[GH-ISSUE #1199] [Bug] 网宿CDN Pro私钥上传加密方式错误 #814

New issue

Open

opened 2026-03-03 01:06:11 +03:00 by kerem · 2 comments

kerem commented

2026-03-03 01:06:11 +03:00

Owner

Originally created by @VupHub on GitHub (Feb 21, 2026).
Original GitHub issue: https://github.com/certimate-go/certimate/issues/1199

Originally assigned to: @VupHub on GitHub.

Release Version / 软件版本

v0.4.17

Description / 缺陷描述

网宿文档

网宿CDN Pro文档中关于privateKey字段的说明为：
用于指定证书私钥，必须是PEM格式的私钥。如果您选择生成自签名证书，则此处的值应为'RSA2048'或'ECC256'。请使用您API账号的密钥和时间戳对私钥进行加密再上传。请使用AES-128-CBC加密算法，并用base64编码。当您将私钥上传到CDN Pro时，这种加密方式可以保护您的私钥。

日志分析

根据工作流的错误日志与网宿CDN Pro的OpenAPI 调用复现，可知：

privateKey为直接明文上传
未按照网宿文档要求加密再上传（加密方式不对）
联系网宿侧工程师排查，后台可见上传证书鉴权传参异常，但是读取加速项目配置时传参正常，不知原因。

报错示例

{
  "code": "InvalidKey",
  "message": "Invalid private key cipher. The private key must be encrypted with your API key and the timestamp. Check if the API key is correct and if the private key is properly encrypted."
}

Steps to reproduce / 复现步骤

配置网宿accesskey、secretkey、apikey
选择加速项目、加速域名、证书ID，运行工作流

Logs / 日志

#qEY2-0kj0zHFsAwMCps8h 部署
[2026-02-21 21:37:38]
ready to deploy certificate ...
config:
{"certificateOutputNodeId":"57Jf_tp7ez0VxrSNYFCU6","provider":"wangsu-cdnpro","providerAccessId":"提供商ID","providerConfig":{"certificateId":"","domain":"这是域名","domainMatchPattern":"exact","environment":"production"},"skipOnLastSucceeded":true}
[2026-02-21 21:37:45]
sdk request 'cdnpro.GetHostnameDetail'
hostname:
"这是hostname"
response:
{"hostname":"这是hostname","propertyInProduction":{"propertyId":"加速项目ID","version":8,"certificateId":"证书ID"}}
[2026-02-21 21:37:54]
sdk request 'cdnpro.CreateCertificate'
request:
{"name":"certimate_1771681065418","autoRenew":"Off","newVersion":{"privateKey":"加密的私钥","certificate":"公钥","identificationInfo":{"commonName":"域名","subjectAlternativeNames":["域名","*.域名"]}}}
response:
{"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."}
[2026-02-21 21:37:54]
could not deploy certificate
[2026-02-21 21:37:54]
failed to execute sdk request 'cdnpro.CreateCertificate': sdkerr: unexpected status code: 400 (resp: {"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."})

