update to version v0.3.5

Merge pull request #541 from fudiwei/main
new providers & bugfix
2025-03-21 20:57:57 +08:00 · 2025-03-21 07:00:57 +08:00 · 2025-03-21 01:30:35 +08:00 · 2025-03-20 23:55:25 +08:00 · 2025-03-20 23:55:20 +08:00 · 2025-03-20 23:36:20 +08:00
836 changed files with 67825 additions and 16196 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,14 @@
+# http://editorconfig.org
+root = true
+
+[*]
+charset = utf-8
+end_of_line = crlf
+indent_size = 2
+indent_style = space
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.go]
+indent_size = 2
+indent_style = tab
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,15 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+polar: # Replace with a single Polar username
+buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
+thanks_dev: # Replace with a single thanks.dev username
+custom: ["https://profile.ikit.fun/sponsors/"]
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -3,15 +3,15 @@ name: Bug report
 about: 创建一个报告来帮助我们改进
 title: "[Bug] 标题简要描述问题"
 labels: bug
-assignees: ''
-
+assignees: ""
 ---

 **描述问题**
-简要描述问题是什么
+简要描述问题是什么，1 个 ISSUE 只描述一个问题。 

 **复现步骤**
 复现该问题的步骤：
+
 1. 去到 '...'
 2. 点击 '...'
 3. 滚动到 '...'
@@ -24,9 +24,10 @@ assignees: ''
 如有可能，请添加截图以帮助解释问题。

 **环境**
+
 - 操作系统: [e.g. Windows, macOS]
 - 浏览器: [e.g. Chrome, Safari]
 - 仓库版本: [e.g. v1.0.0]

 **其他信息**
-在此处添加关于该问题的任何其他信息。
+在此处添加关于该问题的任何其他信息。
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -3,12 +3,11 @@ name: Feature request
 about: 提出一个新功能请求
 title: "[Feature] 简要描述你希望实现的功能"
 labels: enhancement
-assignees: ''
-
+assignees: ""
 ---

 **功能描述**
-简要描述你希望添加的功能和相关问题。
+简要描述你希望添加的功能和相关问题，1 个 ISSUE 只描述一个功能。

 **动机**
 为什么这个功能对项目有帮助？
@@ -17,4 +16,4 @@ assignees: ''
 描述你已经考虑过的替代方案。

 **其他信息**
-在这里添加任何相关的附加信息或截图。
+在这里添加任何相关的附加信息或截图。
--- a/.github/workflows/push_image.yml
+++ b/.github/workflows/push_image.yml
@@ -1,15 +1,17 @@
-name: Docker Image CI
+name: Docker Image CI (stable versions)

 on:
  push:
    tags:
-      - "*"
+      - "v[0-9]*"
+      - "!v*alpha*"
+      - "!v*beta*"
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag version to be used for Docker image"
        required: true
-        default: "v0.1.9"
+        default: "latest"

 jobs:
  build-and-push:
@@ -30,19 +32,22 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: |
-            usual2970/certimate 
+            usual2970/certimate
            registry.cn-shanghai.aliyuncs.com/usual2970/certimate
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}

      - name: Log in to DOCKERHUB
        uses: docker/login-action@v3
-
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Log in to ALIYUNCS
        uses: docker/login-action@v3
-
        with:
          registry: registry.cn-shanghai.aliyuncs.com
          username: ${{ secrets.DOCKER_USERNAME }}
@@ -52,7 +57,8 @@ jobs:
        uses: docker/build-push-action@v6
        with:
          context: .
-          file: ./Dockerfile_build
+          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
+
--- a/.github/workflows/push_image_next.yml
+++ b/.github/workflows/push_image_next.yml
@@ -0,0 +1,61 @@
+name: Docker Image CI (preview versions)
+
+on:
+  push:
+    tags:
+      - "v[0-9]*-alpha*"
+      - "v[0-9]*-beta*"
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag version to be used for Docker image"
+        required: true
+        default: "next"
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            usual2970/certimate
+            registry.cn-shanghai.aliyuncs.com/usual2970/certimate
+          tags: |
+            type=ref,event=tag,pattern={{version}}
+          flavor: |
+            latest=false
+
+      - name: Log in to DOCKERHUB
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Log in to ALIYUNCS
+        uses: docker/login-action@v3
+        with:
+          registry: registry.cn-shanghai.aliyuncs.com
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,9 @@
-name: basebuild
+name: Base Build

 on:
  push:
    tags:
-      - "*"
+      - "v[0-9]*"

 jobs:
  goreleaser:
@@ -22,9 +22,9 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ">=1.22.5"
+          go-version: ">=1.23.0"

-      - name: Build Admin dashboard UI
+      - name: Build WebUI
        run: npm --prefix=./ui ci && npm --prefix=./ui run build

      - name: Run GoReleaser
--- a/.gitignore
+++ b/.gitignore
@@ -1,14 +1,7 @@
-__debug_bin*
-vendor
-pb_data
-main
-./certimate
-build
-/docker/data
-
-# Editor directories and files
 .vscode/*
 !.vscode/extensions.json
+!.vscode/settings.json
+!.vscode/settings.tailwind.json
 .idea
 .DS_Store
 *.suo
@@ -16,5 +9,12 @@ build
 *.njsproj
 *.sln
 *.sw?
+__debug_bin*

-./dist
+vendor
+pb_data
+build
+main
+/dist
+/docker/data
+/certimate
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,6 @@
+{
+  "recommendations": [
+    "bradlc.vscode-tailwindcss",
+    "esbenp.prettier-vscode"
+  ]
+}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,21 @@
+{
+  "css.customData": [
+    ".vscode/settings.tailwind.json"
+  ],
+  "editor.codeActionsOnSave": {
+    "source.fixAll.eslint": "explicit"
+  },
+  "editor.defaultFormatter": "esbenp.prettier-vscode",
+  "editor.formatOnSave": true,
+  "go.useLanguageServer": true,
+  "gopls": {
+    "formatting.gofumpt": true,
+  },
+  "typescript.tsdk": "ui/node_modules/typescript/lib",
+  "[go]": {
+    "editor.defaultFormatter": "golang.go"
+  },
+  "[typescript]": {
+    "editor.defaultFormatter": "esbenp.prettier-vscode"
+  }
+}
--- a/.vscode/settings.tailwind.json
+++ b/.vscode/settings.tailwind.json
@@ -0,0 +1,55 @@
+{
+  "version": 1.1,
+  "atDirectives": [
+    {
+      "name": "@tailwind",
+      "description": "Use the `@tailwind` directive to insert Tailwind's `base`, `components`, `utilities` and `screens` styles into your CSS.",
+      "references": [
+        {
+          "name": "Tailwind Documentation",
+          "url": "https://tailwindcss.com/docs/functions-and-directives#tailwind"
+        }
+      ]
+    },
+    {
+      "name": "@apply",
+      "description": "Use the `@apply` directive to inline any existing utility classes into your own custom CSS. This is useful when you find a common utility pattern in your HTML that you’d like to extract to a new component.",
+      "references": [
+        {
+          "name": "Tailwind Documentation",
+          "url": "https://tailwindcss.com/docs/functions-and-directives#apply"
+        }
+      ]
+    },
+    {
+      "name": "@responsive",
+      "description": "You can generate responsive variants of your own classes by wrapping their definitions in the `@responsive` directive:\n```css\n@responsive {\n  .alert {\n    background-color: #E53E3E;\n  }\n}\n```\n",
+      "references": [
+        {
+          "name": "Tailwind Documentation",
+          "url": "https://tailwindcss.com/docs/functions-and-directives#responsive"
+        }
+      ]
+    },
+    {
+      "name": "@screen",
+      "description": "The `@screen` directive allows you to create media queries that reference your breakpoints by **name** instead of duplicating their values in your own CSS:\n```css\n@screen sm {\n  /* ... */\n}\n```\n…gets transformed into this:\n```css\n@media (min-width: 640px) {\n  /* ... */\n}\n```\n",
+      "references": [
+        {
+          "name": "Tailwind Documentation",
+          "url": "https://tailwindcss.com/docs/functions-and-directives#screen"
+        }
+      ]
+    },
+    {
+      "name": "@variants",
+      "description": "Generate `hover`, `focus`, `active` and other **variants** of your own utilities by wrapping their definitions in the `@variants` directive:\n```css\n@variants hover, focus {\n   .btn-brand {\n    background-color: #3182CE;\n  }\n}\n```\n",
+      "references": [
+        {
+          "name": "Tailwind Documentation",
+          "url": "https://tailwindcss.com/docs/functions-and-directives#variants"
+        }
+      ]
+    }
+  ]
+}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1 @@
-## v0.0.3
-
- 解决一些 bug
- 添加 README.md
-
-## v0.0.1
-
- Initial release
+A full changelog of past releases is available on [GitHub Releases](https://github.com/usual2970/certimate/releases) page.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,76 @@
+# 向 Certimate 贡献代码
+
+感谢你抽出时间来改进 Certimate！以下是向 Certimate 主仓库提交 PR（Pull Request）时的操作指南。
+
+- [向 Certimate 贡献代码](#向-certimate-贡献代码)
+  - [前提条件](#前提条件)
+  - [修改 Go 代码](#修改-go-代码)
+  - [修改管理页面 (Admin UI)](#修改管理页面-admin-ui)
+
+## 前提条件
+
+- Go 1.22+ (用于修改 Go 代码)
+- Node 20+ (用于修改 UI)
+
+如果还没有这样做，你可以 fork Certimate 的主仓库，并克隆到本地以便进行修改：
+
+```bash
+git clone https://github.com/your_username/certimate.git
+```
+
+> **重要提示：**
+> 建议为每个 Bug 修复或新功能创建一个从 `main` 分支派生的新分支。如果你计划提交多个 PR，请保持不同的改动在独立分支中，以便更容易进行代码审查并最终合并。
+> 保持一个 PR 只实现一个功能。
+
+## 修改 Go 代码
+
+假设你已经对 Certimate 的 Go 代码做了一些修改，现在你想要运行它：
+
+1. 进入根目录
+2. 运行以下命令启动服务：
+
+   ```bash
+   go run main.go serve
+   ```
+
+这将启动一个 Web 服务器，默认运行在 `http://localhost:8090`，并使用来自 `ui/dist` 的预构建管理页面。
+
+**在向主仓库提交 PR 之前，建议你：**
+
+- 使用 [gofumpt](https://github.com/mvdan/gofumpt) 对你的代码进行格式化。
+
+- 为你的改动添加单元测试或集成测试（Certimate 使用 Go 的标准 `testing` 包）。你可以通过以下命令运行测试（在项目根目录下）：
+
+  ```bash
+  go test ./...
+  ```
+
+## 修改管理页面 (Admin UI)
+
+Certimate 的管理页面是一个基于 React 和 Vite 构建的单页应用（SPA）。
+
+要启动 Admin UI：
+
+1. 进入 `ui` 项目目录。
+
+2. 运行 `npm install` 安装依赖。
+
+3. 启动 Vite 开发服务器：
+
+   ```bash
+   npm run dev
+   ```
+
+你可以通过浏览器访问 `http://localhost:5173` 来查看运行中的管理页面。
+
+由于 Admin UI 只是一个客户端应用，运行时需要 Certimate 的后端服务作为支撑。你可以手动运行 Certimate，或者使用预构建的可执行文件。
+
+所有对 Admin UI 的修改将会自动反映在浏览器中，无需手动刷新页面。
+
+完成修改后，运行以下命令来构建 Admin UI，以便它能被嵌入到 Go 包中：
+
+```bash
+npm run build
+```
+
+完成所有步骤后，你可以将改动提交 PR 到 Certimate 主仓库。
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -0,0 +1,81 @@
+# Contributing to Certimate
+
+Thank you for taking the time to improve Certimate! Below is a guide for submitting a PR (Pull Request) to the main Certimate repository.
+
+- [Contributing to Certimate](#contributing-to-certimate)
+  - [Prerequisites](#prerequisites)
+  - [Making Changes in the Go Code](#making-changes-in-the-go-code)
+  - [Making Changes in the Admin UI](#making-changes-in-the-admin-ui)
+
+## Prerequisites
+
+- Go 1.22+ (for Go code changes)
+- Node 20+ (for Admin UI changes)
+
+If you haven't done so already, you can fork the Certimate repository and clone your fork to work locally:
+
+```bash
+git clone https://github.com/your_username/certimate.git
+```
+
+> **Important:**
+> It is recommended to create a new branch from `main` for each bug fix or feature. If you plan to submit multiple PRs, ensure the changes are in separate branches for easier review and eventual merge.
+> Keep each PR focused on a single feature or fix.
+
+## Making Changes in the Go Code
+
+Once you have made changes to the Go code in Certimate, follow these steps to run the project:
+
+1. Navigate to the root directory.
+
+2. Start the service by running:
+
+   ```bash
+   go run main.go serve
+   ```
+
+This will start a web server at `http://localhost:8090` using the prebuilt Admin UI located in `ui/dist`.
+
+**Before submitting a PR to the main repository, consider:**
+
+- Format your source code by using [gofumpt](https://github.com/mvdan/gofumpt).
+
+- Adding unit or integration tests for your changes. Certimate uses Go’s standard `testing` package. You can run tests using the following command (while in the root project directory):
+
+  ```bash
+  go test ./...
+  ```
+
+## Making Changes in the Admin UI
+
+Certimate’s Admin UI is a single-page application (SPA) built using React and Vite.
+
+To start the Admin UI:
+
+1. Navigate to the `ui` project directory.
+
+2. Install the necessary dependencies by running:
+
+   ```bash
+   npm install
+   ```
+
+3. Start the Vite development server:
+
+   ```bash
+   npm run dev
+   ```
+
+You can now access the running Admin UI at `http://localhost:5173` in your browser.
+
+Since the Admin UI is a client-side application, you will also need to have the Certimate backend running. You can either manually run Certimate or use a prebuilt executable.
+
+Any changes you make in the Admin UI will be automatically reflected in the browser without requiring a page reload.
+
+After completing your changes, build the Admin UI so it can be embedded into the Go package:
+
+```bash
+npm run build
+```
+
+Once all steps are completed, you are ready to submit a PR to the main Certimate repository.
--- a/33
+++ b/33
@@ -0,0 +1,33 @@
+FROM node:20-alpine3.19 AS front-builder
+
+WORKDIR /app
+
+COPY . /app/
+
+RUN \
+  cd /app/ui && \
+  npm install && \
+  npm run build
+
+
+FROM golang:1.23-alpine AS builder
+
+WORKDIR /app
+
+COPY ../. /app/
+
+RUN rm -rf /app/ui/dist
+
+COPY --from=front-builder /app/ui/dist /app/ui/dist
+
+RUN go build -o certimate
+
+
+
+FROM alpine:latest
+
+WORKDIR /app
+
+COPY --from=builder /app/certimate .
+
+ENTRYPOINT ["./certimate", "serve", "--http", "0.0.0.0:8090"]
--- a/16
+++ b/16
@@ -1,16 +0,0 @@
-FROM golang:1.22-alpine as builder
-
-WORKDIR /app
-
-COPY ../. /app/
-
-RUN go build -o certimate
-
-
-FROM alpine:latest
-
-WORKDIR /app
-
-COPY --from=builder /app/certimate .
-
-ENTRYPOINT ["./certimate", "serve", "--http", "0.0.0.0:8090"]
--- a/5
+++ b/5
@@ -34,4 +34,7 @@ help:
 	@echo "  make clean  - 清理构建文件"
 	@echo "  make help   - 显示此帮助信息"

-.PHONY: all build clean help
+.PHONY: all build clean help
+
+local.run:
+	go mod vendor&& npm --prefix=./ui install && npm --prefix=./ui run build && go run main.go serve --http 127.0.0.1:8090
--- a/README.md
+++ b/README.md
@@ -1,188 +1,111 @@
+<h1 align="center">🔒 Certimate</h1>

+<div align="center">

-# 🔒Certimate
+[![Stars](https://img.shields.io/github/stars/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
+[![Forks](https://img.shields.io/github/forks/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
+[![Docker Pulls](https://img.shields.io/docker/pulls/usual2970/certimate?style=flat)](https://hub.docker.com/r/usual2970/certimate)
+[![Release](https://img.shields.io/github/v/release/usual2970/certimate?sort=semver)](https://github.com/usual2970/certimate/releases)
+[![License](https://img.shields.io/github/license/usual2970/certimate)](https://mit-license.org/)

-做个人产品或在小企业负责运维的同学，需要管理多个域名，要给域名申请证书。但手动申请证书有以下缺点：
+</div>

-1. 😱麻烦：申请、部署证书虽不困难，但也挺麻烦的，尤其是维护多个域名的时候。
-2. 😭易忘：当前免费证书有效期仅90天，这就要求定期操作，增加工作量的同时，也很容易忘掉，导致网站无法访问。
+<div align="center">

-Certimate 就是为了解决上述问题而产生的，它具有以下特点：
+中文 ｜ [English](README_EN.md)

-1. 操作简单：自动申请、部署、续期 SSL 证书，全程无需人工干预。
-2. 支持私有部署：部署方法简单，只需下载二进制文件执行即可。二进制文件、docker 镜像全部用 github actions 生成，过程透明，可自行审计。
-3. 数据安全：由于是私有部署，所有数据均存储在本地，不会保存在服务商的服务器，确保数据的安全性。
+</div>

-相关文章：
+---

-* [Why Certimate?](https://docs.certimate.me/blog/why-certimate)
-* [域名变量及部署授权组介绍](https://docs.certimate.me/blog/multi-deployer)
+## 🚩 项目简介

+做个人产品或者在中小企业里负责运维的同学，会遇到要管理多个域名的情况，需要给域名申请证书。但是手动申请证书有以下缺点：

-Certimate 旨在为用户提供一个安全、简便的 SSL 证书管理解决方案。使用文档请访问[https://docs.certimate.me](https://docs.certimate.me)
+- 😱 麻烦：申请证书并部署到服务的流程虽不复杂，但也挺麻烦的，犹其是你有多个域名需要维护的时候。
+- 😭 易忘：另外当前免费证书的有效期只有 90 天，这就要求你定期的操作，增加了工作量的同时，你也很容易忘掉续期，从而导致网站访问不了。

- [🔒Certimate](#certimate)
-  - [一、安装](#一安装)
-    - [1. 二进制文件](#1-二进制文件)
-    - [2. Docker 安装](#2-docker-安装)
-    - [3. 源代码安装](#3-源代码安装)
-  - [二、使用](#二使用)
-  - [三、支持的服务商列表](#三支持的服务商列表)
-  - [四、系统截图](#四系统截图)
-  - [五、概念](#五概念)
-    - [1. 域名](#1-域名)
-    - [2. dns 服务商授权信息](#2-dns-服务商授权信息)
-    - [3. 部署服务商授权信息](#3-部署服务商授权信息)
-  - [六、常见问题](#六常见问题)
-  - [七、贡献](#七贡献)
-  - [八、加入社区](#八加入社区)
+Certimate 就是为了解决上述问题而产生的，它具有以下优势：

+- **本地部署**：一键安装，只需要下载二进制文件，然后直接运行即可。同时也支持 Docker 部署、源代码部署等方式。
+- **数据安全**：由于是私有部署，所有数据均存储在自己的服务器上，不会经过第三方，确保数据的隐私和安全。
+- **操作简单**：简单配置即可轻松申请 SSL 证书并部署到指定的目标上，在证书即将过期前自动续期，从申请证书到使用证书完全自动化，无需人工操作。

+Certimate 旨在为用户提供一个安全、简便的 SSL 证书管理解决方案。

-## 一、安装
+## 💡 功能特性

-安装 Certimate 非常简单，你可以选择以下方式之一进行安装：
+- 灵活的工作流编排方式，证书从申请到部署完全自动化；
+- 支持单域名、多域名、泛域名证书，可选 RSA、ECC 签名算法；
+- 支持 PEM、PFX、JKS 等多种格式输出证书；
+- 支持 20+ 域名托管商（如阿里云、腾讯云、Cloudflare 等，[点此查看](https://docs.certimate.me/docs/reference/providers#supported-dns-providers)完整提供商清单）；
+- 支持 60+ 部署目标（如 Kubernetes、CDN、WAF、负载均衡等，[点此查看](https://docs.certimate.me/docs/reference/providers#supported-host-providers)完整提供商清单）；
+- 支持邮件、钉钉、飞书、企业微信、Webhook 等多种通知渠道；
+- 支持 Let's Encrypt、ZeroSSL、Google Trust Services 等多种 ACME 证书颁发机构；
+- 更多特性等待探索。

-### 1. 二进制文件
+## ⏱️ 快速启动

-你可以直接从[Releases 页](https://github.com/usual2970/certimate/releases)下载预先编译好的二进制文件，解压后执行:
+**5 分钟部署 Certimate！**
+
+以二进制部署为例，从 [GitHub Releases](https://github.com/usual2970/certimate/releases) 页面下载预先编译好的二进制可执行文件压缩包，解压缩后在终端中执行：

 ```bash
 ./certimate serve
 ```

-> [!NOTE]
-> MacOS 在执行二进制文件时会提示：无法打开“certimate”，因为Apple无法检查其是否包含恶意软件。可在系统设置> 隐私与安全性> 安全性 中点击 "仍然允许"，然后再次尝试执行二进制文件。
+浏览器中访问 `http://127.0.0.1:8090`。

+初始的管理员账号及密码：

-### 2. Docker 安装
+- 账号：`admin@certimate.fun`
+- 密码：`1234567890`

-```bash
+即刻使用 Certimate。

-git clone git@github.com:usual2970/certimate.git && cd certimate/docker && docker compose up -d
+如何使用 Docker 或其他部署方式请参考文档。

-```
+## 📄 使用手册

-### 3. 源代码安装
+请访问文档站 [docs.certimate.me](https://docs.certimate.me/) 以阅读使用手册。

-```bash
-git clone EMAIL:usual2970/certimate.git
-cd certimate
-go run main.go serve
-```
+相关文章：

+- [使用 CNAME 实现 DNS-01 challenge](https://docs.certimate.me/blog/cname)
+- [v0.3.0：第二个不向后兼容的大版本](https://docs.certimate.me/blog/v0.3.0)
+- [v0.2.0：第一个不向后兼容的大版本](https://docs.certimate.me/blog/v0.2.0)
+- [Why Certimate?](https://docs.certimate.me/blog/why-certimate)

-## 二、使用
+## ⭐ 运行界面

-执行完上述安装操作后，在浏览器中访问 `http://127.0.0.1:8090` 即可访问 Certimate 管理页面。
+[![Screenshot](https://i.imgur.com/4DAUKEE.gif)](https://www.bilibili.com/video/BV1xockeZEm2)

-```bash
-用户名：admin@certimate.fun
-密码：1234567890
-```
+## 🤝 参与贡献

-![usage.gif](https://i.imgur.com/zpCoLVM.gif)
-
-## 三、支持的服务商列表
-
-| 服务商 | 是否域名服务商 | 是否部署服务 | 备注 |
-|------|------|-----|------|
-| 阿里云| 是 | 是 | 支持阿里云注册的域名，支持部署到阿里云 CDN,OSS |
-| 腾讯云| 是 | 是 | 支持腾讯云注册的域名，支持部署到腾讯云 CDN |
-| 七牛云| 否 | 是 | 七牛云没有注册域名服务，支持部署到七牛云 CDN |
-|CloudFlare| 是 | 否 | 支持 CloudFlare 注册的域名，CloudFlare 服务自带SSL证书 |
-|SSH| 否 | 是 | 支持部署到 SSH 服务器 |
-|WEBHOOK| 否 | 是 | 支持回调到 WEBHOOK |
-
-
-
-
-## 四、系统截图
-
-![login](https://i.imgur.com/SYjjbql.jpeg)
-
-![dashboard](https://i.imgur.com/WMVbBId.jpeg)
-
-![domains](https://i.imgur.com/8wit3ZA.jpeg)
-
-![accesses](https://i.imgur.com/EWtOoJ0.jpeg)
-
-![history](https://i.imgur.com/aaPtSW7.jpeg)
-
-
-## 五、概念
-
-Certimate 的工作流程如下：
-
-* 用户通过 Certimate 管理页面填写申请证书的信息，包括域名、dns 服务商的授权信息、以及要部署到的服务商的授权信息。
-* Certimate 向证书厂商的 API 发起申请请求，获取 SSL 证书。
-* Certimate 存储证书信息，包括证书内容、私钥、证书有效期等，并在证书即将过期时自动续期。
-* Certimate 向服务商的 API 发起部署请求，将证书部署到服务商的服务器上。
-
-这就涉及域名、dns 服务商的授权信息、部署服务商的授权信息等。
-
-### 1. 域名
-
-就是要申请证书的域名。
-
-### 2. dns 服务商授权信息
-
-给域名申请证书需要证明域名是你的，所以我们手动申请证书的时候一般需要在域名服务商的控制台解析记录中添加一个 TXT 记录。
-
-Certimate 会自动添加一个 TXT 记录，你只需要在 Certimate 后台中填写你的域名服务商的授权信息即可。
-
-比如你在阿里云购买的域名，授权信息如下：
-
-```bash
-accessKeyId: xxx
-accessKeySecret: TOKEN
-```
-
-在腾讯云购买的域名，授权信息如下：
-
-```bash
-secretId: xxx
-secretKey: TOKEN
-```
-
-### 3. 部署服务商授权信息
-
-Certimate 申请证书后，会自动将证书部署到你指定的目标上，比如阿里云 CDN 这时你需要填写阿里云的授权信息。Certimate 会根据你填写的授权信息及域名找到对应的 CDN 服务,并将证书部署到对应的 CDN 服务上。
-
-部署服务商授权信息和 dns 服务商授权信息一致，区别在于 dns 服务商授权信息用于证明域名是你的，部署服务商授权信息用于提供证书部署的授权信息。
-
-## 六、常见问题
-
-
-Q: 提供saas服务吗？
-
-> A: 不提供，目前仅支持self-hosted（私有部署）。
-
-Q: 数据安全？
-
-> A: 由于仅支持私有部署，各种数据都保存在用户的服务器上。另外Certimate源码也开源，二进制包及Docker镜像打包过程全部使用Github actions进行，过程透明可见，可自行审计。
-
-Q: 自动续期证书？
-
-> A: 已经申请的证书会在过期前10天自动续期。每天会检查一次证书是否快要过期，快要过期时会自动重新申请证书并部署到目标服务上。
-
-
-
-## 七、贡献
-
-Certimate 是一个免费且开源的项目，采用 [MIT 开源协议](LICENSE.md)。你可以使用它做任何你想做的事，甚至把它当作一个付费服务提供给用户。
+Certimate 是一个免费且开源的项目，采用 [MIT License](./LICENSE.md)。你可以使用它做任何你想做的事，甚至把它当作一个付费服务提供给用户。

 你可以通过以下方式来支持 Certimate 的开发：

-* 提交代码：如果你发现了 bug 或有新的功能需求，而你又有相关经验，可以提交代码给我们。
-* 提交 issue：功能建议或者 bug 可以[提交 issue](https://github.com/usual2970/certimate/issues) 给我们。
+- 提交代码：如果你发现了 Bug 或有新的功能需求，而你又有相关经验，可以[提交代码](CONTRIBUTING.md)给我们。
+- 提交 Issue：功能建议或者 Bug 可以[提交 Issue](https://github.com/usual2970/certimate/issues) 给我们。

-支持更多服务商、UI 的优化改进、BUG 修复、文档完善等，欢迎大家提交 PR。
+支持更多提供商、UI 的优化改进、Bug 修复、文档完善等，欢迎大家参与贡献。

-## 八、加入社区
+## ⛔ 免责声明

-* [Telegram-a new era of messaging](https://t.me/+ZXphsppxUg41YmVl) 
+Certimate 基于 [MIT License](https://opensource.org/licenses/MIT) 发布，完全免费提供，旨在“按现状”供用户使用。作者及贡献者不对使用本软件所产生的任何直接或间接后果承担责任，包括但不限于性能下降、数据丢失、服务中断、或任何其他类型的损害。

