve automatic configuration of CDN certificates. You can use the automatic timing execution script function of 1panel to execute it every month to update the certificate. It really implements a strange little trick✊✊✊.

from hashlib import sha1 import hmac import requests import json import urllib def dogecloud_api(api_path, data={}, json_mode=False): """ Call the Doyun cloud API :param api_path: The API interface address to call, including the URL request parameters QueryString, for example: /console/vfetch/add.json?url=xxx&a=1&b=2 :param data: The data to be POSTed, a dictionary, for example {'a': 1, 'b': 2}, passing this parameter indicates that it is not a GET request but a POST request :param json_mode: Whether the data is requested in JSON format, the default is false, which means to use the form format (a=1&b=2) :type api_path: string :type data: dict :type json_mode bool :return dict: The returned data """ # Replace with your Doyun cloud permanent AccessKey and SecretKey, which can be viewed in the user center - key management # Do not expose the AccessKey and SecretKey on the client, otherwise malicious users will gain full control of the account access_key = '' secret_key = '' body = '' mime = '' if json_mode: body = json.dumps(data) mime = 'application/json' else: body = urllib.parse.urlencode(data) # In Python 2, you can directly use urllib.urlencode mime = 'application/x-www-form-urlencoded' sign_str = api_path + "\n" + body signed_data = hmac.new(secret_key.encode('utf-8'), sign_str.encode('utf-8'), sha1) sign = signed_data.digest().hex() authorization = 'TOKEN ' + access_key + ':' + sign response = requests.post('https://api.dogecloud.com' + api_path, data=body, headers = { 'Authorization': authorization, 'Content-Type': mime }) return response.json() api = dogecloud_api('/cdn/cert/list.json') if api['code'] == 200: for cert in api['data']['certs']: ssl_next_id = cert['id'] delet_api = dogecloud_api('/cdn/cert/delete.json', { 'id': cert['id'] }) else: print("api failed: " + api['msg']) # Failed # The following two paths are the certificate paths automatically generated by 1panel with open('/opt/1panel/apps/openresty/openresty/www/sites/xxxx/ssl/fullchain.pem') as fullchain: full = fullchain.read() with open('/opt/1panel/apps/openresty/openresty/www/sites/xxxx/ssl/privkey.pem') as privkey: priv = privkey.read() api = dogecloud_api('/cdn/cert/upload.json', { "note": f"Automatic certificate {ssl_next_id}", "cert": full, "private": priv }) if api['code'] == 200: ssl_id = api['data']['id'] else: print("api failed: " + api['msg']) # Failed api = dogecloud_api('/cdn/domain/config.json?domain=cdn.example.com', { 'cert_id': ssl_id }, True)