From 3a37cc6e14c2e4449d43b5a550ac82523edf4729 Mon Sep 17 00:00:00 2001
From: jingrow
Date: Thu, 1 Jan 2026 19:28:19 +0000
Subject: [PATCH] =?UTF-8?q?=E5=88=A0=E9=99=A4ssl=5Fmanager=E5=86=97?= =?UTF-8?q?=E4=BD=99=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
ssl_manager/config.json | 9 ----
ssl_manager/delete_and_renew_cert.sh | 50 --------------------
ssl_manager/fix_webroot_route.sh | 71 ----------------------------
ssl_manager/quick_test.sh | 68 --------------------------
ssl_manager/setup_webroot_route.sh | 50 --------------------
ssl_manager/ssl_manager.py | 8 +++-
ssl_manager/test_example.sh | 43 -----------------
ssl_manager/test_ssl_auto.py | 0
ssl_manager/webroot_route.json | 14 ------
9 files changed, 7 insertions(+), 306 deletions(-)
delete mode 100644 ssl_manager/config.json
delete mode 100755 ssl_manager/delete_and_renew_cert.sh
delete mode 100755 ssl_manager/fix_webroot_route.sh
delete mode 100755 ssl_manager/quick_test.sh
delete mode 100755 ssl_manager/setup_webroot_route.sh
delete mode 100755 ssl_manager/test_example.sh
mode change 100755 => 100644 ssl_manager/test_ssl_auto.py
delete mode 100644 ssl_manager/webroot_route.json
diff --git a/ssl_manager/config.json b/ssl_manager/config.json
deleted file mode 100644
index dec2a7b..0000000
--- a/ssl_manager/config.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "apisix_admin_url": "http://localhost:9180",
- "apisix_admin_key": "8206e6e42b6b53243c52a767cc633137",
- "certbot_path": "/usr/bin/certbot",
- "cert_dir": "/etc/letsencrypt/live",
- "letsencrypt_email": "admin@jingrowtools.cn",
- "letsencrypt_staging": false,
- "webroot_path": "/var/www/certbot"
-}
diff --git a/ssl_manager/delete_and_renew_cert.sh b/ssl_manager/delete_and_renew_cert.sh
deleted file mode 100755
index 7da474a..0000000
--- a/ssl_manager/delete_and_renew_cert.sh
+++ /dev/null
@@ -1,50 +0,0 @@
-#!/bin/bash
-# 删除旧证书并重新申请生产环境证书
-
-DOMAIN="test.jingrowtools.cn"
-
-echo "=== 删除旧 STAGING 证书 ==="
-echo "域名: $DOMAIN"
-echo ""
-
-# 删除证书
-echo "1. 删除证书..."
-certbot delete --cert-name "$DOMAIN" --non-interactive 2>&1
-
-if [ $? -eq 0 ]; then
- echo "✅ 证书删除成功"
-else
- echo "⚠️ 证书删除失败或证书不存在"
-fi
-
-echo ""
-echo "=== 重新申请生产环境证书 ==="
-echo "使用当前配置(staging=False)重新申请..."
-echo ""
-
-# 使用 ssl_manager 重新申请
-python3 -c "
-from ssl_manager import APISIXSSLManager
-
-mgr = APISIXSSLManager()
-print(f'当前配置: staging={mgr.staging}')
-print()
-
-if mgr.staging:
- print('❌ 警告: 配置仍然是 staging=True')
- print('请先修改 ssl_manager.py 中的 letsencrypt_staging=False')
- exit(1)
-else:
- print('✅ 配置正确: staging=False (生产环境)')
- print()
- print('开始申请证书...')
- result = mgr.request_certificate('$DOMAIN')
- if result:
- print('✅ 证书申请成功!')
- else:
- print('❌ 证书申请失败')
- exit(1)
-"
-
-echo ""
-echo "=== 完成 ==="
diff --git a/ssl_manager/fix_webroot_route.sh b/ssl_manager/fix_webroot_route.sh
deleted file mode 100755
index ff3dfc2..0000000
--- a/ssl_manager/fix_webroot_route.sh
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/bash
-# 修复 webroot 路由配置,解决 HTTP-01 验证问题
-
-set -e
-
-APISIX_ADMIN_URL="${APISIX_ADMIN_URL:-http://localhost:9180}"
-APISIX_ADMIN_KEY="${APISIX_ADMIN_KEY:-8206e6e42b6b53243c52a767cc633137}"
-
-echo "修复 webroot 路由配置..."
-
-# 获取所有需要配置的域名(从路由中提取)
-DOMAINS=$(curl -s "${APISIX_ADMIN_URL}/apisix/admin/routes" \
- -H "X-API-KEY: ${APISIX_ADMIN_KEY}" \
- | python3 -c "
-import sys, json
-try:
- data = json.load(sys.stdin)
- routes = data.get('list', [])
- domains = set()
- for r in routes:
- host = r.get('value', {}).get('host')
- if host and host not in ['localhost', '127.0.0.1']:
- domains.add(host)
- print(' '.join(domains))
-except:
- print('')
-" 2>/dev/null || echo "")
-
-if [ -z "$DOMAINS" ]; then
- echo "未找到域名,使用默认配置"
- DOMAINS="jingrowtools.cn"
-fi
-
-echo "找到域名: $DOMAINS"
-
-# 创建统一的 webroot 路由(适用于所有域名,不指定 host)
-echo "创建统一的 webroot 验证路由(适用于所有域名)..."
