fix: 面板IP证书续签

2026-02-04 01:57:19 +08:00 · 2026-01-31 18:40:41 +08:00
parent 2d3250bc51
commit cef8d7caa7
6 changed files with 33 additions and 30 deletions
--- a/internal/data/cert.go
+++ b/internal/data/cert.go
@@ -65,7 +65,7 @@ func (r *certRepo) List(page, limit uint) ([]*types.CertList, int64, error) {
 			CreatedAt:   cert.CreatedAt,
 			UpdatedAt:   cert.UpdatedAt,
 		}
-		if decode, err := pkgcert.ParseCert(cert.Cert); err == nil {
+		if decode, err := pkgcert.ParseCert([]byte(cert.Cert)); err == nil {
 			item.NotBefore = decode.NotBefore
 			item.NotAfter = decode.NotAfter
 			item.Issuer = decode.Issuer.CommonName
@@ -95,11 +95,11 @@ func (r *certRepo) GetByWebsite(WebsiteID uint) (*biz.Cert, error) {
 }

 func (r *certRepo) Upload(ctx context.Context, req *request.CertUpload) (*biz.Cert, error) {
-	info, err := pkgcert.ParseCert(req.Cert)
+	info, err := pkgcert.ParseCert([]byte(req.Cert))
 	if err != nil {
 		return nil, errors.New(r.t.Get("failed to parse certificate: %v", err))
 	}
-	if _, err = pkgcert.ParseKey(req.Key); err != nil {
+	if _, err = pkgcert.ParseKey([]byte(req.Key)); err != nil {
 		return nil, errors.New(r.t.Get("failed to parse private key: %v", err))
 	}

@@ -145,7 +145,7 @@ func (r *certRepo) Create(ctx context.Context, req *request.CertCreate) (*biz.Ce
 }

 func (r *certRepo) Update(ctx context.Context, req *request.CertUpdate) error {
-	info, err := pkgcert.ParseCert(req.Cert)
+	info, err := pkgcert.ParseCert([]byte(req.Cert))
 	if err == nil && req.Type == "upload" {
 		// 合并 DNSNames 和 IPAddresses
 		req.Domains = info.DNSNames
@@ -364,7 +364,7 @@ func (r *certRepo) RefreshRenewalInfo(id uint) (mholtacme.RenewalInfo, error) {
 		return mholtacme.RenewalInfo{}, err
 	}

-	crt, err := pkgcert.ParseCert(cert.Cert)
+	crt, err := pkgcert.ParseCert([]byte(cert.Cert))
 	if err != nil {
 		return mholtacme.RenewalInfo{}, err
 	}
--- a/internal/data/setting.go
+++ b/internal/data/setting.go
@@ -284,10 +284,10 @@ func (r *settingRepo) UpdatePanel(ctx context.Context, req *request.SettingPanel
 		}
 		restartFlag = true
 	}
-	if _, err := cert.ParseCert(req.Cert); err != nil {
+	if _, err := cert.ParseCert([]byte(req.Cert)); err != nil {
 		return false, errors.New(r.t.Get("failed to parse certificate: %v", err))
 	}
-	if _, err := cert.ParseKey(req.Key); err != nil {
+	if _, err := cert.ParseKey([]byte(req.Key)); err != nil {
 		return false, errors.New(r.t.Get("failed to parse private key: %v", err))
 	}
 	if err := io.Write(filepath.Join(app.Root, "panel/storage/cert.pem"), req.Cert, 0600); err != nil {
@@ -357,10 +357,10 @@ func (r *settingRepo) UpdateCert(req *request.SettingCert) error {
 	if r.task.HasRunningTask() {
 		return errors.New(r.t.Get("background task is running, modifying some settings is prohibited, please try again later"))
 	}
-	if _, err := cert.ParseCert(req.Cert); err != nil {
+	if _, err := cert.ParseCert([]byte(req.Cert)); err != nil {
 		return errors.New(r.t.Get("failed to parse certificate: %v", err))
 	}
-	if _, err := cert.ParseKey(req.Key); err != nil {
+	if _, err := cert.ParseKey([]byte(req.Key)); err != nil {
 		return errors.New(r.t.Get("failed to parse private key: %v", err))
 	}

--- a/internal/data/website.go
+++ b/internal/data/website.go
@@ -176,10 +176,10 @@ func (r *websiteRepo) Get(id uint) (*types.WebsiteSetting, error) {
 		setting.SSLCiphers = sslConfig.Ciphers
 	}
 	// 证书
-	crt, _ := io.Read(filepath.Join(app.Root, "sites", website.Name, "config", "fullchain.pem"))
-	setting.SSLCert = crt
-	key, _ := io.Read(filepath.Join(app.Root, "sites", website.Name, "config", "private.key"))
-	setting.SSLKey = key
+	crt, _ := os.ReadFile(filepath.Join(app.Root, "sites", website.Name, "config", "fullchain.pem"))
+	setting.SSLCert = string(crt)
+	key, _ := os.ReadFile(filepath.Join(app.Root, "sites", website.Name, "config", "private.key"))
+	setting.SSLKey = string(key)
 	// 解析证书信息
 	if decode, err := cert.ParseCert(crt); err == nil {
 		setting.SSLNotBefore = decode.NotBefore.Format(time.DateTime)
@@ -259,7 +259,7 @@ func (r *websiteRepo) List(typ string, page, limit uint) ([]*biz.Website, int64,