-* 微信群聊
+**无任何保证**：本软件不提供任何明示或暗示的保证，包括但不限于对特定用途的适用性、无侵权性、商用性及可靠性的保证。

-<img src="https://i.imgur.com/lJUfTeD.png" width="400"/>
+**用户责任**：使用本软件即表示您理解并同意承担由此产生的一切风险及责任。
+
+## 🌐 加入社群
+
+- [Telegram](https://t.me/+ZXphsppxUg41YmVl)
+- 微信群聊（超 200 人需邀请入群，可先加作者好友）
+
+  <img src="https://i.imgur.com/8xwsLTA.png" width="240"/>
+
+## 🚀 Star 趋势图
+
+[![Stargazers over time](https://starchart.cc/usual2970/certimate.svg?variant=adaptive)](https://starchart.cc/usual2970/certimate)
--- a/README_EN.md
+++ b/README_EN.md
@@ -0,0 +1,109 @@
+<h1 align="center">🔒 Certimate</h1>
+
+<div align="center">
+
+[![Stars](https://img.shields.io/github/stars/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
+[![Forks](https://img.shields.io/github/forks/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
+[![Docker Pulls](https://img.shields.io/docker/pulls/usual2970/certimate?style=flat)](https://hub.docker.com/r/usual2970/certimate)
+[![Release](https://img.shields.io/github/v/release/usual2970/certimate?style=flat&sort=semver)](https://github.com/usual2970/certimate/releases)
+[![License](https://img.shields.io/github/license/usual2970/certimate?style=flat)](https://mit-license.org/)
+
+</div>
+
+<div align="center">
+
+[中文](README.md) ｜ English
+
+</div>
+
+---
+
+## 🚩 Introduction
+
+For individuals managing personal projects or those responsible for IT operations in small businesses who need to manage multiple domain names, applying for certificates manually comes with several drawbacks:
+
+- 😱 Troublesome: Applying for and deploying certificates isn’t difficult, but it can be quite a hassle, especially when managing multiple domains.
+- 😭 Easily forgotten: The current free certificate has a validity period of only 90 days, requiring regular renewal operations. This increases the workload and makes it easy to forget, which can result in the website becoming inaccessible.
+
+Certimate was created to solve the above-mentioned issues and has the following advantages:
+
+- **Local Deployment**: Simply to install, download the binary and run it directly. Supports Docker deployment and source code deployment for added flexibility.
+- **Data Security**: With private deployment, all data is stored on your own servers, ensuring it never resides on third-party systems and maintaining full control over your data.
+- **Easy Operation**: Effortlessly apply and deploy SSL certificates with minimal configuration. The system automatically renews certificates before expiration, providing a fully automated workflow, no manual intervention required.
+
+Certimate aims to provide users with a secure and user-friendly SSL certificate management solution.
+
+## 💡 Features
+
+- Flexible workflow orchestration, fully automation from certificate application to deployment;
+- Supports single-domain, multi-domain, wildcard certificates, with options for RSA or ECC.
+- Supports various certificate formats such as PEM, PFX, JKS.
+- Supports more than 20+ domain registrars (e.g., Alibaba Cloud, Tencent Cloud, Cloudflare, etc. [Check out this link](https://docs.certimate.me/en/docs/reference/providers#supported-dns-providers));
+- Supports more than 60+ deployment targets (e.g., Kubernetes, CDN, WAF, load balancers, etc. [Check out this link](https://docs.certimate.me/en/docs/reference/providers#supported-host-providers));
+- Supports multiple notification channels including email, DingTalk, Feishu, WeCom, Webhook, and more;
+- Supports multiple ACME CAs including Let's Encrypt, ZeroSSL, Google Trust Services, and more;
+- More features waiting to be discovered.
+
+## ⏱️ Fast Track
+
+**Deploy Certimate in 5 minutes!**
+
+Download the archived package of precompiled binary files directly from [GitHub Releases](https://github.com/usual2970/certimate/releases), extract and then execute:
+
+```bash
+./certimate serve
+```
+
+Visit `http://127.0.0.1:8090` in your browser.
+
+Default administrator account:
+
+- Username: `admin@certimate.fun`
+- Password: `1234567890`
+
+Work with Certimate right now. Or read other content in the documentation to learn more.
+
+## 📄 Documentation
+
+Please visit the documentation site [docs.certimate.me](https://docs.certimate.me/en/).
+
+Related articles:
+
+- [使用 CNAME 实现 DNS-01 challenge](https://docs.certimate.me/blog/cname)
+- [v0.3.0：第二个不向后兼容的大版本](https://docs.certimate.me/blog/v0.3.0)
+- [v0.2.0：第一个不向后兼容的大版本](https://docs.certimate.me/blog/v0.2.0)
+- [Why Certimate?](https://docs.certimate.me/blog/why-certimate)
+
+## ⭐ Screenshot
+
+[![Screenshot](https://i.imgur.com/4DAUKEE.gif)](https://www.youtube.com/watch?v=am_yzdfyNOE)
+
+## 🤝 Contributing
+
+Certimate is a free and open-source project, licensed under the [MIT License](./LICENSE.md). You can use it for anything you want, even offering it as a paid service to users.
+
+You can support the development of Certimate in the following ways:
+
+- **Submit Code**: If you find a bug or have new feature requests, and you have relevant experience, [you can submit code to us](CONTRIBUTING_EN.md).
+- **Submit an Issue**: For feature suggestions or bugs, you can [submit an issue](https://github.com/usual2970/certimate/issues) to us.
+
+Support for more service providers, UI enhancements, bug fixes, and documentation improvements are all welcome. We encourage everyone to contribute.
+
+## ⛔ Disclaimer
+
+This software is provided under the [MIT License](https://opensource.org/licenses/MIT) and distributed “as-is” without any warranty of any kind. The authors and contributors are not responsible for any damages or losses resulting from the use or inability to use this software, including but not limited to data loss, business interruption, or any other potential harm.
+
+**No Warranties**: This software comes without any express or implied warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.
+
+**User Responsibilities**: By using this software, you agree to take full responsibility for any outcomes resulting from its use.
+
+## 🌐 Join the Community
+
+- [Telegram](https://t.me/+ZXphsppxUg41YmVl)
+- Wechat Group
+
+  <img src="https://i.imgur.com/zSHEoIm.png" width="240"/>
+
+## 🚀 Star History
+
+[![Stargazers over time](https://starchart.cc/usual2970/certimate.svg?variant=adaptive)](https://starchart.cc/usual2970/certimate)
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,10 +1,12 @@
-version: '3.0'
+version: "3.0"
 services:
-    certimate:
-      image: registry.cn-shanghai.aliyuncs.com/usual2970/certimate:latest
-      container_name: certimate_server
-      ports:
+  certimate:
+    image: registry.cn-shanghai.aliyuncs.com/usual2970/certimate:latest
+    container_name: certimate_server
+    ports:
      - 8090:8090
-      volumes:
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
      - ./data:/app/pb_data
-      restart: unless-stopped
+    restart: unless-stopped
--- a/go.mod
+++ b/go.mod
@@ -1,141 +1,211 @@
-module certimate
+module github.com/usual2970/certimate

-go 1.22
+go 1.23.0

-toolchain go1.22.5
+toolchain go1.23.2

 require (
-	github.com/alibabacloud-go/cas-20200407/v2 v2.3.0
-	github.com/alibabacloud-go/cdn-20180510/v5 v5.0.0
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.9
-	github.com/alibabacloud-go/tea v1.2.2
-	github.com/alibabacloud-go/tea-utils/v2 v2.0.6
-	github.com/go-acme/lego/v4 v4.17.4
-	github.com/gojek/heimdall/v7 v7.0.3
-	github.com/labstack/echo/v5 v5.0.0-20230722203903-ec5b858dab61
-	github.com/pkg/sftp v1.13.6
-	github.com/pocketbase/dbx v1.10.1
-	github.com/pocketbase/pocketbase v0.22.18
-	github.com/qiniu/go-sdk/v7 v7.22.0
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.992
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.992
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tag v1.0.992
-	golang.org/x/crypto v0.26.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0
+	github.com/G-Core/gcorelabscdn-go v1.0.28
+	github.com/alibabacloud-go/alb-20200616/v2 v2.2.8
+	github.com/alibabacloud-go/cas-20200407/v3 v3.0.4
+	github.com/alibabacloud-go/cdn-20180510/v5 v5.2.2
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.4
+	github.com/alibabacloud-go/esa-20240910/v2 v2.23.0
+	github.com/alibabacloud-go/fc-20230330/v4 v4.1.7
+	github.com/alibabacloud-go/fc-open-20210406/v2 v2.0.12
+	github.com/alibabacloud-go/live-20161101 v1.1.1
+	github.com/alibabacloud-go/nlb-20220430/v2 v2.0.3
+	github.com/alibabacloud-go/slb-20140515/v4 v4.0.10
+	github.com/alibabacloud-go/tea v1.3.4
+	github.com/alibabacloud-go/vod-20170321/v4 v4.7.0
+	github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.0.5
+	github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible
+	github.com/aws/aws-sdk-go-v2/service/acm v1.31.1
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.45.2
+	github.com/baidubce/bce-sdk-go v0.9.221
+	github.com/byteplus-sdk/byteplus-sdk-golang v1.0.42
+	github.com/go-acme/lego/v4 v4.22.2
+	github.com/go-resty/resty/v2 v2.16.5
+	github.com/go-viper/mapstructure/v2 v2.2.1
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.141
+	github.com/jdcloud-api/jdcloud-sdk-go v1.64.0
+	github.com/libdns/dynv6 v1.0.0
+	github.com/libdns/libdns v0.2.3
+	github.com/nikoksr/notify v1.3.0
+	github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0
+	github.com/pkg/sftp v1.13.8
+	github.com/pocketbase/dbx v1.11.0
+	github.com/pocketbase/pocketbase v0.26.1
+	github.com/povsister/scp v0.0.0-20240802064259-28781e87b246
+	github.com/qiniu/go-sdk/v7 v7.25.2
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn v1.0.1115
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1127
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1127
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live v1.0.1117
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/scf v1.0.1115
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1124
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1126
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.1115
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1125
+	github.com/ucloud/ucloud-sdk-go v0.22.31
+	github.com/volcengine/ve-tos-golang-sdk/v2 v2.7.9
+	github.com/volcengine/volc-sdk-golang v1.0.199
+	github.com/volcengine/volcengine-go-sdk v1.0.187
+	gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1
+	gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0
+	golang.org/x/crypto v0.36.0
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394
+	k8s.io/api v0.32.3
+	k8s.io/apimachinery v0.32.3
+	k8s.io/client-go v0.32.3
+	software.sslmate.com/src/go-pkcs12 v0.5.0
 )

 require (
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-fc-util v0.0.7 // indirect
 	github.com/alibabacloud-go/openplatform-20191219/v2 v2.0.1 // indirect
 	github.com/alibabacloud-go/tea-fileform v1.1.1 // indirect
 	github.com/alibabacloud-go/tea-oss-sdk v1.1.3 // indirect
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
+	github.com/avast/retry-go v3.0.0+incompatible // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.48.1 // indirect
+	github.com/blinkbean/dingtalk v1.1.3 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-lark/lark v1.15.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.16.0 // indirect
+	github.com/go-sql-driver/mysql v1.8.1 // indirect
+	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible // indirect
+	github.com/gofrs/uuid v4.4.0+incompatible // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
+	github.com/qiniu/dyn v1.3.0 // indirect
+	github.com/qiniu/x v1.10.5 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	go.mongodb.org/mongo-driver v1.17.2 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ns1/ns1-go.v2 v2.13.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
+	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

 require (
-	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
-	github.com/alibabacloud-go/darabonba-openapi v0.1.18 // indirect
-    github.com/alibabacloud-go/dcdn-20180115/v3 v3.4.2
-	github.com/alibabacloud-go/debug v1.0.0 // indirect
-	github.com/alibabacloud-go/endpoint-util v1.1.0 // indirect
-	github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
+	github.com/alibabacloud-go/dcdn-20180115/v3 v3.5.0
+	github.com/alibabacloud-go/debug v1.0.1 // indirect
+	github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
+	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
 	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.712 // indirect
-	github.com/aliyun/credentials-go v1.3.1 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.83 // indirect
+	github.com/aliyun/credentials-go v1.4.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
-	github.com/aws/smithy-go v1.20.3 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.5
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.58
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/clbanning/mxj/v2 v2.5.6 // indirect
-	github.com/cloudflare/cloudflare-go v0.97.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/clbanning/mxj/v2 v2.7.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.114.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/disintegration/imaging v1.6.2 // indirect
-	github.com/domodwyer/mailyak/v3 v3.6.2 // indirect
+	github.com/domodwyer/mailyak/v3 v3.6.2
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fatih/color v1.17.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.4 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
 	github.com/ganigeorgiev/fexpr v0.4.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
-	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/gojek/valkyrie v0.0.0-20180215180059-6aee720afcdf // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
-	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
-	github.com/miekg/dns v1.1.59 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/pkg/errors v0.9.1
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.9.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.898 // indirect
-	github.com/tjfoc/gmsm v1.3.2 // indirect
-	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasttemplate v1.2.2 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	gocloud.dev v0.37.0 // indirect
-	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/mod v0.18.0 // indirect
-	golang.org/x/net v0.27.0 // indirect
-	golang.org/x/oauth2 v0.21.0 // indirect
-	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/sys v0.24.0 // indirect
-	golang.org/x/term v0.23.0 // indirect
-	golang.org/x/text v0.17.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.22.0 // indirect
-	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
-	google.golang.org/api v0.189.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240723171418-e6d459c13d2a // indirect
-	google.golang.org/grpc v1.65.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	github.com/stretchr/testify v1.10.0 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1084 // indirect
+	github.com/tjfoc/gmsm v1.4.1 // indirect
+	golang.org/x/image v0.25.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/oauth2 v0.28.0 // indirect
+	golang.org/x/sync v0.12.0
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/time v0.9.0
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/gc/v3 v3.0.0-20240722195230-4a140ff9c08e // indirect
-	modernc.org/libc v1.55.3 // indirect
-	modernc.org/mathutil v1.6.0 // indirect
-	modernc.org/memory v1.8.0 // indirect
-	modernc.org/sqlite v1.31.1 // indirect
-	modernc.org/strutil v1.2.0 // indirect
-	modernc.org/token v1.1.0 // indirect
+	modernc.org/libc v1.61.13 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.8.2 // indirect
+	modernc.org/sqlite v1.36.1 // indirect
 )
+
+replace gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0 => ./internal/pkg/vendors/cmcc-sdk/ecloudsdkcore@v1.0.0
+
+replace gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1 => ./internal/pkg/vendors/cmcc-sdk/ecloudsdkclouddns@v1.0.1
--- a/go.sum
+++ b/go.sum
--- a/internal/app/app.go
+++ b/internal/app/app.go
@@ -0,0 +1,32 @@
+package app
+
+import (
+	"log/slog"
+	"sync"
+
+	"github.com/pocketbase/dbx"
+	"github.com/pocketbase/pocketbase"
+	"github.com/pocketbase/pocketbase/core"
+)
+
+var instance core.App
+
+var intanceOnce sync.Once
+
+func GetApp() core.App {
+	intanceOnce.Do(func() {
+		instance = pocketbase.NewWithConfig(pocketbase.Config{
+			HideStartBanner: true,
+		})
+	})
+
+	return instance
+}
+
+func GetDB() dbx.Builder {
+	return GetApp().DB()
+}
+
+func GetLogger() *slog.Logger {
+	return GetApp().Logger()
+}
--- a/internal/utils/app/schedule.go
+++ b/internal/utils/app/schedule.go
@@ -2,17 +2,25 @@ package app

 import (
 	"sync"
+	"time"
+	_ "time/tzdata"

 	"github.com/pocketbase/pocketbase/tools/cron"
 )

-var schedulerOnce sync.Once
-
 var scheduler *cron.Cron

+var schedulerOnce sync.Once
+
 func GetScheduler() *cron.Cron {
+	scheduler = GetApp().Cron()
 	schedulerOnce.Do(func() {
-		scheduler = cron.New()
+		location, err := time.LoadLocation("Local")
+		if err == nil {
+			scheduler.Stop()
+			scheduler.SetTimezone(location)
+			scheduler.Start()
+		}
 	})

 	return scheduler
--- a/internal/applicant/acme_ca.go
+++ b/internal/applicant/acme_ca.go
@@ -0,0 +1,38 @@
+package applicant
+
+const (
+	sslProviderLetsEncrypt         = "letsencrypt"
+	sslProviderLetsEncryptStaging  = "letsencrypt_staging"
+	sslProviderZeroSSL             = "zerossl"
+	sslProviderGoogleTrustServices = "gts"
+)
+const defaultSSLProvider = sslProviderLetsEncrypt
+
+const (
+	letsencryptUrl        = "https://acme-v02.api.letsencrypt.org/directory"
+	letsencryptStagingUrl = "https://acme-staging-v02.api.letsencrypt.org/directory"
+	zerosslUrl            = "https://acme.zerossl.com/v2/DV90"
+	gtsUrl                = "https://dv.acme-v02.api.pki.goog/directory"
+)
+
+var sslProviderUrls = map[string]string{
+	sslProviderLetsEncrypt:         letsencryptUrl,
+	sslProviderLetsEncryptStaging:  letsencryptStagingUrl,
+	sslProviderZeroSSL:             zerosslUrl,
+	sslProviderGoogleTrustServices: gtsUrl,
+}
+
+type acmeSSLProviderConfig struct {
+	Config   acmeSSLProviderConfigContent `json:"config"`
+	Provider string                       `json:"provider"`
+}
+
+type acmeSSLProviderConfigContent struct {
+	ZeroSSL             acmeSSLProviderEabConfig `json:"zerossl"`
+	GoogleTrustServices acmeSSLProviderEabConfig `json:"gts"`
+}
+
+type acmeSSLProviderEabConfig struct {
+	EabHmacKey string `json:"eabHmacKey"`
+	EabKid     string `json:"eabKid"`
+}
--- a/internal/applicant/acme_user.go
+++ b/internal/applicant/acme_user.go
@@ -0,0 +1,140 @@
+package applicant
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"fmt"
+
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+	"golang.org/x/sync/singleflight"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/certutil"
+	"github.com/usual2970/certimate/internal/repository"
+)
+
+type acmeUser struct {
+	CA           string
+	Email        string
+	Registration *registration.Resource
+
+	privkey string
+}
+
+func newAcmeUser(ca, email string) (*acmeUser, error) {
+	repo := repository.NewAcmeAccountRepository()
+
+	applyUser := &acmeUser{
+		CA:    ca,
+		Email: email,
+	}
+
+	acmeAccount, err := repo.GetByCAAndEmail(ca, email)
+	if err != nil {
+		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, err
+		}
+
+		keyPEM, err := certutil.ConvertECPrivateKeyToPEM(key)
+		if err != nil {
+			return nil, err
+		}
+
+		applyUser.privkey = keyPEM
+		return applyUser, nil
+	}
+
+	applyUser.Registration = acmeAccount.Resource
+	applyUser.privkey = acmeAccount.Key
+
+	return applyUser, nil
+}
+
+func (u *acmeUser) GetEmail() string {
+	return u.Email
+}
+
+func (u acmeUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+
+func (u *acmeUser) GetPrivateKey() crypto.PrivateKey {
+	rs, _ := certutil.ParseECPrivateKeyFromPEM(u.privkey)
+	return rs
+}
+
+func (u *acmeUser) hasRegistration() bool {
+	return u.Registration != nil
+}
+
+func (u *acmeUser) getPrivateKeyPEM() string {
+	return u.privkey
+}
+
+type acmeAccountRepository interface {
+	GetByCAAndEmail(ca, email string) (*domain.AcmeAccount, error)
+	Save(ca, email, key string, resource *registration.Resource) error
+}
+
+var registerGroup singleflight.Group
+
+func registerAcmeUserWithSingleFlight(client *lego.Client, sslProviderConfig *acmeSSLProviderConfig, user *acmeUser) (*registration.Resource, error) {
+	resp, err, _ := registerGroup.Do(fmt.Sprintf("register_acme_user_%s_%s", sslProviderConfig.Provider, user.GetEmail()), func() (interface{}, error) {
+		return registerAcmeUser(client, sslProviderConfig, user)
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return resp.(*registration.Resource), nil
+}
+
+func registerAcmeUser(client *lego.Client, sslProviderConfig *acmeSSLProviderConfig, user *acmeUser) (*registration.Resource, error) {
+	var reg *registration.Resource
+	var err error
+	switch sslProviderConfig.Provider {
+	case sslProviderZeroSSL:
+		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  sslProviderConfig.Config.ZeroSSL.EabKid,
+			HmacEncoded:          sslProviderConfig.Config.ZeroSSL.EabHmacKey,
+		})
+	case sslProviderGoogleTrustServices:
+		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+			TermsOfServiceAgreed: true,
+			Kid:                  sslProviderConfig.Config.GoogleTrustServices.EabKid,
+			HmacEncoded:          sslProviderConfig.Config.GoogleTrustServices.EabHmacKey,
+		})
+	case sslProviderLetsEncrypt, sslProviderLetsEncryptStaging:
+		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	default:
+		err = fmt.Errorf("unsupported ssl provider: %s", sslProviderConfig.Provider)
+	}
+	if err != nil {
+		return nil, err
+	}
+
+	repo := repository.NewAcmeAccountRepository()
+	resp, err := repo.GetByCAAndEmail(sslProviderConfig.Provider, user.GetEmail())
+	if err == nil {
+		user.privkey = resp.Key
+		return resp.Resource, nil
+	}
+
+	if _, err := repo.Save(context.Background(), &domain.AcmeAccount{
+		CA:       sslProviderConfig.Provider,
+		Email:    user.GetEmail(),
+		Key:      user.getPrivateKeyPEM(),
+		Resource: reg,
+	}); err != nil {
+		return nil, fmt.Errorf("failed to save registration: %w", err)
+	}
+
+	return reg, nil
+}
--- a/internal/applicant/aliyun.go
+++ b/internal/applicant/aliyun.go
@@ -1,34 +0,0 @@
-package applicant
-
-import (
-	"certimate/internal/domain"
-	"encoding/json"
-	"os"
-
-	"github.com/go-acme/lego/v4/providers/dns/alidns"
-)
-
-type aliyun struct {
-	option *ApplyOption
-}
-
-func NewAliyun(option *ApplyOption) Applicant {
-	return &aliyun{
-		option: option,
-	}
-}
-
-func (a *aliyun) Apply() (*Certificate, error) {
-
-	access := &domain.AliyunAccess{}
-	json.Unmarshal([]byte(a.option.Access), access)
-
-	os.Setenv("ALICLOUD_ACCESS_KEY", access.AccessKeyId)
-	os.Setenv("ALICLOUD_SECRET_KEY", access.AccessKeySecret)
-	dnsProvider, err := alidns.NewDNSProvider()
-	if err != nil {
-		return nil, err
-	}
-
-	return apply(a.option, dnsProvider)
-}
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -1,177 +1,233 @@
 package applicant

 import (
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"errors"
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"strconv"
 	"strings"
+	"sync"

 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge"
 	"github.com/go-acme/lego/v4/challenge/dns01"
 	"github.com/go-acme/lego/v4/lego"
-	"github.com/go-acme/lego/v4/registration"
-	"github.com/pocketbase/pocketbase/models"
+	"golang.org/x/exp/slices"
+	"golang.org/x/time/rate"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/utils/sliceutil"
+	"github.com/usual2970/certimate/internal/repository"
 )

-const (
-	configTypeTencent    = "tencent"
-	configTypeAliyun     = "aliyun"
-	configTypeCloudflare = "cloudflare"
-	configTypeNamesilo   = "namesilo"
-	configTypeGodaddy    = "godaddy"
-)
-
-const defaultEmail = "536464346@qq.com"
-
-type Certificate struct {
-	CertUrl           string `json:"certUrl"`
-	CertStableUrl     string `json:"certStableUrl"`
-	PrivateKey        string `json:"privateKey"`
-	Certificate       string `json:"certificate"`
-	IssuerCertificate string `json:"issuerCertificate"`
-	Csr               string `json:"csr"`
-}
-
-type ApplyOption struct {
-	Email       string `json:"email"`
-	Domain      string `json:"domain"`
-	Access      string `json:"access"`
-	Nameservers string `json:"nameservers"`
-}
-
-type MyUser struct {
-	Email        string
-	Registration *registration.Resource
-	key          crypto.PrivateKey
-}
-
-func (u *MyUser) GetEmail() string {
-	return u.Email
-}
-func (u MyUser) GetRegistration() *registration.Resource {
-	return u.Registration
-}
-func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
-	return u.key
+type ApplyCertResult struct {
+	CertificateFullChain string
+	IssuerCertificate    string
+	PrivateKey           string
+	ACMEAccountUrl       string
+	ACMECertUrl          string
+	ACMECertStableUrl    string
+	CSR                  string
 }

 type Applicant interface {
-	Apply() (*Certificate, error)
+	Apply() (*ApplyCertResult, error)
 }

-func Get(record *models.Record) (Applicant, error) {
-	access := record.ExpandedOne("access")
-	email := record.GetString("email")
-	if email == "" {
-		email = defaultEmail
-	}
-	option := &ApplyOption{
-		Email:       email,
-		Domain:      record.GetString("domain"),
-		Access:      access.GetString("config"),
-		Nameservers: record.GetString("nameservers"),
-	}
-	switch access.GetString("configType") {
-	case configTypeTencent:
-		return NewTencent(option), nil
-	case configTypeAliyun:
-		return NewAliyun(option), nil
-	case configTypeCloudflare:
-		return NewCloudflare(option), nil
-	case configTypeNamesilo:
-		return NewNamesilo(option), nil
-	case configTypeGodaddy:
-		return NewGodaddy(option), nil
-	default:
-		return nil, errors.New("unknown config type")
-	}
-
+type applicantOptions struct {
+	Domains               []string
+	ContactEmail          string
+	Provider              domain.ApplyDNSProviderType
+	ProviderAccessConfig  map[string]any
+	ProviderApplyConfig   map[string]any
+	KeyAlgorithm          string
+	Nameservers           []string
+	DnsPropagationTimeout int32
+	DnsTTL                int32
+	DisableFollowCNAME    bool
+	ReplacedARIAcctId     string
+	ReplacedARICertId     string
 }

-func apply(option *ApplyOption, provider challenge.Provider) (*Certificate, error) {
-	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
+	if node.Type != domain.WorkflowNodeTypeApply {
+		return nil, fmt.Errorf("node type is not apply")
+	}
+
+	nodeConfig := node.GetConfigForApply()
+	options := &applicantOptions{
+		Domains:               sliceutil.Filter(strings.Split(nodeConfig.Domains, ";"), func(s string) bool { return s != "" }),
+		ContactEmail:          nodeConfig.ContactEmail,
+		Provider:              domain.ApplyDNSProviderType(nodeConfig.Provider),
+		ProviderApplyConfig:   nodeConfig.ProviderConfig,
+		KeyAlgorithm:          nodeConfig.KeyAlgorithm,
+		Nameservers:           sliceutil.Filter(strings.Split(nodeConfig.Nameservers, ";"), func(s string) bool { return s != "" }),
+		DnsPropagationTimeout: nodeConfig.DnsPropagationTimeout,
+		DnsTTL:                nodeConfig.DnsTTL,
+		DisableFollowCNAME:    nodeConfig.DisableFollowCNAME,
+	}
+
+	accessRepo := repository.NewAccessRepository()
+	if access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId); err != nil {
+		return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+	} else {
+		accessConfig, err := access.UnmarshalConfigToMap()
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
+		}
+
+		options.ProviderAccessConfig = accessConfig
+	}
+
+	certRepo := repository.NewCertificateRepository()
+	lastCertificate, _ := certRepo.GetByWorkflowNodeId(context.Background(), node.Id)
+	if lastCertificate != nil {
+		newCertSan := slices.Clone(options.Domains)
+		oldCertSan := strings.Split(lastCertificate.SubjectAltNames, ";")
+		slices.Sort(newCertSan)
+		slices.Sort(oldCertSan)
+
+		if slices.Equal(newCertSan, oldCertSan) {
+			lastCertX509, _ := certcrypto.ParsePEMCertificate([]byte(lastCertificate.Certificate))
+			if lastCertX509 != nil {
+				replacedARICertId, _ := certificate.MakeARICertID(lastCertX509)
+				options.ReplacedARIAcctId = lastCertificate.ACMEAccountUrl
+				options.ReplacedARICertId = replacedARICertId
+			}
+		}
+	}
+
+	applicant, err := createApplicant(options)
 	if err != nil {
 		return nil, err
 	}

-	myUser := MyUser{
-		Email: option.Email,
-		key:   privateKey,
+	return &proxyApplicant{
+		applicant: applicant,
+		options:   options,
+	}, nil
+}
+
+func apply(challengeProvider challenge.Provider, options *applicantOptions) (*ApplyCertResult, error) {
+	settingsRepo := repository.NewSettingsRepository()
+	settings, _ := settingsRepo.GetByName(context.Background(), "sslProvider")
+
+	sslProviderConfig := &acmeSSLProviderConfig{
+		Config:   acmeSSLProviderConfigContent{},
+		Provider: defaultSSLProvider,
+	}
+	if settings != nil {
+		if err := json.Unmarshal([]byte(settings.Content), sslProviderConfig); err != nil {
+			return nil, err
+		}
 	}

-	config := lego.NewConfig(&myUser)
+	if sslProviderConfig.Provider == "" {
+		sslProviderConfig.Provider = defaultSSLProvider
+	}

-	// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
-	config.CADirURL = "https://acme-v02.api.letsencrypt.org/directory"
-	config.Certificate.KeyType = certcrypto.RSA2048
+	acmeUser, err := newAcmeUser(sslProviderConfig.Provider, options.ContactEmail)
+	if err != nil {
+		return nil, err
+	}

-	// A client facilitates communication with the CA server.
+	// Some unified lego environment variables are configured here.
+	// link: https://github.com/go-acme/lego/issues/1867
+	os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", strconv.FormatBool(options.DisableFollowCNAME))
+
+	// Create an ACME client config
+	config := lego.NewConfig(acmeUser)
+	config.CADirURL = sslProviderUrls[sslProviderConfig.Provider]
+	config.Certificate.KeyType = parseKeyAlgorithm(domain.CertificateKeyAlgorithmType(options.KeyAlgorithm))
+
+	// Create an ACME client
 	client, err := lego.NewClient(config)
 	if err != nil {
 		return nil, err
 	}

+	// Set the DNS01 challenge provider
 	challengeOptions := make([]dns01.ChallengeOption, 0)
-	nameservers := ParseNameservers(option.Nameservers)
-	if len(nameservers) > 0 {
-		challengeOptions = append(challengeOptions, dns01.AddRecursiveNameservers(nameservers))
+	if len(options.Nameservers) > 0 {
+		challengeOptions = append(challengeOptions, dns01.AddRecursiveNameservers(dns01.ParseNameservers(options.Nameservers)))
+		challengeOptions = append(challengeOptions, dns01.DisableAuthoritativeNssPropagationRequirement())
+	}
+	client.Challenge.SetDNS01Provider(challengeProvider, challengeOptions...)
+
+	// New users need to register first
+	if !acmeUser.hasRegistration() {
+		reg, err := registerAcmeUserWithSingleFlight(client, sslProviderConfig, acmeUser)
+		if err != nil {
+			return nil, fmt.Errorf("failed to register: %w", err)
+		}
+		acmeUser.Registration = reg
 	}

-	client.Challenge.SetDNS01Provider(provider, challengeOptions...)
-
-	// New users will need to register
-	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
-	if err != nil {
-		return nil, err
-	}
-	myUser.Registration = reg
-
-	domains := []string{option.Domain}
-
-	// 如果是通配置符域名，把根域名也加入
-	if strings.HasPrefix(option.Domain, "*.") && len(strings.Split(option.Domain, ".")) == 3 {
-		rootDomain := strings.TrimPrefix(option.Domain, "*.")
-		domains = append(domains, rootDomain)
-	}
-
-	request := certificate.ObtainRequest{
-		Domains: domains,
+	// Obtain a certificate
+	certRequest := certificate.ObtainRequest{
+		Domains: options.Domains,
 		Bundle:  true,
 	}
-	certificates, err := client.Certificate.Obtain(request)
+	if options.ReplacedARICertId != "" && options.ReplacedARIAcctId != acmeUser.Registration.URI {
+		certRequest.ReplacesCertID = options.ReplacedARICertId
+	}
+	certResource, err := client.Certificate.Obtain(certRequest)
 	if err != nil {
 		return nil, err
 	}

-	return &Certificate{
-		CertUrl:           certificates.CertURL,
-		CertStableUrl:     certificates.CertStableURL,
-		PrivateKey:        string(certificates.PrivateKey),
-		Certificate:       string(certificates.Certificate),
-		IssuerCertificate: string(certificates.IssuerCertificate),
-		Csr:               string(certificates.CSR),
+	return &ApplyCertResult{
+		CertificateFullChain: strings.TrimSpace(string(certResource.Certificate)),
+		IssuerCertificate:    strings.TrimSpace(string(certResource.IssuerCertificate)),
+		PrivateKey:           strings.TrimSpace(string(certResource.PrivateKey)),
+		ACMEAccountUrl:       acmeUser.Registration.URI,
+		ACMECertUrl:          certResource.CertURL,
+		ACMECertStableUrl:    certResource.CertStableURL,
+		CSR:                  strings.TrimSpace(string(certResource.CSR)),
 	}, nil
 }