Miscellaneous / 其他

No response

Contribution / 贡献代码

I am interested in contributing a PR for this! / 我乐意为此提交代码并发起 PR！

Originally created by @VupHub on GitHub (Feb 21, 2026). Original GitHub issue: https://github.com/certimate-go/certimate/issues/1199 Originally assigned to: @VupHub on GitHub. ### Release Version / 软件版本 v0.4.17 ### Description / 缺陷描述 ## 网宿文档网宿[CDN Pro文档](https://www.wangsu.com/document/api-doc/27590)中关于privateKey字段的说明为：用于指定证书私钥，必须是PEM格式的私钥。如果您选择生成自签名证书，则此处的值应为'RSA2048'或'ECC256'。请使用您API账号的密钥和时间戳对私钥进行加密再上传。请使用AES-128-CBC加密算法，并用base64编码。当您将私钥上传到CDN Pro时，这种加密方式可以保护您的私钥。 <img width="1866" height="929" alt="Image" src="https://github.com/user-attachments/assets/d389eaa5-770d-49f1-8316-0b2b15adff62" /> ## 日志分析根据工作流的错误日志与 [网宿CDN Pro的OpenAPI](https://apiexplorer.wangsu.com/apiexplorer/debug?productType=all_product&language=ZH_CN&apiId=5971&rsr=ws) 调用复现，可知： 1. privateKey为直接明文上传 2. 未按照网宿文档要求加密再上传（加密方式不对） 3. 联系网宿侧工程师排查，后台可见上传证书鉴权传参异常，但是读取加速项目配置时传参正常，不知原因。 ## 报错示例 ```json { "code": "InvalidKey", "message": "Invalid private key cipher. The private key must be encrypted with your API key and the timestamp. Check if the API key is correct and if the private key is properly encrypted." } ``` ### Steps to reproduce / 复现步骤 1. 配置网宿accesskey、secretkey、apikey 2. 选择加速项目、加速域名、证书ID，运行工作流 ### Logs / 日志 <details> ```console #qEY2-0kj0zHFsAwMCps8h 部署 [2026-02-21 21:37:38] ready to deploy certificate ... config: {"certificateOutputNodeId":"57Jf_tp7ez0VxrSNYFCU6","provider":"wangsu-cdnpro","providerAccessId":"提供商ID","providerConfig":{"certificateId":"","domain":"这是域名","domainMatchPattern":"exact","environment":"production"},"skipOnLastSucceeded":true} [2026-02-21 21:37:45] sdk request 'cdnpro.GetHostnameDetail' hostname: "这是hostname" response: {"hostname":"这是hostname","propertyInProduction":{"propertyId":"加速项目ID","version":8,"certificateId":"证书ID"}} [2026-02-21 21:37:54] sdk request 'cdnpro.CreateCertificate' request: {"name":"certimate_1771681065418","autoRenew":"Off","newVersion":{"privateKey":"加密的私钥","certificate":"公钥","identificationInfo":{"commonName":"域名","subjectAlternativeNames":["域名","*.域名"]}}} response: {"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."} [2026-02-21 21:37:54] could not deploy certificate [2026-02-21 21:37:54] failed to execute sdk request 'cdnpro.CreateCertificate': sdkerr: unexpected status code: 400 (resp: {"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."}) ``` </details> ### Miscellaneous / 其他 _No response_ ### Contribution / 贡献代码 - [x] I am interested in contributing a PR for this! / 我乐意为此提交代码并发起 PR！

kerem added the

bug

label

2026-03-03 01:06:11 +03:00

kerem commented

2026-03-03 01:06:12 +03:00

Author

Owner

@VupHub commented on GitHub (Feb 27, 2026):

正在等待网宿侧提供请求日志。
根据网宿文档，在网宿CDN Pro的OpenAPI 未能跑通逻辑。

@VupHub commented on GitHub (Feb 27, 2026): 正在等待网宿侧提供请求日志。根据网宿文档，在 [网宿CDN Pro的OpenAPI](https://apiexplorer.wangsu.com/apiexplorer/debug?productType=all_product&language=ZH_CN&apiId=5971&rsr=ws) 未能跑通逻辑。

kerem commented

2026-03-03 01:06:12 +03:00

Author

Owner

@fudiwei commented on GitHub (Feb 28, 2026):

failed to execute sdk request 'cdnpro.CreateCertificate': sdkerr: unexpected status code: 400 (resp: {"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."})

从你的 Certimate 日志来看，并不能体现出私钥加密错误的问题。错误显示的是 identificationInfo 这个字段不该传。

但该提供商自 #617 实现以来这里是没有改动过的，你可以咨询下网宿他们的接口对这里的处理逻辑是不是有了变化。

我没有测试条件，你可以尝试在代码里删掉 identificationInfo 字段的赋值后再试试看，如果是这样的话就发个 PR。

@fudiwei commented on GitHub (Feb 28, 2026): > failed to execute sdk request 'cdnpro.CreateCertificate': sdkerr: unexpected status code: 400 (resp: {"code":"InvalidData","message":"The value of 'Certificate' is not 'GENERATE', but 'identificationInfo' is present."}) 从你的 Certimate 日志来看，并不能体现出私钥加密错误的问题。错误显示的是 `identificationInfo` 这个字段不该传。但该提供商自 #617 实现以来这里是没有改动过的，你可以咨询下网宿他们的接口对这里的处理逻辑是不是有了变化。我没有测试条件，你可以尝试在代码里删掉 `identificationInfo` 字段的赋值后再试试看，如果是这样的话就发个 PR。