南墙 WAF 系列（一）– 管理后台证书自动更新

管理后台这个东西，当然可以不在公网暴露，但是如果一旦在公网允许访问配置，此时就会出现一个很尴尬的问题，各种证书错误提示。

在上一篇文章提过，waf 是通过 docker 部署的。相对来说管理倒是也算方便，按照官方文档的说法，管理后台的证书在下面的位置：

那么要更新证书，只需要解决下面几个问题就行了，由于不想付费买证书，那么现在最好的思路就是直接通过 acme.sh 自动申请证书，让后写个小工具自动将相关的文件复制到指定的目录下，重启 docker 服务就可以了。

1.acme.sh 自动申请证书。

a.安装 acme.sh:

curl https://get.acme.sh | sh -s email=my@example.com

b.配置 dnspod的 api key 和 secret（使用子账号）：

创建策略，输入以下内容保存：

{
 "statement": [
     {
         "action": [
             "dnspod:DescribeRecordFilterList",
             "dnspod:DescribeRecordList",
             "dnspod:CreateRecord",
             "dnspod:DeleteRecord"
         ],
         "effect": "allow",
         "resource": [
             "*"
         ]
     }
 ],
 "version": "2.0"
}

登录 腾讯云控制台，进入 访问管理 页面，单击左侧菜单栏的 用户列表，进入用户列表页面，并单击新建用户。

创建 api 访问账号之后，写一个获取证书的脚本：

export Tencent_SecretId="key"
export Tencent_SecretKey="secret"
"/usr/local/acme.sh"/acme.sh --issue --dns dns_tencent -d lang.bi -d *.lang.bi

到这里第一步就完成了，不过需要注意的事有的扩展名不支持，例如 by，本来想用 oba.by 域名的，结果提示失败了：

sh cert_get.sh 
[Wed Apr  2 08:51:41 AM CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Apr  2 08:51:41 AM CST 2025] Account key creation OK.
[Wed Apr  2 08:51:41 AM CST 2025] No EAB credentials found for ZeroSSL, let's obtain them
[Wed Apr  2 08:51:43 AM CST 2025] Registering account: https://acme.zerossl.com/v2/DV90
[Wed Apr  2 08:52:14 AM CST 2025] Registered
[Wed Apr  2 08:52:14 AM CST 2025] ACCOUNT_THUMBPRINT='mri378DxKFRt5hzNd_P7HBLV1zo4c7n1g7HBVNAKG-s'
[Wed Apr  2 08:52:14 AM CST 2025] Creating domain key
[Wed Apr  2 08:52:14 AM CST 2025] The domain key is here: /root/.acme.sh/oba.by_ecc/oba.by.key
[Wed Apr  2 08:52:14 AM CST 2025] Multi domain='DNS:oba.by,DNS:*.oba.by'
[Wed Apr  2 08:52:16 AM CST 2025] Error creating new order. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is disallowed [oba.by]"}
[Wed Apr  2 08:52:16 AM CST 2025] Please add '--debug' or '--log' to see more information.
[Wed Apr  2 08:52:16 AM CST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
h4ck# vim cert_get.sh
h4ck# sh cert_get.sh 
[Wed Apr  2 08:54:34 AM CST 2025] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Apr  2 08:54:34 AM CST 2025] Multi domain='DNS:oba.by,DNS:www.oba.by,DNS:nas.oba.by'
[Wed Apr  2 08:55:23 AM CST 2025] Error creating new order. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"DNS identifier is disallowed [oba.by]"}
[Wed Apr  2 08:55:23 AM CST 2025] Please add '--debug' or '--log' to see more information.
[Wed Apr  2 08:55:23 AM CST 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

2.复制文件重启服务

至于第二步就更简单了，直接让 cursor 给写一个：

参考下面的内容给我编写一个 Python3 的文件，实现以下功能：首先需要调用 get_cert.sh 脚本，自动获取证书文件文件，如果获取成功，证书会保存在下面的路径：/root/.acme.sh/lang.bi_ecc/fullchain.cer 私钥会保存在下面的路径/root/.acme.sh/lang.bi_ecc/lang.bi.key；获取到这两个文件之后，需要根据判断证书文件是否变化（记录旧证书内容，用于判断文件变更），如果变化则需要更新对应 docker 下的证书和私钥文件；docker 对应container Id 为f7dd0b0a990b,对应的证书文件路径为/uuwaf/web/conf/目录中的server.crt和server.key文件，在替换文件之后，需要重启对应的 docker 容器。按照步骤实现上面的内容，并且完成代码编写

最终代码：

#!/usr/bin/env python3
import os
import subprocess
import hashlib
import json
from pathlib import Path

