bump version to v0.3.19

Merge pull request #808 from fudiwei/new-repo
move to new repo
2025-06-22 21:09:54 +08:00 · 2025-06-22 20:50:18 +08:00 · 2025-06-22 20:50:01 +08:00 · 2025-06-19 19:44:58 +08:00 · 2025-06-19 11:26:37 +08:00 · 2025-06-18 23:15:21 +08:00
1125 changed files with 62837 additions and 19372 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -10,5 +10,7 @@ trim_trailing_whitespace = true
 insert_final_newline = true

 [*.go]
+charset = utf-8
+end_of_line = lf
 indent_size = 2
 indent_style = tab
--- a/.github/ISSUE_TEMPLATE/1-bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/1-bug_report.yml
@@ -0,0 +1,80 @@
+name: "🐞 Bug Report"
+description: "报告缺陷来帮助我们完善。 / Create a report to help us improve."
+title: "[Bug] 简要描述你发现的缺陷"
+labels:
+  - bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Welcome!
+
+        **在提交 Issue 之前，请确认以下事项**：
+        1. 我**确认**已尝试过使用当前最新版本，并能复现问题。由于开发者精力有限，非当前最新版本的问题将被直接关闭，感谢理解。
+        2. 我**确认**已搜索过[已有的 Issues](https://github.com/certimate-go/certimate/issues)（包括已关闭的），没有类似的问题。
+        3. 我**确认**已阅读过[文档](https://docs.certimate.me/)，没有类似的问题。
+        4. 请**务必**按照模板规范详细描述问题，否则 Issue 将会被直接关闭。
+        5. 请保持每个 Issue 只包含一个缺陷报告。如果有多个缺陷，请分别提交 Issue。
+
+        **Before you submit the issue, please make sure of the following checklist**:
+        1. Yes, I'm using the latest release and can reproduce the issue. Issues that are not in the latest version will be closed directly.
+        2. Yes, I've searched for [existing issues](https://github.com/certimate-go/certimate/issues) (including closed ones) on GitHub and didn't find any similar.
+        3. Yes, I've read the [documentation](https://docs.certimate.me/en/) and didn't find any similar.
+        4. Please describe the problem in detail according to the template specification, otherwise the issue will be closed directly.
+        5. Please limit one report per issue.
+
+  - type: input
+    attributes:
+      label: 软件版本 / Release Version
+      description: 请提供 Certimate 的具体版本（请不要填写 `latest` 之类的无效版本号）。 / Please provide the specific version of Certimate.
+      placeholder: (e.g. v1.0.0)
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 缺陷描述 / Description
+      description: 请详细清晰地描述你发现的缺陷或故障，如果可能请上传截图。 / Describe the bug you found in detail and clearly, and upload screenshots if possible.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 复现步骤 / Steps to reproduce
+      description: 请提供可复现的完整步骤。 / Please walk us through it step by step.
+      placeholder: |
+        1. ...
+        2. ...
+        3. ...
+        ...
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 日志 / Logs
+      description: 在此处添加日志信息（如果有的话）。 / Add logs here if available.
+      value: |-
+        <details>
+
+        ```console
+        # 请在此粘贴日志 / Paste logs here
+        ```
+
+        </details>
+    validations:
+      required: false
+
+  - type: textarea
+    attributes:
+      label: 其他 / Miscellaneous
+      description: 在此处添加关于该 Issue 的任何其他信息。 / Add any other context about the issue here.
+    validations:
+      required: false
+
+  - type: checkboxes
+    attributes:
+      label: 贡献 / Contribution
+      options:
+        - label: 我乐意为此贡献 PR！ / I am interested in contributing a PR for this!
+          required: false
--- a/.github/ISSUE_TEMPLATE/2-feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/2-feature_request.yml
@@ -0,0 +1,52 @@
+name: "💡 Feature Request"
+description: "提出新功能请求或改进意见。 / Suggest an idea for this project."
+title: "[Feature] 简要描述你希望实现的功能"
+labels:
+  - enhancement
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Welcome!
+
+        **在提交 Issue 之前，请确认以下事项**：
+        1. 我**确认**是基于当前最新大版本而提出的新功能请求或改进意见。
+        2. 我**确认**已搜索过[已有的 Issues](https://github.com/certimate-go/certimate/issues)（包括已关闭的），没有类似的问题。
+        3. 我**确认**已阅读过[文档](https://docs.certimate.me/)，没有类似的问题。
+        4. 请**务必**按照模板规范详细描述问题，否则 Issue 将会被直接关闭。
+        5. 请保持每个 Issue 只包含一个功能请求。如果有多个需求，请分别提交 Issue。
+
+        **Before you submit the issue, please make sure of the following checklist**:
+        1. Yes, I'm using the latest release.
+        2. Yes, I've searched for [existing issues](https://github.com/certimate-go/certimate/issues) (including closed ones) on GitHub and didn't find any similar.
+        3. Yes, I've read the [documentation](https://docs.certimate.me/en/) and didn't find any similar.
+        4. Please describe the problem in detail according to the template specification, otherwise the issue will be closed directly.
+        5. Please limit one request per issue.
+
+  - type: textarea
+    attributes:
+      label: 功能描述 / Description
+      description: 请详细清晰地描述你希望添加的功能，如果可能请上传截图。 / Describe the feature you'd like to add in detail and clearly, and upload screenshots if possible.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 请求动机 / Motivation
+      description: 为什么这个功能对项目有帮助？ / Why is this feature helpful to the project?
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 其他 / Miscellaneous
+      description: 在此处添加关于该 Issue 的任何其他信息（新增提供商请求请补充 API 文档链接等资料）。 / Add any other context about the problem here.
+    validations:
+      required: false
+
+  - type: checkboxes
+    attributes:
+      label: 贡献 / Contribution
+      options:
+        - label: 我乐意为此贡献 PR！ / I am interested in contributing a PR for this!
+          required: false
--- a/.github/ISSUE_TEMPLATE/3-questions.yml
+++ b/.github/ISSUE_TEMPLATE/3-questions.yml
@@ -0,0 +1,44 @@
+name: "❓ Questions"
+description: "遇到了困难需要求助？ / Have problem in use and need help?"
+title: "简要描述你遇到的问题"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## Welcome!
+
+        **在提交 Issue 之前，请确认以下事项**：
+        1. 我**确认**正在使用的是当前最新版本。
+        2. 我**确认**已搜索过[已有的 Issues](https://github.com/certimate-go/certimate/issues)（包括已关闭的），没有类似的问题。
+        3. 我**确认**已阅读过[文档](https://docs.certimate.me/)，没有类似的问题。
+        4. 请**务必**按照模板规范详细描述问题，否则 Issue 将会被直接关闭。
+        5. 请保持每个 Issue 只包含一个问题求助。如果有多个问题，请分别提交 Issue。
+
+        **Before you submit the issue, please make sure of the following checklist**:
+        1. Yes, I'm using the latest release.
+        2. Yes, I've searched for [existing issues](https://github.com/certimate-go/certimate/issues) (including closed ones) on GitHub and didn't find any similar.
+        3. Yes, I've read the [documentation](https://docs.certimate.me/en/) and didn't find any similar.
+        4. Please describe the problem in detail according to the template specification, otherwise the issue will be closed directly.
+        5. Please limit one question per issue.
+
+  - type: input
+    attributes:
+      label: 软件版本 / Release Version
+      description: 请提供 Certimate 的具体版本（请不要填写 `latest` 之类的无效版本号）。 / Please provide the specific version of Certimate.
+      placeholder: (e.g. v1.0.0)
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 问题描述 / Description
+      description: 请详细清晰地描述你遇到的问题，如果可能请上传截图。 / Describe the problem you encountered in detail and clearly, and upload screenshots if possible.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: 其他 / Miscellaneous
+      description: 在此处添加关于该问题的任何其他信息。 / Add any other context about the problem here.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,33 +0,0 @@
---
-name: Bug report
-about: 创建一个报告来帮助我们改进
-title: "[Bug] 标题简要描述问题"
-labels: bug
-assignees: ""
---
-
-**描述问题**
-简要描述问题是什么，1 个 ISSUE 只描述一个问题。 
-
-**复现步骤**
-复现该问题的步骤：
-
-1. 去到 '...'
-2. 点击 '...'
-3. 滚动到 '...'
-4. 发现问题
-
-**期望的结果**
-简要描述你期望发生的事情。
-
-**截图**
-如有可能，请添加截图以帮助解释问题。
-
-**环境**
-
- 操作系统: [e.g. Windows, macOS]
- 浏览器: [e.g. Chrome, Safari]
- 仓库版本: [e.g. v1.0.0]
-
-**其他信息**
-在此处添加关于该问题的任何其他信息。
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1,8 @@
 blank_issues_enabled: false
 contact_links:
-  - name: 加入频道讨论
-    url: https://t.me/+ZXphsppxUg41YmVl
-    about: 加入到电报频道寻求更多帮助
+  - name: "🌐 加入频道讨论"
+    about: "加入到电报频道寻求更多帮助。 / Join in our Telegram channel."
+    url: "https://t.me/+ZXphsppxUg41YmVl"
+  - name: "📖 常见问题"
+    about: "请先阅读文档 FAQ，可能会有你需要的答案。 / Please take a look to FAQs."
+    url: "https://docs.certimate.me/docs/reference/faq"
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,19 +0,0 @@
---
-name: Feature request
-about: 提出一个新功能请求
-title: "[Feature] 简要描述你希望实现的功能"
-labels: enhancement
-assignees: ""
---
-
-**功能描述**
-简要描述你希望添加的功能和相关问题，1 个 ISSUE 只描述一个功能。
-
-**动机**
-为什么这个功能对项目有帮助？
-
-**替代方案**
-描述你已经考虑过的替代方案。
-
-**其他信息**
-在这里添加任何相关的附加信息或截图。
--- a/.github/workflows/push_image.yml
+++ b/.github/workflows/push_image.yml
@@ -32,8 +32,13 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: |
-            usual2970/certimate
-            registry.cn-shanghai.aliyuncs.com/usual2970/certimate
+            certimate/certimate
+            registry.cn-shanghai.aliyuncs.com/certimate/certimate
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}}