-
-ROUTE_ID="certbot-webroot"
-
-# 创建/更新 webroot 路由
-RESPONSE=$(curl -s -X PUT "${APISIX_ADMIN_URL}/apisix/admin/routes/${ROUTE_ID}" \
- -H "X-API-KEY: ${APISIX_ADMIN_KEY}" \
- -H "Content-Type: application/json" \
- -d "{
- \"uri\": \"/.well-known/acme-challenge/*\",
- \"name\": \"certbot-webroot\",
- \"priority\": 10000,
- \"plugins\": {
- \"serverless-pre-function\": {
- \"phase\": \"rewrite\",
- \"functions\": [
- \"return function(conf, ctx) local uri = ctx.var.uri; local token = string.match(uri, '/%.well%-known/acme%-challenge/(.+)'); if not token then ngx.status = 404; ngx.say('Token not found in URI: ' .. (uri or 'nil')); return; end; local path = '/var/www/certbot/.well-known/acme-challenge/' .. token; local file = io.open(path, 'r'); if file then local content = file:read('*all'); file:close(); ngx.header.content_type = 'text/plain'; ngx.say(content); else ngx.status = 404; ngx.say('File not found: ' .. 
path); end end\"
- ]
- }
- },
- \"status\": 1
- }")
-
-if echo "$RESPONSE" | grep -q '"value"'; then
- echo "✅ Webroot 路由配置成功(适用于所有域名)"
-else
- echo "❌ Webroot 路由配置失败: $RESPONSE"
-fi
-
-echo ""
-echo "修复完成!"
-echo ""
-echo "测试验证路径:"
-echo " echo 'test-token' | sudo tee /var/www/certbot/.well-known/acme-challenge/test-token"
-echo " curl http://jingrowtools.cn/.well-known/acme-challenge/test-token"
diff --git a/ssl_manager/quick_test.sh b/ssl_manager/quick_test.sh
deleted file mode 100755
index 8333fe6..0000000
--- a/ssl_manager/quick_test.sh
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-# 快速测试脚本 - 测试 SSL 证书自动申请流程
-
-set -e
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-echo "=========================================="
-echo "APISIX SSL 证书自动申请 - 快速测试"
-echo "=========================================="
-echo ""
-
-echo "配置信息:"
-echo " APISIX Admin URL: http://localhost:9180(默认)"
-echo " Webroot 路径: /var/www/certbot"
-echo " Staging 模式: 是(测试环境)"
-echo " 提示: 可通过环境变量或修改 Python 文件中的 DEFAULT_CONFIG 来修改配置"
-echo ""
-
-# 提示输入域名
-read -p "请输入测试域名(留空使用自动生成): " TEST_DOMAIN
-
-if [ -z "$TEST_DOMAIN" ]; then
- echo "使用自动生成的测试域名..."
- AUTO_DOMAIN=true
-else
- echo "使用指定域名: $TEST_DOMAIN"
- AUTO_DOMAIN=false
-fi
-
-echo ""
-echo "开始测试..."
-echo ""
-
-# 运行测试
-if [ "$AUTO_DOMAIN" = true ]; then
- # 自动生成域名,测试完成后清理
- python3 "$SCRIPT_DIR/test_ssl_auto.py" --cleanup
-else
- # 指定域名,测试完成后不清理(保留数据)
- python3 "$SCRIPT_DIR/test_ssl_auto.py" --domain "$TEST_DOMAIN" --no-cleanup
-fi
-
-TEST_RESULT=$?
-
-echo ""
-if [ $TEST_RESULT -eq 0 ]; then
- echo "=========================================="
- echo "✅ 测试完成!所有步骤都成功"
- echo "=========================================="
-
- if [ "$AUTO_DOMAIN" = false ]; then
- echo ""
- echo "测试数据已保留,可以继续使用:"
- echo " 域名: $TEST_DOMAIN"
- echo " 路由: http://localhost:9180/apisix/admin/routes/$TEST_DOMAIN"
- echo " SSL: http://localhost:9180/apisix/admin/ssls"
- echo ""
- echo "如需清理测试数据,请运行:"
- echo " python3 $SCRIPT_DIR/test_ssl_auto.py --domain $TEST_DOMAIN --cleanup"
- fi
-else
- echo "=========================================="
- echo "❌ 测试失败,请查看上面的错误信息"
- echo "=========================================="
-fi
-
-exit $TEST_RESULT
diff --git a/ssl_manager/setup_webroot_route.sh b/ssl_manager/setup_webroot_route.sh
deleted file mode 100755
index 5822316..0000000
--- a/ssl_manager/setup_webroot_route.sh
+++ /dev/null
@@ -1,50 +0,0 @@ -#!/bin/bash -# 设置 APISIX Webroot 路由脚本 -# 用于 Let's Encrypt HTTP-01 验证 - -set -e - -APISIX_ADMIN_URL="${APISIX_ADMIN_URL:-http://localhost:9180}" -APISIX_ADMIN_KEY="${APISIX_ADMIN_KEY:-8206e6e42b6b53243c52a767cc633137}" -WEBROOT_PATH="${WEBROOT_PATH:-/var/www/certbot}" - -echo "配置 APISIX Webroot 路由用于 Let's Encrypt 验证..." - -# 创建 webroot 路由配置 -ROUTE_CONFIG=$(cat <