-func ParseNameservers(ns string) []string {
-	nameservers := make([]string, 0)
-
-	lines := strings.Split(ns, ";")
-
-	for _, line := range lines {
-
-		line = strings.TrimSpace(line)
-
-		if line == "" {
-			continue
-		}
-
-		nameservers = append(nameservers, line)
+func parseKeyAlgorithm(algo domain.CertificateKeyAlgorithmType) certcrypto.KeyType {
+	switch algo {
+	case domain.CertificateKeyAlgorithmTypeRSA2048:
+		return certcrypto.RSA2048
+	case domain.CertificateKeyAlgorithmTypeRSA3072:
+		return certcrypto.RSA3072
+	case domain.CertificateKeyAlgorithmTypeRSA4096:
+		return certcrypto.RSA4096
+	case domain.CertificateKeyAlgorithmTypeRSA8192:
+		return certcrypto.RSA8192
+	case domain.CertificateKeyAlgorithmTypeEC256:
+		return certcrypto.EC256
+	case domain.CertificateKeyAlgorithmTypeEC384:
+		return certcrypto.EC384
 	}

-	return nameservers
+	return certcrypto.RSA2048
+}
+
+// TODO: 暂时使用代理模式以兼容之前版本代码，后续重新实现此处逻辑
+type proxyApplicant struct {
+	applicant challenge.Provider
+	options   *applicantOptions
+}
+
+var limiters sync.Map
+
+const (
+	limitBurst         = 300
+	limitRate  float64 = float64(1) / float64(36)
+)
+
+func getLimiter(key string) *rate.Limiter {
+	limiter, _ := limiters.LoadOrStore(key, rate.NewLimiter(rate.Limit(limitRate), 300))
+	return limiter.(*rate.Limiter)
+}
+
+func (d *proxyApplicant) Apply() (*ApplyCertResult, error) {
+	limiter := getLimiter(fmt.Sprintf("apply_%s", d.options.ContactEmail))
+	limiter.Wait(context.Background())
+	return apply(d.applicant, d.options)
 }
--- a/internal/applicant/applicant_test.go
+++ b/internal/applicant/applicant_test.go
@@ -0,0 +1,44 @@
+package applicant_test
+
+import (
+	"testing"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+func TestRateLimit(t *testing.T) {
+	tests := []struct {
+		name  string
+		burst int
+		rate  rate.Limit
+	}{
+		{
+			name:  "test1",
+			burst: 300,
+			rate:  rate.Limit(float64(1) / float64(20)),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			rl := rate.NewLimiter(tt.rate, tt.burst)
+			if rl.Burst() != tt.burst {
+				t.Errorf("Burst() = %v, want %v", rl.Burst(), tt.burst)
+			}
+			if rl.Limit() != tt.rate {
+				t.Errorf("Limit() = %v, want %v", rl.Limit(), tt.rate)
+			}
+
+			t.Log("consume all tokens at once", rl.AllowN(time.Now(), tt.burst))
+
+			t.Log("consume more", rl.Allow())
+
+			time.Sleep(time.Second * 5)
+			t.Log("consume after 5 seconds", rl.Allow())
+
+			time.Sleep(time.Second * 20)
+			t.Log("consume after 20 seconds", rl.Allow())
+		})
+	}
+}
--- a/internal/applicant/cloudflare.go
+++ b/internal/applicant/cloudflare.go
@@ -1,33 +0,0 @@
-package applicant
-
-import (
-	"certimate/internal/domain"
-	"encoding/json"
-	"os"
-
-	cf "github.com/go-acme/lego/v4/providers/dns/cloudflare"
-)
-
-type cloudflare struct {
-	option *ApplyOption
-}
-
-func NewCloudflare(option *ApplyOption) Applicant {
-	return &cloudflare{
-		option: option,
-	}
-}
-
-func (c *cloudflare) Apply() (*Certificate, error) {
-	access := &domain.CloudflareAccess{}
-	json.Unmarshal([]byte(c.option.Access), access)
-
-	os.Setenv("CLOUDFLARE_DNS_API_TOKEN", access.DnsApiToken)
-
-	provider, err := cf.NewDNSProvider()
-	if err != nil {
-		return nil, err
-	}
-
-	return apply(c.option, provider)
-}
--- a/internal/applicant/godaddy.go
+++ b/internal/applicant/godaddy.go
@@ -1,35 +0,0 @@
-package applicant
-
-import (
-	"certimate/internal/domain"
-	"encoding/json"
-	"os"
-
-	godaddyProvider "github.com/go-acme/lego/v4/providers/dns/godaddy"
-)
-
-type godaddy struct {
-	option *ApplyOption
-}
-
-func NewGodaddy(option *ApplyOption) Applicant {
-	return &godaddy{
-		option: option,
-	}
-}
-
-func (a *godaddy) Apply() (*Certificate, error) {
-
-	access := &domain.GodaddyAccess{}
-	json.Unmarshal([]byte(a.option.Access), access)
-
-	os.Setenv("GODADDY_API_KEY", access.ApiKey)
-	os.Setenv("GODADDY_API_SECRET", access.ApiSecret)
-
-	dnsProvider, err := godaddyProvider.NewDNSProvider()
-	if err != nil {
-		return nil, err
-	}
-
-	return apply(a.option, dnsProvider)
-}
--- a/internal/applicant/namesilo.go
+++ b/internal/applicant/namesilo.go
@@ -1,34 +0,0 @@
-package applicant
-
-import (
-	"certimate/internal/domain"
-	"encoding/json"
-	"os"
-
-	namesiloProvider "github.com/go-acme/lego/v4/providers/dns/namesilo"
-)
-
-type namesilo struct {
-	option *ApplyOption
-}
-
-func NewNamesilo(option *ApplyOption) Applicant {
-	return &namesilo{
-		option: option,
-	}
-}
-
-func (a *namesilo) Apply() (*Certificate, error) {
-
-	access := &domain.NameSiloAccess{}
-	json.Unmarshal([]byte(a.option.Access), access)
-
-	os.Setenv("NAMESILO_API_KEY", access.ApiKey)
-
-	dnsProvider, err := namesiloProvider.NewDNSProvider()
-	if err != nil {
-		return nil, err
-	}
-
-	return apply(a.option, dnsProvider)
-}
--- a/internal/applicant/providers.go
+++ b/internal/applicant/providers.go
@@ -0,0 +1,429 @@
+package applicant
+
+import (
+	"fmt"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	"github.com/usual2970/certimate/internal/domain"
+	pACMEHttpReq "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/acmehttpreq"
+	pAliyun "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/aliyun"
+	pAWSRoute53 "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/aws-route53"
+	pAzureDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/azure-dns"
+	pBaiduCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud"
+	pCloudflare "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare"
+	pClouDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudns"
+	pCMCCCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud"
+	pDNSLA "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla"
+	pDynv6 "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6"
+	pGcore "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/gcore"
+	pGname "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname"
+	pGoDaddy "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/godaddy"
+	pHuaweiCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/huaweicloud"
+	pJDCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud"
+	pNamecheap "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namecheap"
+	pNameDotCom "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namedotcom"
+	pNameSilo "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namesilo"
+	pNS1 "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/ns1"
+	pPowerDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns"
+	pRainYun "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/rainyun"
+	pTencentCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud"
+	pVolcEngine "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine"
+	pWestcn "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/westcn"
+	"github.com/usual2970/certimate/internal/pkg/utils/maputil"
+)
+
+func createApplicant(options *applicantOptions) (challenge.Provider, error) {
+	/*
+	  注意：如果追加新的常量值，请保持以 ASCII 排序。
+	  NOTICE: If you add new constant, please keep ASCII order.
+	*/
+	switch options.Provider {
+	case domain.ApplyDNSProviderTypeACMEHttpReq:
+		{
+			access := domain.AccessConfigForACMEHttpReq{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pACMEHttpReq.NewChallengeProvider(&pACMEHttpReq.ChallengeProviderConfig{
+				Endpoint:              access.Endpoint,
+				Mode:                  access.Mode,
+				Username:              access.Username,
+				Password:              access.Password,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeAliyun, domain.ApplyDNSProviderTypeAliyunDNS:
+		{
+			access := domain.AccessConfigForAliyun{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pAliyun.NewChallengeProvider(&pAliyun.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				AccessKeySecret:       access.AccessKeySecret,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeAWS, domain.ApplyDNSProviderTypeAWSRoute53:
+		{
+			access := domain.AccessConfigForAWS{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pAWSRoute53.NewChallengeProvider(&pAWSRoute53.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				SecretAccessKey:       access.SecretAccessKey,
+				Region:                maputil.GetString(options.ProviderApplyConfig, "region"),
+				HostedZoneId:          maputil.GetString(options.ProviderApplyConfig, "hostedZoneId"),
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeAzure, domain.ApplyDNSProviderTypeAzureDNS:
+		{
+			access := domain.AccessConfigForAzure{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pAzureDNS.NewChallengeProvider(&pAzureDNS.ChallengeProviderConfig{
+				TenantId:              access.TenantId,
+				ClientId:              access.ClientId,
+				ClientSecret:          access.ClientSecret,
+				CloudName:             access.CloudName,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeBaiduCloud, domain.ApplyDNSProviderTypeBaiduCloudDNS:
+		{
+			access := domain.AccessConfigForBaiduCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pBaiduCloud.NewChallengeProvider(&pBaiduCloud.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				SecretAccessKey:       access.SecretAccessKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeCloudflare:
+		{
+			access := domain.AccessConfigForCloudflare{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pCloudflare.NewChallengeProvider(&pCloudflare.ChallengeProviderConfig{
+				DnsApiToken:           access.DnsApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeClouDNS:
+		{
+			access := domain.AccessConfigForClouDNS{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pClouDNS.NewChallengeProvider(&pClouDNS.ChallengeProviderConfig{
+				AuthId:                access.AuthId,
+				AuthPassword:          access.AuthPassword,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeCMCCCloud:
+		{
+			access := domain.AccessConfigForCMCCCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pCMCCCloud.NewChallengeProvider(&pCMCCCloud.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				AccessKeySecret:       access.AccessKeySecret,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeDNSLA:
+		{
+			access := domain.AccessConfigForDNSLA{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDNSLA.NewChallengeProvider(&pDNSLA.ChallengeProviderConfig{
+				ApiId:                 access.ApiId,
+				ApiSecret:             access.ApiSecret,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeDynv6:
+		{
+			access := domain.AccessConfigForDynv6{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDynv6.NewChallengeProvider(&pDynv6.ChallengeProviderConfig{
+				HttpToken:             access.HttpToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeGcore:
+		{
+			access := domain.AccessConfigForGcore{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pGcore.NewChallengeProvider(&pGcore.ChallengeProviderConfig{
+				ApiToken:              access.ApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeGname:
+		{
+			access := domain.AccessConfigForGname{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pGname.NewChallengeProvider(&pGname.ChallengeProviderConfig{
+				AppId:                 access.AppId,
+				AppKey:                access.AppKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeGoDaddy:
+		{
+			access := domain.AccessConfigForGoDaddy{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pGoDaddy.NewChallengeProvider(&pGoDaddy.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				ApiSecret:             access.ApiSecret,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeHuaweiCloud, domain.ApplyDNSProviderTypeHuaweiCloudDNS:
+		{
+			access := domain.AccessConfigForHuaweiCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pHuaweiCloud.NewChallengeProvider(&pHuaweiCloud.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				SecretAccessKey:       access.SecretAccessKey,
+				Region:                maputil.GetString(options.ProviderApplyConfig, "region"),
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeJDCloud, domain.ApplyDNSProviderTypeJDCloudDNS:
+		{
+			access := domain.AccessConfigForJDCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pJDCloud.NewChallengeProvider(&pJDCloud.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				AccessKeySecret:       access.AccessKeySecret,
+				RegionId:              maputil.GetString(options.ProviderApplyConfig, "region_id"),
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeNamecheap:
+		{
+			access := domain.AccessConfigForNamecheap{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNamecheap.NewChallengeProvider(&pNamecheap.ChallengeProviderConfig{
+				Username:              access.Username,
+				ApiKey:                access.ApiKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeNameDotCom:
+		{
+			access := domain.AccessConfigForNameDotCom{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNameDotCom.NewChallengeProvider(&pNameDotCom.ChallengeProviderConfig{
+				Username:              access.Username,
+				ApiToken:              access.ApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeNameSilo:
+		{
+			access := domain.AccessConfigForNameSilo{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNameSilo.NewChallengeProvider(&pNameSilo.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeNS1:
+		{
+			access := domain.AccessConfigForNS1{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNS1.NewChallengeProvider(&pNS1.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypePowerDNS:
+		{
+			access := domain.AccessConfigForPowerDNS{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pPowerDNS.NewChallengeProvider(&pPowerDNS.ChallengeProviderConfig{
+				ApiUrl:                access.ApiUrl,
+				ApiKey:                access.ApiKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeRainYun:
+		{
+			access := domain.AccessConfigForRainYun{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pRainYun.NewChallengeProvider(&pRainYun.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeTencentCloud, domain.ApplyDNSProviderTypeTencentCloudDNS:
+		{
+			access := domain.AccessConfigForTencentCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pTencentCloud.NewChallengeProvider(&pTencentCloud.ChallengeProviderConfig{
+				SecretId:              access.SecretId,
+				SecretKey:             access.SecretKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeVolcEngine, domain.ApplyDNSProviderTypeVolcEngineDNS:
+		{
+			access := domain.AccessConfigForVolcEngine{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pVolcEngine.NewChallengeProvider(&pVolcEngine.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				SecretAccessKey:       access.SecretAccessKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ApplyDNSProviderTypeWestcn:
+		{
+			access := domain.AccessConfigForWestcn{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pWestcn.NewChallengeProvider(&pWestcn.ChallengeProviderConfig{
+				Username:              access.Username,
+				ApiPassword:           access.ApiPassword,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+	}
+
+	return nil, fmt.Errorf("unsupported applicant provider: %s", string(options.Provider))
+}
--- a/internal/applicant/tencent.go
+++ b/internal/applicant/tencent.go
@@ -1,34 +0,0 @@
-package applicant
-
-import (
-	"certimate/internal/domain"
-	"encoding/json"
-	"os"
-
-	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
-)
-
-type tencent struct {
-	option *ApplyOption
-}
-
-func NewTencent(option *ApplyOption) Applicant {
-	return &tencent{
-		option: option,
-	}
-}
-
-func (t *tencent) Apply() (*Certificate, error) {
-
-	access := &domain.TencentAccess{}
-	json.Unmarshal([]byte(t.option.Access), access)
-
-	os.Setenv("TENCENTCLOUD_SECRET_ID", access.SecretId)
-	os.Setenv("TENCENTCLOUD_SECRET_KEY", access.SecretKey)
-	dnsProvider, err := tencentcloud.NewDNSProvider()
-	if err != nil {
-		return nil, err
-	}
-
-	return apply(t.option, dnsProvider)
-}
--- a/internal/certificate/service.go
+++ b/internal/certificate/service.go
@@ -0,0 +1,292 @@
+package certificate
+
+import (
+	"archive/zip"
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/certcrypto"
+	"github.com/pocketbase/dbx"
+
+	"github.com/usual2970/certimate/internal/app"
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/domain/dtos"
+	"github.com/usual2970/certimate/internal/notify"
+	"github.com/usual2970/certimate/internal/pkg/utils/certutil"
+	"github.com/usual2970/certimate/internal/repository"
+)
+
+const (
+	defaultExpireSubject = "有 ${COUNT} 张证书即将过期"
+	defaultExpireMessage = "有 ${COUNT} 张证书即将过期，域名分别为 ${DOMAINS}，请保持关注！"
+)
+
+type certificateRepository interface {
+	ListExpireSoon(ctx context.Context) ([]*domain.Certificate, error)
+	GetById(ctx context.Context, id string) (*domain.Certificate, error)
+	DeleteWhere(ctx context.Context, exprs ...dbx.Expression) (int, error)
+}
+
+type settingsRepository interface {
+	GetByName(ctx context.Context, name string) (*domain.Settings, error)
+}
+
+type CertificateService struct {
+	certificateRepo certificateRepository
+	settingsRepo    settingsRepository
+}
+
+func NewCertificateService(certificateRepo certificateRepository, settingsRepo settingsRepository) *CertificateService {
+	return &CertificateService{
+		certificateRepo: certificateRepo,
+		settingsRepo:    settingsRepo,
+	}
+}
+
+func (s *CertificateService) InitSchedule(ctx context.Context) error {
+	// 每日发送过期证书提醒
+	app.GetScheduler().MustAdd("certificateExpireSoonNotify", "0 0 * * *", func() {
+		certificates, err := s.certificateRepo.ListExpireSoon(context.Background())
+		if err != nil {
+			app.GetLogger().Error("failed to get certificates which expire soon", "err", err)
+			return
+		}
+
+		notification := buildExpireSoonNotification(certificates)
+		if notification == nil {
+			return
+		}
+
+		if err := notify.SendToAllChannels(notification.Subject, notification.Message); err != nil {
+			app.GetLogger().Error("failed to send notification", "err", err)
+		}
+	})
+
+	// 每日清理过期证书
+	app.GetScheduler().MustAdd("certificateExpiredCleanup", "0 0 * * *", func() {
+		settings, err := s.settingsRepo.GetByName(ctx, "persistence")
+		if err != nil {
+			app.GetLogger().Error("failed to get persistence settings", "err", err)
+			return
+		}
+
+		var settingsContent *domain.PersistenceSettingsContent
+		json.Unmarshal([]byte(settings.Content), &settingsContent)
+		if settingsContent != nil && settingsContent.ExpiredCertificatesMaxDaysRetention != 0 {
+			ret, err := s.certificateRepo.DeleteWhere(
+				context.Background(),
+				dbx.NewExp(fmt.Sprintf("expireAt<DATETIME('now', '-%d days')", settingsContent.ExpiredCertificatesMaxDaysRetention)),
+			)
+			if err != nil {
+				app.GetLogger().Error("failed to delete expired certificates", "err", err)
+			}
+
+			if ret > 0 {
+				app.GetLogger().Info(fmt.Sprintf("cleanup %d expired certificates", ret))
+			}
+		}
+	})
+
+	return nil
+}
+
+func (s *CertificateService) ArchiveFile(ctx context.Context, req *dtos.CertificateArchiveFileReq) (*dtos.CertificateArchiveFileResp, error) {
+	certificate, err := s.certificateRepo.GetById(ctx, req.CertificateId)
+	if err != nil {
+		return nil, err
+	}
+
+	var buf bytes.Buffer
+	zipWriter := zip.NewWriter(&buf)
+	defer zipWriter.Close()
+
+	resp := &dtos.CertificateArchiveFileResp{
+		FileFormat: "zip",
+	}
+
+	switch strings.ToUpper(req.Format) {
+	case "", "PEM":
+		{
+			certWriter, err := zipWriter.Create("certbundle.pem")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = certWriter.Write([]byte(certificate.Certificate))
+			if err != nil {
+				return nil, err
+			}
+
+			keyWriter, err := zipWriter.Create("privkey.pem")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = keyWriter.Write([]byte(certificate.PrivateKey))
+			if err != nil {
+				return nil, err
+			}
+
+			err = zipWriter.Close()
+			if err != nil {
+				return nil, err
+			}
+
+			resp.FileBytes = buf.Bytes()
+			return resp, nil
+		}
+
+	case "PFX":
+		{
+			const pfxPassword = "certimate"
+
+			certPFX, err := certutil.TransformCertificateFromPEMToPFX(certificate.Certificate, certificate.PrivateKey, pfxPassword)
+			if err != nil {
+				return nil, err
+			}
+
+			certWriter, err := zipWriter.Create("cert.pfx")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = certWriter.Write(certPFX)
+			if err != nil {
+				return nil, err
+			}
+
+			keyWriter, err := zipWriter.Create("pfx-password.txt")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = keyWriter.Write([]byte(pfxPassword))
+			if err != nil {
+				return nil, err
+			}
+
+			err = zipWriter.Close()
+			if err != nil {
+				return nil, err
+			}
+
+			resp.FileBytes = buf.Bytes()
+			return resp, nil
+		}
+
+	case "JKS":
+		{
+			const jksPassword = "certimate"
+
+			certJKS, err := certutil.TransformCertificateFromPEMToJKS(certificate.Certificate, certificate.PrivateKey, jksPassword, jksPassword, jksPassword)
+			if err != nil {
+				return nil, err
+			}
+
+			certWriter, err := zipWriter.Create("cert.jks")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = certWriter.Write(certJKS)
+			if err != nil {
+				return nil, err
+			}
+
+			keyWriter, err := zipWriter.Create("jks-password.txt")
+			if err != nil {
+				return nil, err
+			}
+
+			_, err = keyWriter.Write([]byte(jksPassword))
+			if err != nil {
+				return nil, err
+			}
+
+			err = zipWriter.Close()
+			if err != nil {
+				return nil, err
+			}
+
+			resp.FileBytes = buf.Bytes()
+			return resp, nil
+		}
+
+	default:
+		return nil, domain.ErrInvalidParams
+	}
+}
+
+func (s *CertificateService) ValidateCertificate(ctx context.Context, req *dtos.CertificateValidateCertificateReq) (*dtos.CertificateValidateCertificateResp, error) {
+	certX509, err := certutil.ParseCertificateFromPEM(req.Certificate)
+	if err != nil {
+		return nil, err
+	} else if time.Now().After(certX509.NotAfter) {
+		return nil, fmt.Errorf("certificate has expired at %s", certX509.NotAfter.UTC().Format(time.RFC3339))
+	}
+
+	return &dtos.CertificateValidateCertificateResp{
+		IsValid: true,
+		Domains: strings.Join(certX509.DNSNames, ";"),
+	}, nil
+}
+
+func (s *CertificateService) ValidatePrivateKey(ctx context.Context, req *dtos.CertificateValidatePrivateKeyReq) (*dtos.CertificateValidatePrivateKeyResp, error) {
+	_, err := certcrypto.ParsePEMPrivateKey([]byte(req.PrivateKey))
+	if err != nil {
+		return nil, err
+	}
+
+	return &dtos.CertificateValidatePrivateKeyResp{
+		IsValid: true,
+	}, nil
+}
+
+func buildExpireSoonNotification(certificates []*domain.Certificate) *struct {
+	Subject string
+	Message string
+} {
+	if len(certificates) == 0 {
+		return nil
+	}
+
+	subject := defaultExpireSubject
+	message := defaultExpireMessage
+
+	// 查询模板信息
+	settingsRepo := repository.NewSettingsRepository()
+	settings, err := settingsRepo.GetByName(context.Background(), "notifyTemplates")
+	if err == nil {
+		var templates *domain.NotifyTemplatesSettingsContent
+		json.Unmarshal([]byte(settings.Content), &templates)
+
+		if templates != nil && len(templates.NotifyTemplates) > 0 {
+			subject = templates.NotifyTemplates[0].Subject
+			message = templates.NotifyTemplates[0].Message
+		}
+	}
+
+	// 替换变量
+	count := len(certificates)
+	domains := make([]string, count)
+	for i, record := range certificates {
+		domains[i] = record.SubjectAltNames
+	}
+	countStr := strconv.Itoa(count)
+	domainStr := strings.Join(domains, ";")
+	subject = strings.ReplaceAll(subject, "${COUNT}", countStr)
+	subject = strings.ReplaceAll(subject, "${DOMAINS}", domainStr)
+	message = strings.ReplaceAll(message, "${COUNT}", countStr)
+	message = strings.ReplaceAll(message, "${DOMAINS}", domainStr)
+
+	// 返回消息
+	return &struct {
+		Subject string
+		Message string
+	}{Subject: subject, Message: message}
+}
--- a/internal/deployer/aliyun.go
+++ b/internal/deployer/aliyun.go
@@ -1,206 +0,0 @@
-package deployer
-
-import (
-	"certimate/internal/applicant"
-	"certimate/internal/domain"
-	"certimate/internal/utils/rand"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	cas20200407 "github.com/alibabacloud-go/cas-20200407/v2/client"
-	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	util "github.com/alibabacloud-go/tea-utils/v2/service"
-	"github.com/alibabacloud-go/tea/tea"
-)
-
-type aliyun struct {
-	client *cas20200407.Client
-	option *DeployerOption
-	infos  []string
-}
-
-func NewAliyun(option *DeployerOption) (Deployer, error) {
-	access := &domain.AliyunAccess{}
-	json.Unmarshal([]byte(option.Access), access)
-	a := &aliyun{
-		option: option,
-		infos:  make([]string, 0),
-	}
-	client, err := a.createClient(access.AccessKeyId, access.AccessKeySecret)
-	if err != nil {
-		return nil, err
-	}
-	a.client = client
-	return a, nil
-
-}
-
-func (a *aliyun) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (a *aliyun) GetInfo() []string {
-	return a.infos
-}
-
-func (a *aliyun) Deploy(ctx context.Context) error {
-
-	// 查询有没有对应的资源
-	resource, err := a.resource()
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("查询对应的资源", resource))
-
-	// 查询有没有对应的联系人
-	contacts, err := a.contacts()
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("查询联系人", contacts))
-
-	// 上传证书
-	certId, err := a.uploadCert(&a.option.Certificate)
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("上传证书", certId))
-
-	// 部署证书
-	jobId, err := a.deploy(resource, certId, contacts)
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("创建部署证书任务", jobId))
-
-	// 等待部署成功
-	err = a.updateDeployStatus(*jobId)
-	if err != nil {
-		return err
-	}
-
-	// 部署成功后删除旧的证书
-	a.deleteCert(resource)
-
-	return nil
-}
-
-func (a *aliyun) updateDeployStatus(jobId int64) error {
-	// 查询部署状态
-	req := &cas20200407.UpdateDeploymentJobStatusRequest{
-		JobId: tea.Int64(jobId),
-	}
-
-	resp, err := a.client.UpdateDeploymentJobStatus(req)
-	if err != nil {
-		return err
-	}
-	a.infos = append(a.infos, toStr("查询对应的资源", resp))
-	return nil
-}
-
-func (a *aliyun) deleteCert(resource *cas20200407.ListCloudResourcesResponseBodyData) error {
-	// 查询有没有对应的资源
-	if resource.CertId == nil {
-		return nil
-	}
-
-	// 删除证书
-	_, err := a.client.DeleteUserCertificate(&cas20200407.DeleteUserCertificateRequest{
-		CertId: resource.CertId,
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (a *aliyun) contacts() ([]*cas20200407.ListContactResponseBodyContactList, error) {
-	listContactRequest := &cas20200407.ListContactRequest{}
-	runtime := &util.RuntimeOptions{}
-
-	resp, err := a.client.ListContactWithOptions(listContactRequest, runtime)
-	if err != nil {
-		return nil, err
-	}
-	if resp.Body.TotalCount == nil {
-		return nil, errors.New("no contact found")
-	}
-
-	return resp.Body.ContactList, nil
-}
-
-func (a *aliyun) deploy(resource *cas20200407.ListCloudResourcesResponseBodyData, certId int64, contacts []*cas20200407.ListContactResponseBodyContactList) (*int64, error) {
-	contactIds := make([]string, 0, len(contacts))
-	for _, contact := range contacts {
-		contactIds = append(contactIds, fmt.Sprintf("%d", *contact.ContactId))
-	}
-	// 部署证书
-	createCloudResourceRequest := &cas20200407.CreateDeploymentJobRequest{
-		CertIds:     tea.String(fmt.Sprintf("%d", certId)),
-		Name:        tea.String(a.option.Domain + rand.RandStr(6)),
-		JobType:     tea.String("user"),
-		ResourceIds: tea.String(fmt.Sprintf("%d", *resource.Id)),
-		ContactIds:  tea.String(strings.Join(contactIds, ",")),
-	}
-	runtime := &util.RuntimeOptions{}
-
-	resp, err := a.client.CreateDeploymentJobWithOptions(createCloudResourceRequest, runtime)
-	if err != nil {
-		return nil, err
-	}
-	return resp.Body.JobId, nil
-}
-
-func (a *aliyun) uploadCert(cert *applicant.Certificate) (int64, error) {
-	uploadUserCertificateRequest := &cas20200407.UploadUserCertificateRequest{
-		Cert: &cert.Certificate,
-		Key:  &cert.PrivateKey,
-		Name: tea.String(a.option.Domain + rand.RandStr(6)),
-	}
-	runtime := &util.RuntimeOptions{}
-
-	resp, err := a.client.UploadUserCertificateWithOptions(uploadUserCertificateRequest, runtime)
-	if err != nil {
-		return 0, err
-	}
-
-	return *resp.Body.CertId, nil
-}
-
-func (a *aliyun) createClient(accessKeyId, accessKeySecret string) (_result *cas20200407.Client, _err error) {
-	config := &openapi.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-	}
-	config.Endpoint = tea.String("cas.aliyuncs.com")
-	_result = &cas20200407.Client{}
-	_result, _err = cas20200407.NewClient(config)
-	return _result, _err
-}
-
-func (a *aliyun) resource() (*cas20200407.ListCloudResourcesResponseBodyData, error) {
-
-	listCloudResourcesRequest := &cas20200407.ListCloudResourcesRequest{
-		CloudProduct: tea.String(a.option.Product),
-		Keyword:      tea.String(a.option.Domain),
-	}
-
-	resp, err := a.client.ListCloudResources(listCloudResourcesRequest)
-	if err != nil {
-		return nil, err
-	}
-
-	if *resp.Body.Total == 0 {
-		return nil, errors.New("no resource found")
-	}
-
-	return resp.Body.Data[0], nil
-}
--- a/internal/deployer/aliyun_cdn.go
+++ b/internal/deployer/aliyun_cdn.go
@@ -1,81 +0,0 @@
-package deployer
-
-import (
-	"certimate/internal/domain"
-	"context"
-	"encoding/json"
-	"fmt"
-
-	cdn20180510 "github.com/alibabacloud-go/cdn-20180510/v5/client"
-	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	util "github.com/alibabacloud-go/tea-utils/v2/service"
-	"github.com/alibabacloud-go/tea/tea"
-)
-
-type AliyunCdn struct {
-	client *cdn20180510.Client
-	option *DeployerOption
-	infos  []string
-}
-
-func NewAliyunCdn(option *DeployerOption) (*AliyunCdn, error) {
-	access := &domain.AliyunAccess{}
-	json.Unmarshal([]byte(option.Access), access)
-	a := &AliyunCdn{
-		option: option,
-	}
-	client, err := a.createClient(access.AccessKeyId, access.AccessKeySecret)
-	if err != nil {
-		return nil, err
-	}
-
-	return &AliyunCdn{
-		client: client,
-		option: option,
-		infos:  make([]string, 0),
-	}, nil
-}
-
-func (a *AliyunCdn) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (a *AliyunCdn) GetInfo() []string {
-	return a.infos
-}
-
-func (a *AliyunCdn) Deploy(ctx context.Context) error {
-
-	certName := fmt.Sprintf("%s-%s", a.option.Domain, a.option.DomainId)
-	setCdnDomainSSLCertificateRequest := &cdn20180510.SetCdnDomainSSLCertificateRequest{
-		DomainName:  tea.String(a.option.Domain),
-		CertName:    tea.String(certName),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(a.option.Certificate.Certificate),
-		SSLPri:      tea.String(a.option.Certificate.PrivateKey),
-		CertRegion:  tea.String("cn-hangzhou"),
-	}
-
-	runtime := &util.RuntimeOptions{}
-
-	resp, err := a.client.SetCdnDomainSSLCertificateWithOptions(setCdnDomainSSLCertificateRequest, runtime)
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("cdn设置证书", resp))
-
-	return nil
-}
-
-func (a *AliyunCdn) createClient(accessKeyId, accessKeySecret string) (_result *cdn20180510.Client, _err error) {
-	config := &openapi.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-	}
-	config.Endpoint = tea.String("cdn.aliyuncs.com")
-	_result = &cdn20180510.Client{}
-	_result, _err = cdn20180510.NewClient(config)
-	return _result, _err
-}
--- a/internal/deployer/aliyun_esa.go
+++ b/internal/deployer/aliyun_esa.go
@@ -1,86 +0,0 @@
-/*
- * @Author: Bin
- * @Date: 2024-09-17
- * @FilePath: /certimate/internal/deployer/aliyun_esa.go
- */
-package deployer
-
-import (
-	"certimate/internal/domain"
-	"context"
-	"encoding/json"
-	"fmt"
-
-	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	dcdn20180115 "github.com/alibabacloud-go/dcdn-20180115/v3/client"
-	util "github.com/alibabacloud-go/tea-utils/v2/service"
-	"github.com/alibabacloud-go/tea/tea"
-)
-
-type AliyunEsa struct {
-	client *dcdn20180115.Client
-	option *DeployerOption
-	infos  []string
-}
-
-func NewAliyunEsa(option *DeployerOption) (*AliyunEsa, error) {
-	access := &domain.AliyunAccess{}
-	json.Unmarshal([]byte(option.Access), access)
-	a := &AliyunEsa{
-		option: option,
-	}
-	client, err := a.createClient(access.AccessKeyId, access.AccessKeySecret)
-	if err != nil {
-		return nil, err
-	}
-
-	return &AliyunEsa{
-		client: client,
-		option: option,
-		infos:  make([]string, 0),
-	}, nil
-}
-
-func (a *AliyunEsa) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (a *AliyunEsa) GetInfo() []string {
-	return a.infos
-}
-
-func (a *AliyunEsa) Deploy(ctx context.Context) error {
-
-	certName := fmt.Sprintf("%s-%s", a.option.Domain, a.option.DomainId)
-	setDcdnDomainSSLCertificateRequest := &dcdn20180115.SetDcdnDomainSSLCertificateRequest{
-		DomainName:  tea.String(a.option.Domain),
-		CertName:    tea.String(certName),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(a.option.Certificate.Certificate),
-		SSLPri:      tea.String(a.option.Certificate.PrivateKey),
-		CertRegion:  tea.String("cn-hangzhou"),
-	}
-
-	runtime := &util.RuntimeOptions{}
-
-	resp, err := a.client.SetDcdnDomainSSLCertificateWithOptions(setDcdnDomainSSLCertificateRequest, runtime)
-	if err != nil {
-		return err
-	}
-
-	a.infos = append(a.infos, toStr("dcdn设置证书", resp))
-
-	return nil
-}
-
-func (a *AliyunEsa) createClient(accessKeyId, accessKeySecret string) (_result *dcdn20180115.Client, _err error) {
-	config := &openapi.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-	}
-	config.Endpoint = tea.String("dcdn.aliyuncs.com")
-	_result = &dcdn20180115.Client{}
-	_result, _err = dcdn20180115.NewClient(config)
-	return _result, _err
-}
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -1,157 +1,81 @@
 package deployer

 import (
-	"certimate/internal/applicant"
-	"certimate/internal/utils/app"
-	"certimate/internal/utils/variables"
 	"context"
-	"encoding/json"
-	"errors"
 	"fmt"
-	"strings"
+	"log/slog"