      - name: Log in to DOCKERHUB
        uses: docker/login-action@v3
--- a/.github/workflows/push_image_next.yml
+++ b/.github/workflows/push_image_next.yml
@@ -31,8 +31,8 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: |
-            usual2970/certimate
-            registry.cn-shanghai.aliyuncs.com/usual2970/certimate
+            certimate/certimate
+            registry.cn-shanghai.aliyuncs.com/certimate/certimate
          tags: |
            type=ref,event=tag,pattern={{version}}
          flavor: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Base Build
+name: Release

 on:
  push:
@@ -6,7 +6,7 @@ on:
      - "v[0-9]*"

 jobs:
-  goreleaser:
+  prepare-ui:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -19,19 +19,190 @@ jobs:
        with:
          node-version: 20.11.0

+      - name: Build WebUI
+        run: |
+          npm --prefix=./ui ci
+          npm --prefix=./ui run build
+
+      - name: Upload UI build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: ui-build
+          path: ./ui/dist
+          retention-days: 1
+
+  build-linux:
+    needs: prepare-ui
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: ">=1.23.0"
+          go-version-file: "go.mod"

-      - name: Build WebUI
-        run: npm --prefix=./ui ci && npm --prefix=./ui run build
-
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v3
+      - name: Download UI build artifacts
+        uses: actions/download-artifact@v4
        with:
-          distribution: goreleaser
-          version: latest
-          args: release --clean
+          name: ui-build
+          path: ./ui/dist
+
+      - name: Build Linux binaries
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+        run: |
+          mkdir -p dist/linux
+          for ARCH in amd64 arm64 armv7; do
+            if [ "$ARCH" == "armv7" ]; then
+              go env -w GOARCH=arm
+              go env -w GOARM=7
+            else
+              go env -w GOARCH=$ARCH
+              go env -u GOARM
+            fi
+            go build -ldflags="-s -w -X github.com/certimate-go/certimate.Version=${GITHUB_REF#refs/tags/}" -o dist/linux/certimate_${GITHUB_REF#refs/tags/}_linux_$ARCH
+          done
+
+      - name: Upload Linux binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: linux-binaries
+          path: dist/linux/
+          retention-days: 1
+
+  build-macos:
+    needs: prepare-ui
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Download UI build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ui-build
+          path: ./ui/dist
+
+      - name: Build macOS binaries
+        env:
+          CGO_ENABLED: 0
+          GOOS: darwin
+        run: |
+          mkdir -p dist/darwin
+          for ARCH in amd64 arm64; do
+            go env -w GOARCH=$ARCH
+            go build -ldflags="-s -w -X github.com/certimate-go/certimate.Version=${GITHUB_REF#refs/tags/}" -o dist/darwin/certimate_${GITHUB_REF#refs/tags/}_darwin_$ARCH
+          done
+
+      - name: Upload macOS binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: macos-binaries
+          path: dist/darwin/
+          retention-days: 1
+
+  build-windows:
+    needs: prepare-ui
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+
+      - name: Download UI build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: ui-build
+          path: ./ui/dist
+
+      - name: Build Windows binaries
+        env:
+          CGO_ENABLED: 0
+          GOOS: windows
+        run: |
+          mkdir -p dist/windows
+          for ARCH in amd64 arm64; do
+            go env -w GOARCH=$ARCH
+            go build -ldflags="-s -w -X github.com/certimate-go/certimate.Version=${GITHUB_REF#refs/tags/}" -o dist/windows/certimate_${GITHUB_REF#refs/tags/}_windows_$ARCH.exe
+          done
+
+      - name: Upload Windows binaries
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-binaries
+          path: dist/windows/
+          retention-days: 1
+
+  create-release:
+    needs: [build-linux, build-macos, build-windows]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Download all binaries
+        uses: actions/download-artifact@v4
+        with:
+          path: ./artifacts
+
+      - name: Prepare release assets
+        run: |
+          mkdir -p dist
+          cp -r artifacts/linux-binaries/* dist/
+          cp -r artifacts/macos-binaries/* dist/
+          cp -r artifacts/windows-binaries/* dist/
+
+          find dist -type f -not -name "*.exe" -exec chmod +x {} \;
+
+          cd dist
+          for bin in certimate_*; do
+            if [[ "$bin" == *".exe" ]]; then
+              entrypoint="certimate.exe"
+            else
+              entrypoint="certimate"
+            fi
+
+            tmpdir=$(mktemp -d)
+            cp "$bin" "${tmpdir}/${entrypoint}"
+            cp ../LICENSE ../README.md ../CHANGELOG.md "$tmpdir"
+
+            if [[ "$bin" == *".exe" ]]; then
+              zip -j "${bin%.exe}.zip" "$tmpdir"/*
+            else
+              zip -j -X "${bin}.zip" "$tmpdir"/*
+            fi
+
+            rm -rf "$tmpdir"
+          done
+
+          sha256sum *.zip > checksums.txt
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*.zip
+            dist/checksums.txt
+          draft: true
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -11,7 +11,7 @@ builds:
    main: ./
    binary: certimate
    ldflags:
-      - -s -w -X github.com/usual2970/certimate.Version={{ .Version }}
+      - -s -w -X github.com/certimate-go/certimate.Version={{ .Version }}
    env:
      - CGO_ENABLED=0
    goos:
@@ -30,17 +30,20 @@ builds:
      - goos: darwin
        goarch: arm

+# upx:
+#   - enabled: true
+
 release:
  draft: true

 archives:
  - id: archive_noncgo
    builds: [build_noncgo]
-    format: zip
+    format: "zip"
    files:
-      - CHANGELOG.md
-      - LICENSE.md
+      - LICENSE
      - README.md
+      - CHANGELOG.md

 checksum:
  name_template: "checksums.txt"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1 +1 @@
-A full changelog of past releases is available on [GitHub Releases](https://github.com/usual2970/certimate/releases) page.
+A full changelog of past releases is available on [GitHub Releases](https://github.com/certimate-go/certimate/releases) page.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,76 +1,106 @@
-# 向 Certimate 贡献代码
+# 贡献指南

-感谢你抽出时间来改进 Certimate！以下是向 Certimate 主仓库提交 PR（Pull Request）时的操作指南。
+非常感谢你抽出时间来帮助改进 Certimate！以下是向 Certimate 提交 Pull Request 时的操作指南。

- [向 Certimate 贡献代码](#向-certimate-贡献代码)
-  - [前提条件](#前提条件)
-  - [修改 Go 代码](#修改-go-代码)
-  - [修改管理页面 (Admin UI)](#修改管理页面-admin-ui)
+我们需要保持敏捷和快速迭代，同时也希望确保贡献者能获得尽可能流畅的参与体验。这份贡献指南旨在帮助你熟悉代码库和我们的工作方式，让你可以尽快进入有趣的开发环节。

-## 前提条件
+索引：

- Go 1.22+ (用于修改 Go 代码)
- Node 20+ (用于修改 UI)
+- [开发](#开发)
+  - [要求](#要求)
+  - [后端代码](#后端代码)
+  - [前端代码](#前端代码)
+- [提交 PR](#提交-pr)
+  - [提交流程](#提交流程)
+- [获取帮助](#获取帮助)

