1.4.5.2

2026-02-04 20:27:13 +08:00
commit 3b042d1dad
9410 changed files with 1488147 additions and 0 deletions
--- a/EdgeAPI/internal/acme/account.go
+++ b/EdgeAPI/internal/acme/account.go
@@ -0,0 +1,8 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package acme
+
+type Account struct {
+	EABKid string
+	EABKey string
+}
--- a/EdgeAPI/internal/acme/acme_test.go
+++ b/EdgeAPI/internal/acme/acme_test.go
@@ -0,0 +1,147 @@
+package acme
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/lego"
+	acmelog "github.com/go-acme/lego/v4/log"
+	"io"
+	"log"
+	"testing"
+
+	"github.com/go-acme/lego/v4/registration"
+)
+
+// You'll need a user or account type that implements acme.User
+type MyUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *MyUser) GetEmail() string {
+	return u.Email
+}
+func (u MyUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+type MyProvider struct {
+	t *testing.T
+}
+
+func (this *MyProvider) Present(domain, token, keyAuth string) error {
+	fqdn, value := dns01.GetRecord(domain, keyAuth)
+	this.t.Log("provider: domain:", domain, "fqdn:", fqdn, "value:", value)
+	return nil
+}
+
+func (this *MyProvider) CleanUp(domain, token, keyAuth string) error {
+	return nil
+}
+
+// 参考  https://go-acme.github.io/lego/usage/library/
+func TestGenerate(t *testing.T) {
+	acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+
+	// 生成私钥
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	myUser := &MyUser{
+		Email: "test1@teaos.cn",
+		key:   privateKey,
+	}
+
+	config := lego.NewConfig(myUser)
+	config.CADirURL = "https://acme.zerossl.com/v2/DV90"
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = client.Challenge.SetDNS01Provider(&MyProvider{t: t})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// New users will need to register
+	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if err != nil {
+		t.Fatal(err)
+	}
+	myUser.Registration = reg
+
+	request := certificate.ObtainRequest{
+		Domains: []string{"teaos.com"},
+		Bundle:  true,
+	}
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(certificates)
+}
+
+func TestGenerate_EAB(t *testing.T) {
+	acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+
+	// 生成私钥
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	myUser := &MyUser{
+		Email: "test1@teaos.cn",
+		key:   privateKey,
+	}
+
+	config := lego.NewConfig(myUser)
+	config.CADirURL = "https://acme.zerossl.com/v2/DV90"
+	config.Certificate.KeyType = certcrypto.RSA2048
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = client.Challenge.SetDNS01Provider(&MyProvider{t: t})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// New users will need to register
+	var reg *registration.Resource
+	if client.GetExternalAccountRequired() {
+		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  "KID",
+			HmacEncoded:          "HAMC KEY",
+		})
+	} else {
+		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	myUser.Registration = reg
+
+	request := certificate.ObtainRequest{
+		Domains: []string{"teaos.cn"},
+		Bundle:  true,
+	}
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(certificates)
+}
--- a/EdgeAPI/internal/acme/auth_callback.go
+++ b/EdgeAPI/internal/acme/auth_callback.go
@@ -0,0 +1,3 @@
+package acme
+
+type AuthCallback func(domain, token, keyAuth string)