 	// 取证书剩余有效时间和PHP版本
 	for _, website := range websites {
-		crt, _ := io.Read(filepath.Join(app.Root, "sites", website.Name, "config", "fullchain.pem"))
+		crt, _ := os.ReadFile(filepath.Join(app.Root, "sites", website.Name, "config", "fullchain.pem"))
 		if decode, err := cert.ParseCert(crt); err == nil {
 			hours := time.Until(decode.NotAfter).Hours()
 			website.CertExpire = fmt.Sprintf("%.2f", hours/24)
@@ -605,10 +605,10 @@ func (r *websiteRepo) Update(ctx context.Context, req *request.WebsiteUpdate) er
 	}
 	website.SSL = req.SSL
 	if req.SSL {
-		if _, err = cert.ParseCert(req.SSLCert); err != nil {
+		if _, err = cert.ParseCert([]byte(req.SSLCert)); err != nil {
 			return errors.New(r.t.Get("failed to parse certificate: %v", err))
 		}
-		if _, err = cert.ParseKey(req.SSLKey); err != nil {
+		if _, err = cert.ParseKey([]byte(req.SSLKey)); err != nil {
 			return errors.New(r.t.Get("failed to parse private key: %v", err))
 		}
 		quic := false
@@ -925,10 +925,10 @@ func (r *websiteRepo) UpdateCert(req *request.WebsiteUpdateCert) error {
 		return err
 	}

-	if _, err := cert.ParseCert(req.Cert); err != nil {
+	if _, err := cert.ParseCert([]byte(req.Cert)); err != nil {
 		return errors.New(r.t.Get("failed to parse certificate: %v", err))
 	}
-	if _, err := cert.ParseKey(req.Key); err != nil {
+	if _, err := cert.ParseKey([]byte(req.Key)); err != nil {
 		return errors.New(r.t.Get("failed to parse private key: %v", err))
 	}

--- a/internal/job/cert_renew.go
+++ b/internal/job/cert_renew.go
@@ -3,6 +3,7 @@ package job
 import (
 	"encoding/json"
 	"log/slog"
+	"os"
 	"path/filepath"
 	"time"

@@ -74,14 +75,16 @@ func (r *CertRenew) Run() {

 	// 面板证书续签
 	if r.conf.HTTP.ACME {
-		decode, err := pkgcert.ParseCert(filepath.Join(app.Root, "panel/storage/cert.pem"))
-		if err != nil {
+		crt, _ := os.ReadFile(filepath.Join(app.Root, "panel/storage/cert.pem"))
+		decode, err := pkgcert.ParseCert(crt)
+		if err == nil {
+			// 结束时间大于 2 天不续签
+			if time.Until(decode.NotAfter) > 24*2*time.Hour {
+				return
+			}
+		} else {
+			// 解析失败则继续续签流程，可能是证书格式不对或者文件不存在
 			r.log.Warn("failed to parse panel certificate", slog.String("type", biz.OperationTypeCert), slog.Uint64("operator_id", 0), slog.Any("err", err))
-			return
-		}
-		// 结束时间大于 2 天不续签
-		if time.Until(decode.NotAfter) > 24*2*time.Hour {
-			return
 		}

 		ip, err := r.settingRepo.Get(biz.SettingKeyPublicIPs)
--- a/pkg/acme/acme.go
+++ b/pkg/acme/acme.go
@@ -76,7 +76,7 @@ func NewPrivateKeyAccount(email string, privateKey string, CA string, eab *EAB,
 		return nil, err
 	}

-	key, err := cert.ParseKey(privateKey)
+	key, err := cert.ParseKey([]byte(privateKey))
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/cert/cert.go
+++ b/pkg/cert/cert.go
@@ -18,8 +18,8 @@ import (
 	"time"
 )

-func ParseCert(crt string) (x509.Certificate, error) {
-	certBlock, _ := pem.Decode([]byte(crt))
+func ParseCert(crt []byte) (x509.Certificate, error) {
+	certBlock, _ := pem.Decode(crt)
 	if certBlock == nil {
 		return x509.Certificate{}, errors.New("invalid PEM block")
 	}
@@ -31,8 +31,8 @@ func ParseCert(crt string) (x509.Certificate, error) {
 	return *cert, nil
 }

-func ParseKey(key string) (crypto.Signer, error) {
-	keyBlockDER, _ := pem.Decode([]byte(key))
+func ParseKey(key []byte) (crypto.Signer, error) {
+	keyBlockDER, _ := pem.Decode(key)
 	if keyBlockDER == nil {
 		return nil, errors.New("invalid PEM block")
 	}