-如果还没有这样做，你可以 fork Certimate 的主仓库，并克隆到本地以便进行修改：
+---

-```bash
-git clone https://github.com/your_username/certimate.git
-```
+## 开发

-> **重要提示：**
-> 建议为每个 Bug 修复或新功能创建一个从 `main` 分支派生的新分支。如果你计划提交多个 PR，请保持不同的改动在独立分支中，以便更容易进行代码审查并最终合并。
-> 保持一个 PR 只实现一个功能。
+### 要求

-## 修改 Go 代码
+- Go 1.24+（用于修改后端代码）
+- Node.js 22.0+（用于修改前端代码）

-假设你已经对 Certimate 的 Go 代码做了一些修改，现在你想要运行它：
+### 后端代码

-1. 进入根目录
-2. 运行以下命令启动服务：
+Certimate 的后端代码是使用 Golang 开发的，是一个基于 [Pocketbase](https://github.com/pocketbase/pocketbase) 构建的单体应用。

+假设你已经对 Certimate 的后端代码做出了一些修改，现在你想要运行它，请遵循以下步骤：
+
+1. 进入根目录；
+2. 安装依赖：
+   ```bash
+   go mod vendor
+   ```
+3. 启动本地开发服务：
   ```bash
   go run main.go serve
   ```

-这将启动一个 Web 服务器，默认运行在 `http://localhost:8090`，并使用来自 `ui/dist` 的预构建管理页面。
+这将启动一个 Web 服务器，默认运行在 `http://localhost:8090`，并使用来自 `/ui/dist` 的预构建管理页面。

-**在向主仓库提交 PR 之前，建议你：**
+> 如果你遇到报错 `ui/embed.go: pattern all:dist: no matching files found`，请参考“[前端代码](#前端代码)”这一小节构建 WebUI。

- 使用 [gofumpt](https://github.com/mvdan/gofumpt) 对你的代码进行格式化。
+**在向主仓库提交 PR 之前，你应该：**

- 为你的改动添加单元测试或集成测试（Certimate 使用 Go 的标准 `testing` 包）。你可以通过以下命令运行测试（在项目根目录下）：
+- 使用 [gofumpt](https://github.com/mvdan/gofumpt) 格式化你的代码。推荐使用 VSCode，并安装 gofumpt 插件，以便在保存时自动格式化。
+- 为你的改动添加单元测试或集成测试（使用 Go 标准库中的 `testing` 包）。

-  ```bash
-  go test ./...
-  ```
+### 前端代码

-## 修改管理页面 (Admin UI)
+Certimate 的前端代码是使用 TypeScript 开发的，是一个基于 [React](https://github.com/facebook/react) 和 [Vite](https://github.com/vitejs/vite) 构建的单页应用。

-Certimate 的管理页面是一个基于 React 和 Vite 构建的单页应用（SPA）。
-
-要启动 Admin UI：
-
-1. 进入 `ui` 项目目录。
-
-2. 运行 `npm install` 安装依赖。
+假设你已经对 Certimate 的前端代码做出了一些修改，现在你想要运行它，请遵循以下步骤：

+1. 进入 `/ui` 目录；
+2. 安装依赖：
+   ```bash
+   npm install
+   ```
 3. 启动 Vite 开发服务器：
-
   ```bash
   npm run dev
   ```

-你可以通过浏览器访问 `http://localhost:5173` 来查看运行中的管理页面。
+这将启动一个 Web 服务器，默认运行在 `http://localhost:5173`，你可以通过浏览器访问来查看运行中的 WebUI。

-由于 Admin UI 只是一个客户端应用，运行时需要 Certimate 的后端服务作为支撑。你可以手动运行 Certimate，或者使用预构建的可执行文件。
-
-所有对 Admin UI 的修改将会自动反映在浏览器中，无需手动刷新页面。
-
-完成修改后，运行以下命令来构建 Admin UI，以便它能被嵌入到 Go 包中：
+完成修改后，运行以下命令来构建 WebUI，以便它能被嵌入到 Go 包中：

 ```bash
 npm run build
 ```

-完成所有步骤后，你可以将改动提交 PR 到 Certimate 主仓库。
+**在向主仓库提交 PR 之前，你应该：**
+
+- 使用 [ESLint](https://github.com/eslint/eslint) 格式化你的代码。推荐使用 VSCode，并安装 ESLint+Prettier 插件，以便在保存时自动格式化。
+
+## 提交 PR
+
+在提交 PR 之前，请先创建一个 Issue 来讨论你的修改方案，并等待来自项目维护者的反馈。这样做有助于：
+
+- 让我们充分理解你的修改内容；
+- 评估修改是否符合项目路线图；
+- 避免重复工作；
+- 防止你投入时间到可能无法被合并的修改中。
+
+### 提交流程
+
+1. Fork 本仓库；
+2. 在提交 PR 之前，请先发起 Issue 讨论你想要做的修改；
+3. 为你的修改创建一个新的分支；
+4. 请为你的修改添加相应的测试；
+5. 确保你的代码能通过现有的测试；
+6. 请在 PR 描述中关联相关 Issue；
+7. 等待合并！
+
+> [!IMPORTANT]
+>
+> 建议为每个新功能或 Bug 修复创建一个从 `main` 分支派生的新分支。如果你计划提交多个 PR，请保持不同的改动在独立分支中，以便更容易进行代码审查并最终合并。
+>
+> 保持一个 PR 只实现一个功能或修复。
+
+## 获取帮助
+
+如果你在贡献过程中遇到困难或问题，可以通过 GitHub Issues 向我们提问。
--- a/CONTRIBUTING_EN.md
+++ b/CONTRIBUTING_EN.md
@@ -1,81 +1,106 @@
-# Contributing to Certimate
+# Contribution Guide

-Thank you for taking the time to improve Certimate! Below is a guide for submitting a PR (Pull Request) to the main Certimate repository.
+Thank you for taking the time to improve Certimate! Below is a guide for submitting a PR (Pull Request) to the Certimate repository.

- [Contributing to Certimate](#contributing-to-certimate)
+We need to be nimble and ship fast given where we are, but we also want to make sure that contributors like you get as smooth an experience at contributing as possible. We've assembled this contribution guide for that purpose, aiming at getting you familiarized with the codebase & how we work with contributors, so you could quickly jump to the fun part.
+
+Index:
+
+- [Development](#development)
  - [Prerequisites](#prerequisites)
-  - [Making Changes in the Go Code](#making-changes-in-the-go-code)
-  - [Making Changes in the Admin UI](#making-changes-in-the-admin-ui)
+  - [Backend Code](#backend-code)
+  - [Frontend Code](#frontend-code)
+- [Submitting PR](#submitting-pr)
+  - [Pull Request Process](#pull-request-process)
+- [Getting Help](#getting-help)

-## Prerequisites
+---

- Go 1.22+ (for Go code changes)
- Node 20+ (for Admin UI changes)
+## Development

-If you haven't done so already, you can fork the Certimate repository and clone your fork to work locally:
+### Prerequisites

-```bash
-git clone https://github.com/your_username/certimate.git
-```
+- Go 1.24+ (for backend code changes)
+- Node.js 22.0+ (for frontend code changes)

-> **Important:**
-> It is recommended to create a new branch from `main` for each bug fix or feature. If you plan to submit multiple PRs, ensure the changes are in separate branches for easier review and eventual merge.
-> Keep each PR focused on a single feature or fix.
+### Backend Code

-## Making Changes in the Go Code
+The backend code of Certimate is developed using Golang. It is a monolithic application based on [Pocketbase](https://github.com/pocketbase/pocketbase).

-Once you have made changes to the Go code in Certimate, follow these steps to run the project:
+Once you have made changes to the backend code in Certimate, follow these steps to run the project:

 1. Navigate to the root directory.
-
-2. Start the service by running:
-
+2. Install dependencies:
+   ```bash
+   go mod vendor
+   ```
+3. Start the local development server:
   ```bash
   go run main.go serve
   ```

-This will start a web server at `http://localhost:8090` using the prebuilt Admin UI located in `ui/dist`.
+This will start a web server at `http://localhost:8090` using the prebuilt WebUI located in `/ui/dist`.

-**Before submitting a PR to the main repository, consider:**
+> If you encounter an error `ui/embed.go: pattern all:dist: no matching files found`, please refer to _[Frontend Code](#frontend-code)_ and build WebUI first.