-	"github.com/pocketbase/pocketbase/models"
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	"github.com/usual2970/certimate/internal/repository"
 )

-const (
-	targetAliyunOss  = "aliyun-oss"
-	targetAliyunCdn  = "aliyun-cdn"
-	targetAliyunEsa  = "aliyun-dcdn"
-	targetSSH        = "ssh"
-	targetWebhook    = "webhook"
-	targetTencentCdn = "tencent-cdn"
-	targetQiniuCdn   = "qiniu-cdn"
-)
-
-type DeployerOption struct {
-	DomainId     string                `json:"domainId"`
-	Domain       string                `json:"domain"`
-	Product      string                `json:"product"`
-	Access       string                `json:"access"`
-	AceessRecord *models.Record        `json:"-"`
-	Certificate  applicant.Certificate `json:"certificate"`
-	Variables    map[string]string     `json:"variables"`
-}
-
 type Deployer interface {
+	SetLogger(*slog.Logger)
+
 	Deploy(ctx context.Context) error
-	GetInfo() []string
-	GetID() string
 }

-func Gets(record *models.Record, cert *applicant.Certificate) ([]Deployer, error) {
-	rs := make([]Deployer, 0)
-
-	if record.GetString("targetAccess") != "" {
-		singleDeployer, err := Get(record, cert)
-		if err != nil {
-			return nil, err
-		}
-		rs = append(rs, singleDeployer)
-	}
-
-	if record.GetString("group") != "" {
-		group := record.ExpandedOne("group")
-
-		if errs := app.GetApp().Dao().ExpandRecord(group, []string{"access"}, nil); len(errs) > 0 {
-
-			errList := make([]error, 0)
-			for name, err := range errs {
-				errList = append(errList, fmt.Errorf("展开记录失败,%s: %w", name, err))
-			}
-			err := errors.Join(errList...)
-			return nil, err
-		}
-
-		records := group.ExpandedAll("access")
-
-		deployers, err := getByGroup(record, cert, records...)
-		if err != nil {
-			return nil, err
-		}
-
-		rs = append(rs, deployers...)
-
-	}
-
-	return rs, nil
-
+type deployerOptions struct {
+	Provider             domain.DeployProviderType
+	ProviderAccessConfig map[string]any
+	ProviderDeployConfig map[string]any
 }

-func getByGroup(record *models.Record, cert *applicant.Certificate, accesses ...*models.Record) ([]Deployer, error) {
-
-	rs := make([]Deployer, 0)
-
-	for _, access := range accesses {
-		deployer, err := getWithAccess(record, cert, access)
-		if err != nil {
-			return nil, err
-		}
-		rs = append(rs, deployer)
+func NewWithDeployNode(node *domain.WorkflowNode, certdata struct {
+	Certificate string
+	PrivateKey  string
+},
+) (Deployer, error) {
+	if node.Type != domain.WorkflowNodeTypeDeploy {
+		return nil, fmt.Errorf("node type is not deploy")
 	}

-	return rs, nil
+	nodeConfig := node.GetConfigForDeploy()

+	accessRepo := repository.NewAccessRepository()
+	access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+	}
+
+	accessConfig, err := access.UnmarshalConfigToMap()
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
+	}
+
+	deployer, err := createDeployer(&deployerOptions{
+		Provider:             domain.DeployProviderType(nodeConfig.Provider),
+		ProviderAccessConfig: accessConfig,
+		ProviderDeployConfig: nodeConfig.ProviderConfig,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return &proxyDeployer{
+		deployer:          deployer,
+		deployCertificate: certdata.Certificate,
+		deployPrivateKey:  certdata.PrivateKey,
+	}, nil
 }

-func getWithAccess(record *models.Record, cert *applicant.Certificate, access *models.Record) (Deployer, error) {
-
-	option := &DeployerOption{
-		DomainId:     record.Id,
-		Domain:       record.GetString("domain"),
-		Product:      getProduct(record),
-		Access:       access.GetString("config"),
-		AceessRecord: access,
-		Variables:    variables.Parse2Map(record.GetString("variables")),
-	}
-	if cert != nil {
-		option.Certificate = *cert
-	} else {
-		option.Certificate = applicant.Certificate{
-			Certificate: record.GetString("certificate"),
-			PrivateKey:  record.GetString("privateKey"),
-		}
-	}
-
-	switch record.GetString("targetType") {
-	case targetAliyunOss:
-		return NewAliyun(option)
-	case targetAliyunCdn:
-		return NewAliyunCdn(option)
-	case targetAliyunEsa:
-		return NewAliyunEsa(option)
-	case targetSSH:
-		return NewSSH(option)
-	case targetWebhook:
-		return NewWebhook(option)
-	case targetTencentCdn:
-		return NewTencentCdn(option)
-	case targetQiniuCdn:
-		return NewQiNiu(option)
-	}
-	return nil, errors.New("not implemented")
+// TODO: 暂时使用代理模式以兼容之前版本代码，后续重新实现此处逻辑
+type proxyDeployer struct {
+	deployer          deployer.Deployer
+	deployCertificate string
+	deployPrivateKey  string
 }

-func Get(record *models.Record, cert *applicant.Certificate) (Deployer, error) {
-
-	access := record.ExpandedOne("targetAccess")
-
-	return getWithAccess(record, cert, access)
-}
-
-func getProduct(record *models.Record) string {
-	targetType := record.GetString("targetType")
-	rs := strings.Split(targetType, "-")
-	if len(rs) < 2 {
-		return ""
+func (d *proxyDeployer) SetLogger(logger *slog.Logger) {
+	if logger == nil {
+		panic("logger is nil")
 	}
-	return rs[1]
+
+	d.deployer.WithLogger(logger)
 }

