有大佬对腾讯云 API 的签名有研究嘛，可以帮看看问题嘛

试着写了一下 ACME dnsapi 的腾讯云 API3.0 版本，但是执行的时候卡到了计算签名的过程 签名算法说明文档： https://cloud.tencent.com/document/api/1427/56189

++ _hmac sha256 de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa dnspod hex ++ alg=sha256 ++ secret_hex=de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa ++ outputhex=dnspod ++ '[' -z de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa ']' ++ '[' sha256 = sha256 ']' ++ '[' dnspod ']' ++ tr -d ' ' ++ openssl dgst -sha256 -mac HMAC -macopt hexkey:de617232c0b22cc03d2ccf2e21b4fae3f1cb9d621700979bb37938a53e2172aa 卡这不动了 

代码如下

#!/usr/bin/env sh set -x Tencent_API="https://dnspod.tencentcloudapi.com" #Tencent_SecretId="AKIDz8krbsJ5yKBZQpn74WFkmLPx3gnPhESA" #Tencent_SecretKey="Gu5t9xGARNpq86cd98joQYCN3Cozk1qA" #Usage: dns_tencent_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs" dns_tencent_add() { fulldomain=$1 txtvalue=$2 Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then Tencent_SecretId="" Tencent_SecretKey="" _err "You don't specify tencent api SecretId and SecretKey yet." return 1 fi #save the api SecretId and SecretKey to the account conf file. _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId" _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then return 1 fi _debug "Add record" _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord" } dns_tencent_rm() { fulldomain=$1 txtvalue=$2 Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}" Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}" _debug "First detect the root zone" if ! _get_root "$fulldomain"; then return 1 fi _debug "Get record list" _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList" record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" _debug2 record_id "$record_id" if [ -z "$record_id" ]; then _debug "record not found, skip" else _debug "Delete record" _delete_record_query "$record_id" && _tencent_rest "DeleteRecord" fi } #################### Private functions below ################################## _get_root() { domain=$1 i=2 p=1 while true; do h=$(printf "%s" "$domain" | cut -d . -f $i-100) if [ -z "$h" ]; then #not valid return 1 fi _describe_records_query "$h" "@" if ! _tencent_rest "DescribeRecordList" "ignore"; then return 1 fi if _contains "$response" "\"TotalCount\":"; then _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p) _debug _sub_domain "$_sub_domain" _domain="$h" _debug _domain "$_domain" return 0 fi p="$i" i=$(_math "$i" + 1) done return 1 } _tencent_rest() { action=$1 timestamp=$(date -u +%s) date=$(date -u +"%Y-%m-%d") service="dnspod" algorithm="TC3-HMAC-SHA256" signedHeaders="content-type;host;x-tc-action;x-tc-timestamp;x-tc-version;x-tc-region" payloadHash=$(printf "%s" "$query" | _digest "sha256" hex) canOnicalRequest="POST\n/\n\ncontent-type:application/json;charset=\nhost:dnspod.tencentcloudapi.com\nx-tc-action:$action\nx-tc-timestamp:$timestamp\nx-tc-version:2018-08-13\nx-tc-region:ap-guangzhou\n\n$signedHeaders\n$payloadHash" hashedCanOnicalRequest=$(printf "%s" "$canonicalRequest" | _digest "sha256" hex) credentialScope="$date/$service/tc3_request" stringToSign="$algorithm\n$timestamp\n$credentialScope\n$hashedCanonicalRequest" secretDate=$(printf "%s" "TC3$Tencent_SecretKey" | _hmac "sha256" "$date" hex) secretService=$(_hmac "sha256" "$secretDate" "$service" hex) secretSigning=$(_hmac "sha256" "$secretService" "tc3_request" hex) signature=$(_hmac "sha256" "$secretSigning" "$stringToSign" hex) authorization="$algorithm Credential=$Tencent_SecretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature" header="Authorization: $authorization" header="$header"$'\n'"Content-Type: application/json;charset=" header="$header"$'\n'"Host: dnspod.tencentcloudapi.com" header="$header"$'\n'"X-TC-Action: $action" header="$header"$'\n'"X-TC-Timestamp: $timestamp" header="$header"$'\n'"X-TC-Version: 2018-08-13" header="$header"$'\n'"X-TC-Region: ap-guangzhou" if ! respOnse="$(_post "$query" "$Tencent_API" "" "POST" "application/json" "$header")"; then _err "Error <$1>" return 1 i _debug2 response "$response" if [ -z "$2" ]; then message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")" if [ "$message" ]; then _err "$message" return 1 fi fi } _add_record_query() { query=$(cat <<EOF { "Domain": "$1", "SubDomain": "$2", "RecordType": "TXT", "RecordLine": "默认", "Value": "$3", "TTL": 600 } EOF ) } _describe_records_query() { query=$(cat <<EOF { "Offset": 0, "Limit": 3000, "Domain": "$1", "Subdomain": "$2", "RecordType": "TXT", "RecordLine": "默认" } EOF ) } _delete_record_query() { query=$(cat <<EOF { "Domain": "$_domain", "RecordId": $1 } EOF ) } _clean() { _describe_records_query "$_domain" "$_sub_domain" && _tencent_rest "DescribeRecordList" record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")" _debug2 record_id "$record_id" if [ -z "$record_id" ]; then _debug "record not found, skip" else _delete_record_query "$record_id" && _tencent_rest "DeleteRecord" fi } 

加了个 set -x 便于调试