- Format your source code by using [gofumpt](https://github.com/mvdan/gofumpt).
+**Before submitting a PR to the main repository, you should:**

- Adding unit or integration tests for your changes. Certimate uses Go’s standard `testing` package. You can run tests using the following command (while in the root project directory):
+- Format your source code by using [gofumpt](https://github.com/mvdan/gofumpt). Recommended using VSCode and installing the gofumpt plugin to automatically format when saving.
+- Adding unit or integration tests for your changes (with go standard library `testing` package).

-  ```bash
-  go test ./...
-  ```
+### Frontend Code

-## Making Changes in the Admin UI
+The frontend code of Certimate is developed using TypeScript. It is a SPA based on [React](https://github.com/facebook/react) and [Vite](https://github.com/vitejs/vite).

-Certimate’s Admin UI is a single-page application (SPA) built using React and Vite.
-
-To start the Admin UI:
-
-1. Navigate to the `ui` project directory.
-
-2. Install the necessary dependencies by running:
+Once you have made changes to the backend code in Certimate, follow these steps to run the project:

+1. Navigate to the `/ui` directory.
+2. Install dependencies:
   ```bash
   npm install
   ```
-
-3. Start the Vite development server:
-
+3. Start the local development server:
   ```bash
   npm run dev
   ```

-You can now access the running Admin UI at `http://localhost:5173` in your browser.
+This will start a web server at `http://localhost:5173`. You can now access the WebUI in your browser.

-Since the Admin UI is a client-side application, you will also need to have the Certimate backend running. You can either manually run Certimate or use a prebuilt executable.
-
-Any changes you make in the Admin UI will be automatically reflected in the browser without requiring a page reload.
-
-After completing your changes, build the Admin UI so it can be embedded into the Go package:
+After completing your changes, build the WebUI so it can be embedded into the Go package:

 ```bash
 npm run build
 ```

-Once all steps are completed, you are ready to submit a PR to the main Certimate repository.
+**Before submitting a PR to the main repository, you should:**
+
+- Format your source code by using [ESLint](https://github.com/eslint/eslint). Recommended using VSCode and installing the ESLint plugin to automatically format when saving.
+
+## Submitting PR
+
+Before opening a Pull Request, please open an issue to discuss the change and get feedback from the maintainers. This will helps us:
+
+- To understand the context of the change.
+- To ensure it fits into Certimate's roadmap.
+- To prevent us from duplicating work.
+- To prevent you from spending time on a change that we may not be able to accept.
+
+### Pull Request Process
+
+1. Fork the repository.
+2. Before you draft a PR, please open an issue to discuss the changes you want to make.
+3. Create a new branch for your changes.
+4. Please add tests for your changes accordingly.
+5. Ensure your code passes the existing tests.
+6. Please link the issue in the PR description.
+7. Get merged!
+
+> [!IMPORTANT]
+>
+> It is recommended to create a new branch from `main` for each bug fix or feature. If you plan to submit multiple PRs, ensure the changes are in separate branches for easier review and eventual merge.
+>
+> Keep each PR focused on a single feature or fix.
+
+## Getting Help
+
+If you ever get stuck or get a burning question while contributing, simply shoot your queries our way via the GitHub issues.
--- a/21
+++ b/21
@@ -1,33 +1,24 @@
-FROM node:20-alpine3.19 AS front-builder
-
+FROM node:20-alpine3.19 AS webui-builder
 WORKDIR /app
-
 COPY . /app/
-
 RUN \
  cd /app/ui && \
  npm install && \
  npm run build


-FROM golang:1.23-alpine AS builder

+FROM golang:1.24-alpine AS builder
 WORKDIR /app
-
 COPY ../. /app/
-
 RUN rm -rf /app/ui/dist
-
-COPY --from=front-builder /app/ui/dist /app/ui/dist
-
-RUN go build -o certimate
+COPY --from=webui-builder /app/ui/dist /app/ui/dist
+ENV CGO_ENABLED=0
+RUN go build -ldflags="-s -w" -o certimate



 FROM alpine:latest
-
 WORKDIR /app
-
 COPY --from=builder /app/certimate .
-
-ENTRYPOINT ["./certimate", "serve", "--http", "0.0.0.0:8090"]
+ENTRYPOINT ["./certimate", "serve", "--http", "0.0.0.0:8090"]
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,5 +1,6 @@
 MIT License

+Copyright (c) 2025 certimate-go
 Copyright (c) 2024 Yoan.Liu

 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/3
+++ b/3
@@ -21,7 +21,8 @@ $(OS_ARCH):
 	@mkdir -p $(BUILD_DIR)
 	GOOS=$(word 1,$(subst /, ,$@)) \
 	GOARCH=$(word 2,$(subst /, ,$@)) \
-	go build -o $(BUILD_DIR)/$(BINARY_NAME)_$(word 1,$(subst /, ,$@))_$(word 2,$(subst /, ,$@)) -ldflags="-X main.version=$(VERSION)" .
+	CGO_ENABLED=0 \
+	go build -o $(BUILD_DIR)/$(BINARY_NAME)_$(word 1,$(subst /, ,$@))_$(word 2,$(subst /, ,$@)) -ldflags="-X main.version=$(VERSION) -s -w" .

 # 清理构建文件
 clean:
--- a/README.md
+++ b/README.md
@@ -2,11 +2,11 @@

 <div align="center">

-[![Stars](https://img.shields.io/github/stars/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
-[![Forks](https://img.shields.io/github/forks/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
-[![Docker Pulls](https://img.shields.io/docker/pulls/usual2970/certimate?style=flat)](https://hub.docker.com/r/usual2970/certimate)
-[![Release](https://img.shields.io/github/v/release/usual2970/certimate?sort=semver)](https://github.com/usual2970/certimate/releases)
-[![License](https://img.shields.io/github/license/usual2970/certimate)](https://mit-license.org/)
+[![Stars](https://img.shields.io/github/stars/certimate-go/certimate?style=flat)](https://github.com/certimate-go/certimate)
+[![Forks](https://img.shields.io/github/forks/certimate-go/certimate?style=flat)](https://github.com/certimate-go/certimate)
+[![Docker Pulls](https://img.shields.io/docker/pulls/certimate/certimate?style=flat)](https://hub.docker.com/r/certimate/certimate)
+[![Release](https://img.shields.io/github/v/release/certimate-go/certimate?style=flat&sort=semver)](https://github.com/certimate-go/certimate/releases)
+[![License](https://img.shields.io/github/license/certimate-go/certimate?style=flat)](https://mit-license.org/)

 </div>

@@ -16,18 +16,13 @@

 </div>

-> [!WARNING]
-> 当前分支为 `next`，是 v0.3.x 的开发分支，目前还没有稳定，请勿在生产环境中使用。
->
-> 如需访问之前的版本，请切换至 `main` 分支。
-
 ---

 ## 🚩 项目简介

 做个人产品或者在中小企业里负责运维的同学，会遇到要管理多个域名的情况，需要给域名申请证书。但是手动申请证书有以下缺点：

- 😱 麻烦：申请证书并部署到服务的流程虽不复杂，但也挺麻烦的，犹其是你有多个域名需要维护的时候。
+- 😱 麻烦：申请证书并部署到服务的流程虽不复杂，但也挺麻烦的，尤其是你有多个域名需要维护的时候。
 - 😭 易忘：另外当前免费证书的有效期只有 90 天，这就要求你定期的操作，增加了工作量的同时，你也很容易忘掉续期，从而导致网站访问不了。

 Certimate 就是为了解决上述问题而产生的，它具有以下优势：
@@ -41,18 +36,19 @@ Certimate 旨在为用户提供一个安全、简便的 SSL 证书管理解决
 ## 💡 功能特性

 - 灵活的工作流编排方式，证书从申请到部署完全自动化；
- 支持泛域名、多域名证书，可选 RSA、ECC 签名算法；
- 支持 20+ 域名托管商（如阿里云、腾讯云、Cloudflare 等）；
- 支持 50+ 部署目标（如 Kubernetes、CDN、WAF、负载均衡等）；
+- 支持单域名、多域名、泛域名证书，可选 RSA、ECC 签名算法；
+- 支持 PEM、PFX、JKS 等多种格式输出证书；
+- 支持 30+ 域名托管商（如阿里云、腾讯云、Cloudflare 等，[点此查看完整清单](https://docs.certimate.me/docs/reference/providers#supported-dns-providers)）；
+- 支持 100+ 部署目标（如 Kubernetes、CDN、WAF、负载均衡等，[点此查看完整清单](https://docs.certimate.me/docs/reference/providers#supported-hosting-providers)）；
 - 支持邮件、钉钉、飞书、企业微信、Webhook 等多种通知渠道；
- 支持 Let's Encrypt、ZeroSSL、Google Trust Services 等多种 ACME 证书颁发机构；
+- 支持 Let's Encrypt、Buypass、Google Trust Services、SSL.com、ZeroSSL 等多种 ACME 证书颁发机构；
 - 更多特性等待探索。