-func toStr(tag string, data any) string {
-	if data == nil {
-		return tag
-	}
-	byts, _ := json.Marshal(data)
-	return tag + "：" + string(byts)
+func (d *proxyDeployer) Deploy(ctx context.Context) error {
+	_, err := d.deployer.Deploy(ctx, d.deployCertificate, d.deployPrivateKey)
+	return err
 }
--- a/internal/deployer/providers.go
+++ b/internal/deployer/providers.go
@@ -0,0 +1,935 @@
+package deployer
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/deployer"
+	p1PanelConsole "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/1panel-console"
+	p1PanelSite "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/1panel-site"
+	pAliyunALB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-alb"
+	pAliyunCAS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-cas"
+	pAliyunCASDeploy "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-cas-deploy"
+	pAliyunCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-cdn"
+	pAliyunCLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-clb"
+	pAliyunDCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-dcdn"
+	pAliyunESA "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-esa"
+	pAliyunFC "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-fc"
+	pAliyunLive "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-live"
+	pAliyunNLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-nlb"
+	pAliyunOSS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-oss"
+	pAliyunVOD "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-vod"
+	pAliyunWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aliyun-waf"
+	pAWSACM "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aws-acm"
+	pAWSCloudFront "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/aws-cloudfront"
+	pAzureKeyVault "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/azure-keyvault"
+	pBaiduCloudCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baiducloud-cdn"
+	pBaishanCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baishan-cdn"
+	pBaotaPanelConsole "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baotapanel-console"
+	pBaotaPanelSite "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/baotapanel-site"
+	pBytePlusCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/byteplus-cdn"
+	pCacheFly "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/cachefly"
+	pCdnfly "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/cdnfly"
+	pDogeCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/dogecloud-cdn"
+	pEdgioApplications "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/edgio-applications"
+	pGcoreCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/gcore-cdn"
+	pHuaweiCloudCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/huaweicloud-cdn"
+	pHuaweiCloudELB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/huaweicloud-elb"
+	pHuaweiCloudWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/huaweicloud-waf"
+	pJDCloudALB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/jdcloud-alb"
+	pJDCloudCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/jdcloud-cdn"
+	pJDCloudLive "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/jdcloud-live"
+	pJDCloudVOD "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/jdcloud-vod"
+	pK8sSecret "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/k8s-secret"
+	pLocal "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/local"
+	pQiniuCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/qiniu-cdn"
+	pQiniuPili "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/qiniu-pili"
+	pSafeLine "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/safeline"
+	pSSH "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/ssh"
+	pTencentCloudCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-cdn"
+	pTencentCloudCLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-clb"
+	pTencentCloudCOS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-cos"
+	pTencentCloudCSS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-css"
+	pTencentCloudECDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-ecdn"
+	pTencentCloudEO "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-eo"
+	pTencentCloudSCF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-scf"
+	pTencentCloudSSL "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-ssl"
+	pTencentCloudSSLDeploy "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-ssl-deploy"
+	pTencentCloudVOD "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-vod"
+	pTencentCloudWAF "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/tencentcloud-waf"
+	pUCloudUCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/ucloud-ucdn"
+	pUCloudUS3 "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/ucloud-us3"
+	pUpyunCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/upyun-cdn"
+	pVolcEngineCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-cdn"
+	pVolcEngineCLB "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-clb"
+	pVolcEngineDCDN "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-dcdn"
+	pVolcEngineImageX "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-imagex"
+	pVolcEngineLive "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-live"
+	pVolcEngineTOS "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/volcengine-tos"
+	pWebhook "github.com/usual2970/certimate/internal/pkg/core/deployer/providers/webhook"
+	"github.com/usual2970/certimate/internal/pkg/utils/maputil"
+	"github.com/usual2970/certimate/internal/pkg/utils/sliceutil"
+)
+
+func createDeployer(options *deployerOptions) (deployer.Deployer, error) {
+	/*
+	  注意：如果追加新的常量值，请保持以 ASCII 排序。
+	  NOTICE: If you add new constant, please keep ASCII order.
+	*/
+	switch options.Provider {
+	case domain.DeployProviderType1PanelConsole, domain.DeployProviderType1PanelSite:
+		{
+			access := domain.AccessConfigFor1Panel{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderType1PanelConsole:
+				deployer, err := p1PanelConsole.NewDeployer(&p1PanelConsole.DeployerConfig{
+					ApiUrl:                   access.ApiUrl,
+					ApiKey:                   access.ApiKey,
+					AllowInsecureConnections: access.AllowInsecureConnections,
+					AutoRestart:              maputil.GetBool(options.ProviderDeployConfig, "autoRestart"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderType1PanelSite:
+				deployer, err := p1PanelSite.NewDeployer(&p1PanelSite.DeployerConfig{
+					ApiUrl:                   access.ApiUrl,
+					ApiKey:                   access.ApiKey,
+					AllowInsecureConnections: access.AllowInsecureConnections,
+					WebsiteId:                maputil.GetInt64(options.ProviderDeployConfig, "websiteId"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeAliyunALB, domain.DeployProviderTypeAliyunCAS, domain.DeployProviderTypeAliyunCASDeploy, domain.DeployProviderTypeAliyunCDN, domain.DeployProviderTypeAliyunCLB, domain.DeployProviderTypeAliyunDCDN, domain.DeployProviderTypeAliyunESA, domain.DeployProviderTypeAliyunFC, domain.DeployProviderTypeAliyunLive, domain.DeployProviderTypeAliyunNLB, domain.DeployProviderTypeAliyunOSS, domain.DeployProviderTypeAliyunVOD, domain.DeployProviderTypeAliyunWAF:
+		{
+			access := domain.AccessConfigForAliyun{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeAliyunALB:
+				deployer, err := pAliyunALB.NewDeployer(&pAliyunALB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pAliyunALB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					LoadbalancerId:  maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerId:      maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunCAS:
+				deployer, err := pAliyunCAS.NewDeployer(&pAliyunCAS.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunCASDeploy:
+				deployer, err := pAliyunCASDeploy.NewDeployer(&pAliyunCASDeploy.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceIds:     sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderDeployConfig, "resourceIds"), ";"), func(s string) bool { return s != "" }),
+					ContactIds:      sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderDeployConfig, "contactIds"), ";"), func(s string) bool { return s != "" }),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunCDN:
+				deployer, err := pAliyunCDN.NewDeployer(&pAliyunCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunCLB:
+				deployer, err := pAliyunCLB.NewDeployer(&pAliyunCLB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pAliyunCLB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					LoadbalancerId:  maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerPort:    maputil.GetOrDefaultInt32(options.ProviderDeployConfig, "listenerPort", 443),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunDCDN:
+				deployer, err := pAliyunDCDN.NewDeployer(&pAliyunDCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunESA:
+				deployer, err := pAliyunESA.NewDeployer(&pAliyunESA.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					SiteId:          maputil.GetInt64(options.ProviderDeployConfig, "siteId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunFC:
+				deployer, err := pAliyunFC.NewDeployer(&pAliyunFC.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ServiceVersion:  maputil.GetOrDefaultString(options.ProviderDeployConfig, "serviceVersion", "3.0"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunLive:
+				deployer, err := pAliyunLive.NewDeployer(&pAliyunLive.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunNLB:
+				deployer, err := pAliyunNLB.NewDeployer(&pAliyunNLB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pAliyunNLB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					LoadbalancerId:  maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerId:      maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunOSS:
+				deployer, err := pAliyunOSS.NewDeployer(&pAliyunOSS.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					Bucket:          maputil.GetString(options.ProviderDeployConfig, "bucket"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunVOD:
+				deployer, err := pAliyunVOD.NewDeployer(&pAliyunVOD.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAliyunWAF:
+				deployer, err := pAliyunWAF.NewDeployer(&pAliyunWAF.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ServiceVersion:  maputil.GetOrDefaultString(options.ProviderDeployConfig, "serviceVersion", "3.0"),
+					InstanceId:      maputil.GetString(options.ProviderDeployConfig, "instanceId"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeAWSACM, domain.DeployProviderTypeAWSCloudFront:
+		{
+			access := domain.AccessConfigForAWS{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeAWSACM:
+				deployer, err := pAWSACM.NewDeployer(&pAWSACM.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeAWSCloudFront:
+				deployer, err := pAWSCloudFront.NewDeployer(&pAWSCloudFront.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					DistributionId:  maputil.GetString(options.ProviderDeployConfig, "distributionId"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeAzureKeyVault:
+		{
+			access := domain.AccessConfigForAzure{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeAzureKeyVault:
+				deployer, err := pAzureKeyVault.NewDeployer(&pAzureKeyVault.DeployerConfig{
+					TenantId:     access.TenantId,
+					ClientId:     access.ClientId,
+					ClientSecret: access.ClientSecret,
+					CloudName:    access.CloudName,
+					KeyVaultName: maputil.GetString(options.ProviderDeployConfig, "keyvaultName"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeBaiduCloudCDN:
+		{
+			access := domain.AccessConfigForBaiduCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeBaiduCloudCDN:
+				deployer, err := pBaiduCloudCDN.NewDeployer(&pBaiduCloudCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeBaishanCDN:
+		{
+			access := domain.AccessConfigForBaishan{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeBaishanCDN:
+				deployer, err := pBaishanCDN.NewDeployer(&pBaishanCDN.DeployerConfig{
+					ApiToken: access.ApiToken,
+					Domain:   maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeBaotaPanelConsole, domain.DeployProviderTypeBaotaPanelSite:
+		{
+			access := domain.AccessConfigForBaotaPanel{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeBaotaPanelConsole:
+				deployer, err := pBaotaPanelConsole.NewDeployer(&pBaotaPanelConsole.DeployerConfig{
+					ApiUrl:                   access.ApiUrl,
+					ApiKey:                   access.ApiKey,
+					AllowInsecureConnections: access.AllowInsecureConnections,
+					AutoRestart:              maputil.GetBool(options.ProviderDeployConfig, "autoRestart"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeBaotaPanelSite:
+				deployer, err := pBaotaPanelSite.NewDeployer(&pBaotaPanelSite.DeployerConfig{
+					ApiUrl:                   access.ApiUrl,
+					ApiKey:                   access.ApiKey,
+					AllowInsecureConnections: access.AllowInsecureConnections,
+					SiteType:                 maputil.GetOrDefaultString(options.ProviderDeployConfig, "siteType", "other"),
+					SiteName:                 maputil.GetString(options.ProviderDeployConfig, "siteName"),
+					SiteNames:                sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderDeployConfig, "siteNames"), ";"), func(s string) bool { return s != "" }),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeBytePlusCDN:
+		{
+			access := domain.AccessConfigForBytePlus{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeBytePlusCDN:
+				deployer, err := pBytePlusCDN.NewDeployer(&pBytePlusCDN.DeployerConfig{
+					AccessKey: access.AccessKey,
+					SecretKey: access.SecretKey,
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeCacheFly:
+		{
+			access := domain.AccessConfigForCacheFly{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pCacheFly.NewDeployer(&pCacheFly.DeployerConfig{
+				ApiToken: access.ApiToken,
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeCdnfly:
+		{
+			access := domain.AccessConfigForCdnfly{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pCdnfly.NewDeployer(&pCdnfly.DeployerConfig{
+				ApiUrl:        access.ApiUrl,
+				ApiKey:        access.ApiKey,
+				ApiSecret:     access.ApiSecret,
+				ResourceType:  pCdnfly.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+				SiteId:        maputil.GetString(options.ProviderDeployConfig, "siteId"),
+				CertificateId: maputil.GetString(options.ProviderDeployConfig, "certificateId"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeDogeCloudCDN:
+		{
+			access := domain.AccessConfigForDogeCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pDogeCDN.NewDeployer(&pDogeCDN.DeployerConfig{
+				AccessKey: access.AccessKey,
+				SecretKey: access.SecretKey,
+				Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeEdgioApplications:
+		{
+			access := domain.AccessConfigForEdgio{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pEdgioApplications.NewDeployer(&pEdgioApplications.DeployerConfig{
+				ClientId:      access.ClientId,
+				ClientSecret:  access.ClientSecret,
+				EnvironmentId: maputil.GetString(options.ProviderDeployConfig, "environmentId"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeGcoreCDN:
+		{
+			access := domain.AccessConfigForGcore{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeGcoreCDN:
+				deployer, err := pGcoreCDN.NewDeployer(&pGcoreCDN.DeployerConfig{
+					ApiToken:   access.ApiToken,
+					ResourceId: maputil.GetInt64(options.ProviderDeployConfig, "resourceId"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeHuaweiCloudCDN, domain.DeployProviderTypeHuaweiCloudELB, domain.DeployProviderTypeHuaweiCloudWAF:
+		{
+			access := domain.AccessConfigForHuaweiCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeHuaweiCloudCDN:
+				deployer, err := pHuaweiCloudCDN.NewDeployer(&pHuaweiCloudCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeHuaweiCloudELB:
+				deployer, err := pHuaweiCloudELB.NewDeployer(&pHuaweiCloudELB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pHuaweiCloudELB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					CertificateId:   maputil.GetString(options.ProviderDeployConfig, "certificateId"),
+					LoadbalancerId:  maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerId:      maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeHuaweiCloudWAF:
+				deployer, err := pHuaweiCloudWAF.NewDeployer(&pHuaweiCloudWAF.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					SecretAccessKey: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pHuaweiCloudWAF.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					CertificateId:   maputil.GetString(options.ProviderDeployConfig, "certificateId"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeJDCloudALB, domain.DeployProviderTypeJDCloudCDN, domain.DeployProviderTypeJDCloudLive, domain.DeployProviderTypeJDCloudVOD:
+		{
+			access := domain.AccessConfigForJDCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeJDCloudALB:
+				deployer, err := pJDCloudALB.NewDeployer(&pJDCloudALB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					RegionId:        maputil.GetString(options.ProviderDeployConfig, "regionId"),
+					ResourceType:    pJDCloudALB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					LoadbalancerId:  maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerId:      maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeJDCloudCDN:
+				deployer, err := pJDCloudCDN.NewDeployer(&pJDCloudCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeJDCloudLive:
+				deployer, err := pJDCloudLive.NewDeployer(&pJDCloudLive.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeJDCloudVOD:
+				deployer, err := pJDCloudVOD.NewDeployer(&pJDCloudVOD.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.AccessKeySecret,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeLocal:
+		{
+			deployer, err := pLocal.NewDeployer(&pLocal.DeployerConfig{
+				ShellEnv:       pLocal.ShellEnvType(maputil.GetString(options.ProviderDeployConfig, "shellEnv")),
+				PreCommand:     maputil.GetString(options.ProviderDeployConfig, "preCommand"),
+				PostCommand:    maputil.GetString(options.ProviderDeployConfig, "postCommand"),
+				OutputFormat:   pLocal.OutputFormatType(maputil.GetOrDefaultString(options.ProviderDeployConfig, "format", string(pLocal.OUTPUT_FORMAT_PEM))),
+				OutputCertPath: maputil.GetString(options.ProviderDeployConfig, "certPath"),
+				OutputKeyPath:  maputil.GetString(options.ProviderDeployConfig, "keyPath"),
+				PfxPassword:    maputil.GetString(options.ProviderDeployConfig, "pfxPassword"),
+				JksAlias:       maputil.GetString(options.ProviderDeployConfig, "jksAlias"),
+				JksKeypass:     maputil.GetString(options.ProviderDeployConfig, "jksKeypass"),
+				JksStorepass:   maputil.GetString(options.ProviderDeployConfig, "jksStorepass"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeKubernetesSecret:
+		{
+			access := domain.AccessConfigForKubernetes{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pK8sSecret.NewDeployer(&pK8sSecret.DeployerConfig{
+				KubeConfig:          access.KubeConfig,
+				Namespace:           maputil.GetOrDefaultString(options.ProviderDeployConfig, "namespace", "default"),
+				SecretName:          maputil.GetString(options.ProviderDeployConfig, "secretName"),
+				SecretType:          maputil.GetOrDefaultString(options.ProviderDeployConfig, "secretType", "kubernetes.io/tls"),
+				SecretDataKeyForCrt: maputil.GetOrDefaultString(options.ProviderDeployConfig, "secretDataKeyForCrt", "tls.crt"),
+				SecretDataKeyForKey: maputil.GetOrDefaultString(options.ProviderDeployConfig, "secretDataKeyForKey", "tls.key"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeQiniuCDN, domain.DeployProviderTypeQiniuKodo, domain.DeployProviderTypeQiniuPili:
+		{
+			access := domain.AccessConfigForQiniu{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeQiniuCDN, domain.DeployProviderTypeQiniuKodo:
+				deployer, err := pQiniuCDN.NewDeployer(&pQiniuCDN.DeployerConfig{
+					AccessKey: access.AccessKey,
+					SecretKey: access.SecretKey,
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeQiniuPili:
+				deployer, err := pQiniuPili.NewDeployer(&pQiniuPili.DeployerConfig{
+					AccessKey: access.AccessKey,
+					SecretKey: access.SecretKey,
+					Hub:       maputil.GetString(options.ProviderDeployConfig, "hub"),
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeSafeLine:
+		{
+			access := domain.AccessConfigForSafeLine{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pSafeLine.NewDeployer(&pSafeLine.DeployerConfig{
+				ApiUrl:                   access.ApiUrl,
+				ApiToken:                 access.ApiToken,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+				ResourceType:             pSafeLine.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+				CertificateId:            maputil.GetInt32(options.ProviderDeployConfig, "certificateId"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeSSH:
+		{
+			access := domain.AccessConfigForSSH{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pSSH.NewDeployer(&pSSH.DeployerConfig{
+				SshHost:          access.Host,
+				SshPort:          access.Port,
+				SshUsername:      access.Username,
+				SshPassword:      access.Password,
+				SshKey:           access.Key,
+				SshKeyPassphrase: access.KeyPassphrase,
+				UseSCP:           maputil.GetBool(options.ProviderDeployConfig, "useSCP"),
+				PreCommand:       maputil.GetString(options.ProviderDeployConfig, "preCommand"),
+				PostCommand:      maputil.GetString(options.ProviderDeployConfig, "postCommand"),
+				OutputFormat:     pSSH.OutputFormatType(maputil.GetOrDefaultString(options.ProviderDeployConfig, "format", string(pSSH.OUTPUT_FORMAT_PEM))),
+				OutputCertPath:   maputil.GetString(options.ProviderDeployConfig, "certPath"),
+				OutputKeyPath:    maputil.GetString(options.ProviderDeployConfig, "keyPath"),
+				PfxPassword:      maputil.GetString(options.ProviderDeployConfig, "pfxPassword"),
+				JksAlias:         maputil.GetString(options.ProviderDeployConfig, "jksAlias"),
+				JksKeypass:       maputil.GetString(options.ProviderDeployConfig, "jksKeypass"),
+				JksStorepass:     maputil.GetString(options.ProviderDeployConfig, "jksStorepass"),
+			})
+			return deployer, err
+		}
+
+	case domain.DeployProviderTypeTencentCloudCDN, domain.DeployProviderTypeTencentCloudCLB, domain.DeployProviderTypeTencentCloudCOS, domain.DeployProviderTypeTencentCloudCSS, domain.DeployProviderTypeTencentCloudECDN, domain.DeployProviderTypeTencentCloudEO, domain.DeployProviderTypeTencentCloudSCF, domain.DeployProviderTypeTencentCloudSSL, domain.DeployProviderTypeTencentCloudSSLDeploy, domain.DeployProviderTypeTencentCloudVOD, domain.DeployProviderTypeTencentCloudWAF:
+		{
+			access := domain.AccessConfigForTencentCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeTencentCloudCDN:
+				deployer, err := pTencentCloudCDN.NewDeployer(&pTencentCloudCDN.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudCLB:
+				deployer, err := pTencentCloudCLB.NewDeployer(&pTencentCloudCLB.DeployerConfig{
+					SecretId:       access.SecretId,
+					SecretKey:      access.SecretKey,
+					Region:         maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:   pTencentCloudCLB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					LoadbalancerId: maputil.GetString(options.ProviderDeployConfig, "loadbalancerId"),
+					ListenerId:     maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+					Domain:         maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudCOS:
+				deployer, err := pTencentCloudCOS.NewDeployer(&pTencentCloudCOS.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					Region:    maputil.GetString(options.ProviderDeployConfig, "region"),
+					Bucket:    maputil.GetString(options.ProviderDeployConfig, "bucket"),
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudCSS:
+				deployer, err := pTencentCloudCSS.NewDeployer(&pTencentCloudCSS.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudECDN:
+				deployer, err := pTencentCloudECDN.NewDeployer(&pTencentCloudECDN.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudEO:
+				deployer, err := pTencentCloudEO.NewDeployer(&pTencentCloudEO.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					ZoneId:    maputil.GetString(options.ProviderDeployConfig, "zoneId"),
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudSCF:
+				deployer, err := pTencentCloudSCF.NewDeployer(&pTencentCloudSCF.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					Region:    maputil.GetString(options.ProviderDeployConfig, "region"),
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudSSL:
+				deployer, err := pTencentCloudSSL.NewDeployer(&pTencentCloudSSL.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudSSLDeploy:
+				deployer, err := pTencentCloudSSLDeploy.NewDeployer(&pTencentCloudSSLDeploy.DeployerConfig{
+					SecretId:     access.SecretId,
+					SecretKey:    access.SecretKey,
+					Region:       maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType: maputil.GetString(options.ProviderDeployConfig, "resourceType"),
+					ResourceIds:  sliceutil.Filter(strings.Split(maputil.GetString(options.ProviderDeployConfig, "resourceIds"), ";"), func(s string) bool { return s != "" }),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudVOD:
+				deployer, err := pTencentCloudVOD.NewDeployer(&pTencentCloudVOD.DeployerConfig{
+					SecretId:  access.SecretId,
+					SecretKey: access.SecretKey,
+					SubAppId:  maputil.GetInt64(options.ProviderDeployConfig, "subAppId"),
+					Domain:    maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeTencentCloudWAF:
+				deployer, err := pTencentCloudWAF.NewDeployer(&pTencentCloudWAF.DeployerConfig{
+					SecretId:   access.SecretId,
+					SecretKey:  access.SecretKey,
+					Domain:     maputil.GetString(options.ProviderDeployConfig, "domain"),
+					DomainId:   maputil.GetString(options.ProviderDeployConfig, "domainId"),
+					InstanceId: maputil.GetString(options.ProviderDeployConfig, "instanceId"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeUCloudUCDN, domain.DeployProviderTypeUCloudUS3:
+		{
+			access := domain.AccessConfigForUCloud{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeUCloudUCDN:
+				deployer, err := pUCloudUCDN.NewDeployer(&pUCloudUCDN.DeployerConfig{
+					PrivateKey: access.PrivateKey,
+					PublicKey:  access.PublicKey,
+					ProjectId:  access.ProjectId,
+					DomainId:   maputil.GetString(options.ProviderDeployConfig, "domainId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeUCloudUS3:
+				deployer, err := pUCloudUS3.NewDeployer(&pUCloudUS3.DeployerConfig{
+					PrivateKey: access.PrivateKey,
+					PublicKey:  access.PublicKey,
+					ProjectId:  access.ProjectId,
+					Region:     maputil.GetString(options.ProviderDeployConfig, "region"),
+					Bucket:     maputil.GetString(options.ProviderDeployConfig, "bucket"),
+					Domain:     maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeUpyunCDN, domain.DeployProviderTypeUpyunFile:
+		{
+			access := domain.AccessConfigForUpyun{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeUpyunCDN, domain.DeployProviderTypeUpyunFile:
+				deployer, err := pUpyunCDN.NewDeployer(&pUpyunCDN.DeployerConfig{
+					Username: access.Username,
+					Password: access.Password,
+					Domain:   maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeVolcEngineCDN, domain.DeployProviderTypeVolcEngineCLB, domain.DeployProviderTypeVolcEngineDCDN, domain.DeployProviderTypeVolcEngineImageX, domain.DeployProviderTypeVolcEngineLive, domain.DeployProviderTypeVolcEngineTOS:
+		{
+			access := domain.AccessConfigForVolcEngine{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			switch options.Provider {
+			case domain.DeployProviderTypeVolcEngineCDN:
+				deployer, err := pVolcEngineCDN.NewDeployer(&pVolcEngineCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeVolcEngineCLB:
+				deployer, err := pVolcEngineCLB.NewDeployer(&pVolcEngineCLB.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ResourceType:    pVolcEngineCLB.ResourceType(maputil.GetString(options.ProviderDeployConfig, "resourceType")),
+					ListenerId:      maputil.GetString(options.ProviderDeployConfig, "listenerId"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeVolcEngineDCDN:
+				deployer, err := pVolcEngineDCDN.NewDeployer(&pVolcEngineDCDN.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeVolcEngineImageX:
+				deployer, err := pVolcEngineImageX.NewDeployer(&pVolcEngineImageX.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					ServiceId:       maputil.GetString(options.ProviderDeployConfig, "serviceId"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeVolcEngineLive:
+				deployer, err := pVolcEngineLive.NewDeployer(&pVolcEngineLive.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			case domain.DeployProviderTypeVolcEngineTOS:
+				deployer, err := pVolcEngineTOS.NewDeployer(&pVolcEngineTOS.DeployerConfig{
+					AccessKeyId:     access.AccessKeyId,
+					AccessKeySecret: access.SecretAccessKey,
+					Region:          maputil.GetString(options.ProviderDeployConfig, "region"),
+					Bucket:          maputil.GetString(options.ProviderDeployConfig, "bucket"),
+					Domain:          maputil.GetString(options.ProviderDeployConfig, "domain"),
+				})
+				return deployer, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.DeployProviderTypeWebhook:
+		{
+			access := domain.AccessConfigForWebhook{}
+			if err := maputil.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			deployer, err := pWebhook.NewDeployer(&pWebhook.DeployerConfig{
+				WebhookUrl:               access.Url,
+				WebhookData:              maputil.GetString(options.ProviderDeployConfig, "webhookData"),
+				AllowInsecureConnections: access.AllowInsecureConnections,
+			})
+			return deployer, err
+		}
+	}
+
+	return nil, fmt.Errorf("unsupported deployer provider: %s", string(options.Provider))
+}
--- a/internal/deployer/qiniu.go
+++ b/internal/deployer/qiniu.go
@@ -1,212 +0,0 @@
-package deployer
-
-import (
-	"bytes"
-	"certimate/internal/domain"
-	xhttp "certimate/internal/utils/http"
-	"context"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-
-	"github.com/qiniu/go-sdk/v7/auth"
-)
-
-const qiniuGateway = "http://api.qiniu.com"
-
-type qiuniu struct {
-	option      *DeployerOption
-	info        []string
-	credentials *auth.Credentials
-}
-
-func NewQiNiu(option *DeployerOption) (*qiuniu, error) {
-	access := &domain.QiniuAccess{}
-	json.Unmarshal([]byte(option.Access), access)
-
-	return &qiuniu{
-		option: option,
-		info:   make([]string, 0),
-
-		credentials: auth.New(access.AccessKey, access.SecretKey),
-	}, nil
-}
-
-func (a *qiuniu) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (q *qiuniu) GetInfo() []string {
-	return q.info
-}
-
-func (q *qiuniu) Deploy(ctx context.Context) error {
-
-	// 上传证书
-	certId, err := q.uploadCert()
-	if err != nil {
-		return fmt.Errorf("uploadCert failed: %w", err)
-	}
-
-	// 获取域名信息
-	domainInfo, err := q.getDomainInfo()
-	if err != nil {
-		return fmt.Errorf("getDomainInfo failed: %w", err)
-	}
-
-	// 判断域名是否启用 https
-
-	if domainInfo.Https != nil && domainInfo.Https.CertID != "" {
-		// 启用了 https
-		// 修改域名证书
-		err = q.modifyDomainCert(certId)
-		if err != nil {
-			return fmt.Errorf("modifyDomainCert failed: %w", err)
-		}
-	} else {
-		// 没启用 https
-		// 启用 https
-
-		err = q.enableHttps(certId)
-		if err != nil {
-			return fmt.Errorf("enableHttps failed: %w", err)
-		}
-	}
-
-	return nil
-}
-
-func (q *qiuniu) enableHttps(certId string) error {
-	path := fmt.Sprintf("/domain/%s/sslize", q.option.Domain)
-
-	body := &modifyDomainCertReq{
-		CertID:      certId,
-		ForceHttps:  true,
-		Http2Enable: true,
-	}
-
-	bodyBytes, err := json.Marshal(body)
-	if err != nil {
-		return fmt.Errorf("enable https failed: %w", err)
-	}
-
-	_, err = q.req(qiniuGateway+path, http.MethodPut, bytes.NewReader(bodyBytes))
-	if err != nil {
-		return fmt.Errorf("enable https failed: %w", err)
-	}
-
-	return nil
-}
-
-type domainInfo struct {
-	Https *modifyDomainCertReq `json:"https"`
-}
-
-func (q *qiuniu) getDomainInfo() (*domainInfo, error) {
-	path := fmt.Sprintf("/domain/%s", q.option.Domain)
-
-	res, err := q.req(qiniuGateway+path, http.MethodGet, nil)
-	if err != nil {
-		return nil, fmt.Errorf("req failed: %w", err)
-	}
-
-	resp := &domainInfo{}
-	err = json.Unmarshal(res, resp)
-	if err != nil {
-		return nil, fmt.Errorf("json.Unmarshal failed: %w", err)
-	}
-
-	return resp, nil
-}
-
-type uploadCertReq struct {
-	Name       string `json:"name"`
-	CommonName string `json:"common_name"`
-	Pri        string `json:"pri"`
-	Ca         string `json:"ca"`
-}
-
-type uploadCertResp struct {
-	CertID string `json:"certID"`
-}
-
-func (q *qiuniu) uploadCert() (string, error) {
-	path := "/sslcert"
-
-	body := &uploadCertReq{
-		Name:       q.option.Domain,
-		CommonName: q.option.Domain,
-		Pri:        q.option.Certificate.PrivateKey,
-		Ca:         q.option.Certificate.Certificate,
-	}
-
-	bodyBytes, err := json.Marshal(body)
-	if err != nil {
-		return "", fmt.Errorf("json.Marshal failed: %w", err)
-	}
-
-	res, err := q.req(qiniuGateway+path, http.MethodPost, bytes.NewReader(bodyBytes))
-	if err != nil {
-		return "", fmt.Errorf("req failed: %w", err)
-	}
-	resp := &uploadCertResp{}
-	err = json.Unmarshal(res, resp)
-	if err != nil {
-		return "", fmt.Errorf("json.Unmarshal failed: %w", err)
-	}
-
-	return resp.CertID, nil
-}
-
-type modifyDomainCertReq struct {
-	CertID      string `json:"certId"`
-	ForceHttps  bool   `json:"forceHttps"`
-	Http2Enable bool   `json:"http2Enable"`
-}
-
-func (q *qiuniu) modifyDomainCert(certId string) error {
-	path := fmt.Sprintf("/domain/%s/httpsconf", q.option.Domain)
-
-	body := &modifyDomainCertReq{
-		CertID:      certId,
-		ForceHttps:  true,
-		Http2Enable: true,
-	}
-
-	bodyBytes, err := json.Marshal(body)
-	if err != nil {
-		return fmt.Errorf("json.Marshal failed: %w", err)
-	}
-
-	_, err = q.req(qiniuGateway+path, http.MethodPut, bytes.NewReader(bodyBytes))
-	if err != nil {
-		return fmt.Errorf("req failed: %w", err)
-	}
-
-	return nil
-}
-
-func (q *qiuniu) req(url, method string, body io.Reader) ([]byte, error) {
-	req := xhttp.BuildReq(url, method, body, map[string]string{
-		"Content-Type": "application/json",
-	})
-
-	if err := q.credentials.AddToken(auth.TokenQBox, req); err != nil {
-		return nil, fmt.Errorf("credentials.AddToken failed: %w", err)
-	}
-
-	respBody, err := xhttp.ToRequest(req)
-	if err != nil {
-		return nil, fmt.Errorf("ToRequest failed: %w", err)
-	}
-
-	defer respBody.Close()
-
-	res, err := io.ReadAll(respBody)
-	if err != nil {
-		return nil, fmt.Errorf("io.ReadAll failed: %w", err)
-	}
-
-	return res, nil
-}
--- a/internal/deployer/qiniu_test.go
+++ b/internal/deployer/qiniu_test.go
@@ -1,86 +0,0 @@
-package deployer
-
-import (
-	"certimate/internal/applicant"
-	"testing"
-
-	"github.com/qiniu/go-sdk/v7/auth"
-)
-
-func Test_qiuniu_uploadCert(t *testing.T) {
-	type fields struct {
-		option *DeployerOption
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		want    string
-		wantErr bool
-	}{
-		{
-			name: "test",
-			fields: fields{
-				option: &DeployerOption{
-					DomainId: "1",
-					Domain:   "example.com",
-					Product:  "test",
-					Access:   `{"bucket":"test","accessKey":"","secretKey":""}`,
-					Certificate: applicant.Certificate{
-						Certificate: "",
-						PrivateKey:  "",
-					},
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			q, _ := NewQiNiu(tt.fields.option)
-			got, err := q.uploadCert()
-			if (err != nil) != tt.wantErr {
-				t.Errorf("qiuniu.uploadCert() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if got != tt.want {
-				t.Errorf("qiuniu.uploadCert() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-
-func Test_qiuniu_modifyDomainCert(t *testing.T) {
-	type fields struct {
-		option      *DeployerOption
-		info        []string
-		credentials *auth.Credentials
-	}
-	type args struct {
-		certId string
-	}
-	tests := []struct {
-		name    string
-		fields  fields
-		args    args
-		wantErr bool
-	}{
-		{
-			name: "test",
-			fields: fields{
-				option: &DeployerOption{
-					DomainId: "1",
-					Domain:   "jt1.ikit.fun",
-					Product:  "test",
-					Access:   `{"bucket":"test","accessKey":"","secretKey":""}`,
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			q, _ := NewQiNiu(tt.fields.option)
-			if err := q.modifyDomainCert(tt.args.certId); (err != nil) != tt.wantErr {
-				t.Errorf("qiuniu.modifyDomainCert() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}
--- a/internal/deployer/ssh.go
+++ b/internal/deployer/ssh.go
@@ -1,155 +0,0 @@
-package deployer
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"os"
-	xpath "path"
-	"strings"
-
-	"github.com/pkg/sftp"
-	sshPkg "golang.org/x/crypto/ssh"
-)
-
-type ssh struct {
-	option *DeployerOption
-	infos  []string
-}
-
-type sshAccess struct {
-	Host     string `json:"host"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-	Key      string `json:"key"`
-	Port     string `json:"port"`
-	Command  string `json:"command"`
-	CertPath string `json:"certPath"`
-	KeyPath  string `json:"keyPath"`
-}
-
-func NewSSH(option *DeployerOption) (Deployer, error) {
-	return &ssh{
-		option: option,
-		infos:  make([]string, 0),
-	}, nil
-}
-
-func (a *ssh) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (s *ssh) GetInfo() []string {
-	return s.infos
-}
-
-func (s *ssh) Deploy(ctx context.Context) error {
-	access := &sshAccess{}
-	if err := json.Unmarshal([]byte(s.option.Access), access); err != nil {
-		return err
-	}
-
-	// 将证书路径和命令中的变量替换为实际值
-	for k, v := range s.option.Variables {
-		key := fmt.Sprintf("${%s}", k)
-		access.CertPath = strings.ReplaceAll(access.CertPath, key, v)
-		access.KeyPath = strings.ReplaceAll(access.KeyPath, key, v)
-		access.Command = strings.ReplaceAll(access.Command, key, v)
-	}
-
-	// 连接
-	client, err := s.getClient(access)
-	if err != nil {
-		return err
-	}
-	defer client.Close()
-
-	s.infos = append(s.infos, toStr("ssh连接成功", nil))
-
-	// 上传
-	session, err := client.NewSession()
-	if err != nil {
-		return fmt.Errorf("failed to create session: %w", err)
-	}
-	defer session.Close()
-
-	s.infos = append(s.infos, toStr("ssh创建session成功", nil))
-
-	// 上传证书
-	if err := s.upload(client, s.option.Certificate.Certificate, access.CertPath); err != nil {
-		return fmt.Errorf("failed to upload certificate: %w", err)
-	}
-
-	s.infos = append(s.infos, toStr("ssh上传证书成功", nil))
-
-	// 上传私钥
-	if err := s.upload(client, s.option.Certificate.PrivateKey, access.KeyPath); err != nil {
-		return fmt.Errorf("failed to upload private key: %w", err)
-	}
-
-	s.infos = append(s.infos, toStr("ssh上传私钥成功", nil))
-
-	// 执行命令
-	var stdoutBuf bytes.Buffer
-	session.Stdout = &stdoutBuf
-	var stderrBuf bytes.Buffer
-	session.Stderr = &stderrBuf
-
-	if err := session.Run(access.Command); err != nil {
-		return fmt.Errorf("failed to run command: %w, stdout: %s, stderr: %s", err, stdoutBuf.String(), stderrBuf.String())
-	}
-
-	s.infos = append(s.infos, toStr("ssh执行命令成功", []string{stdoutBuf.String()}))
-
-	return nil
-}
-
-func (s *ssh) upload(client *sshPkg.Client, content, path string) error {
-
-	sftpCli, err := sftp.NewClient(client)
-	if err != nil {
-		return fmt.Errorf("failed to create sftp client: %w", err)
-	}
-	defer sftpCli.Close()
-
-	if err := sftpCli.MkdirAll(xpath.Dir(path)); err != nil {
-		return fmt.Errorf("failed to create remote directory: %w", err)
-	}
-
-	file, err := sftpCli.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC)
-	if err != nil {
-		return fmt.Errorf("failed to open remote file: %w", err)
-	}
-	defer file.Close()
-
-	_, err = file.Write([]byte(content))
-	if err != nil {
-		return fmt.Errorf("failed to write to remote file: %w", err)
-	}
-
-	return nil
-}
-
-func (s *ssh) getClient(access *sshAccess) (*sshPkg.Client, error) {
-
-	var authMethod sshPkg.AuthMethod
-
-	if access.Key != "" {
-		signer, err := sshPkg.ParsePrivateKey([]byte(access.Key))
-		if err != nil {
-			return nil, err
-		}
-		authMethod = sshPkg.PublicKeys(signer)
-	} else {
-		authMethod = sshPkg.Password(access.Password)
-	}
-
-	return sshPkg.Dial("tcp", fmt.Sprintf("%s:%s", access.Host, access.Port), &sshPkg.ClientConfig{
-		User: access.Username,
-		Auth: []sshPkg.AuthMethod{
-			authMethod,
-		},
-		HostKeyCallback: sshPkg.InsecureIgnoreHostKey(),
-	})
-}
--- a/internal/deployer/ssh_test.go
+++ b/internal/deployer/ssh_test.go
@@ -1,12 +0,0 @@
-package deployer
-
-import (
-	"os"
-	"path"
-	"testing"
-)
-
-func TestPath(t *testing.T) {
-	dir := path.Dir("./a/b/c")
-	os.MkdirAll(dir, 0755)
-}
--- a/internal/deployer/tencent_cdn.go
+++ b/internal/deployer/tencent_cdn.go
@@ -1,175 +0,0 @@
-package deployer
-
-import (
-	"certimate/internal/domain"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	ssl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-	tag "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/tag/v20180813"
-)
-
-type tencentCdn struct {
-	option     *DeployerOption
-	credential *common.Credential
-	infos      []string
-}
-
-func NewTencentCdn(option *DeployerOption) (Deployer, error) {
-
-	access := &domain.TencentAccess{}
-	if err := json.Unmarshal([]byte(option.Access), access); err != nil {
-		return nil, fmt.Errorf("failed to unmarshal tencent access: %w", err)
-	}
-
-	credential := common.NewCredential(
-		access.SecretId,
-		access.SecretKey,
-	)
-
-	return &tencentCdn{
-		option:     option,
-		credential: credential,
-		infos:      make([]string, 0),
-	}, nil
-}
-
-func (a *tencentCdn) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (t *tencentCdn) GetInfo() []string {
-	return t.infos
-}
-
-func (t *tencentCdn) Deploy(ctx context.Context) error {
-
-	// 查询有没有对应的资源
-	resource, err := t.resource()
-	if err != nil {
-		return fmt.Errorf("failed to get resource: %w", err)
-	}
-
-	t.infos = append(t.infos, toStr("查询对应的资源", resource))
-
-	// 上传证书
-	certId, err := t.uploadCert()
-	if err != nil {
-		return fmt.Errorf("failed to upload certificate: %w", err)
-	}
-	t.infos = append(t.infos, toStr("上传证书", certId))
-
-	if err := t.deploy(resource, certId); err != nil {
-		return fmt.Errorf("failed to deploy: %w", err)
-	}
-
-	return nil
-}
-
-func (t *tencentCdn) uploadCert() (string, error) {
-
-	cpf := profile.NewClientProfile()
-	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
-
-	client, _ := ssl.NewClient(t.credential, "", cpf)
-
-	request := ssl.NewUploadCertificateRequest()
-
-	request.CertificatePublicKey = common.StringPtr(t.option.Certificate.Certificate)
-	request.CertificatePrivateKey = common.StringPtr(t.option.Certificate.PrivateKey)
-	request.Alias = common.StringPtr(t.option.Domain)
-	request.Repeatable = common.BoolPtr(true)
-
-	response, err := client.UploadCertificate(request)
-	if err != nil {
-		return "", fmt.Errorf("failed to upload certificate: %w", err)
-	}
-
-	return *response.Response.CertificateId, nil
-}
-
-func (t *tencentCdn) deploy(resource *tag.ResourceTagMapping, certId string) error {
-	cpf := profile.NewClientProfile()
-	cpf.HttpProfile.Endpoint = "ssl.tencentcloudapi.com"
-	// 实例化要请求产品的client对象,clientProfile是可选的
-	client, _ := ssl.NewClient(t.credential, "", cpf)
-
-	resourceId, err := getResourceId(resource)
-	if err != nil {
-		return fmt.Errorf("failed to get resource id: %w", err)
-	}
-
-	// 实例化一个请求对象,每个接口都会对应一个request对象
-	request := ssl.NewDeployCertificateInstanceRequest()
-
-	request.CertificateId = common.StringPtr(certId)
-	request.InstanceIdList = common.StringPtrs([]string{resourceId})
-	request.ResourceType = common.StringPtr("cdn")
-	request.Status = common.Int64Ptr(1)
-
-	// 返回的resp是一个DeployCertificateInstanceResponse的实例，与请求对象对应
-	resp, err := client.DeployCertificateInstance(request)
-
-	if err != nil {
-		return fmt.Errorf("failed to deploy certificate: %w", err)
-	}
-	t.infos = append(t.infos, toStr("部署证书", resp.Response))
-	return nil
-}
-
-func (t *tencentCdn) resource() (*tag.ResourceTagMapping, error) {
-	request := tag.NewGetResourcesRequest()
-	cpf := profile.NewClientProfile()
-	cpf.HttpProfile.Endpoint = "tag.tencentcloudapi.com"
-
-	client, err := tag.NewClient(t.credential, "", cpf)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create client: %w", err)
-	}
-
-	response, err := client.GetResources(request)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get resources: %w", err)
-	}
-
-	for _, resource := range response.Response.ResourceTagMappingList {
-		if t.compare(resource) {
-			return resource, nil
-		}
-	}
-
-	return nil, errors.New("no resource found")
-
-}
-
-func (t *tencentCdn) compare(resource *tag.ResourceTagMapping) bool {
-	slices := strings.Split(*resource.Resource, "/")
-	if len(slices) != 3 {
-		return false
-	}
-
-	typeSlices := strings.Split(slices[0], "::")
-	if len(typeSlices) != 3 {
-		return false
-	}
-
-	if typeSlices[1] != "cdn" || slices[2] != t.option.Domain {
-		return false
-	}
-
-	return true
-
-}
-
-func getResourceId(resource *tag.ResourceTagMapping) (string, error) {
-	slices := strings.Split(*resource.Resource, "/")
-	if len(slices) != 3 {
-		return "", errors.New("invalid resource")
-	}
-	return slices[2], nil
-}
--- a/internal/deployer/webhook.go
+++ b/internal/deployer/webhook.go
@@ -1,67 +0,0 @@
-package deployer
-
-import (
-	"bytes"
-	xhttp "certimate/internal/utils/http"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-)
-
-type webhookAccess struct {
-	Url string `json:"url"`
-}
-
-type hookData struct {
-	Domain      string `json:"domain"`
-	Certificate string `json:"certificate"`
-	PrivateKey  string `json:"privateKey"`
-}
-
-type webhook struct {
-	option *DeployerOption
-	infos  []string
-}
-
-func NewWebhook(option *DeployerOption) (Deployer, error) {
-
-	return &webhook{
-		option: option,
-		infos:  make([]string, 0),
-	}, nil
-}
-
-func (a *webhook) GetID() string {
-	return fmt.Sprintf("%s-%s", a.option.AceessRecord.GetString("name"), a.option.AceessRecord.Id)
-}
-
-func (w *webhook) GetInfo() []string {
-	return w.infos
-}
-
-func (w *webhook) Deploy(ctx context.Context) error {
-	access := &webhookAccess{}
-	if err := json.Unmarshal([]byte(w.option.Access), access); err != nil {
-		return fmt.Errorf("failed to parse hook access config: %w", err)
-	}
-
-	data := &hookData{
-		Domain:      w.option.Domain,
-		Certificate: w.option.Certificate.Certificate,
-		PrivateKey:  w.option.Certificate.PrivateKey,
-	}
-
-	body, _ := json.Marshal(data)
-
-	resp, err := xhttp.Req(access.Url, http.MethodPost, bytes.NewReader(body), map[string]string{
-		"Content-Type": "application/json",
-	})
-	if err != nil {
-		return fmt.Errorf("failed to send hook request: %w", err)
-	}
-
-	w.infos = append(w.infos, toStr("webhook response", string(resp)))
-
-	return nil
-}
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -1,29 +1,226 @@
 package domain

-type AliyunAccess struct {
+import (
+	"encoding/json"
+	"time"
+)
+
+const CollectionNameAccess = "access"
+
+type Access struct {
+	Meta
+	Name      string     `json:"name" db:"name"`
+	Provider  string     `json:"provider" db:"provider"`
+	Config    string     `json:"config" db:"config"`
+	DeletedAt *time.Time `json:"deleted" db:"deleted"`
+}
+
+func (a *Access) UnmarshalConfigToMap() (map[string]any, error) {
+	config := make(map[string]any)
+	if err := json.Unmarshal([]byte(a.Config), &config); err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+type AccessConfigFor1Panel struct {
+	ApiUrl                   string `json:"apiUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForACMEHttpReq struct {
+	Endpoint string `json:"endpoint"`
+	Mode     string `json:"mode,omitempty"`
+	Username string `json:"username,omitempty"`
+	Password string `json:"password,omitempty"`
+}
+
+type AccessConfigForAliyun struct {
 	AccessKeyId     string `json:"accessKeyId"`
 	AccessKeySecret string `json:"accessKeySecret"`
 }

-type TencentAccess struct {
-	SecretId  string `json:"secretId"`
-	SecretKey string `json:"secretKey"`
+type AccessConfigForAWS struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
 }

-type CloudflareAccess struct {
-	DnsApiToken string `json:"dnsApiToken"`
+type AccessConfigForAzure struct {
+	TenantId     string `json:"tenantId"`
+	ClientId     string `json:"clientId"`
+	ClientSecret string `json:"clientSecret"`
+	CloudName    string `json:"cloudName,omitempty"`
 }

-type QiniuAccess struct {
+type AccessConfigForBaiduCloud struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type AccessConfigForBaishan struct {
+	ApiToken string `json:"apiToken"`
+}
+
+type AccessConfigForBaotaPanel struct {
+	ApiUrl                   string `json:"apiUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForBytePlus struct {
 	AccessKey string `json:"accessKey"`
 	SecretKey string `json:"secretKey"`
 }

-type NameSiloAccess struct {
-	ApiKey string `json:"apiKey"`
+type AccessConfigForCacheFly struct {
+	ApiToken string `json:"apiToken"`
 }