--- a/EdgeAPI/internal/acme/dns_provider.go
+++ b/EdgeAPI/internal/acme/dns_provider.go
@@ -0,0 +1,88 @@
+package acme
+
+import (
+	"fmt"
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients/dnstypes"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/iwind/TeaGo/lists"
+	"os"
+	"strings"
+	"sync"
+	"time"
+)
+
+type DNSProvider struct {
+	raw       dnsclients.ProviderInterface
+	dnsDomain string
+
+	locker             sync.Mutex
+	deletedRecordNames []string
+}
+
+func NewDNSProvider(raw dnsclients.ProviderInterface, dnsDomain string) *DNSProvider {
+	return &DNSProvider{
+		raw:       raw,
+		dnsDomain: dnsDomain,
+	}
+}
+
+func (this *DNSProvider) Present(domain, token, keyAuth string) error {
+	_ = os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", "true")
+	var info = dns01.GetChallengeInfo(domain, keyAuth)
+
+	var fqdn = info.EffectiveFQDN
+	var value = info.Value
+
+	// 设置记录
+	var index = strings.Index(fqdn, "."+this.dnsDomain)
+	if index < 0 {
+		return errors.New("invalid fqdn value")
+	}
+	var recordName = fqdn[:index]
+
+	// 先删除老的
+	this.locker.Lock()
+	var wasDeleted = lists.ContainsString(this.deletedRecordNames, recordName)
+	this.locker.Unlock()
+
+	if !wasDeleted {
+		records, err := this.raw.QueryRecords(this.dnsDomain, recordName, dnstypes.RecordTypeTXT)
+		if err != nil {
+			return fmt.Errorf("query DNS record failed: %w", err)
+		}
+		for _, record := range records {
+			err = this.raw.DeleteRecord(this.dnsDomain, record)
+			if err != nil {
+				return err
+			}
+		}
+		this.locker.Lock()
+		this.deletedRecordNames = append(this.deletedRecordNames, recordName)
+		this.locker.Unlock()
+	}
+
+	// 添加新的
+	err := this.raw.AddRecord(this.dnsDomain, &dnstypes.Record{
+		Id:    "",
+		Name:  recordName,
+		Type:  dnstypes.RecordTypeTXT,
+		Value: value,
+		Route: this.raw.DefaultRoute(),
+		TTL:   this.raw.MinTTL(),
+	})
+	if err != nil {
+		return fmt.Errorf("create DNS record failed: %w", err)
+	}
+
+	return nil
+}
+
+func (this *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return 2 * time.Minute, 2 * time.Second
+}
+
+func (this *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	return nil
+}
--- a/EdgeAPI/internal/acme/http_provider.go
+++ b/EdgeAPI/internal/acme/http_provider.go
@@ -0,0 +1,23 @@
+package acme
+
+type HTTPProvider struct {
+	onAuth AuthCallback
+}
+
+func NewHTTPProvider(onAuth AuthCallback) *HTTPProvider {
+	return &HTTPProvider{
+		onAuth: onAuth,
+	}
+}
+
+func (this *HTTPProvider) Present(domain, token, keyAuth string) error {
+	if this.onAuth != nil {
+		this.onAuth(domain, token, keyAuth)
+	}
+	//http01.ChallengePath()
+	return nil
+}
+
+func (this *HTTPProvider) CleanUp(domain, token, keyAuth string) error {
+	return nil
+}
--- a/EdgeAPI/internal/acme/key.go
+++ b/EdgeAPI/internal/acme/key.go
@@ -0,0 +1,15 @@
+package acme
+
+import (
+	"crypto/x509"
+	"encoding/base64"
+)
+
+func ParsePrivateKeyFromBase64(base64String string) (interface{}, error) {
+	data, err := base64.StdEncoding.DecodeString(base64String)
+	if err != nil {
+		return nil, err
+	}
+
+	return x509.ParsePKCS8PrivateKey(data)
+}
--- a/EdgeAPI/internal/acme/providers.go
+++ b/EdgeAPI/internal/acme/providers.go
@@ -0,0 +1,24 @@
+// Copyright 2021 Liuxiangchao iwind.liu@gmail.com. All rights reserved.