 ## ⏱️ 快速启动

 **5 分钟部署 Certimate！**

-以二进制部署为例，从 [GitHub Releases](https://github.com/usual2970/certimate/releases) 页面下载预先编译好的二进制可执行文件压缩包，解压缩后在终端中执行：
+以二进制部署为例，从 [GitHub Releases](https://github.com/certimate-go/certimate/releases) 页面下载预先编译好的二进制可执行文件压缩包，解压缩后在终端中执行：

 ```bash
 ./certimate serve
@@ -69,15 +65,16 @@ Certimate 旨在为用户提供一个安全、简便的 SSL 证书管理解决

 如何使用 Docker 或其他部署方式请参考文档。

-## 📄 技术文档
+## 📄 使用手册

-请访问 [docs.certimate.me](https://docs.certimate.me/) 以阅读技术文档。
+请访问文档站 [docs.certimate.me](https://docs.certimate.me/) 以阅读使用手册。

 相关文章：

- [v0.3.0：第二个不向后兼容的大版本](https://docs.certimate.me/blog/v0.3.0)
- [v0.2.0：第一个不向后兼容的大版本](https://docs.certimate.me/blog/v0.2.0)
- [Why Certimate?](https://docs.certimate.me/blog/why-certimate)
+- [《使用 CNAME 完成 ACME DNS-01 质询》](https://docs.certimate.me/blog/cname)
+- [《v0.3.0：第二个不向后兼容的大版本》](https://docs.certimate.me/blog/v0.3.0)
+- [《v0.2.0：第一个不向后兼容的大版本》](https://docs.certimate.me/blog/v0.2.0)
+- [《Why Certimate?》](https://docs.certimate.me/blog/why-certimate)

 ## ⭐ 运行界面

@@ -85,18 +82,19 @@ Certimate 旨在为用户提供一个安全、简便的 SSL 证书管理解决

 ## 🤝 参与贡献

-Certimate 是一个免费且开源的项目，采用 [MIT License](./LICENSE.md)。你可以使用它做任何你想做的事，甚至把它当作一个付费服务提供给用户。
+Certimate 是一个免费且开源的项目。我们欢迎任何人为 Certimate 做出贡献，以帮助改善 Certimate。包括但不限于：提交代码、反馈缺陷、交流想法，或分享你基于 Certimate 的使用案例。同时，我们也欢迎用户在个人博客或社交媒体上分享 Certimate。

-你可以通过以下方式来支持 Certimate 的开发：
+如果你想要贡献代码，请先阅读我们的[贡献指南](./CONTRIBUTING.md)。

- 提交代码：如果你发现了 Bug 或有新的功能需求，而你又有相关经验，可以[提交代码](CONTRIBUTING.md)给我们。
- 提交 Issue：功能建议或者 Bug 可以[提交 Issue](https://github.com/usual2970/certimate/issues) 给我们。
+请在 https://github.com/certimate-go/certimate 提交 [Issues](https://github.com/certimate-go/certimate/issues) 和 [Pull Requests](https://github.com/certimate-go/certimate/pulls)。

-支持更多提供商、UI 的优化改进、Bug 修复、文档完善等，欢迎大家参与贡献。
+#### 感谢以下贡献者对 Certimate 做出的贡献：
+
+[![Contributors](https://contrib.rocks/image?repo=certimate-go/certimate)](https://github.com/certimate-go/certimate/graphs/contributors)

 ## ⛔ 免责声明

-Certimate 基于 [MIT License](https://opensource.org/licenses/MIT) 发布，完全免费提供，旨在“按现状”供用户使用。作者及贡献者不对使用本软件所产生的任何直接或间接后果承担责任，包括但不限于性能下降、数据丢失、服务中断、或任何其他类型的损害。
+Certimate 遵循 [MIT License](https://opensource.org/licenses/MIT) 开源协议，完全免费提供，旨在“按现状”供用户使用。作者及贡献者不对使用本软件所产生的任何直接或间接后果承担责任，包括但不限于性能下降、数据丢失、服务中断、或任何其他类型的损害。

 **无任何保证**：本软件不提供任何明示或暗示的保证，包括但不限于对特定用途的适用性、无侵权性、商用性及可靠性的保证。

@@ -107,8 +105,8 @@ Certimate 基于 [MIT License](https://opensource.org/licenses/MIT) 发布，完
 - [Telegram](https://t.me/+ZXphsppxUg41YmVl)
 - 微信群聊（超 200 人需邀请入群，可先加作者好友）

-  <img src="https://i.imgur.com/8xwsLTA.png" width="240"/>
+  <img src="https://i.imgur.com/8xwsLTA.png" width="200"/>

 ## 🚀 Star 趋势图

-[![Stargazers over time](https://starchart.cc/usual2970/certimate.svg?variant=adaptive)](https://starchart.cc/usual2970/certimate)
+[![Stargazers over time](https://starchart.cc/certimate-go/certimate.svg?variant=adaptive)](https://starchart.cc/certimate-go/certimate)
--- a/README_EN.md
+++ b/README_EN.md
@@ -2,11 +2,11 @@

 <div align="center">

-[![Stars](https://img.shields.io/github/stars/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
-[![Forks](https://img.shields.io/github/forks/usual2970/certimate?style=flat)](https://github.com/usual2970/certimate)
-[![Docker Pulls](https://img.shields.io/docker/pulls/usual2970/certimate?style=flat)](https://hub.docker.com/r/usual2970/certimate)
-[![Release](https://img.shields.io/github/v/release/usual2970/certimate?style=flat&sort=semver)](https://github.com/usual2970/certimate/releases)
-[![License](https://img.shields.io/github/license/usual2970/certimate?style=flat)](https://mit-license.org/)
+[![Stars](https://img.shields.io/github/stars/certimate-go/certimate?style=flat)](https://github.com/certimate-go/certimate)
+[![Forks](https://img.shields.io/github/forks/certimate-go/certimate?style=flat)](https://github.com/certimate-go/certimate)
+[![Docker Pulls](https://img.shields.io/docker/pulls/certimate/certimate?style=flat)](https://hub.docker.com/r/certimate/certimate)
+[![Release](https://img.shields.io/github/v/release/certimate-go/certimate?style=flat&sort=semver)](https://github.com/certimate-go/certimate/releases)
+[![License](https://img.shields.io/github/license/certimate-go/certimate?style=flat)](https://mit-license.org/)

 </div>

@@ -16,11 +16,6 @@

 </div>

-> [!WARNING]
-> The current branch is `next`, which is the development branch for v0.3.x. It is currently unstable and should not be used in production environments.
->
-> To access the previous versions, please switch to the `main` branch.
-
 ---

 ## 🚩 Introduction
@@ -40,19 +35,20 @@ Certimate aims to provide users with a secure and user-friendly SSL certificate

 ## 💡 Features

- Flexible workflow orchestration, fully automated from certificate application to deployment;
- Supports wildcard, multi-domain certificates, with options for RSA or ECC.
- Supports more than 20+ domain registrars (e.g., Alibaba Cloud, Tencent Cloud, Cloudflare, etc.);
- Supports more than 50+ deployment targets (e.g., Kubernetes, CDN, WAF, load balancers, etc.);
+- Flexible workflow orchestration, fully automation from certificate application to deployment;
+- Supports single-domain, multi-domain, wildcard certificates, with options for RSA or ECC.
+- Supports various certificate formats such as PEM, PFX, JKS.
+- Supports more than 30+ domain registrars (e.g., Alibaba Cloud, Tencent Cloud, Cloudflare, etc. [Check out this link](https://docs.certimate.me/en/docs/reference/providers#supported-dns-providers));
+- Supports more than 100+ deployment targets (e.g., Kubernetes, CDN, WAF, load balancers, etc. [Check out this link](https://docs.certimate.me/en/docs/reference/providers#supported-hosting-providers));
 - Supports multiple notification channels including email, DingTalk, Feishu, WeCom, Webhook, and more;
- Supports multiple certificate authorities including Let's Encrypt, ZeroSSL, Google Trust Services, and more;
+- Supports multiple ACME CAs including Let's Encrypt, Buypass, Google Trust Services，SSL.com, ZeroSSL, and more;
 - More features waiting to be discovered.

 ## ⏱️ Fast Track

 **Deploy Certimate in 5 minutes!**

-Download the archived package of precompiled binary files directly from [GitHub Releases](https://github.com/usual2970/certimate/releases), extract and then execute:
+Download the archived package of precompiled binary files directly from [GitHub Releases](https://github.com/certimate-go/certimate/releases), extract and then execute:

 ```bash
 ./certimate serve
@@ -60,7 +56,7 @@ Download the archived package of precompiled binary files directly from [GitHub

 Visit `http://127.0.0.1:8090` in your browser.