-type GodaddyAccess struct {
+type AccessConfigForCdnfly struct {
+	ApiUrl    string `json:"apiUrl"`
 	ApiKey    string `json:"apiKey"`
 	ApiSecret string `json:"apiSecret"`
 }
+
+type AccessConfigForCloudflare struct {
+	DnsApiToken string `json:"dnsApiToken"`
+}
+
+type AccessConfigForClouDNS struct {
+	AuthId       string `json:"authId"`
+	AuthPassword string `json:"authPassword"`
+}
+
+type AccessConfigForCMCCCloud struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+}
+
+type AccessConfigForDNSLA struct {
+	ApiId     string `json:"apiId"`
+	ApiSecret string `json:"apiSecret"`
+}
+
+type AccessConfigForDogeCloud struct {
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+}
+
+type AccessConfigForDynv6 struct {
+	HttpToken string `json:"httpToken"`
+}
+
+type AccessConfigForEdgio struct {
+	ClientId     string `json:"clientId"`
+	ClientSecret string `json:"clientSecret"`
+}
+
+type AccessConfigForGcore struct {
+	ApiToken string `json:"apiToken"`
+}
+
+type AccessConfigForGname struct {
+	AppId  string `json:"appId"`
+	AppKey string `json:"appKey"`
+}
+
+type AccessConfigForGoDaddy struct {
+	ApiKey    string `json:"apiKey"`
+	ApiSecret string `json:"apiSecret"`
+}
+
+type AccessConfigForHuaweiCloud struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type AccessConfigForJDCloud struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+}
+
+type AccessConfigForKubernetes struct {
+	KubeConfig string `json:"kubeConfig,omitempty"`
+}
+
+type AccessConfigForLocal struct{}
+
+type AccessConfigForNamecheap struct {
+	Username string `json:"username"`
+	ApiKey   string `json:"apiKey"`
+}
+
+type AccessConfigForNameDotCom struct {
+	Username string `json:"username"`
+	ApiToken string `json:"apiToken"`
+}
+
+type AccessConfigForNameSilo struct {
+	ApiKey string `json:"apiKey"`
+}
+
+type AccessConfigForNS1 struct {
+	ApiKey string `json:"apiKey"`
+}
+
+type AccessConfigForPowerDNS struct {
+	ApiUrl string `json:"apiUrl"`
+	ApiKey string `json:"apiKey"`
+}
+
+type AccessConfigForQiniu struct {
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+}
+
+type AccessConfigForRainYun struct {
+	ApiKey string `json:"apiKey"`
+}
+
+type AccessConfigForSafeLine struct {
+	ApiUrl                   string `json:"apiUrl"`
+	ApiToken                 string `json:"apiToken"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForSSH struct {
+	Host          string `json:"host"`
+	Port          int32  `json:"port"`
+	Username      string `json:"username"`
+	Password      string `json:"password,omitempty"`
+	Key           string `json:"key,omitempty"`
+	KeyPassphrase string `json:"keyPassphrase,omitempty"`
+}
+
+type AccessConfigForTencentCloud struct {
+	SecretId  string `json:"secretId"`
+	SecretKey string `json:"secretKey"`
+}
+
+type AccessConfigForUCloud struct {
+	PrivateKey string `json:"privateKey"`
+	PublicKey  string `json:"publicKey"`
+	ProjectId  string `json:"projectId,omitempty"`
+}
+
+type AccessConfigForUpyun struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type AccessConfigForVolcEngine struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type AccessConfigForWebhook struct {
+	Url                      string `json:"url"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForWestcn struct {
+	Username    string `json:"username"`
+	ApiPassword string `json:"password"`
+}
--- a/internal/domain/acme_account.go
+++ b/internal/domain/acme_account.go
@@ -0,0 +1,15 @@
+package domain
+
+import (
+	"github.com/go-acme/lego/v4/registration"
+)
+
+const CollectionNameAcmeAccount = "acme_accounts"
+
+type AcmeAccount struct {
+	Meta
+	CA       string                 `json:"ca" db:"ca"`
+	Email    string                 `json:"email" db:"email"`
+	Resource *registration.Resource `json:"resource" db:"resource"`
+	Key      string                 `json:"key" db:"key"`
+}
--- a/internal/domain/certificate.go
+++ b/internal/domain/certificate.go
@@ -0,0 +1,136 @@
+package domain
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/certutil"
+)
+
+const CollectionNameCertificate = "certificate"
+
+type Certificate struct {
+	Meta
+	Source            CertificateSourceType       `json:"source" db:"source"`
+	SubjectAltNames   string                      `json:"subjectAltNames" db:"subjectAltNames"`
+	SerialNumber      string                      `json:"serialNumber" db:"serialNumber"`
+	Certificate       string                      `json:"certificate" db:"certificate"`
+	PrivateKey        string                      `json:"privateKey" db:"privateKey"`
+	Issuer            string                      `json:"issuer" db:"issuer"`
+	IssuerCertificate string                      `json:"issuerCertificate" db:"issuerCertificate"`
+	KeyAlgorithm      CertificateKeyAlgorithmType `json:"keyAlgorithm" db:"keyAlgorithm"`
+	EffectAt          time.Time                   `json:"effectAt" db:"effectAt"`
+	ExpireAt          time.Time                   `json:"expireAt" db:"expireAt"`
+	ACMEAccountUrl    string                      `json:"acmeAccountUrl" db:"acmeAccountUrl"`
+	ACMECertUrl       string                      `json:"acmeCertUrl" db:"acmeCertUrl"`
+	ACMECertStableUrl string                      `json:"acmeCertStableUrl" db:"acmeCertStableUrl"`
+	WorkflowId        string                      `json:"workflowId" db:"workflowId"`
+	WorkflowNodeId    string                      `json:"workflowNodeId" db:"workflowNodeId"`
+	WorkflowRunId     string                      `json:"workflowRunId" db:"workflowRunId"`
+	WorkflowOutputId  string                      `json:"workflowOutputId" db:"workflowOutputId"`
+	DeletedAt         *time.Time                  `json:"deleted" db:"deleted"`
+}
+
+func (c *Certificate) PopulateFromX509(certX509 *x509.Certificate) *Certificate {
+	c.SubjectAltNames = strings.Join(certX509.DNSNames, ";")
+	c.SerialNumber = strings.ToUpper(certX509.SerialNumber.Text(16))
+	c.Issuer = strings.Join(certX509.Issuer.Organization, ";")
+	c.EffectAt = certX509.NotBefore
+	c.ExpireAt = certX509.NotAfter
+
+	switch certX509.PublicKeyAlgorithm {
+	case x509.RSA:
+		{
+			len := 0
+			if pubkey, ok := certX509.PublicKey.(*rsa.PublicKey); ok {
+				len = pubkey.N.BitLen()
+			}
+
+			switch len {
+			case 0:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType("RSA")
+			case 2048:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA2048
+			case 3072:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA3072
+			case 4096:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA4096
+			case 8192:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA8192
+			default:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType(fmt.Sprintf("RSA%d", len))
+			}
+		}
+
+	case x509.ECDSA:
+		{
+			len := 0
+			if pubkey, ok := certX509.PublicKey.(*ecdsa.PublicKey); ok {
+				if pubkey.Curve != nil && pubkey.Curve.Params() != nil {
+					len = pubkey.Curve.Params().BitSize
+				}
+			}
+
+			switch len {
+			case 0:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType("EC")
+			case 256:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC256
+			case 384:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC384
+			case 521:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC512
+			default:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType(fmt.Sprintf("EC%d", len))
+			}
+		}
+
+	case x509.Ed25519:
+		{
+			c.KeyAlgorithm = CertificateKeyAlgorithmType("ED25519")
+		}
+
+	default:
+		c.KeyAlgorithm = CertificateKeyAlgorithmType("")
+	}
+
+	return c
+}
+
+func (c *Certificate) PopulateFromPEM(certPEM, privkeyPEM string) *Certificate {
+	c.Certificate = certPEM
+	c.PrivateKey = privkeyPEM
+
+	_, issuerCertPEM, _ := certutil.ExtractCertificatesFromPEM(certPEM)
+	c.IssuerCertificate = issuerCertPEM
+
+	certX509, _ := certutil.ParseCertificateFromPEM(certPEM)
+	if certX509 != nil {
+		c.PopulateFromX509(certX509)
+	}
+
+	return c
+}
+
+type CertificateSourceType string
+
+const (
+	CertificateSourceTypeWorkflow = CertificateSourceType("workflow")
+	CertificateSourceTypeUpload   = CertificateSourceType("upload")
+)
+
+type CertificateKeyAlgorithmType string
+
+const (
+	CertificateKeyAlgorithmTypeRSA2048 = CertificateKeyAlgorithmType("RSA2048")
+	CertificateKeyAlgorithmTypeRSA3072 = CertificateKeyAlgorithmType("RSA3072")
+	CertificateKeyAlgorithmTypeRSA4096 = CertificateKeyAlgorithmType("RSA4096")
+	CertificateKeyAlgorithmTypeRSA8192 = CertificateKeyAlgorithmType("RSA8192")
+	CertificateKeyAlgorithmTypeEC256   = CertificateKeyAlgorithmType("EC256")
+	CertificateKeyAlgorithmTypeEC384   = CertificateKeyAlgorithmType("EC384")
+	CertificateKeyAlgorithmTypeEC512   = CertificateKeyAlgorithmType("EC512")
+)
--- a/internal/domain/dtos/certificate.go
+++ b/internal/domain/dtos/certificate.go
@@ -0,0 +1,28 @@
+package dtos
+
+type CertificateArchiveFileReq struct {
+	CertificateId string `json:"-"`
+	Format        string `json:"format"`
+}
+
+type CertificateArchiveFileResp struct {
+	FileBytes  []byte `json:"fileBytes"`
+	FileFormat string `json:"fileFormat"`
+}
+
+type CertificateValidateCertificateReq struct {
+	Certificate string `json:"certificate"`
+}
+
+type CertificateValidateCertificateResp struct {
+	IsValid bool   `json:"isValid"`
+	Domains string `json:"domains,omitempty"`
+}
+
+type CertificateValidatePrivateKeyReq struct {
+	PrivateKey string `json:"privateKey"`
+}
+
+type CertificateValidatePrivateKeyResp struct {
+	IsValid bool `json:"isValid"`
+}
--- a/internal/domain/dtos/notify.go
+++ b/internal/domain/dtos/notify.go
@@ -0,0 +1,7 @@
+package dtos
+
+import "github.com/usual2970/certimate/internal/domain"
+
+type NotifyTestPushReq struct {
+	Channel domain.NotifyChannelType `json:"channel"`
+}
--- a/internal/domain/dtos/workflow.go
+++ b/internal/domain/dtos/workflow.go
@@ -0,0 +1,13 @@
+package dtos
+
+import "github.com/usual2970/certimate/internal/domain"
+
+type WorkflowStartRunReq struct {
+	WorkflowId string                     `json:"-"`
+	RunTrigger domain.WorkflowTriggerType `json:"trigger"`
+}
+
+type WorkflowCancelRunReq struct {
+	WorkflowId string `json:"-"`
+	RunId      string `json:"-"`
+}
--- a/internal/domain/error.go
+++ b/internal/domain/error.go
@@ -0,0 +1,30 @@
+package domain
+
+var (
+	ErrInvalidParams  = NewError(400, "invalid params")
+	ErrRecordNotFound = NewError(404, "record not found")
+)
+
+type Error struct {
+	Code int    `json:"code"`
+	Msg  string `json:"msg"`
+}
+
+func NewError(code int, msg string) *Error {
+	if code == 0 {
+		code = -1
+	}
+
+	return &Error{code, msg}
+}
+
+func (e *Error) Error() string {
+	return e.Msg
+}
+
+func IsRecordNotFoundError(err error) bool {
+	if e, ok := err.(*Error); ok {
+		return e.Code == ErrRecordNotFound.Code
+	}
+	return false
+}
--- a/internal/domain/meta.go
+++ b/internal/domain/meta.go
@@ -0,0 +1,9 @@
+package domain
+
+import "time"
+
+type Meta struct {
+	Id        string    `json:"id" db:"id"`
+	CreatedAt time.Time `json:"created" db:"created"`
+	UpdatedAt time.Time `json:"updated" db:"updated"`
+}
--- a/internal/domain/notify.go
+++ b/internal/domain/notify.go
@@ -0,0 +1,20 @@
+package domain
+
+type NotifyChannelType string
+
+/*
+消息通知渠道常量值。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	NotifyChannelTypeBark       = NotifyChannelType("bark")
+	NotifyChannelTypeDingTalk   = NotifyChannelType("dingtalk")
+	NotifyChannelTypeEmail      = NotifyChannelType("email")
+	NotifyChannelTypeLark       = NotifyChannelType("lark")
+	NotifyChannelTypeServerChan = NotifyChannelType("serverchan")
+	NotifyChannelTypeTelegram   = NotifyChannelType("telegram")
+	NotifyChannelTypeWebhook    = NotifyChannelType("webhook")
+	NotifyChannelTypeWeCom      = NotifyChannelType("wecom")
+)
--- a/internal/domain/provider.go
+++ b/internal/domain/provider.go
@@ -0,0 +1,178 @@
+package domain
+
+type AccessProviderType string
+
+/*
+授权提供商类型常量值。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	AccessProviderType1Panel       = AccessProviderType("1panel")
+	AccessProviderTypeACMEHttpReq  = AccessProviderType("acmehttpreq")
+	AccessProviderTypeAkamai       = AccessProviderType("akamai") // Akamai（预留）
+	AccessProviderTypeAliyun       = AccessProviderType("aliyun")
+	AccessProviderTypeAWS          = AccessProviderType("aws")
+	AccessProviderTypeAzure        = AccessProviderType("azure")
+	AccessProviderTypeBaiduCloud   = AccessProviderType("baiducloud")
+	AccessProviderTypeBaishan      = AccessProviderType("baishan")
+	AccessProviderTypeBaotaPanel   = AccessProviderType("baotapanel")
+	AccessProviderTypeBytePlus     = AccessProviderType("byteplus")
+	AccessProviderTypeCacheFly     = AccessProviderType("cachefly")
+	AccessProviderTypeCdnfly       = AccessProviderType("cdnfly")
+	AccessProviderTypeCloudflare   = AccessProviderType("cloudflare")
+	AccessProviderTypeClouDNS      = AccessProviderType("cloudns")
+	AccessProviderTypeCMCCCloud    = AccessProviderType("cmcccloud")
+	AccessProviderTypeCTCCCloud    = AccessProviderType("ctcccloud") // 联通云（预留）
+	AccessProviderTypeCUCCCloud    = AccessProviderType("cucccloud") // 天翼云（预留）
+	AccessProviderTypeDNSLA        = AccessProviderType("dnsla")
+	AccessProviderTypeDogeCloud    = AccessProviderType("dogecloud")
+	AccessProviderTypeDynv6        = AccessProviderType("dynv6")
+	AccessProviderTypeEdgio        = AccessProviderType("edgio")
+	AccessProviderTypeFastly       = AccessProviderType("fastly") // Fastly（预留）
+	AccessProviderTypeGname        = AccessProviderType("gname")
+	AccessProviderTypeGcore        = AccessProviderType("gcore")
+	AccessProviderTypeGoDaddy      = AccessProviderType("godaddy")
+	AccessProviderTypeGoEdge       = AccessProviderType("goedge") // GoEdge（预留）
+	AccessProviderTypeHuaweiCloud  = AccessProviderType("huaweicloud")
+	AccessProviderTypeJDCloud      = AccessProviderType("jdcloud")
+	AccessProviderTypeKubernetes   = AccessProviderType("k8s")
+	AccessProviderTypeLocal        = AccessProviderType("local")
+	AccessProviderTypeNamecheap    = AccessProviderType("namecheap")
+	AccessProviderTypeNameDotCom   = AccessProviderType("namedotcom")
+	AccessProviderTypeNameSilo     = AccessProviderType("namesilo")
+	AccessProviderTypeNS1          = AccessProviderType("ns1")
+	AccessProviderTypePowerDNS     = AccessProviderType("powerdns")
+	AccessProviderTypeQiniu        = AccessProviderType("qiniu")
+	AccessProviderTypeQingCloud    = AccessProviderType("qingcloud") // 青云（预留）
+	AccessProviderTypeRainYun      = AccessProviderType("rainyun")
+	AccessProviderTypeSafeLine     = AccessProviderType("safeline")
+	AccessProviderTypeSSH          = AccessProviderType("ssh")
+	AccessProviderTypeTencentCloud = AccessProviderType("tencentcloud")
+	AccessProviderTypeUCloud       = AccessProviderType("ucloud")
+	AccessProviderTypeUpyun        = AccessProviderType("upyun")
+	AccessProviderTypeVolcEngine   = AccessProviderType("volcengine")
+	AccessProviderTypeWebhook      = AccessProviderType("webhook")
+	AccessProviderTypeWestcn       = AccessProviderType("westcn")
+)
+
+type ApplyDNSProviderType string
+
+/*
+申请证书 DNS 提供商常量值。
+短横线前的部分始终等于授权提供商类型。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	ApplyDNSProviderTypeACMEHttpReq     = ApplyDNSProviderType("acmehttpreq")
+	ApplyDNSProviderTypeAliyun          = ApplyDNSProviderType("aliyun") // 兼容旧值，等同于 [ApplyDNSProviderTypeAliyunDNS]
+	ApplyDNSProviderTypeAliyunDNS       = ApplyDNSProviderType("aliyun-dns")
+	ApplyDNSProviderTypeAWS             = ApplyDNSProviderType("aws") // 兼容旧值，等同于 [ApplyDNSProviderTypeAWSRoute53]
+	ApplyDNSProviderTypeAWSRoute53      = ApplyDNSProviderType("aws-route53")
+	ApplyDNSProviderTypeAzure           = ApplyDNSProviderType("azure") // 兼容旧值，等同于 [ApplyDNSProviderTypeAzure]
+	ApplyDNSProviderTypeAzureDNS        = ApplyDNSProviderType("azure-dns")
+	ApplyDNSProviderTypeBaiduCloud      = ApplyDNSProviderType("baiducloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeBaiduCloudDNS]
+	ApplyDNSProviderTypeBaiduCloudDNS   = ApplyDNSProviderType("baiducloud-dns")
+	ApplyDNSProviderTypeCloudflare      = ApplyDNSProviderType("cloudflare")
+	ApplyDNSProviderTypeClouDNS         = ApplyDNSProviderType("cloudns")
+	ApplyDNSProviderTypeCMCCCloud       = ApplyDNSProviderType("cmcccloud")
+	ApplyDNSProviderTypeDNSLA           = ApplyDNSProviderType("dnsla")
+	ApplyDNSProviderTypeDynv6           = ApplyDNSProviderType("dynv6")
+	ApplyDNSProviderTypeGcore           = ApplyDNSProviderType("gcore")
+	ApplyDNSProviderTypeGname           = ApplyDNSProviderType("gname")
+	ApplyDNSProviderTypeGoDaddy         = ApplyDNSProviderType("godaddy")
+	ApplyDNSProviderTypeHuaweiCloud     = ApplyDNSProviderType("huaweicloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeHuaweiCloudDNS]
+	ApplyDNSProviderTypeHuaweiCloudDNS  = ApplyDNSProviderType("huaweicloud-dns")
+	ApplyDNSProviderTypeJDCloud         = ApplyDNSProviderType("jdcloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeJDCloudDNS]
+	ApplyDNSProviderTypeJDCloudDNS      = ApplyDNSProviderType("jdcloud-dns")
+	ApplyDNSProviderTypeNamecheap       = ApplyDNSProviderType("namecheap")
+	ApplyDNSProviderTypeNameDotCom      = ApplyDNSProviderType("namedotcom")
+	ApplyDNSProviderTypeNameSilo        = ApplyDNSProviderType("namesilo")
+	ApplyDNSProviderTypeNS1             = ApplyDNSProviderType("ns1")
+	ApplyDNSProviderTypePowerDNS        = ApplyDNSProviderType("powerdns")
+	ApplyDNSProviderTypeRainYun         = ApplyDNSProviderType("rainyun")
+	ApplyDNSProviderTypeTencentCloud    = ApplyDNSProviderType("tencentcloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeTencentCloudDNS]
+	ApplyDNSProviderTypeTencentCloudDNS = ApplyDNSProviderType("tencentcloud-dns")
+	ApplyDNSProviderTypeVolcEngine      = ApplyDNSProviderType("volcengine") // 兼容旧值，等同于 [ApplyDNSProviderTypeVolcEngineDNS]
+	ApplyDNSProviderTypeVolcEngineDNS   = ApplyDNSProviderType("volcengine-dns")
+	ApplyDNSProviderTypeWestcn          = ApplyDNSProviderType("westcn")
+)
+
+type DeployProviderType string
+
+/*
+部署目标提供商常量值。
+短横线前的部分始终等于授权提供商类型。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	DeployProviderType1PanelConsole         = DeployProviderType("1panel-console")
+	DeployProviderType1PanelSite            = DeployProviderType("1panel-site")
+	DeployProviderTypeAliyunALB             = DeployProviderType("aliyun-alb")
+	DeployProviderTypeAliyunCAS             = DeployProviderType("aliyun-cas")
+	DeployProviderTypeAliyunCASDeploy       = DeployProviderType("aliyun-casdeploy")
+	DeployProviderTypeAliyunCDN             = DeployProviderType("aliyun-cdn")
+	DeployProviderTypeAliyunCLB             = DeployProviderType("aliyun-clb")
+	DeployProviderTypeAliyunDCDN            = DeployProviderType("aliyun-dcdn")
+	DeployProviderTypeAliyunESA             = DeployProviderType("aliyun-esa")
+	DeployProviderTypeAliyunFC              = DeployProviderType("aliyun-fc")
+	DeployProviderTypeAliyunLive            = DeployProviderType("aliyun-live")
+	DeployProviderTypeAliyunNLB             = DeployProviderType("aliyun-nlb")
+	DeployProviderTypeAliyunOSS             = DeployProviderType("aliyun-oss")
+	DeployProviderTypeAliyunVOD             = DeployProviderType("aliyun-vod")
+	DeployProviderTypeAliyunWAF             = DeployProviderType("aliyun-waf")
+	DeployProviderTypeAWSACM                = DeployProviderType("aws-acm")
+	DeployProviderTypeAWSCloudFront         = DeployProviderType("aws-cloudfront")
+	DeployProviderTypeAzureKeyVault         = DeployProviderType("azure-keyvault")
+	DeployProviderTypeBaiduCloudCDN         = DeployProviderType("baiducloud-cdn")
+	DeployProviderTypeBaishanCDN            = DeployProviderType("baishan-cdn")
+	DeployProviderTypeBaotaPanelConsole     = DeployProviderType("baotapanel-console")
+	DeployProviderTypeBaotaPanelSite        = DeployProviderType("baotapanel-site")
+	DeployProviderTypeBytePlusCDN           = DeployProviderType("byteplus-cdn")
+	DeployProviderTypeCacheFly              = DeployProviderType("cachefly")
+	DeployProviderTypeCdnfly                = DeployProviderType("cdnfly")
+	DeployProviderTypeDogeCloudCDN          = DeployProviderType("dogecloud-cdn")
+	DeployProviderTypeEdgioApplications     = DeployProviderType("edgio-applications")
+	DeployProviderTypeGcoreCDN              = DeployProviderType("gcore-cdn")
+	DeployProviderTypeHuaweiCloudCDN        = DeployProviderType("huaweicloud-cdn")
+	DeployProviderTypeHuaweiCloudELB        = DeployProviderType("huaweicloud-elb")
+	DeployProviderTypeHuaweiCloudWAF        = DeployProviderType("huaweicloud-waf")
+	DeployProviderTypeJDCloudALB            = DeployProviderType("jdcloud-alb")
+	DeployProviderTypeJDCloudCDN            = DeployProviderType("jdcloud-cdn")
+	DeployProviderTypeJDCloudLive           = DeployProviderType("jdcloud-live")
+	DeployProviderTypeJDCloudVOD            = DeployProviderType("jdcloud-vod")
+	DeployProviderTypeKubernetesSecret      = DeployProviderType("k8s-secret")
+	DeployProviderTypeLocal                 = DeployProviderType("local")
+	DeployProviderTypeQiniuCDN              = DeployProviderType("qiniu-cdn")
+	DeployProviderTypeQiniuKodo             = DeployProviderType("qiniu-kodo")
+	DeployProviderTypeQiniuPili             = DeployProviderType("qiniu-pili")
+	DeployProviderTypeSafeLine              = DeployProviderType("safeline")
+	DeployProviderTypeSSH                   = DeployProviderType("ssh")
+	DeployProviderTypeTencentCloudCDN       = DeployProviderType("tencentcloud-cdn")
+	DeployProviderTypeTencentCloudCLB       = DeployProviderType("tencentcloud-clb")
+	DeployProviderTypeTencentCloudCOS       = DeployProviderType("tencentcloud-cos")
+	DeployProviderTypeTencentCloudCSS       = DeployProviderType("tencentcloud-css")
+	DeployProviderTypeTencentCloudECDN      = DeployProviderType("tencentcloud-ecdn")
+	DeployProviderTypeTencentCloudEO        = DeployProviderType("tencentcloud-eo")
+	DeployProviderTypeTencentCloudSCF       = DeployProviderType("tencentcloud-scf")
+	DeployProviderTypeTencentCloudSSL       = DeployProviderType("tencentcloud-ssl")
+	DeployProviderTypeTencentCloudSSLDeploy = DeployProviderType("tencentcloud-ssldeploy")
+	DeployProviderTypeTencentCloudVOD       = DeployProviderType("tencentcloud-vod")
+	DeployProviderTypeTencentCloudWAF       = DeployProviderType("tencentcloud-waf")
+	DeployProviderTypeUCloudUCDN            = DeployProviderType("ucloud-ucdn")
+	DeployProviderTypeUCloudUS3             = DeployProviderType("ucloud-us3")
+	DeployProviderTypeUpyunCDN              = DeployProviderType("upyun-cdn")
+	DeployProviderTypeUpyunFile             = DeployProviderType("upyun-file")
+	DeployProviderTypeVolcEngineCDN         = DeployProviderType("volcengine-cdn")
+	DeployProviderTypeVolcEngineCLB         = DeployProviderType("volcengine-clb")
+	DeployProviderTypeVolcEngineDCDN        = DeployProviderType("volcengine-dcdn")
+	DeployProviderTypeVolcEngineImageX      = DeployProviderType("volcengine-imagex")
+	DeployProviderTypeVolcEngineLive        = DeployProviderType("volcengine-live")
+	DeployProviderTypeVolcEngineTOS         = DeployProviderType("volcengine-tos")
+	DeployProviderTypeWebhook               = DeployProviderType("webhook")
+)
--- a/internal/domain/settings.go
+++ b/internal/domain/settings.go
@@ -0,0 +1,42 @@
+package domain
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+const CollectionNameSettings = "settings"
+
+type Settings struct {
+	Meta
+	Name    string `json:"name" db:"name"`
+	Content string `json:"content" db:"content"`
+}
+
+type NotifyTemplatesSettingsContent struct {
+	NotifyTemplates []struct {
+		Subject string `json:"subject"`
+		Message string `json:"message"`
+	} `json:"notifyTemplates"`
+}
+
+type NotifyChannelsSettingsContent map[string]map[string]any
+
+func (s *Settings) GetNotifyChannelConfig(channel string) (map[string]any, error) {
+	conf := &NotifyChannelsSettingsContent{}
+	if err := json.Unmarshal([]byte(s.Content), conf); err != nil {
+		return nil, err
+	}
+
+	v, ok := (*conf)[channel]
+	if !ok {
+		return nil, fmt.Errorf("channel \"%s\" not found", channel)
+	}
+
+	return v, nil
+}
+
+type PersistenceSettingsContent struct {
+	WorkflowRunsMaxDaysRetention        int `json:"workflowRunsMaxDaysRetention"`
+	ExpiredCertificatesMaxDaysRetention int `json:"expiredCertificatesMaxDaysRetention"`
+}
--- a/internal/domain/statistics.go
+++ b/internal/domain/statistics.go
@@ -0,0 +1,11 @@
+package domain
+
+type Statistics struct {
+	CertificateTotal      int `json:"certificateTotal"`
+	CertificateExpireSoon int `json:"certificateExpireSoon"`
+	CertificateExpired    int `json:"certificateExpired"`
+
+	WorkflowTotal    int `json:"workflowTotal"`
+	WorkflowEnabled  int `json:"workflowEnabled"`
+	WorkflowDisabled int `json:"workflowDisabled"`
+}
--- a/internal/domain/workflow.go
+++ b/internal/domain/workflow.go
@@ -0,0 +1,184 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/usual2970/certimate/internal/pkg/utils/maputil"
+)
+
+const CollectionNameWorkflow = "workflow"
+
+type Workflow struct {
+	Meta
+	Name          string                `json:"name" db:"name"`
+	Description   string                `json:"description" db:"description"`
+	Trigger       WorkflowTriggerType   `json:"trigger" db:"trigger"`
+	TriggerCron   string                `json:"triggerCron" db:"triggerCron"`
+	Enabled       bool                  `json:"enabled" db:"enabled"`
+	Content       *WorkflowNode         `json:"content" db:"content"`
+	Draft         *WorkflowNode         `json:"draft" db:"draft"`
+	HasDraft      bool                  `json:"hasDraft" db:"hasDraft"`
+	LastRunId     string                `json:"lastRunId" db:"lastRunId"`
+	LastRunStatus WorkflowRunStatusType `json:"lastRunStatus" db:"lastRunStatus"`
+	LastRunTime   time.Time             `json:"lastRunTime" db:"lastRunTime"`
+}
+
+type WorkflowNodeType string
+
+const (
+	WorkflowNodeTypeStart               = WorkflowNodeType("start")
+	WorkflowNodeTypeEnd                 = WorkflowNodeType("end")
+	WorkflowNodeTypeApply               = WorkflowNodeType("apply")
+	WorkflowNodeTypeUpload              = WorkflowNodeType("upload")
+	WorkflowNodeTypeDeploy              = WorkflowNodeType("deploy")
+	WorkflowNodeTypeNotify              = WorkflowNodeType("notify")
+	WorkflowNodeTypeBranch              = WorkflowNodeType("branch")
+	WorkflowNodeTypeCondition           = WorkflowNodeType("condition")
+	WorkflowNodeTypeExecuteResultBranch = WorkflowNodeType("execute_result_branch")
+	WorkflowNodeTypeExecuteSuccess      = WorkflowNodeType("execute_success")
+	WorkflowNodeTypeExecuteFailure      = WorkflowNodeType("execute_failure")
+)
+
+type WorkflowTriggerType string
+
+const (
+	WorkflowTriggerTypeAuto   = WorkflowTriggerType("auto")
+	WorkflowTriggerTypeManual = WorkflowTriggerType("manual")
+)
+
+type WorkflowNode struct {
+	Id   string           `json:"id"`
+	Type WorkflowNodeType `json:"type"`
+	Name string           `json:"name"`
+
+	Config  map[string]any   `json:"config"`
+	Inputs  []WorkflowNodeIO `json:"inputs"`
+	Outputs []WorkflowNodeIO `json:"outputs"`
+
+	Next     *WorkflowNode  `json:"next,omitempty"`
+	Branches []WorkflowNode `json:"branches,omitempty"`
+
+	Validated bool `json:"validated"`
+}
+
+type WorkflowNodeConfigForApply struct {
+	Domains               string         `json:"domains"`               // 域名列表，以半角分号分隔
+	ContactEmail          string         `json:"contactEmail"`          // 联系邮箱
+	ChallengeType         string         `json:"challengeType"`         // TODO: 验证方式。目前仅支持 dns-01
+	Provider              string         `json:"provider"`              // DNS 提供商
+	ProviderAccessId      string         `json:"providerAccessId"`      // DNS 提供商授权记录 ID
+	ProviderConfig        map[string]any `json:"providerConfig"`        // DNS 提供商额外配置
+	KeyAlgorithm          string         `json:"keyAlgorithm"`          // 密钥算法
+	Nameservers           string         `json:"nameservers"`           // DNS 服务器列表，以半角分号分隔
+	DnsPropagationTimeout int32          `json:"dnsPropagationTimeout"` // DNS 传播超时时间（零值取决于提供商的默认值）
+	DnsTTL                int32          `json:"dnsTTL"`                // DNS TTL（零值取决于提供商的默认值）
+	DisableFollowCNAME    bool           `json:"disableFollowCNAME"`    // 是否关闭 CNAME 跟随
+	DisableARI            bool           `json:"disableARI"`            // 是否关闭 ARI
+	SkipBeforeExpiryDays  int32          `json:"skipBeforeExpiryDays"`  // 证书到期前多少天前跳过续期（零值将使用默认值 30）
+}
+
+type WorkflowNodeConfigForUpload struct {
+	Certificate string `json:"certificate"`
+	PrivateKey  string `json:"privateKey"`
+	Domains     string `json:"domains"`
+}
+
+type WorkflowNodeConfigForDeploy struct {
+	Certificate         string         `json:"certificate"`         // 前序节点输出的证书，形如“${NodeId}#certificate”
+	Provider            string         `json:"provider"`            // 主机提供商
+	ProviderAccessId    string         `json:"providerAccessId"`    // 主机提供商授权记录 ID
+	ProviderConfig      map[string]any `json:"providerConfig"`      // 主机提供商额外配置
+	SkipOnLastSucceeded bool           `json:"skipOnLastSucceeded"` // 上次部署成功时是否跳过
+}
+
+type WorkflowNodeConfigForNotify struct {
+	Channel string `json:"channel"` // 通知渠道
+	Subject string `json:"subject"` // 通知主题
+	Message string `json:"message"` // 通知内容
+}
+
+func (n *WorkflowNode) getConfigString(key string) string {
+	return maputil.GetString(n.Config, key)
+}
+
+func (n *WorkflowNode) getConfigBool(key string) bool {
+	return maputil.GetBool(n.Config, key)
+}
+
+func (n *WorkflowNode) getConfigInt32(key string) int32 {
+	return maputil.GetInt32(n.Config, key)
+}
+
+func (n *WorkflowNode) getConfigMap(key string) map[string]any {
+	if val, ok := n.Config[key]; ok {
+		if result, ok := val.(map[string]any); ok {
+			return result
+		}
+	}
+
+	return make(map[string]any)
+}
+
+func (n *WorkflowNode) GetConfigForApply() WorkflowNodeConfigForApply {
+	skipBeforeExpiryDays := n.getConfigInt32("skipBeforeExpiryDays")
+	if skipBeforeExpiryDays == 0 {
+		skipBeforeExpiryDays = 30
+	}
+
+	return WorkflowNodeConfigForApply{
+		Domains:               n.getConfigString("domains"),
+		ContactEmail:          n.getConfigString("contactEmail"),
+		Provider:              n.getConfigString("provider"),
+		ProviderAccessId:      n.getConfigString("providerAccessId"),
+		ProviderConfig:        n.getConfigMap("providerConfig"),
+		KeyAlgorithm:          n.getConfigString("keyAlgorithm"),
+		Nameservers:           n.getConfigString("nameservers"),
+		DnsPropagationTimeout: n.getConfigInt32("dnsPropagationTimeout"),
+		DnsTTL:                n.getConfigInt32("dnsTTL"),
+		DisableFollowCNAME:    n.getConfigBool("disableFollowCNAME"),
+		DisableARI:            n.getConfigBool("disableARI"),
+		SkipBeforeExpiryDays:  skipBeforeExpiryDays,
+	}
+}
+
+func (n *WorkflowNode) GetConfigForUpload() WorkflowNodeConfigForUpload {
+	return WorkflowNodeConfigForUpload{
+		Certificate: n.getConfigString("certificate"),
+		PrivateKey:  n.getConfigString("privateKey"),
+		Domains:     n.getConfigString("domains"),
+	}