+
+package acme
+
+const DefaultProviderCode = "letsencrypt"
+
+type Provider struct {
+	Name           string `json:"name"`
+	Code           string `json:"code"`
+	Description    string `json:"description"`
+	APIURL         string `json:"apiURL"`
+	TestAPIURL     string `json:"testAPIURL"`
+	RequireEAB     bool   `json:"requireEAB"`
+	EABDescription string `json:"eabDescription"`
+}
+
+func FindProviderWithCode(code string) *Provider {
+	for _, provider := range FindAllProviders() {
+		if provider.Code == code {
+			return provider
+		}
+	}
+	return nil
+}
--- a/EdgeAPI/internal/acme/providers_ext.go
+++ b/EdgeAPI/internal/acme/providers_ext.go
@@ -0,0 +1,24 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build !plus
+
+package acme
+
+func FindAllProviders() []*Provider {
+	return []*Provider{
+		{
+			Name:        "Let's Encrypt",
+			Code:        DefaultProviderCode,
+			Description: "非盈利组织Let's Encrypt提供的免费证书。",
+			APIURL:      "https://acme-v02.api.letsencrypt.org/directory",
+			RequireEAB:  false,
+		},
+		{
+			Name:           "ZeroSSL",
+			Code:           "zerossl",
+			Description:    "相关文档 <a href=\"https://zerossl.com/documentation/acme/\" target=\"_blank\">https://zerossl.com/documentation/acme/</a>。",
+			APIURL:         "https://acme.zerossl.com/v2/DV90",
+			RequireEAB:     true,
+			EABDescription: "在官网<a href=\"https://app.zerossl.com/developer\" target=\"_blank\">[Developer]</a>页面底部点击\"Generate\"按钮生成。",
+		},
+	}
+}
--- a/EdgeAPI/internal/acme/providers_ext_plus.go
+++ b/EdgeAPI/internal/acme/providers_ext_plus.go
@@ -0,0 +1,67 @@
+// Copyright 2022 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+//go:build plus
+
+package acme
+
+import teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
+
+func FindAllProviders() []*Provider {
+	var providers = []*Provider{
+		{
+			Name:        "Let's Encrypt",
+			Code:        DefaultProviderCode,
+			Description: "非盈利组织Let's Encrypt提供的免费证书。",
+			APIURL:      "https://acme-v02.api.letsencrypt.org/directory",
+			RequireEAB:  false,
+		},
+	}
+
+	// 商业版
+	if teaconst.IsPlus {
+		providers = append(providers, []*Provider{
+			{
+				Name:        "Buypass",
+				Code:        "buypass",
+				Description: "Buypass提供的免费证书。",
+				APIURL:      "https://api.buypass.com/acme/directory",
+				TestAPIURL:  "https://api.test4.buypass.no/acme/directory",
+				RequireEAB:  false,
+			},
+		}...)
+	}
+
+	providers = append(providers, []*Provider{
+		{
+			Name:           "ZeroSSL",
+			Code:           "zerossl",
+			Description:    "官方相关文档 <a href=\"https://zerossl.com/documentation/acme/\" target=\"_blank\">https://zerossl.com/documentation/acme/</a>。",
+			APIURL:         "https://acme.zerossl.com/v2/DV90",
+			RequireEAB:     true,
+			EABDescription: "在官网<a href=\"https://app.zerossl.com/developer\" target=\"_blank\">[Developer]</a>页面底部点击\"Generate\"按钮生成。",
+		},
+	}...)
+
+	// 商业版
+	if teaconst.IsPlus {
+		providers = append(providers, []*Provider{
+			{
+				Name:           "SSL.com",
+				Code:           "sslcom",
+				Description:    "官方相关文档 <a href=\"https://www.ssl.com/guide/ssl-tls-certificate-issuance-and-revocation-with-acme/\" target=\"_blank\">https://www.ssl.com/guide/ssl-tls-certificate-issuance-and-revocation-with-acme/</a>。",
+				APIURL:         "https://acme.ssl.com/sslcom-dv-rsa",
+				RequireEAB:     true,
+				EABDescription: "登录SSL.com后，点击Dashboard中的api credentials链接，可以查看和创建密钥，EAB Kid对应界面中的Account/ACME Key，EAB HMAC Key对应界面中的HMAC Key。",
+			},
+			{
+				Name:           "Google Cloud",
+				Code:           "googleCloud",
+				Description:    "官方相关文档 <a href=\"https://cloud.google.com/certificate-manager/docs/public-ca-tutorial\" target=\"_blank\">https://cloud.google.com/certificate-manager/docs/public-ca-tutorial</a>",
+				APIURL:         "https://dv.acme-v02.api.pki.goog/directory",
+				RequireEAB:     true,
+				EABDescription: "请根据Google Cloud官方文档运行 <code-label>gcloud publicca external-account-keys create</code-label> 获得Kid（对应keyId）和Key（对应b64MacKey）。",
+			},
+		}...)