-Initial administrator account:
+Default administrator account:

 - Username: `admin@certimate.fun`
 - Password: `1234567890`
@@ -69,13 +65,14 @@ Work with Certimate right now. Or read other content in the documentation to lea

 ## 📄 Documentation

-Please visit [docs.certimate.me](https://docs.certimate.me/en/).
+For full documentation, please visit [docs.certimate.me](https://docs.certimate.me/en/).

 Related articles:

- [v0.3.0：第二个不向后兼容的大版本](https://docs.certimate.me/blog/v0.3.0)
- [v0.2.0：第一个不向后兼容的大版本](https://docs.certimate.me/blog/v0.2.0)
- [Why Certimate?](https://docs.certimate.me/blog/why-certimate)
+- [_使用 CNAME 完成 ACME DNS-01 质询_](https://docs.certimate.me/blog/cname)
+- [_v0.3.0：第二个不向后兼容的大版本_](https://docs.certimate.me/blog/v0.3.0)
+- [_v0.2.0：第一个不向后兼容的大版本_](https://docs.certimate.me/blog/v0.2.0)
+- [_Why Certimate?_](https://docs.certimate.me/blog/why-certimate)

 ## ⭐ Screenshot

@@ -83,18 +80,19 @@ Related articles:

 ## 🤝 Contributing

-Certimate is a free and open-source project, licensed under the [MIT License](./LICENSE.md). You can use it for anything you want, even offering it as a paid service to users.
+Certimate is a free and open-source project, and your feedback and contributions are needed and always welcome. Contributions include but are not limited to: submitting code, reporting bugs, sharing ideas, or showcasing your use cases based on Certimate. We also encourage users to share Certimate on personal blogs or social media.

-You can support the development of Certimate in the following ways:
+For those who'd like to contribute code, see our [Contribution Guide](./CONTRIBUTING_EN.md).

- **Submit Code**: If you find a bug or have new feature requests, and you have relevant experience, [you can submit code to us](CONTRIBUTING_EN.md).
- **Submit an Issue**: For feature suggestions or bugs, you can [submit an issue](https://github.com/usual2970/certimate/issues) to us.
+[Issues](https://github.com/certimate-go/certimate/issues) and [Pull Requests](https://github.com/certimate-go/certimate/pulls) are opened at https://github.com/certimate-go/certimate.

-Support for more service providers, UI enhancements, bug fixes, and documentation improvements are all welcome. We encourage everyone to contribute.
+#### Contributors
+
+[![Contributors](https://contrib.rocks/image?repo=certimate-go/certimate)](https://github.com/certimate-go/certimate/graphs/contributors)

 ## ⛔ Disclaimer

-This software is provided under the [MIT License](https://opensource.org/licenses/MIT) and distributed “as-is” without any warranty of any kind. The authors and contributors are not responsible for any damages or losses resulting from the use or inability to use this software, including but not limited to data loss, business interruption, or any other potential harm.
+This repository is available under the [MIT License](https://opensource.org/licenses/MIT), and distributed “as-is” without any warranty of any kind. The authors and contributors are not responsible for any damages or losses resulting from the use or inability to use this software, including but not limited to data loss, business interruption, or any other potential harm.

 **No Warranties**: This software comes without any express or implied warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

@@ -105,8 +103,8 @@ This software is provided under the [MIT License](https://opensource.org/license
 - [Telegram](https://t.me/+ZXphsppxUg41YmVl)
 - Wechat Group

-  <img src="https://i.imgur.com/zSHEoIm.png" width="240"/>
+  <img src="https://i.imgur.com/zSHEoIm.png" width="200"/>

 ## 🚀 Star History

-[![Stargazers over time](https://starchart.cc/usual2970/certimate.svg?variant=adaptive)](https://starchart.cc/usual2970/certimate)
+[![Stargazers over time](https://starchart.cc/certimate-go/certimate.svg?variant=adaptive)](https://starchart.cc/certimate-go/certimate)
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,10 +1,12 @@
 version: "3.0"
 services:
  certimate:
-    image: registry.cn-shanghai.aliyuncs.com/usual2970/certimate:latest
-    container_name: certimate_server
+    image: certimate/certimate:latest
+    container_name: certimate
    ports:
      - 8090:8090
    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /etc/timezone:/etc/timezone:ro
      - ./data:/app/pb_data
    restart: unless-stopped
--- a/go.mod
+++ b/go.mod
@@ -1,82 +1,98 @@
-module github.com/usual2970/certimate
+module github.com/certimate-go/certimate

-go 1.23.0
+go 1.24.0

-toolchain go1.23.2
+toolchain go1.24.3

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
-	github.com/alibabacloud-go/alb-20200616/v2 v2.2.7
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.0
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.3.1
+	github.com/Edgio/edgio-api v0.0.0-workspace
+	github.com/G-Core/gcorelabscdn-go v1.0.31
+	github.com/alibabacloud-go/alb-20200616/v2 v2.2.8
+	github.com/alibabacloud-go/apig-20240327/v3 v3.2.2
 	github.com/alibabacloud-go/cas-20200407/v3 v3.0.4
 	github.com/alibabacloud-go/cdn-20180510/v5 v5.2.2
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10
-	github.com/alibabacloud-go/esa-20240910/v2 v2.13.0
+	github.com/alibabacloud-go/cloudapi-20160714/v5 v5.7.4
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.7
+	github.com/alibabacloud-go/ddoscoo-20200101/v4 v4.0.0
+	github.com/alibabacloud-go/esa-20240910/v2 v2.33.0
+	github.com/alibabacloud-go/fc-20230330/v4 v4.3.5
+	github.com/alibabacloud-go/fc-open-20210406/v2 v2.0.12
+	github.com/alibabacloud-go/ga-20191120/v3 v3.1.8
 	github.com/alibabacloud-go/live-20161101 v1.1.1
 	github.com/alibabacloud-go/nlb-20220430/v2 v2.0.3
 	github.com/alibabacloud-go/slb-20140515/v4 v4.0.10
-	github.com/alibabacloud-go/tea v1.2.2
-	github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.0.4
+	github.com/alibabacloud-go/tea v1.3.9
+	github.com/alibabacloud-go/vod-20170321/v4 v4.8.4
+	github.com/alibabacloud-go/waf-openapi-20211001/v5 v5.1.3
 	github.com/aliyun/aliyun-oss-go-sdk v3.0.2+incompatible
-	github.com/aws/aws-sdk-go-v2/service/acm v1.30.18
-	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.44.10
-	github.com/baidubce/bce-sdk-go v0.9.217
-	github.com/byteplus-sdk/byteplus-sdk-golang v1.0.41
-	github.com/go-acme/lego/v4 v4.22.2
+	github.com/aws/aws-sdk-go-v2/service/acm v1.32.0
+	github.com/aws/aws-sdk-go-v2/service/cloudfront v1.46.1
+	github.com/aws/aws-sdk-go-v2/service/iam v1.42.0
+	github.com/baidubce/bce-sdk-go v0.9.228
+	github.com/blinkbean/dingtalk v1.1.3
+	github.com/byteplus-sdk/byteplus-sdk-golang v1.0.46
+	github.com/go-acme/lego/v4 v4.23.1
+	github.com/go-lark/lark v1.16.0
 	github.com/go-resty/resty/v2 v2.16.5
 	github.com/go-viper/mapstructure/v2 v2.2.1
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.136
-	github.com/nikoksr/notify v1.3.0
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.150
+	github.com/jdcloud-api/jdcloud-sdk-go v1.64.0
+	github.com/libdns/dynv6 v1.0.0
+	github.com/libdns/libdns v0.2.3
+	github.com/luthermonson/go-proxmox v0.2.2
 	github.com/pavlo-v-chernykh/keystore-go/v4 v4.5.0
-	github.com/pkg/sftp v1.13.7
+	github.com/pkg/sftp v1.13.9
 	github.com/pocketbase/dbx v1.11.0
-	github.com/pocketbase/pocketbase v0.25.4
-	github.com/povsister/scp v0.0.0-20240802064259-28781e87b246
-	github.com/qiniu/go-sdk/v7 v7.25.2
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn v1.0.1096
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1096
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1102
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live v1.0.1096
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1096
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1096
-	github.com/ucloud/ucloud-sdk-go v0.22.31
-	github.com/volcengine/ve-tos-golang-sdk/v2 v2.7.9
-	github.com/volcengine/volc-sdk-golang v1.0.195
-	github.com/volcengine/volcengine-go-sdk v1.0.180
-	golang.org/x/crypto v0.33.0
-	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
-	k8s.io/api v0.32.1
-	k8s.io/apimachinery v0.32.1
-	k8s.io/client-go v0.32.1
+	github.com/pocketbase/pocketbase v0.28.2
+	github.com/povsister/scp v0.0.0-20250504051308-e467f71ea63c
+	github.com/qiniu/go-sdk/v7 v7.25.3
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn v1.0.1155
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb v1.0.1166
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1173
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/gaap v1.0.1163
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live v1.0.1150
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/scf v1.0.1172
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl v1.0.1169
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo v1.0.1166
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.1164
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1170
+	github.com/ucloud/ucloud-sdk-go v0.22.41
+	github.com/volcengine/ve-tos-golang-sdk/v2 v2.7.12
+	github.com/volcengine/volc-sdk-golang v1.0.208
+	github.com/volcengine/volcengine-go-sdk v1.1.8
+	gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1
+	gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0
+	golang.org/x/crypto v0.38.0
+	golang.org/x/exp v0.0.0-20250506013437-ce4c2cf36ca6
+	k8s.io/api v0.33.1
+	k8s.io/apimachinery v0.33.1
+	k8s.io/client-go v0.33.1
 	software.sslmate.com/src/go-pkcs12 v0.5.0
 )