+}
+
+func (n *WorkflowNode) GetConfigForDeploy() WorkflowNodeConfigForDeploy {
+	return WorkflowNodeConfigForDeploy{
+		Certificate:         n.getConfigString("certificate"),
+		Provider:            n.getConfigString("provider"),
+		ProviderAccessId:    n.getConfigString("providerAccessId"),
+		ProviderConfig:      n.getConfigMap("providerConfig"),
+		SkipOnLastSucceeded: n.getConfigBool("skipOnLastSucceeded"),
+	}
+}
+
+func (n *WorkflowNode) GetConfigForNotify() WorkflowNodeConfigForNotify {
+	return WorkflowNodeConfigForNotify{
+		Channel: n.getConfigString("channel"),
+		Subject: n.getConfigString("subject"),
+		Message: n.getConfigString("message"),
+	}
+}
+
+type WorkflowNodeIO struct {
+	Label         string                      `json:"label"`
+	Name          string                      `json:"name"`
+	Type          string                      `json:"type"`
+	Required      bool                        `json:"required"`
+	Value         any                         `json:"value"`
+	ValueSelector WorkflowNodeIOValueSelector `json:"valueSelector"`
+}
+
+type WorkflowNodeIOValueSelector struct {
+	Id   string `json:"id"`
+	Name string `json:"name"`
+}
+
+const WorkflowNodeIONameCertificate string = "certificate"
--- a/internal/domain/workflow_log.go
+++ b/internal/domain/workflow_log.go
@@ -0,0 +1,30 @@
+package domain
+
+import "strings"
+
+const CollectionNameWorkflowLog = "workflow_logs"
+
+type WorkflowLog struct {
+	Meta
+	WorkflowId string         `json:"workflowId" db:"workflowId"`
+	RunId      string         `json:"workflorunIdwId" db:"runId"`
+	NodeId     string         `json:"nodeId" db:"nodeId"`
+	NodeName   string         `json:"nodeName" db:"nodeName"`
+	Timestamp  int64          `json:"timestamp" db:"timestamp"` // 毫秒级时间戳
+	Level      string         `json:"level" db:"level"`
+	Message    string         `json:"message" db:"message"`
+	Data       map[string]any `json:"data" db:"data"`
+}
+
+type WorkflowLogs []WorkflowLog
+
+func (r WorkflowLogs) ErrorString() string {
+	var builder strings.Builder
+	for _, log := range r {
+		if log.Level == "ERROR" {
+			builder.WriteString(log.Message)
+			builder.WriteString("\n")
+		}
+	}
+	return strings.TrimSpace(builder.String())
+}
--- a/internal/domain/workflow_output.go
+++ b/internal/domain/workflow_output.go
@@ -0,0 +1,13 @@
+package domain
+
+const CollectionNameWorkflowOutput = "workflow_output"
+
+type WorkflowOutput struct {
+	Meta
+	WorkflowId string           `json:"workflowId" db:"workflow"`
+	RunId      string           `json:"runId" db:"runId"`
+	NodeId     string           `json:"nodeId" db:"nodeId"`
+	Node       *WorkflowNode    `json:"node" db:"node"`
+	Outputs    []WorkflowNodeIO `json:"outputs" db:"outputs"`
+	Succeeded  bool             `json:"succeeded" db:"succeeded"`
+}
--- a/internal/domain/workflow_run.go
+++ b/internal/domain/workflow_run.go
@@ -0,0 +1,28 @@
+package domain
+
+import (
+	"time"
+)
+
+const CollectionNameWorkflowRun = "workflow_run"
+
+type WorkflowRun struct {
+	Meta
+	WorkflowId string                `json:"workflowId" db:"workflowId"`
+	Status     WorkflowRunStatusType `json:"status" db:"status"`
+	Trigger    WorkflowTriggerType   `json:"trigger" db:"trigger"`
+	StartedAt  time.Time             `json:"startedAt" db:"startedAt"`
+	EndedAt    time.Time             `json:"endedAt" db:"endedAt"`
+	Detail     *WorkflowNode         `json:"detail" db:"detail"`
+	Error      string                `json:"error" db:"error"`
+}
+
+type WorkflowRunStatusType string
+
+const (
+	WorkflowRunStatusTypePending   WorkflowRunStatusType = "pending"
+	WorkflowRunStatusTypeRunning   WorkflowRunStatusType = "running"
+	WorkflowRunStatusTypeSucceeded WorkflowRunStatusType = "succeeded"
+	WorkflowRunStatusTypeFailed    WorkflowRunStatusType = "failed"
+	WorkflowRunStatusTypeCanceled  WorkflowRunStatusType = "canceled"
+)
--- a/internal/domains/deploy.go
+++ b/internal/domains/deploy.go
@@ -1,123 +0,0 @@
-package domains
-
-import (
-	"certimate/internal/applicant"
-	"certimate/internal/deployer"
-	"certimate/internal/utils/app"
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/pocketbase/pocketbase/models"
-)
-
-type Phase string
-
-const (
-	checkPhase  Phase = "check"
-	applyPhase  Phase = "apply"
-	deployPhase Phase = "deploy"
-)
-
-func deploy(ctx context.Context, record *models.Record) error {
-	defer func() {
-		if r := recover(); r != nil {
-			app.GetApp().Logger().Error("部署失败", "err", r)
-		}
-	}()
-	var certificate *applicant.Certificate
-
-	history := NewHistory(record)
-	defer history.commit()
-
-	// ############1.检查域名配置
-	history.record(checkPhase, "开始检查", nil)
-
-	currRecord, err := app.GetApp().Dao().FindRecordById("domains", record.Id)
-	if err != nil {
-		app.GetApp().Logger().Error("获取记录失败", "err", err)
-		history.record(checkPhase, "获取域名配置失败", &RecordInfo{Err: err})
-		return err
-	}
-	history.record(checkPhase, "获取记录成功", nil)
-	if errs := app.GetApp().Dao().ExpandRecord(currRecord, []string{"access", "targetAccess", "group"}, nil); len(errs) > 0 {
-
-		errList := make([]error, 0)
-		for name, err := range errs {
-			errList = append(errList, fmt.Errorf("展开记录失败,%s: %w", name, err))
-		}
-		err = errors.Join(errList...)
-		app.GetApp().Logger().Error("展开记录失败", "err", err)
-		history.record(checkPhase, "获取授权信息失败", &RecordInfo{Err: err})
-		return err
-	}
-	history.record(checkPhase, "获取授权信息成功", nil)
-
-	cert := currRecord.GetString("certificate")
-	expiredAt := currRecord.GetDateTime("expiredAt").Time()
-
-	if cert != "" && time.Until(expiredAt) > time.Hour*24*10 && currRecord.GetBool("deployed") {
-		app.GetApp().Logger().Info("证书在有效期内")
-		history.record(checkPhase, "证书在有效期内且已部署，跳过", &RecordInfo{
-			Info: []string{fmt.Sprintf("证书有效期至 %s", expiredAt.Format("2006-01-02"))},
-		}, true)
-		return err
-	}
-	history.record(checkPhase, "检查通过", nil, true)
-
-	// ############2.申请证书
-	history.record(applyPhase, "开始申请", nil)
-
-	if cert != "" && time.Until(expiredAt) > time.Hour*24 {
-		history.record(applyPhase, "证书在有效期内，跳过", &RecordInfo{
-			Info: []string{fmt.Sprintf("证书有效期至 %s", expiredAt.Format("2006-01-02"))},
-		})
-	} else {
-		applicant, err := applicant.Get(currRecord)
-		if err != nil {
-			history.record(applyPhase, "获取applicant失败", &RecordInfo{Err: err})
-			app.GetApp().Logger().Error("获取applicant失败", "err", err)
-			return err
-		}
-		certificate, err = applicant.Apply()
-		if err != nil {
-			history.record(applyPhase, "申请证书失败", &RecordInfo{Err: err})
-			app.GetApp().Logger().Error("申请证书失败", "err", err)
-			return err
-		}
-		history.record(applyPhase, "申请证书成功", &RecordInfo{
-			Info: []string{fmt.Sprintf("证书地址: %s", certificate.CertUrl)},
-		})
-		history.setCert(certificate)
-	}
-
-	history.record(applyPhase, "保存证书成功", nil, true)
-
-	// ############3.部署证书
-	history.record(deployPhase, "开始部署", nil, false)
-	deployers, err := deployer.Gets(currRecord, certificate)
-	if err != nil {
-		history.record(deployPhase, "获取deployer失败", &RecordInfo{Err: err})
-		app.GetApp().Logger().Error("获取deployer失败", "err", err)
-		return err
-	}
-
-	for _, deployer := range deployers {
-		if err = deployer.Deploy(ctx); err != nil {
-
-			app.GetApp().Logger().Error("部署失败", "err", err)
-			history.record(deployPhase, "部署失败", &RecordInfo{Err: err, Info: deployer.GetInfo()})
-			return err
-		}
-		history.record(deployPhase, fmt.Sprintf("[%s]-部署成功", deployer.GetID()), &RecordInfo{
-			Info: deployer.GetInfo(),
-		}, false)
-
-	}
-
-	app.GetApp().Logger().Info("部署成功")
-	history.record(deployPhase, "部署成功", nil, true)
-
-	return nil
-}
--- a/internal/domains/domains.go
+++ b/internal/domains/domains.go
@@ -1,82 +0,0 @@
-package domains
-
-import (
-	"certimate/internal/utils/app"
-	"context"
-	"fmt"
-
-	"github.com/pocketbase/pocketbase/models"
-)
-
-func create(ctx context.Context, record *models.Record) error {
-	if !record.GetBool("enabled") {
-		return nil
-	}
-
-	if record.GetBool("rightnow") {
-		go func() {
-			if err := deploy(ctx, record); err != nil {
-				app.GetApp().Logger().Error("deploy failed", "err", err)
-			}
-		}()
-
-	}
-
-	scheduler := app.GetScheduler()
-
-	err := scheduler.Add(record.Id, record.GetString("crontab"), func() {
-		deploy(ctx, record)
-	})
-
-	if err != nil {
-		app.GetApp().Logger().Error("add cron job failed", "err", err)
-		return fmt.Errorf("add cron job failed: %w", err)
-	}
-	app.GetApp().Logger().Error("add cron job failed", "domain", record.GetString("domain"))
-
-	scheduler.Start()
-	return nil
-}
-
-func update(ctx context.Context, record *models.Record) error {
-	scheduler := app.GetScheduler()
-	scheduler.Remove(record.Id)
-	if !record.GetBool("enabled") {
-		return nil
-	}
-
-	if record.GetBool("rightnow") {
-
-		go func() {
-			if err := deploy(ctx, record); err != nil {
-				app.GetApp().Logger().Error("deploy failed", "err", err)
-			}
-		}()
-	}
-
-	err := scheduler.Add(record.Id, record.GetString("crontab"), func() {
-		deploy(ctx, record)
-	})
-
-	if err != nil {
-		app.GetApp().Logger().Error("update cron job failed", "err", err)
-		return fmt.Errorf("update cron job failed: %w", err)
-	}
-	app.GetApp().Logger().Info("update cron job success", "domain", record.GetString("domain"))
-
-	scheduler.Start()
-	return nil
-}
-
-func delete(_ context.Context, record *models.Record) error {
-	scheduler := app.GetScheduler()
-
-	scheduler.Remove(record.Id)
-	scheduler.Start()
-	return nil
-}
-
-func setRightnow(ctx context.Context, record *models.Record, ok bool) error {
-	record.Set("rightnow", ok)
-	return app.GetApp().Dao().SaveRecord(record)
-}
--- a/internal/domains/event.go
+++ b/internal/domains/event.go
@@ -1,27 +0,0 @@
-package domains
-
-import (
-	"certimate/internal/utils/app"
-
-	"github.com/pocketbase/pocketbase/core"
-)
-
-const tableName = "domains"
-
-func AddEvent() error {
-	app := app.GetApp()
-
-	app.OnRecordAfterCreateRequest(tableName).Add(func(e *core.RecordCreateEvent) error {
-		return create(e.HttpContext.Request().Context(), e.Record)
-	})
-
-	app.OnRecordAfterUpdateRequest(tableName).Add(func(e *core.RecordUpdateEvent) error {
-		return update(e.HttpContext.Request().Context(), e.Record)
-	})
-
-	app.OnRecordAfterDeleteRequest(tableName).Add(func(e *core.RecordDeleteEvent) error {
-		return delete(e.HttpContext.Request().Context(), e.Record)
-	})
-
-	return nil
-}
--- a/internal/domains/history.go
+++ b/internal/domains/history.go
@@ -1,116 +0,0 @@
-package domains
-
-import (
-	"certimate/internal/applicant"
-	"certimate/internal/utils/app"
-	"certimate/internal/utils/xtime"
-	"time"
-
-	"github.com/pocketbase/pocketbase/models"
-)
-
-type historyItem struct {
-	Time    string   `json:"time"`
-	Message string   `json:"message"`
-	Error   string   `json:"error"`
-	Info    []string `json:"info"`
-}
-
-type RecordInfo struct {
-	Err  error    `json:"err"`
-	Info []string `json:"info"`
-}
-
-type history struct {
-	Domain       string                  `json:"domain"`
-	Log          map[Phase][]historyItem `json:"log"`
-	Phase        Phase                   `json:"phase"`
-	PhaseSuccess bool                    `json:"phaseSuccess"`
-	DeployedAt   string                  `json:"deployedAt"`
-	Cert         *applicant.Certificate  `json:"cert"`
-}
-
-func NewHistory(record *models.Record) *history {
-	return &history{
-		Domain:       record.Id,
-		DeployedAt:   time.Now().UTC().Format("2006-01-02T15:04:05Z"),
-		Log:          make(map[Phase][]historyItem),
-		Phase:        checkPhase,
-		PhaseSuccess: false,
-	}
-}
-
-func (a *history) record(phase Phase, msg string, info *RecordInfo, pass ...bool) {
-	if info == nil {
-		info = &RecordInfo{}
-	}
-	a.Phase = phase
-	if len(pass) > 0 {
-		a.PhaseSuccess = pass[0]
-	}
-
-	errMsg := ""
-	if info.Err != nil {
-		errMsg = info.Err.Error()
-		a.PhaseSuccess = false
-	}
-
-	a.Log[phase] = append(a.Log[phase], historyItem{
-		Message: msg,
-		Error:   errMsg,
-		Info:    info.Info,
-		Time:    xtime.BeijingTimeStr(),
-	})
-
-}
-
-func (a *history) setCert(cert *applicant.Certificate) {
-	a.Cert = cert
-}
-
-func (a *history) commit() error {
-	collection, err := app.GetApp().Dao().FindCollectionByNameOrId("deployments")
-	if err != nil {
-		return err
-	}
-
-	record := models.NewRecord(collection)
-
-	record.Set("domain", a.Domain)
-	record.Set("deployedAt", a.DeployedAt)
-	record.Set("log", a.Log)
-	record.Set("phase", string(a.Phase))
-	record.Set("phaseSuccess", a.PhaseSuccess)
-
-	if err := app.GetApp().Dao().SaveRecord(record); err != nil {
-		return err
-	}
-
-	domainRecord, err := app.GetApp().Dao().FindRecordById("domains", a.Domain)
-	if err != nil {
-		return err
-	}
-
-	domainRecord.Set("lastDeployedAt", a.DeployedAt)
-	domainRecord.Set("lastDeployment", record.Id)
-	domainRecord.Set("rightnow", false)
-	if a.Phase == deployPhase && a.PhaseSuccess {
-		domainRecord.Set("deployed", true)
-	}
-	cert := a.Cert
-	if cert != nil {
-		domainRecord.Set("certUrl", cert.CertUrl)
-		domainRecord.Set("certStableUrl", cert.CertStableUrl)
-		domainRecord.Set("privateKey", cert.PrivateKey)
-		domainRecord.Set("certificate", cert.Certificate)
-		domainRecord.Set("issuerCertificate", cert.IssuerCertificate)
-		domainRecord.Set("csr", cert.Csr)
-		domainRecord.Set("expiredAt", time.Now().Add(time.Hour*24*90))
-	}
-
-	if err := app.GetApp().Dao().SaveRecord(domainRecord); err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/internal/domains/init.go
+++ b/internal/domains/init.go
@@ -1,32 +0,0 @@
-package domains
-
-import (
-	"certimate/internal/utils/app"
-	"context"
-)
-
-func InitSchedule() {
-	// 查询所有启用的域名
-	records, err := app.GetApp().Dao().FindRecordsByFilter("domains", "enabled=true", "-id", 500, 0)
-	if err != nil {
-		app.GetApp().Logger().Error("查询所有启用的域名失败", "err", err)
-		return
-	}
-
-	// 加入到定时任务
-	for _, record := range records {
-		if err := app.GetScheduler().Add(record.Id, record.GetString("crontab"), func() {
-			if err := deploy(context.Background(), record); err != nil {
-				app.GetApp().Logger().Error("部署失败", "err", err)
-				return
-			}
-		}); err != nil {
-			app.GetApp().Logger().Error("加入到定时任务失败", "err", err)
-		}
-	}
-
-	// 启动定时任务
-	app.GetScheduler().Start()
-	app.GetApp().Logger().Info("定时任务启动成功", "total", app.GetScheduler().Total())
-
-}
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -0,0 +1,78 @@
+package notify
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"golang.org/x/sync/errgroup"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/notifier"
+	"github.com/usual2970/certimate/internal/pkg/utils/maputil"
+	"github.com/usual2970/certimate/internal/repository"
+)
+
+func SendToAllChannels(subject, message string) error {
+	notifiers, err := getEnabledNotifiers()
+	if err != nil {
+		return err
+	}
+	if len(notifiers) == 0 {
+		return nil
+	}
+
+	var eg errgroup.Group
+	for _, n := range notifiers {
+		if n == nil {
+			continue
+		}
+
+		eg.Go(func() error {
+			_, err := n.Notify(context.Background(), subject, message)
+			return err
+		})
+	}
+
+	err = eg.Wait()
+	return err
+}
+
+func SendToChannel(subject, message string, channel string, channelConfig map[string]any) error {
+	notifier, err := createNotifier(domain.NotifyChannelType(channel), channelConfig)
+	if err != nil {
+		return err
+	}
+
+	_, err = notifier.Notify(context.Background(), subject, message)
+	return err
+}
+
+func getEnabledNotifiers() ([]notifier.Notifier, error) {
+	settingsRepo := repository.NewSettingsRepository()
+	settings, err := settingsRepo.GetByName(context.Background(), "notifyChannels")
+	if err != nil {
+		return nil, fmt.Errorf("find notifyChannels error: %w", err)
+	}
+
+	rs := make(map[string]map[string]any)
+	if err := json.Unmarshal([]byte(settings.Content), &rs); err != nil {
+		return nil, fmt.Errorf("unmarshal notifyChannels error: %w", err)
+	}
+
+	notifiers := make([]notifier.Notifier, 0)
+	for k, v := range rs {
+		if !maputil.GetBool(v, "enabled") {
+			continue
+		}
+
+		notifier, err := createNotifier(domain.NotifyChannelType(k), v)
+		if err != nil {
+			continue
+		}
+
+		notifiers = append(notifiers, notifier)
+	}
+
+	return notifiers, nil
+}
--- a/internal/notify/providers.go
+++ b/internal/notify/providers.go
@@ -0,0 +1,77 @@
+package notify
+
+import (
+	"fmt"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/pkg/core/notifier"
+	pBark "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/bark"
+	pDingTalk "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/dingtalk"
+	pEmail "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/email"
+	pLark "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/lark"
+	pServerChan "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/serverchan"
+	pTelegram "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/telegram"
+	pWebhook "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/webhook"
+	pWeCom "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/wecom"
+	"github.com/usual2970/certimate/internal/pkg/utils/maputil"
+)
+
+func createNotifier(channel domain.NotifyChannelType, channelConfig map[string]any) (notifier.Notifier, error) {
+	/*
+	  注意：如果追加新的常量值，请保持以 ASCII 排序。
+	  NOTICE: If you add new constant, please keep ASCII order.
+	*/
+	switch channel {
+	case domain.NotifyChannelTypeBark:
+		return pBark.NewNotifier(&pBark.NotifierConfig{
+			DeviceKey: maputil.GetString(channelConfig, "deviceKey"),
+			ServerUrl: maputil.GetString(channelConfig, "serverUrl"),
+		})
+
+	case domain.NotifyChannelTypeDingTalk:
+		return pDingTalk.NewNotifier(&pDingTalk.NotifierConfig{
+			AccessToken: maputil.GetString(channelConfig, "accessToken"),
+			Secret:      maputil.GetString(channelConfig, "secret"),
+		})
+
+	case domain.NotifyChannelTypeEmail:
+		return pEmail.NewNotifier(&pEmail.NotifierConfig{
+			SmtpHost:        maputil.GetString(channelConfig, "smtpHost"),
+			SmtpPort:        maputil.GetInt32(channelConfig, "smtpPort"),
+			SmtpTLS:         maputil.GetOrDefaultBool(channelConfig, "smtpTLS", true),
+			Username:        maputil.GetOrDefaultString(channelConfig, "username", maputil.GetString(channelConfig, "senderAddress")),
+			Password:        maputil.GetString(channelConfig, "password"),
+			SenderAddress:   maputil.GetString(channelConfig, "senderAddress"),
+			ReceiverAddress: maputil.GetString(channelConfig, "receiverAddress"),
+		})
+
+	case domain.NotifyChannelTypeLark:
+		return pLark.NewNotifier(&pLark.NotifierConfig{
+			WebhookUrl: maputil.GetString(channelConfig, "webhookUrl"),
+		})
+
+	case domain.NotifyChannelTypeServerChan:
+		return pServerChan.NewNotifier(&pServerChan.NotifierConfig{
+			Url: maputil.GetString(channelConfig, "url"),
+		})
+
+	case domain.NotifyChannelTypeTelegram:
+		return pTelegram.NewNotifier(&pTelegram.NotifierConfig{
+			ApiToken: maputil.GetString(channelConfig, "apiToken"),
+			ChatId:   maputil.GetInt64(channelConfig, "chatId"),
+		})
+
+	case domain.NotifyChannelTypeWebhook:
+		return pWebhook.NewNotifier(&pWebhook.NotifierConfig{
+			Url:                      maputil.GetString(channelConfig, "url"),
+			AllowInsecureConnections: maputil.GetBool(channelConfig, "allowInsecureConnections"),
+		})
+
+	case domain.NotifyChannelTypeWeCom:
+		return pWeCom.NewNotifier(&pWeCom.NotifierConfig{
+			WebhookUrl: maputil.GetString(channelConfig, "webhookUrl"),
+		})
+	}
+
+	return nil, fmt.Errorf("unsupported notifier channel: %s", channelConfig)
+}
--- a/internal/notify/service.go
+++ b/internal/notify/service.go
@@ -0,0 +1,42 @@
+package notify
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/usual2970/certimate/internal/domain"
+	"github.com/usual2970/certimate/internal/domain/dtos"
+)
+
+const (
+	notifyTestTitle = "测试通知"
+	notifyTestBody  = "欢迎使用 Certimate ，这是一条测试通知。"
+)
+
+type settingsRepository interface {
+	GetByName(ctx context.Context, name string) (*domain.Settings, error)
+}
+
+type NotifyService struct {
+	settingsRepo settingsRepository
+}
+
+func NewNotifyService(settingsRepo settingsRepository) *NotifyService {
+	return &NotifyService{
+		settingsRepo: settingsRepo,
+	}
+}
+
+func (n *NotifyService) Test(ctx context.Context, req *dtos.NotifyTestPushReq) error {
+	settings, err := n.settingsRepo.GetByName(ctx, "notifyChannels")
+	if err != nil {
+		return fmt.Errorf("failed to get notify channels settings: %w", err)
+	}
+
+	channelConfig, err := settings.GetNotifyChannelConfig(string(req.Channel))
+	if err != nil {
+		return fmt.Errorf("failed to get notify channel \"%s\" config: %w", req.Channel, err)
+	}
+
+	return SendToChannel(notifyTestTitle, notifyTestBody, string(req.Channel), channelConfig)
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/acmehttpreq/acmehttpreq.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/acmehttpreq/acmehttpreq.go
@@ -0,0 +1,40 @@
+package acmehttpreq
+
+import (
+	"net/url"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/httpreq"
+)
+
+type ChallengeProviderConfig struct {
+	Endpoint              string `json:"endpoint"`
+	Mode                  string `json:"mode"`
+	Username              string `json:"username"`
+	Password              string `json:"password"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	endpoint, _ := url.Parse(config.Endpoint)
+	providerConfig := httpreq.NewDefaultConfig()
+	providerConfig.Endpoint = endpoint
+	providerConfig.Mode = config.Mode
+	providerConfig.Username = config.Username
+	providerConfig.Password = config.Password
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+
+	provider, err := httpreq.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/aliyun/aliyun.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/aliyun/aliyun.go
@@ -0,0 +1,38 @@
+package aliyun
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/alidns"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	AccessKeySecret       string `json:"accessKeySecret"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := alidns.NewDefaultConfig()
+	providerConfig.APIKey = config.AccessKeyId
+	providerConfig.SecretKey = config.AccessKeySecret
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := alidns.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/aws-route53/aws-route53.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/aws-route53/aws-route53.go
@@ -0,0 +1,42 @@
+package awsroute53
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/route53"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	SecretAccessKey       string `json:"secretAccessKey"`
+	Region                string `json:"region"`
+	HostedZoneId          string `json:"hostedZoneId"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := route53.NewDefaultConfig()
+	providerConfig.AccessKeyID = config.AccessKeyId
+	providerConfig.SecretAccessKey = config.SecretAccessKey
+	providerConfig.Region = config.Region
+	providerConfig.HostedZoneID = config.HostedZoneId
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := route53.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/azure-dns/azure-dns.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/azure-dns/azure-dns.go
@@ -0,0 +1,50 @@
+package azuredns
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/azuredns"
+
+	azcommon "github.com/usual2970/certimate/internal/pkg/vendors/azure-sdk/common"
+)
+
+type ChallengeProviderConfig struct {
+	TenantId              string `json:"tenantId"`
+	ClientId              string `json:"clientId"`
+	ClientSecret          string `json:"clientSecret"`
+	CloudName             string `json:"cloudName,omitempty"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := azuredns.NewDefaultConfig()
+	providerConfig.TenantID = config.TenantId
+	providerConfig.ClientID = config.ClientId
+	providerConfig.ClientSecret = config.ClientSecret
+	if config.CloudName != "" {
+		env, err := azcommon.GetCloudEnvironmentConfiguration(config.CloudName)
+		if err != nil {
+			return nil, err
+		}
+		providerConfig.Environment = env
+	}
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := azuredns.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/baiducloud.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/baiducloud.go
@@ -0,0 +1,39 @@
+package baiducloud
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	internal "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/internal"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	SecretAccessKey       string `json:"secretAccessKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.AccessKeyID = config.AccessKeyId
+	providerConfig.SecretAccessKey = config.SecretAccessKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = config.DnsTTL
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud/internal/lego.go
@@ -0,0 +1,204 @@
+package lego_baiducloud
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	bceDns "github.com/baidubce/bce-sdk-go/services/dns"
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/google/uuid"
+)
+
+const (
+	envNamespace = "BAIDUCLOUD_"
+
+	EnvAccessKeyID     = envNamespace + "ACCESS_KEY_ID"
+	EnvSecretAccessKey = envNamespace + "SECRET_ACCESS_KEY"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	AccessKeyID     string
+	SecretAccessKey string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int32
+	HTTPTimeout        time.Duration
+}
+
+type DNSProvider struct {
+	client *bceDns.Client
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                int32(env.GetOrDefaultInt(EnvTTL, 300)),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPTimeout:        env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAccessKeyID, EnvSecretAccessKey)
+	if err != nil {
+		return nil, fmt.Errorf("baiducloud: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.AccessKeyID = values[EnvAccessKeyID]
+	config.SecretAccessKey = values[EnvSecretAccessKey]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("baiducloud: the configuration of the DNS provider is nil")
+	}
+
+	client, err := bceDns.NewClient(config.AccessKeyID, config.SecretAccessKey, "")
+	if err != nil {
+		return nil, err
+	} else {
+		if client.Config != nil {
+			client.Config.ConnectionTimeoutInMillis = int(config.HTTPTimeout.Milliseconds())
+		}
+	}
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(authZone), subDomain, info.Value); err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	if err := d.removeDNSRecord(dns01.UnFqdn(authZone), subDomain); err != nil {
+		return fmt.Errorf("baiducloud: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDNSRecord(zoneName, subDomain string) (*bceDns.Record, error) {
+	pageMarker := ""
+	pageSize := 1000
+	for {
+		request := &bceDns.ListRecordRequest{}
+		request.Rr = subDomain
+		request.Marker = pageMarker
+		request.MaxKeys = pageSize
+
+		response, err := d.client.ListRecord(zoneName, request)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, record := range response.Records {
+			if record.Type == "TXT" && record.Rr == subDomain {
+				return &record, nil
+			}
+		}
+
+		if len(response.Records) < pageSize {
+			break
+		}
+
+		pageMarker = response.NextMarker
+	}
+
+	return nil, nil
+}
+
+func (d *DNSProvider) addOrUpdateDNSRecord(zoneName, subDomain, value string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		request := &bceDns.CreateRecordRequest{
+			Type:  "TXT",
+			Rr:    subDomain,
+			Value: value,
+			Ttl:   &d.config.TTL,
+		}
+		err := d.client.CreateRecord(zoneName, request, d.generateClientToken())
+		return err
+	} else {
+		request := &bceDns.UpdateRecordRequest{
+			Type:  "TXT",
+			Rr:    subDomain,
+			Value: value,
+			Ttl:   &d.config.TTL,
+		}
+		err := d.client.UpdateRecord(zoneName, record.Id, request, d.generateClientToken())
+		return err
+	}
+}
+
+func (d *DNSProvider) removeDNSRecord(zoneName, subDomain string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		return nil
+	} else {
+		err = d.client.DeleteRecord(zoneName, record.Id, d.generateClientToken())
+		return err
+	}
+}
+
+func (d *DNSProvider) generateClientToken() string {
+	return strings.ReplaceAll(uuid.New().String(), "-", "")
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare/cloudflare.go
@@ -0,0 +1,36 @@
+package cloudflare
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/cloudflare"
+)
+
+type ChallengeProviderConfig struct {
+	DnsApiToken           string `json:"dnsApiToken"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := cloudflare.NewDefaultConfig()
+	providerConfig.AuthToken = config.DnsApiToken
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := cloudflare.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudns/cloudns.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudns/cloudns.go
@@ -0,0 +1,38 @@
+package cloudns
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/cloudns"
+)
+
+type ChallengeProviderConfig struct {
+	AuthId                string `json:"authId"`
+	AuthPassword          string `json:"authPassword"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := cloudns.NewDefaultConfig()
+	providerConfig.AuthID = config.AuthId
+	providerConfig.AuthPassword = config.AuthPassword
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := cloudns.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud/cmcccloud.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud/cmcccloud.go
@@ -0,0 +1,40 @@
+package cmcccloud
+
+import (
+	"errors"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	"github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud/internal"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	AccessKeySecret       string `json:"accessKeySecret"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		return nil, errors.New("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.AccessKey = config.AccessKeyId
+	providerConfig.SecretKey = config.AccessKeySecret
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = config.DnsTTL
+	}
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud/internal/lego.go
@@ -0,0 +1,221 @@
+package internal
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"gitlab.ecloud.com/ecloud/ecloudsdkclouddns"
+	"gitlab.ecloud.com/ecloud/ecloudsdkclouddns/model"
+	"gitlab.ecloud.com/ecloud/ecloudsdkcore/config"
+)
+
+const (
+	envNamespace = "CMCCCLOUD_"
+
+	EnvAccessKey          = envNamespace + "ACCESS_KEY"
+	EnvSecretKey          = envNamespace + "SECRET_KEY"
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvReadTimeOut        = envNamespace + "READ_TIMEOUT"
+	EnvConnectTimeout     = envNamespace + "CONNECT_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	AccessKey          string
+	SecretKey          string
+	ReadTimeOut        int
+	ConnectTimeout     int
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int32
+}
+
+type DNSProvider struct {
+	client *ecloudsdkclouddns.Client
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		ReadTimeOut:        env.GetOrDefaultInt(EnvReadTimeOut, 30),
+		ConnectTimeout:     env.GetOrDefaultInt(EnvConnectTimeout, 30),