# Configuration
DOCKER_CONTAINER_ID = "f7dd0b0a990b"
CERT_SOURCE_DIR = "/root/.acme.sh/lang.bi_ecc"
CERT_DEST_DIR = "/uuwaf/web/conf"
CERT_FILE = "fullchain.cer"
KEY_FILE = "lang.bi.key"
DEST_CERT_FILE = "server.crt"
DEST_KEY_FILE = "server.key"
HASH_FILE = "cert_hash.json"
CERT_SCRIPT = "get_cert.sh"

def get_cert_hash(file_path):
    """Calculate SHA-256 hash of a file."""
    sha256_hash = hashlib.sha256()
    with open(file_path, "rb") as f:
        for byte_block in iter(lambda: f.read(4096), b""):
            sha256_hash.update(byte_block)
    return sha256_hash.hexdigest()

def save_cert_hash(cert_hash):
    """Save certificate hash to a JSON file."""
    with open(HASH_FILE, 'w') as f:
        json.dump({'cert_hash': cert_hash}, f)

def load_cert_hash():
    """Load certificate hash from JSON file."""
    try:
        with open(HASH_FILE, 'r') as f:
            data = json.load(f)
            return data.get('cert_hash')
    except (FileNotFoundError, json.JSONDecodeError):
        return None

def run_get_cert_script():
    """Run the get_cert.sh script."""
    script_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), CERT_SCRIPT)
    
    # Check if script exists
    if not os.path.exists(script_path):
        print(f"Error: {CERT_SCRIPT} not found in the current directory")
        print(f"Expected path: {script_path}")
        return False
    
    # Check if script is executable
    if not os.access(script_path, os.X_OK):
        print(f"Error: {CERT_SCRIPT} is not executable")
        print("Attempting to make it executable...")
        try:
            os.chmod(script_path, 0o755)
            print("Successfully made the script executable")
        except Exception as e:
            print(f"Failed to make script executable: {str(e)}")
            return False
    
    try:
        # Use absolute path to the script
        result = subprocess.run(['sh', script_path], capture_output=True, text=True)
        if result.returncode == 0:
            print("Certificate generation successful")
            return True
        else:
            print(f"Certificate generation ignored: {result.stderr}")
            return True
    except Exception as e:
        print(f"Error running {CERT_SCRIPT}: {str(e)}")
        return False

def copy_cert_files():
    """Copy certificate files to Docker container."""
    try:
        # Copy certificate
        subprocess.run([
            'docker', 'cp',
            f"{CERT_SOURCE_DIR}/{CERT_FILE}",
            f"{DOCKER_CONTAINER_ID}:{CERT_DEST_DIR}/{DEST_CERT_FILE}"
        ], check=True)
        
        # Copy private key
        subprocess.run([
            'docker', 'cp',
            f"{CERT_SOURCE_DIR}/{KEY_FILE}",
            f"{DOCKER_CONTAINER_ID}:{CERT_DEST_DIR}/{DEST_KEY_FILE}"
        ], check=True)
        
        print("Certificate files copied successfully")
        return True
    except subprocess.CalledProcessError as e:
        print(f"Error copying files: {str(e)}")
        return False

def restart_docker_container():
    """Restart the Docker container."""
    try:
        subprocess.run(['docker', 'restart', DOCKER_CONTAINER_ID], check=True)
        print("Docker container restarted successfully")
        return True
    except subprocess.CalledProcessError as e:
        print(f"Error restarting container: {str(e)}")
        return False

def main():
    # Step 1: Run get_cert.sh script
    if not run_get_cert_script():
        print("Failed to generate certificates")
        return

    # Step 2: Check if certificate files exist
    cert_path = os.path.join(CERT_SOURCE_DIR, CERT_FILE)
    key_path = os.path.join(CERT_SOURCE_DIR, KEY_FILE)
    
    if not (os.path.exists(cert_path) and os.path.exists(key_path)):
        print("Certificate files not found")
        return

    # Step 3: Calculate new certificate hash
    new_cert_hash = get_cert_hash(cert_path)
    old_cert_hash = load_cert_hash()

    # Step 4: Check if certificate has changed
    if new_cert_hash != old_cert_hash:
        print("Certificate has changed, updating...")
        
        # Copy new certificate files
        if copy_cert_files():
            # Restart Docker container
            if restart_docker_container():
                # Save new certificate hash
                save_cert_hash(new_cert_hash)
                print("Certificate update completed successfully")
            else:
                print("Failed to restart Docker container")
        else:
            print("Failed to copy certificate files")
    else:
        print("Certificate has not changed, no update needed")

if __name__ == "__main__":
    main()

除了运行sh 脚本有点问题，需要改一下，其他的基本都没啥问题。最终执行效果：

此时刷新页面，一切就都 ok 了：