 require (
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v1.3.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
-	github.com/G-Core/gcorelabscdn-go v1.0.26 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
+	github.com/alibabacloud-go/alibabacloud-gateway-fc-util v0.0.7 // indirect
 	github.com/alibabacloud-go/openplatform-20191219/v2 v2.0.1 // indirect
 	github.com/alibabacloud-go/tea-fileform v1.1.1 // indirect
-	github.com/alibabacloud-go/tea-oss-sdk v1.1.3 // indirect
+	github.com/alibabacloud-go/tea-oss-sdk v1.1.5 // indirect
 	github.com/alibabacloud-go/tea-oss-utils v1.1.0 // indirect
-	github.com/alibabacloud-go/tea-rpc v1.1.3 // indirect
-	github.com/alibabacloud-go/tea-rpc-utils v1.1.0 // indirect
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
-	github.com/alibabacloud-go/vod-20170321 v1.0.1 // indirect
-	github.com/alibabacloud-go/vod-20170321/v4 v4.6.1 // indirect
 	github.com/avast/retry-go v3.0.0+incompatible // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.48.1 // indirect
-	github.com/blinkbean/dingtalk v1.1.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.50.0 // indirect
+	github.com/buger/goterm v1.0.4 // indirect
+	github.com/diskfs/go-diskfs v1.5.0 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/go-lark/lark v1.15.1 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
@@ -84,48 +100,50 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.16.0 // indirect
-	github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible // indirect
+	github.com/go-sql-driver/mysql v1.8.1 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/jdcloud-api/jdcloud-sdk-go v1.62.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+	github.com/jinzhu/copier v0.3.4 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
+	github.com/magefile/mage v1.14.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/namedotcom/go v0.0.0-20180403034216-08470befbe04 // indirect
+	github.com/nrdcg/bunny-go v0.0.0-20240207213615-dde5bf4577a3 // indirect
+	github.com/nrdcg/desec v0.10.0 // indirect
 	github.com/nrdcg/mailinabox v0.2.0 // indirect
+	github.com/nrdcg/porkbun v0.4.0 // indirect
+	github.com/peterhellberg/link v1.2.0 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/qiniu/dyn v1.3.0 // indirect
 	github.com/qiniu/x v1.10.5 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/technoweenie/multipartstreamer v1.0.1 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod v1.0.1102 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf v1.0.1099 // indirect
+	github.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1 // indirect
-	gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0 // indirect
 	go.mongodb.org/mongo-driver v1.17.2 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ns1/ns1-go.v2 v2.13.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

 require (
-	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
 	github.com/alibabacloud-go/dcdn-20180115/v3 v3.5.0
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
@@ -133,91 +151,76 @@ require (
 	github.com/alibabacloud-go/openapi-util v0.1.1 // indirect
 	github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.63.83 // indirect
-	github.com/aliyun/credentials-go v1.4.3 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.100 // indirect
+	github.com/aliyun/credentials-go v1.4.6 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.36.1
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.8 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.29.5
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.58
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.58 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.32 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.32 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.6.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.75.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.33.14 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.9
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.62
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
 	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
-	github.com/cloudflare/cloudflare-go v0.114.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.115.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/disintegration/imaging v1.6.2 // indirect
 	github.com/domodwyer/mailyak/v3 v3.6.2
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
-	github.com/ganigeorgiev/fexpr v0.4.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
+	github.com/ganigeorgiev/fexpr v0.5.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0 // indirect
-	github.com/goccy/go-json v0.10.4 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.62 // indirect
+	github.com/miekg/dns v1.1.64 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/nrdcg/namesilo v0.2.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pkg/errors v0.9.1
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/cast v1.8.0 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1084 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1128 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	gocloud.dev v0.40.0 // indirect
-	golang.org/x/image v0.24.0 // indirect
-	golang.org/x/mod v0.23.0 // indirect
-	golang.org/x/net v0.35.0 // indirect
-	golang.org/x/oauth2 v0.26.0 // indirect
-	golang.org/x/sync v0.11.0
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
-	golang.org/x/time v0.9.0
-	golang.org/x/tools v0.30.0 // indirect
-	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/api v0.220.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250207221924-e9438ea467c6 // indirect
-	google.golang.org/grpc v1.70.0 // indirect
+	golang.org/x/image v0.27.0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sync v0.14.0
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/time v0.11.0
+	golang.org/x/tools v0.33.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.61.11 // indirect
+	modernc.org/libc v1.65.7 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
-	modernc.org/memory v1.8.2 // indirect
-	modernc.org/sqlite v1.34.5 // indirect
+	modernc.org/memory v1.11.0 // indirect
+	modernc.org/sqlite v1.37.1 // indirect
 )

-replace gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0 => ./internal/pkg/vendors/cmcc-sdk/ecloudsdkcore@v1.0.0
+replace github.com/Edgio/edgio-api v0.0.0-workspace => ./pkg/sdk3rd/edgio/edgio-api@v0.0.0-workspace

-replace gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1 => ./internal/pkg/vendors/cmcc-sdk/ecloudsdkclouddns@v1.0.1
+replace gitlab.ecloud.com/ecloud/ecloudsdkcore v1.0.0 => ./pkg/sdk3rd/cmcc/ecloudsdkcore@v1.0.0
+
+replace gitlab.ecloud.com/ecloud/ecloudsdkclouddns v1.0.1 => ./pkg/sdk3rd/cmcc/ecloudsdkclouddns@v1.0.1
--- a/go.sum
+++ b/go.sum
--- a/internal/app/scheduler.go
+++ b/internal/app/scheduler.go
@@ -3,6 +3,7 @@ package app
 import (
 	"sync"
 	"time"
+	_ "time/tzdata"

 	"github.com/pocketbase/pocketbase/tools/cron"
 )
--- a/internal/applicant/acme_ca.go
+++ b/internal/applicant/acme_ca.go
@@ -1,38 +1,31 @@
-package applicant
+package applicant
+
+import "github.com/certimate-go/certimate/internal/domain"

 const (
-	sslProviderLetsEncrypt         = "letsencrypt"
-	sslProviderLetsEncryptStaging  = "letsencrypt_staging"
-	sslProviderZeroSSL             = "zerossl"
-	sslProviderGoogleTrustServices = "gts"
-)
-const defaultSSLProvider = sslProviderLetsEncrypt
+	caLetsEncrypt         = string(domain.CAProviderTypeLetsEncrypt)
+	caLetsEncryptStaging  = string(domain.CAProviderTypeLetsEncryptStaging)
+	caBuypass             = string(domain.CAProviderTypeBuypass)
+	caGoogleTrustServices = string(domain.CAProviderTypeGoogleTrustServices)
+	caSSLCom              = string(domain.CAProviderTypeSSLCom)
+	caZeroSSL             = string(domain.CAProviderTypeZeroSSL)
+	caCustom              = string(domain.CAProviderTypeACMECA)

-const (
-	letsencryptUrl        = "https://acme-v02.api.letsencrypt.org/directory"
-	letsencryptStagingUrl = "https://acme-staging-v02.api.letsencrypt.org/directory"
-	zerosslUrl            = "https://acme.zerossl.com/v2/DV90"
-	gtsUrl                = "https://dv.acme-v02.api.pki.goog/directory"
+	caDefault = caLetsEncrypt
 )