+	}
+
+	return providers
+}
--- a/EdgeAPI/internal/acme/request.go
+++ b/EdgeAPI/internal/acme/request.go
@@ -0,0 +1,215 @@
+package acme
+
+import (
+	"fmt"
+	teaconst "github.com/TeaOSLab/EdgeAPI/internal/const"
+	"github.com/TeaOSLab/EdgeAPI/internal/errors"
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/lego"
+	acmelog "github.com/go-acme/lego/v4/log"
+	"github.com/go-acme/lego/v4/registration"
+	"github.com/iwind/TeaGo/Tea"
+	"io"
+	"log"
+)
+
+type Request struct {
+	debug bool
+
+	task   *Task
+	onAuth AuthCallback
+}
+
+func NewRequest(task *Task) *Request {
+	return &Request{
+		task: task,
+	}
+}
+
+func (this *Request) Debug() {
+	this.debug = true
+}
+
+func (this *Request) OnAuth(onAuth AuthCallback) {
+	this.onAuth = onAuth
+}
+
+func (this *Request) Run() (certData []byte, keyData []byte, err error) {
+	if this.task.Provider == nil {
+		err = errors.New("provider should not be nil")
+		return
+	}
+	if this.task.Provider.RequireEAB && this.task.Account == nil {
+		err = errors.New("account should not be nil when provider require EAB")
+		return
+	}
+
+	switch this.task.AuthType {
+	case AuthTypeDNS:
+		return this.runDNS()
+	case AuthTypeHTTP:
+		return this.runHTTP()
+	default:
+		err = errors.New("invalid task type '" + this.task.AuthType + "'")
+		return
+	}
+}
+
+func (this *Request) runDNS() (certData []byte, keyData []byte, err error) {
+	if !this.debug {
+		if !Tea.IsTesting() {
+			acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+		}
+	}
+
+	if this.task.User == nil {
+		err = errors.New("'user' must not be nil")
+		return
+	}
+	if this.task.DNSProvider == nil {
+		err = errors.New("'dnsProvider' must not be nil")
+		return
+	}
+	if len(this.task.DNSDomain) == 0 {
+		err = errors.New("'dnsDomain' must not be empty")
+		return
+	}
+	if len(this.task.Domains) == 0 {
+		err = errors.New("'domains' must not be empty")
+		return
+	}
+
+	var config = lego.NewConfig(this.task.User)
+	config.Certificate.KeyType = certcrypto.RSA2048
+	config.CADirURL = this.task.Provider.APIURL
+	config.UserAgent = teaconst.ProductName + "/" + teaconst.Version
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 注册用户
+	var resource = this.task.User.GetRegistration()
+	if resource != nil {
+		_, err = client.Registration.QueryRegistration()
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		if this.task.Provider.RequireEAB {
+			resource, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  this.task.Account.EABKid,
+				HmacEncoded:          this.task.Account.EABKey,
+			})
+			if err != nil {
+				return nil, nil, fmt.Errorf("register user failed: %w", err)
+			}
+			err = this.task.User.Register(resource)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else {
+			resource, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			if err != nil {
+				return nil, nil, err
+			}
+			err = this.task.User.Register(resource)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+	}
+
+	err = client.Challenge.SetDNS01Provider(NewDNSProvider(this.task.DNSProvider, this.task.DNSDomain))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 申请证书
+	var request = certificate.ObtainRequest{
+		Domains: this.task.Domains,
+		Bundle:  true,
+	}
+	certResource, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return nil, nil, fmt.Errorf("obtain cert failed: %w", err)
+	}
+
+	return certResource.Certificate, certResource.PrivateKey, nil