+		TTL:                int32(env.GetOrDefaultInt(EnvTTL, 600)),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAccessKey, EnvSecretKey)
+	if err != nil {
+		return nil, fmt.Errorf("cmccecloud: %w", err)
+	}
+
+	cfg := NewDefaultConfig()
+	cfg.AccessKey = values[EnvAccessKey]
+	cfg.SecretKey = values[EnvSecretKey]
+
+	return NewDNSProviderConfig(cfg)
+}
+
+func NewDNSProviderConfig(cfg *Config) (*DNSProvider, error) {
+	if cfg == nil {
+		return nil, errors.New("cmccecloud: the configuration of the DNS provider is nil")
+	}
+
+	client := ecloudsdkclouddns.NewClient(&config.Config{
+		AccessKey: cfg.AccessKey,
+		SecretKey: cfg.SecretKey,
+		// 资源池常量见: https://ecloud.10086.cn/op-help-center/doc/article/54462
+		// 默认全局
+		PoolId:         "CIDC-CORE-00",
+		ReadTimeOut:    cfg.ReadTimeOut,
+		ConnectTimeout: cfg.ConnectTimeout,
+	})
+
+	return &DNSProvider{
+		client: client,
+		config: cfg,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	zoneName, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("cmccecloud: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, zoneName)
+	if err != nil {
+		return fmt.Errorf("cmccecloud: %w", err)
+	}
+
+	readDomain := strings.Trim(zoneName, ".")
+	record, err := d.getDomainRecord(readDomain, subDomain)
+	if err != nil {
+		return err
+	}
+	if record == nil {
+		// add new record
+		resp, err := d.client.CreateRecordOpenapi(&model.CreateRecordOpenapiRequest{
+			CreateRecordOpenapiBody: &model.CreateRecordOpenapiBody{
+				LineId:      "0", // 默认线路
+				Rr:          subDomain,
+				DomainName:  readDomain,
+				Description: "from certimate",
+				Type:        model.CreateRecordOpenapiBodyTypeEnumTxt,
+				Value:       info.Value,
+				Ttl:         &d.config.TTL,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("lego: %w", err)
+		}
+		if resp.State != model.CreateRecordOpenapiResponseStateEnumOk {
+			return fmt.Errorf("lego: create record failed, response state: %s, message: %s, code: %s", resp.State, resp.ErrorMessage, resp.ErrorCode)
+		}
+		return nil
+	} else {
+		// update record
+		resp, err := d.client.ModifyRecordOpenapi(&model.ModifyRecordOpenapiRequest{
+			ModifyRecordOpenapiBody: &model.ModifyRecordOpenapiBody{
+				RecordId:    record.RecordId,
+				Rr:          subDomain,
+				DomainName:  readDomain,
+				Description: "from certmate",
+				LineId:      "0",
+				Type:        model.ModifyRecordOpenapiBodyTypeEnumTxt,
+				Value:       info.Value,
+				Ttl:         &d.config.TTL,
+			},
+		})
+		if err != nil {
+			return fmt.Errorf("lego: %w", err)
+		}
+		if resp.State != model.ModifyRecordOpenapiResponseStateEnumOk {
+			return fmt.Errorf("lego: create record failed, response state: %s", resp.State)
+		}
+		return nil
+	}
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	challengeInfo := dns01.GetChallengeInfo(domain, keyAuth)
+	zoneName, err := dns01.FindZoneByFqdn(challengeInfo.FQDN)
+	if err != nil {
+		return fmt.Errorf("cmccecloud: %w", err)
+	}
+	subDomain, err := dns01.ExtractSubDomain(challengeInfo.FQDN, zoneName)
+	if err != nil {
+		return fmt.Errorf("cmccecloud: %w", err)
+	}
+	readDomain := strings.Trim(zoneName, ".")
+	record, err := d.getDomainRecord(readDomain, subDomain)
+	if err != nil {
+		return err
+	}
+	if record == nil {
+		return nil
+	}
+	resp, err := d.client.DeleteRecordOpenapi(&model.DeleteRecordOpenapiRequest{
+		DeleteRecordOpenapiBody: &model.DeleteRecordOpenapiBody{
+			RecordIdList: []string{record.RecordId},
+		},
+	})
+	if err != nil {
+		return fmt.Errorf("lego: %w", err)
+	}
+	if resp.State != model.DeleteRecordOpenapiResponseStateEnumOk {
+		return fmt.Errorf("lego: delete record failed, response state: %s", resp.State)
+	}
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDomainRecord(domain string, rr string) (*model.ListRecordOpenapiResponseData, error) {
+	pageSize := int32(50)
+	page := int32(1)
+	for {
+		resp, err := d.client.ListRecordOpenapi(&model.ListRecordOpenapiRequest{
+			ListRecordOpenapiBody: &model.ListRecordOpenapiBody{
+				DomainName: domain,
+			},
+			ListRecordOpenapiQuery: &model.ListRecordOpenapiQuery{
+				PageSize: &pageSize,
+				Page:     &page,
+			},
+		})
+		if err != nil {
+			return nil, err
+		}
+		if resp.State != model.ListRecordOpenapiResponseStateEnumOk {
+			respStr, _ := json.Marshal(resp)
+			return nil, fmt.Errorf("request error. %s", string(respStr))
+		}
+		if resp.Body.Data != nil {
+			for _, item := range *resp.Body.Data {
+				if item.Rr == rr {
+					return &item, nil
+				}
+			}
+		}
+		if resp.Body.TotalPages == nil || page >= *resp.Body.TotalPages {
+			return nil, nil
+		}
+		page++
+	}
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/dnsla.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/dnsla.go
@@ -0,0 +1,39 @@
+package dnsla
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	internal "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/internal"
+)
+
+type ChallengeProviderConfig struct {
+	ApiId                 string `json:"apiId"`
+	ApiSecret             string `json:"apiSecret"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.APIId = config.ApiId
+	providerConfig.APISecret = config.ApiSecret
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla/internal/lego.go
@@ -0,0 +1,240 @@
+package lego_dnsla
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+
+	dnslasdk "github.com/usual2970/certimate/internal/pkg/vendors/dnsla-sdk"
+)
+
+const (
+	envNamespace = "DNSLA_"
+
+	EnvAPIId     = envNamespace + "API_ID"
+	EnvAPISecret = envNamespace + "API_KEY"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	APIId     string
+	APISecret string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int
+	HTTPTimeout        time.Duration
+}
+
+type DNSProvider struct {
+	client *dnslasdk.Client
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt(EnvTTL, 300),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPTimeout:        env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAPIId, EnvAPISecret)
+	if err != nil {
+		return nil, fmt.Errorf("dnsla: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.APIId = values[EnvAPIId]
+	config.APISecret = values[EnvAPISecret]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("dnsla: the configuration of the DNS provider is nil")
+	}
+
+	client := dnslasdk.NewClient(config.APIId, config.APISecret).
+		WithTimeout(config.HTTPTimeout)
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(authZone), subDomain, info.Value); err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	if err := d.removeDNSRecord(dns01.UnFqdn(authZone), subDomain); err != nil {
+		return fmt.Errorf("dnsla: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDNSZone(zoneName string) (*dnslasdk.DomainInfo, error) {
+	pageIndex := 1
+	pageSize := 100
+	for {
+		request := &dnslasdk.ListDomainsRequest{
+			PageIndex: int32(pageIndex),
+			PageSize:  int32(pageSize),
+		}
+		response, err := d.client.ListDomains(request)
+		if err != nil {
+			return nil, err
+		}
+
+		if response.Data != nil {
+			for _, item := range response.Data.Results {
+				if strings.TrimRight(item.Domain, ".") == zoneName || strings.TrimRight(item.DisplayDomain, ".") == zoneName {
+					return item, nil
+				}
+			}
+		}
+
+		if response.Data == nil || len(response.Data.Results) < pageSize {
+			break
+		}
+
+		pageIndex++
+	}
+
+	return nil, fmt.Errorf("dnsla: zone %s not found", zoneName)
+}
+
+func (d *DNSProvider) getDNSZoneAndRecord(zoneName, subDomain string) (*dnslasdk.DomainInfo, *dnslasdk.RecordInfo, error) {
+	zone, err := d.getDNSZone(zoneName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pageIndex := 1
+	pageSize := 100
+	for {
+		request := &dnslasdk.ListRecordsRequest{
+			DomainId:  zone.Id,
+			Host:      &subDomain,
+			PageIndex: int32(pageIndex),
+			PageSize:  int32(pageSize),
+		}
+		response, err := d.client.ListRecords(request)
+		if err != nil {
+			return zone, nil, err
+		}
+
+		if response.Data != nil {
+			for _, record := range response.Data.Results {
+				if record.Type == 16 && (record.Host == subDomain || record.DisplayHost == subDomain) {
+					return zone, record, nil
+				}
+			}
+		}
+
+		if response.Data == nil || len(response.Data.Results) < pageSize {
+			break
+		}
+
+		pageIndex++
+	}
+
+	return zone, nil, nil
+}
+
+func (d *DNSProvider) addOrUpdateDNSRecord(zoneName, subDomain, value string) error {
+	zone, record, err := d.getDNSZoneAndRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		request := &dnslasdk.CreateRecordRequest{
+			DomainId: zone.Id,
+			Type:     16,
+			Host:     subDomain,
+			Data:     value,
+			Ttl:      int32(d.config.TTL),
+		}
+		_, err := d.client.CreateRecord(request)
+		return err
+	} else {
+		reqType := int32(16)
+		reqTtl := int32(d.config.TTL)
+		request := &dnslasdk.UpdateRecordRequest{
+			Id:   record.Id,
+			Type: &reqType,
+			Host: &subDomain,
+			Data: &value,
+			Ttl:  &reqTtl,
+		}
+		_, err := d.client.UpdateRecord(request)
+		return err
+	}
+}
+
+func (d *DNSProvider) removeDNSRecord(zoneName, subDomain string) error {
+	_, record, err := d.getDNSZoneAndRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		return nil
+	} else {
+		request := &dnslasdk.DeleteRecordRequest{
+			Id: record.Id,
+		}
+		_, err = d.client.DeleteRecord(request)
+		return err
+	}
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/dnsla.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/dnsla.go
@@ -0,0 +1,37 @@
+package dynv6
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	internal "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/internal"
+)
+
+type ChallengeProviderConfig struct {
+	HttpToken             string `json:"httpToken"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.HTTPToken = config.HttpToken
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/dynv6/internal/lego.go
@@ -0,0 +1,167 @@
+package lego_dynv6
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	"github.com/libdns/dynv6"
+	"github.com/libdns/libdns"
+)
+
+const (
+	envNamespace = "DYNV6_"
+
+	EnvHTTPToken = envNamespace + "HTTP_TOKEN"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	HTTPToken string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int
+}
+
+type DNSProvider struct {
+	client *dynv6.Provider
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvHTTPToken)
+	if err != nil {
+		return nil, fmt.Errorf("dynv6: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.HTTPToken = values[EnvHTTPToken]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("dynv6: the configuration of the DNS provider is nil")
+	}
+
+	client := &dynv6.Provider{Token: config.HTTPToken}
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(authZone), subDomain, info.Value); err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	if err := d.removeDNSRecord(dns01.UnFqdn(authZone), subDomain); err != nil {
+		return fmt.Errorf("dynv6: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDNSRecord(zoneName, subDomain string) (*libdns.Record, error) {
+	records, err := d.client.GetRecords(context.Background(), zoneName)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, record := range records {
+		if record.Type == "TXT" && record.Name == subDomain {
+			return &record, nil
+		}
+	}
+
+	return nil, nil
+}
+
+func (d *DNSProvider) addOrUpdateDNSRecord(zoneName, subDomain, value string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		record = &libdns.Record{
+			Type:  "TXT",
+			Name:  subDomain,
+			Value: value,
+			TTL:   time.Duration(d.config.TTL) * time.Second,
+		}
+		_, err := d.client.AppendRecords(context.Background(), zoneName, []libdns.Record{*record})
+		return err
+	} else {
+		record.Value = value
+		_, err := d.client.SetRecords(context.Background(), zoneName, []libdns.Record{*record})
+		return err
+	}
+}
+
+func (d *DNSProvider) removeDNSRecord(zoneName, subDomain string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		return nil
+	} else {
+		_, err = d.client.DeleteRecords(context.Background(), zoneName, []libdns.Record{*record})
+		return err
+	}
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/gcore/gcore.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/gcore/gcore.go
@@ -0,0 +1,36 @@
+package gcore
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/gcore"
+)
+
+type ChallengeProviderConfig struct {
+	ApiToken              string `json:"apiToken"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := gcore.NewDefaultConfig()
+	providerConfig.APIToken = config.ApiToken
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := gcore.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/gname.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/gname.go
@@ -0,0 +1,39 @@
+package gname
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	internal "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/internal"
+)
+
+type ChallengeProviderConfig struct {
+	AppId                 string `json:"appId"`
+	AppKey                string `json:"appKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.AppID = config.AppId
+	providerConfig.AppKey = config.AppKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname/internal/lego.go
@@ -0,0 +1,203 @@
+package lego_gname
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+
+	gnamesdk "github.com/usual2970/certimate/internal/pkg/vendors/gname-sdk"
+)
+
+const (
+	envNamespace = "GNAME_"
+
+	EnvAppID  = envNamespace + "APP_ID"
+	EnvAppKey = envNamespace + "APP_KEY"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	AppID  string
+	AppKey string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int
+	HTTPTimeout        time.Duration
+}
+
+type DNSProvider struct {
+	client *gnamesdk.Client
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                env.GetOrDefaultInt(EnvTTL, 300),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPTimeout:        env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAppID, EnvAppKey)
+	if err != nil {
+		return nil, fmt.Errorf("gname: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.AppID = values[EnvAppID]
+	config.AppKey = values[EnvAppKey]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("gname: the configuration of the DNS provider is nil")
+	}
+
+	client := gnamesdk.NewClient(config.AppID, config.AppKey).
+		WithTimeout(config.HTTPTimeout)
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(authZone), subDomain, info.Value); err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	if err := d.removeDNSRecord(dns01.UnFqdn(authZone), subDomain); err != nil {
+		return fmt.Errorf("gname: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDNSRecord(zoneName, subDomain string) (*gnamesdk.ResolutionRecord, error) {
+	page := 1
+	pageSize := 20
+	for {
+		request := &gnamesdk.ListDomainResolutionRequest{}
+		request.ZoneName = zoneName
+		request.Page = &page
+		request.PageSize = &pageSize
+
+		response, err := d.client.ListDomainResolution(request)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, record := range response.Data {
+			if record.RecordType == "TXT" && record.RecordName == subDomain {
+				return record, nil
+			}
+		}
+
+		if len(response.Data) == 0 {
+			break
+		}
+		if response.Page*response.PageSize >= response.Count {
+			break
+		}
+
+		page++
+	}
+
+	return nil, nil
+}
+
+func (d *DNSProvider) addOrUpdateDNSRecord(zoneName, subDomain, value string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		request := &gnamesdk.AddDomainResolutionRequest{
+			ZoneName:    zoneName,
+			RecordType:  "TXT",
+			RecordName:  subDomain,
+			RecordValue: value,
+			TTL:         d.config.TTL,
+		}
+		_, err := d.client.AddDomainResolution(request)
+		return err
+	} else {
+		request := &gnamesdk.ModifyDomainResolutionRequest{
+			ID:          record.ID,
+			ZoneName:    zoneName,
+			RecordType:  "TXT",
+			RecordName:  subDomain,
+			RecordValue: value,
+			TTL:         d.config.TTL,
+		}
+		_, err := d.client.ModifyDomainResolution(request)
+		return err
+	}
+}
+
+func (d *DNSProvider) removeDNSRecord(zoneName, subDomain string) error {
+	record, err := d.getDNSRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		return nil
+	}
+
+	request := &gnamesdk.DeleteDomainResolutionRequest{
+		ZoneName: zoneName,
+		RecordID: record.ID,
+	}
+	_, err = d.client.DeleteDomainResolution(request)
+	return err
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/godaddy/godaddy.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/godaddy/godaddy.go
@@ -0,0 +1,38 @@
+package godaddy
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/godaddy"
+)
+
+type ChallengeProviderConfig struct {
+	ApiKey                string `json:"apiKey"`
+	ApiSecret             string `json:"apiSecret"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := godaddy.NewDefaultConfig()
+	providerConfig.APIKey = config.ApiKey
+	providerConfig.APISecret = config.ApiSecret
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := godaddy.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/huaweicloud/huaweicloud.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/huaweicloud/huaweicloud.go
@@ -0,0 +1,46 @@
+package huaweicloud
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	hwc "github.com/go-acme/lego/v4/providers/dns/huaweicloud"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	SecretAccessKey       string `json:"secretAccessKey"`
+	Region                string `json:"region"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	region := config.Region
+	if region == "" {
+		// 华为云的 SDK 要求必须传一个区域，实际上 DNS-01 流程里用不到，但不传会报错
+		region = "cn-north-1"
+	}
+
+	providerConfig := hwc.NewDefaultConfig()
+	providerConfig.AccessKeyID = config.AccessKeyId
+	providerConfig.SecretAccessKey = config.SecretAccessKey
+	providerConfig.Region = region
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = config.DnsTTL
+	}
+
+	provider, err := hwc.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/internal/lego.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/internal/lego.go
@@ -0,0 +1,238 @@
+package lego_jdcloud
+
+import (
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/challenge/dns01"
+	"github.com/go-acme/lego/v4/platform/config/env"
+	jdCore "github.com/jdcloud-api/jdcloud-sdk-go/core"
+	jdDnsApi "github.com/jdcloud-api/jdcloud-sdk-go/services/domainservice/apis"
+	jdDnsClient "github.com/jdcloud-api/jdcloud-sdk-go/services/domainservice/client"
+	jdDnsModel "github.com/jdcloud-api/jdcloud-sdk-go/services/domainservice/models"
+)
+
+const (
+	envNamespace = "JDCLOUD_"
+
+	EnvAccessKeyID     = envNamespace + "ACCESS_KEY_ID"
+	EnvAccessKeySecret = envNamespace + "ACCESS_KEY_SECRET"
+	EnvRegionId        = envNamespace + "REGION_ID"
+
+	EnvTTL                = envNamespace + "TTL"
+	EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+	EnvPollingInterval    = envNamespace + "POLLING_INTERVAL"
+	EnvHTTPTimeout        = envNamespace + "HTTP_TIMEOUT"
+)
+
+var _ challenge.ProviderTimeout = (*DNSProvider)(nil)
+
+type Config struct {
+	AccessKeyID     string
+	AccessKeySecret string
+	RegionId        string
+
+	PropagationTimeout time.Duration
+	PollingInterval    time.Duration
+	TTL                int32
+	HTTPTimeout        time.Duration
+}
+
+type DNSProvider struct {
+	client *jdDnsClient.DomainserviceClient
+	config *Config
+}
+
+func NewDefaultConfig() *Config {
+	return &Config{
+		TTL:                int32(env.GetOrDefaultInt(EnvTTL, 300)),
+		PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, 2*time.Minute),
+		PollingInterval:    env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+		HTTPTimeout:        env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+	}
+}
+
+func NewDNSProvider() (*DNSProvider, error) {
+	values, err := env.Get(EnvAccessKeyID, EnvAccessKeySecret)
+	if err != nil {
+		return nil, fmt.Errorf("jdcloud: %w", err)
+	}
+
+	config := NewDefaultConfig()
+	config.AccessKeyID = values[EnvAccessKeyID]
+	config.AccessKeySecret = values[EnvAccessKeySecret]
+	config.RegionId = values[EnvRegionId]
+
+	return NewDNSProviderConfig(config)
+}
+
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+	if config == nil {
+		return nil, errors.New("jdcloud: the configuration of the DNS provider is nil")
+	}
+
+	clientCredentials := jdCore.NewCredentials(config.AccessKeyID, config.AccessKeySecret)
+	client := jdDnsClient.NewDomainserviceClient(clientCredentials)
+	clientConfig := &client.Config
+	clientConfig.SetTimeout(config.HTTPTimeout)
+	client.SetConfig(clientConfig)
+	client.SetLogger(jdCore.NewDefaultLogger(jdCore.LogWarn))
+
+	return &DNSProvider{
+		client: client,
+		config: config,
+	}, nil
+}
+
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	if err := d.addOrUpdateDNSRecord(dns01.UnFqdn(authZone), subDomain, info.Value); err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+	info := dns01.GetChallengeInfo(domain, keyAuth)
+
+	authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+	if err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+	if err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	if err := d.removeDNSRecord(dns01.UnFqdn(authZone), subDomain); err != nil {
+		return fmt.Errorf("jdcloud: %w", err)
+	}
+
+	return nil
+}
+
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+	return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) getDNSZone(zoneName string) (*jdDnsModel.DomainInfo, error) {
+	pageNumber := 1
+	pageSize := 10
+	for {
+		request := jdDnsApi.NewDescribeDomainsRequest(d.config.RegionId, pageNumber, pageSize)
+		request.SetDomainName(zoneName)
+
+		response, err := d.client.DescribeDomains(request)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, item := range response.Result.DataList {
+			if item.DomainName == zoneName {
+				return &item, nil
+			}
+		}
+
+		if len(response.Result.DataList) < pageSize {
+			break
+		}
+
+		pageNumber++
+	}
+
+	return nil, fmt.Errorf("jdcloud: zone %s not found", zoneName)
+}
+
+func (d *DNSProvider) getDNSZoneAndRecord(zoneName, subDomain string) (*jdDnsModel.DomainInfo, *jdDnsModel.RRInfo, error) {
+	zone, err := d.getDNSZone(zoneName)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	pageNumber := 1
+	pageSize := 10
+	for {
+		request := jdDnsApi.NewDescribeResourceRecordRequest(d.config.RegionId, fmt.Sprintf("%d", zone.Id))
+		request.SetSearch(subDomain)
+		request.SetPageNumber(pageNumber)
+		request.SetPageSize(pageSize)
+
+		response, err := d.client.DescribeResourceRecord(request)
+		if err != nil {
+			return zone, nil, err
+		}
+
+		for _, record := range response.Result.DataList {
+			if record.Type == "TXT" && record.HostRecord == subDomain {
+				return zone, &record, nil
+			}
+		}
+
+		if len(response.Result.DataList) < pageSize {
+			break
+		}
+
+		pageNumber++
+	}
+
+	return zone, nil, nil
+}
+
+func (d *DNSProvider) addOrUpdateDNSRecord(zoneName, subDomain, value string) error {
+	zone, record, err := d.getDNSZoneAndRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		request := jdDnsApi.NewCreateResourceRecordRequest(d.config.RegionId, fmt.Sprintf("%d", zone.Id), &jdDnsModel.AddRR{
+			Type:       "TXT",
+			HostRecord: subDomain,
+			HostValue:  value,
+			Ttl:        int(d.config.TTL),
+			ViewValue:  -1,
+		})
+		_, err := d.client.CreateResourceRecord(request)
+		return err
+	} else {
+		request := jdDnsApi.NewModifyResourceRecordRequest(d.config.RegionId, fmt.Sprintf("%d", zone.Id), fmt.Sprintf("%d", record.Id), &jdDnsModel.UpdateRR{
+			Type:       "TXT",
+			HostRecord: subDomain,
+			HostValue:  value,
+			Ttl:        int(d.config.TTL),
+			ViewValue:  -1,
+		})
+		_, err := d.client.ModifyResourceRecord(request)
+		return err
+	}
+}
+
+func (d *DNSProvider) removeDNSRecord(zoneName, subDomain string) error {
+	zone, record, err := d.getDNSZoneAndRecord(zoneName, subDomain)
+	if err != nil {
+		return err
+	}
+
+	if record == nil {
+		return nil
+	} else {
+		request := jdDnsApi.NewDeleteResourceRecordRequest(d.config.RegionId, fmt.Sprintf("%d", zone.Id), fmt.Sprintf("%d", record.Id))
+		_, err = d.client.DeleteResourceRecord(request)
+		return err
+	}
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/jdcloud.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/jdcloud.go
@@ -0,0 +1,47 @@
+package jdcloud
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+
+	internal "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud/internal"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	AccessKeySecret       string `json:"accessKeySecret"`
+	RegionId              string `json:"regionId"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	regionId := config.RegionId
+	if regionId == "" {
+		// 京东云的 SDK 要求必须传一个区域，实际上 DNS-01 流程里用不到，但不传会报错
+		regionId = "cn-north-1"
+	}
+
+	providerConfig := internal.NewDefaultConfig()
+	providerConfig.AccessKeyID = config.AccessKeyId
+	providerConfig.AccessKeySecret = config.AccessKeySecret
+	providerConfig.RegionId = regionId
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = config.DnsTTL
+	}
+
+	provider, err := internal.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/namecheap/namecheap.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/namecheap/namecheap.go
@@ -0,0 +1,38 @@
+package namedotcom
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/namecheap"
+)
+
+type ChallengeProviderConfig struct {
+	Username              string `json:"username"`
+	ApiKey                string `json:"apiKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := namecheap.NewDefaultConfig()
+	providerConfig.APIUser = config.Username
+	providerConfig.APIKey = config.ApiKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := namecheap.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/namedotcom/namedotcom.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/namedotcom/namedotcom.go
@@ -0,0 +1,38 @@
+package namedotcom
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/namedotcom"
+)
+
+type ChallengeProviderConfig struct {
+	Username              string `json:"username"`
+	ApiToken              string `json:"apiToken"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := namedotcom.NewDefaultConfig()
+	providerConfig.Username = config.Username
+	providerConfig.APIToken = config.ApiToken
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := namedotcom.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/namesilo/namesilo.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/namesilo/namesilo.go
@@ -0,0 +1,36 @@
+package namesilo
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/namesilo"
+)
+
+type ChallengeProviderConfig struct {
+	ApiKey                string `json:"apiKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := namesilo.NewDefaultConfig()
+	providerConfig.APIKey = config.ApiKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := namesilo.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/ns1/ns1.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/ns1/ns1.go
@@ -0,0 +1,36 @@
+package ns1
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/ns1"
+)
+
+type ChallengeProviderConfig struct {
+	ApiKey                string `json:"apiKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := ns1.NewDefaultConfig()
+	providerConfig.APIKey = config.ApiKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := ns1.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns/powerdns.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns/powerdns.go
@@ -0,0 +1,40 @@
+package namesilo
+
+import (
+	"net/url"
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/pdns"
+)
+
+type ChallengeProviderConfig struct {
+	ApiUrl                string `json:"apiUrl"`
+	ApiKey                string `json:"apiKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	host, _ := url.Parse(config.ApiUrl)
+	providerConfig := pdns.NewDefaultConfig()
+	providerConfig.Host = host
+	providerConfig.APIKey = config.ApiKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := pdns.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/rainyun/rainyun.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/rainyun/rainyun.go
@@ -0,0 +1,36 @@
+package rainyun
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/rainyun"
+)
+
+type ChallengeProviderConfig struct {
+	ApiKey                string `json:"apiKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := rainyun.NewDefaultConfig()
+	providerConfig.APIKey = config.ApiKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := rainyun.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud/tencentcloud.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud/tencentcloud.go
@@ -0,0 +1,38 @@
+package tencentcloud
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/tencentcloud"
+)
+
+type ChallengeProviderConfig struct {
+	SecretId              string `json:"secretId"`
+	SecretKey             string `json:"secretKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := tencentcloud.NewDefaultConfig()
+	providerConfig.SecretID = config.SecretId
+	providerConfig.SecretKey = config.SecretKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := tencentcloud.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine/volcengine.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine/volcengine.go
@@ -0,0 +1,38 @@
+package volcengine
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/volcengine"
+)
+
+type ChallengeProviderConfig struct {
+	AccessKeyId           string `json:"accessKeyId"`
+	SecretAccessKey       string `json:"secretAccessKey"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := volcengine.NewDefaultConfig()
+	providerConfig.AccessKey = config.AccessKeyId
+	providerConfig.SecretKey = config.SecretAccessKey
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := volcengine.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/internal/pkg/core/applicant/acme-dns-01/lego-providers/westcn/westcn.go
+++ b/internal/pkg/core/applicant/acme-dns-01/lego-providers/westcn/westcn.go
@@ -0,0 +1,38 @@
+package westcn
+
+import (
+	"time"
+
+	"github.com/go-acme/lego/v4/challenge"
+	"github.com/go-acme/lego/v4/providers/dns/westcn"
+)
+
+type ChallengeProviderConfig struct {
+	Username              string `json:"username"`
+	ApiPassword           string `json:"apiPassword"`
+	DnsPropagationTimeout int32  `json:"dnsPropagationTimeout,omitempty"`
+	DnsTTL                int32  `json:"dnsTTL,omitempty"`
+}
+
+func NewChallengeProvider(config *ChallengeProviderConfig) (challenge.Provider, error) {
+	if config == nil {
+		panic("config is nil")
+	}
+
+	providerConfig := westcn.NewDefaultConfig()
+	providerConfig.Username = config.Username
+	providerConfig.Password = config.ApiPassword
+	if config.DnsPropagationTimeout != 0 {
+		providerConfig.PropagationTimeout = time.Duration(config.DnsPropagationTimeout) * time.Second
+	}
+	if config.DnsTTL != 0 {
+		providerConfig.TTL = int(config.DnsTTL)
+	}
+
+	provider, err := westcn.NewDNSProviderConfig(providerConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return provider, nil
+}
--- a/Show More
+++ b/Show More