+}
+
+func (this *Request) runHTTP() (certData []byte, keyData []byte, err error) {
+	if !this.debug {
+		if !Tea.IsTesting() {
+			acmelog.Logger = log.New(io.Discard, "", log.LstdFlags)
+		}
+	}
+
+	if this.task.User == nil {
+		err = errors.New("'user' must not be nil")
+		return
+	}
+
+	var config = lego.NewConfig(this.task.User)
+	config.Certificate.KeyType = certcrypto.RSA2048
+	config.CADirURL = this.task.Provider.APIURL
+	config.UserAgent = teaconst.ProductName + "/" + teaconst.Version
+
+	client, err := lego.NewClient(config)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 注册用户
+	var resource = this.task.User.GetRegistration()
+	if resource != nil {
+		_, err = client.Registration.QueryRegistration()
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		if this.task.Provider.RequireEAB {
+			resource, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  this.task.Account.EABKid,
+				HmacEncoded:          this.task.Account.EABKey,
+			})
+			if err != nil {
+				return nil, nil, fmt.Errorf("register user failed: %w", err)
+			}
+			err = this.task.User.Register(resource)
+			if err != nil {
+				return nil, nil, err
+			}
+		} else {
+			resource, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+			if err != nil {
+				return nil, nil, err
+			}
+			err = this.task.User.Register(resource)
+			if err != nil {
+				return nil, nil, err
+			}
+		}
+	}
+
+	err = client.Challenge.SetHTTP01Provider(NewHTTPProvider(this.onAuth))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 申请证书
+	var request = certificate.ObtainRequest{
+		Domains: this.task.Domains,
+		Bundle:  true,
+	}
+	certResource, err := client.Certificate.Obtain(request)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certResource.Certificate, certResource.PrivateKey, nil
+}
--- a/EdgeAPI/internal/acme/request_test.go
+++ b/EdgeAPI/internal/acme/request_test.go
@@ -0,0 +1,109 @@
+package acme
+
+import (
+	"encoding/json"
+	"github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
+	"github.com/go-acme/lego/v4/registration"
+	_ "github.com/go-sql-driver/mysql"
+	_ "github.com/iwind/TeaGo/bootstrap"
+	"github.com/iwind/TeaGo/dbs"
+	"github.com/iwind/TeaGo/maps"
+	"testing"
+)
+
+func TestRequest_Run_DNS(t *testing.T) {
+	privateKey, err := ParsePrivateKeyFromBase64("MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgD3xxDXP4YVqHCfub21Yi3QL1Kvgow23J8CKJ7vU3L4+hRANCAARRl5ZKAlgGRc5RETSMYFCTXvjnePDgjALWgtgfClQGLB2rGyRecJvlesAM6Q7LQrDxVxvxdSQQmPGRqJGiBtjd")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	user := NewUser("19644627@qq.com", privateKey, func(resource *registration.Resource) error {
+		resourceJSON, err := json.Marshal(resource)
+		if err != nil {
+			return err
+		}
+		t.Log(string(resourceJSON))
+		return nil
+	})
+
+	regResource := []byte(`{"body":{"status":"valid","contact":["mailto:19644627@qq.com"]},"uri":"https://acme-v02.api.letsencrypt.org/acme/acct/103672877"}`)
+	err = user.SetRegistration(regResource)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	dnsProvider, err := testDNSPodProvider()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := NewRequest(&Task{
+		User:        user,
+		AuthType:    AuthTypeDNS,
+		DNSProvider: dnsProvider,
+		DNSDomain:   "yun4s.cn",
+		Domains:     []string{"www.yun4s.cn"},
+	})
+	certData, keyData, err := req.Run()
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log("cert:", string(certData))
+	t.Log("key:", string(keyData))
+}
+
+func TestRequest_Run_HTTP(t *testing.T) {
+	privateKey, err := ParsePrivateKeyFromBase64("MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgD3xxDXP4YVqHCfub21Yi3QL1Kvgow23J8CKJ7vU3L4+hRANCAARRl5ZKAlgGRc5RETSMYFCTXvjnePDgjALWgtgfClQGLB2rGyRecJvlesAM6Q7LQrDxVxvxdSQQmPGRqJGiBtjd")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	user := NewUser("19644627@qq.com", privateKey, func(resource *registration.Resource) error {
+		resourceJSON, err := json.Marshal(resource)
+		if err != nil {
+			return err
+		}
+		t.Log(string(resourceJSON))
+		return nil
+	})
+
+	regResource := []byte(`{"body":{"status":"valid","contact":["mailto:19644627@qq.com"]},"uri":"https://acme-v02.api.letsencrypt.org/acme/acct/103672877"}`)
+	err = user.SetRegistration(regResource)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req := NewRequest(&Task{
+		User:     user,
+		AuthType: AuthTypeHTTP,
+		Domains:  []string{"teaos.cn", "www.teaos.cn", "meloy.cn"},
+	})
+	certData, keyData, err := req.runHTTP()
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(string(certData))
+	t.Log(string(keyData))
+}
+
+func testDNSPodProvider() (dnsclients.ProviderInterface, error) {
+	db, err := dbs.Default()
+	if err != nil {
+		return nil, err
+	}
+	one, err := db.FindOne("SELECT * FROM edgeDNSProviders WHERE type='dnspod' ORDER BY id DESC")
+	if err != nil {
+		return nil, err
+	}
+	apiParams := maps.Map{}
+	err = json.Unmarshal([]byte(one.GetString("apiParams")), &apiParams)
+	if err != nil {
+		return nil, err
+	}
+	provider := &dnsclients.DNSPodProvider{}
+	err = provider.Auth(apiParams)
+	if err != nil {
+		return nil, err
+	}
+	return provider, nil
+}
--- a/EdgeAPI/internal/acme/task.go
+++ b/EdgeAPI/internal/acme/task.go
@@ -0,0 +1,22 @@
+package acme
+
+import "github.com/TeaOSLab/EdgeAPI/internal/dnsclients"
+
+type AuthType = string
+
+const (
+	AuthTypeDNS  AuthType = "dns"
+	AuthTypeHTTP AuthType = "http"
+)
+
+type Task struct {
+	Provider *Provider
+	Account  *Account
+	User     *User
+	AuthType AuthType
+	Domains  []string
+
+	// DNS相关
+	DNSProvider dnsclients.ProviderInterface
+	DNSDomain   string
+}
--- a/EdgeAPI/internal/acme/user.go
+++ b/EdgeAPI/internal/acme/user.go
@@ -0,0 +1,49 @@
+package acme
+
+import (
+	"crypto"
+	"encoding/json"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+type User struct {
+	email        string
+	resource     *registration.Resource
+	key          crypto.PrivateKey
+	registerFunc func(resource *registration.Resource) error
+}
+
+func NewUser(email string, key crypto.PrivateKey, registerFunc func(resource *registration.Resource) error) *User {
+	return &User{
+		email:        email,
+		key:          key,
+		registerFunc: registerFunc,
+	}
+}
+
+func (this *User) GetEmail() string {
+	return this.email
+}
+
+func (this *User) GetRegistration() *registration.Resource {
+	return this.resource
+}
+
+func (this *User) SetRegistration(resourceData []byte) error {
+	resource := &registration.Resource{}
+	err := json.Unmarshal(resourceData, resource)
+	if err != nil {
+		return err
+	}
+	this.resource = resource
+	return nil
+}
+
+func (this *User) GetPrivateKey() crypto.PrivateKey {
+	return this.key
+}
+
+func (this *User) Register(resource *registration.Resource) error {
+	this.resource = resource
+	return this.registerFunc(resource)
+}