-var sslProviderUrls = map[string]string{
-	sslProviderLetsEncrypt:         letsencryptUrl,
-	sslProviderLetsEncryptStaging:  letsencryptStagingUrl,
-	sslProviderZeroSSL:             zerosslUrl,
-	sslProviderGoogleTrustServices: gtsUrl,
+var caDirUrls = map[string]string{
+	caLetsEncrypt:         "https://acme-v02.api.letsencrypt.org/directory",
+	caLetsEncryptStaging:  "https://acme-staging-v02.api.letsencrypt.org/directory",
+	caBuypass:             "https://api.buypass.com/acme/directory",
+	caGoogleTrustServices: "https://dv.acme-v02.api.pki.goog/directory",
+	caSSLCom:              "https://acme.ssl.com/sslcom-dv-rsa",
+	caSSLCom + "RSA":      "https://acme.ssl.com/sslcom-dv-rsa",
+	caSSLCom + "ECC":      "https://acme.ssl.com/sslcom-dv-ecc",
+	caZeroSSL:             "https://acme.zerossl.com/v2/DV90",
 }

 type acmeSSLProviderConfig struct {
-	Config   acmeSSLProviderConfigContent `json:"config"`
-	Provider string                       `json:"provider"`
-}
-
-type acmeSSLProviderConfigContent struct {
-	ZeroSSL             acmeSSLProviderEabConfig `json:"zerossl"`
-	GoogleTrustServices acmeSSLProviderEabConfig `json:"gts"`
-}
-
-type acmeSSLProviderEabConfig struct {
-	EabHmacKey string `json:"eabHmacKey"`
-	EabKid     string `json:"eabKid"`
+	Config   map[domain.CAProviderType]map[string]any `json:"config"`
+	Provider string                                   `json:"provider"`
 }
--- a/internal/applicant/acme_user.go
+++ b/internal/applicant/acme_user.go
@@ -1,4 +1,4 @@
-package applicant
+package applicant

 import (
 	"context"
@@ -7,40 +7,51 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"fmt"
+	"strings"

 	"github.com/go-acme/lego/v4/lego"
 	"github.com/go-acme/lego/v4/registration"
 	"golang.org/x/sync/singleflight"

-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-	"github.com/usual2970/certimate/internal/repository"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/repository"
+	xcert "github.com/certimate-go/certimate/pkg/utils/cert"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
 )

 type acmeUser struct {
-	CA           string
-	Email        string
+	// 证书颁发机构标识。
+	// 通常等同于 [CAProviderType] 的值。
+	// 对于自定义 ACME CA，值为 "custom#{access_id}"。
+	CA string
+	// 邮箱。
+	Email string
+	// 注册信息。
 	Registration *registration.Resource

+	// CSR 私钥。
 	privkey string
 }

-func newAcmeUser(ca, email string) (*acmeUser, error) {
+func newAcmeUser(ca, caAccessId, email string) (*acmeUser, error) {
 	repo := repository.NewAcmeAccountRepository()

 	applyUser := &acmeUser{
 		CA:    ca,
 		Email: email,
 	}
+	if ca == caCustom {
+		applyUser.CA = fmt.Sprintf("%s#%s", ca, caAccessId)
+	}

-	acmeAccount, err := repo.GetByCAAndEmail(ca, email)
+	acmeAccount, err := repo.GetByCAAndEmail(applyUser.CA, applyUser.Email)
 	if err != nil {
 		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 		if err != nil {
 			return nil, err
 		}

-		keyPEM, err := certs.ConvertECPrivateKeyToPEM(key)
+		keyPEM, err := xcert.ConvertECPrivateKeyToPEM(key)
 		if err != nil {
 			return nil, err
 		}
@@ -64,7 +75,7 @@ func (u acmeUser) GetRegistration() *registration.Resource {
 }

 func (u *acmeUser) GetPrivateKey() crypto.PrivateKey {
-	rs, _ := certs.ParseECPrivateKeyFromPEM(u.privkey)
+	rs, _ := xcert.ParseECPrivateKeyFromPEM(u.privkey)
 	return rs
 }

@@ -72,20 +83,19 @@ func (u *acmeUser) hasRegistration() bool {
 	return u.Registration != nil
 }

+func (u *acmeUser) getCAProvider() string {
+	return strings.Split(u.CA, "#")[0]
+}
+
 func (u *acmeUser) getPrivateKeyPEM() string {
 	return u.privkey
 }

-type acmeAccountRepository interface {
-	GetByCAAndEmail(ca, email string) (*domain.AcmeAccount, error)
-	Save(ca, email, key string, resource *registration.Resource) error
-}
-
 var registerGroup singleflight.Group

-func registerAcmeUserWithSingleFlight(client *lego.Client, sslProviderConfig *acmeSSLProviderConfig, user *acmeUser) (*registration.Resource, error) {
-	resp, err, _ := registerGroup.Do(fmt.Sprintf("register_acme_user_%s_%s", sslProviderConfig.Provider, user.GetEmail()), func() (interface{}, error) {
-		return registerAcmeUser(client, sslProviderConfig, user)
+func registerAcmeUserWithSingleFlight(client *lego.Client, user *acmeUser, userRegisterOptions map[string]any) (*registration.Resource, error) {
+	resp, err, _ := registerGroup.Do(fmt.Sprintf("register_acme_user_%s_%s", user.CA, user.Email), func() (interface{}, error) {
+		return registerAcmeUser(client, user, userRegisterOptions)
 	})

 	if err != nil {
@@ -95,45 +105,101 @@ func registerAcmeUserWithSingleFlight(client *lego.Client, sslProviderConfig *ac
 	return resp.(*registration.Resource), nil
 }

-func registerAcmeUser(client *lego.Client, sslProviderConfig *acmeSSLProviderConfig, user *acmeUser) (*registration.Resource, error) {
+func registerAcmeUser(client *lego.Client, user *acmeUser, userRegisterOptions map[string]any) (*registration.Resource, error) {
 	var reg *registration.Resource
 	var err error
-	switch sslProviderConfig.Provider {
-	case sslProviderZeroSSL:
-		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
-			TermsOfServiceAgreed: true,
-			Kid:                  sslProviderConfig.Config.ZeroSSL.EabKid,
-			HmacEncoded:          sslProviderConfig.Config.ZeroSSL.EabHmacKey,
-		})
-	case sslProviderGoogleTrustServices:
-		reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
-			TermsOfServiceAgreed: true,
-			Kid:                  sslProviderConfig.Config.GoogleTrustServices.EabKid,
-			HmacEncoded:          sslProviderConfig.Config.GoogleTrustServices.EabHmacKey,
-		})
-	case sslProviderLetsEncrypt, sslProviderLetsEncryptStaging:
+	switch user.getCAProvider() {
+	case caLetsEncrypt, caLetsEncryptStaging:
 		reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+
+	case caBuypass:
+		{
+			reg, err = client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+		}
+
+	case caGoogleTrustServices:
+		{
+			access := domain.AccessConfigForGoogleTrustServices{}
+			if err := xmaps.Populate(userRegisterOptions, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  access.EabKid,
+				HmacEncoded:          access.EabHmacKey,
+			})
+		}
+
+	case caSSLCom:
+		{
+			access := domain.AccessConfigForSSLCom{}
+			if err := xmaps.Populate(userRegisterOptions, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  access.EabKid,
+				HmacEncoded:          access.EabHmacKey,
+			})
+		}
+
+	case caZeroSSL:
+		{
+			access := domain.AccessConfigForZeroSSL{}
+			if err := xmaps.Populate(userRegisterOptions, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+				TermsOfServiceAgreed: true,
+				Kid:                  access.EabKid,
+				HmacEncoded:          access.EabHmacKey,
+			})
+		}
+
+	case caCustom:
+		{
+			access := domain.AccessConfigForACMECA{}
+			if err := xmaps.Populate(userRegisterOptions, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			if access.EabKid == "" && access.EabHmacKey == "" {
+				reg, err = client.Registration.Register(registration.RegisterOptions{
+					TermsOfServiceAgreed: true,
+				})
+			} else {
+				reg, err = client.Registration.RegisterWithExternalAccountBinding(registration.RegisterEABOptions{
+					TermsOfServiceAgreed: true,
+					Kid:                  access.EabKid,
+					HmacEncoded:          access.EabHmacKey,
+				})
+			}
+		}
+
 	default:
-		err = fmt.Errorf("unsupported ssl provider: %s", sslProviderConfig.Provider)
+		err = fmt.Errorf("unsupported ca provider '%s'", user.CA)
 	}
 	if err != nil {
 		return nil, err
 	}

 	repo := repository.NewAcmeAccountRepository()
-	resp, err := repo.GetByCAAndEmail(sslProviderConfig.Provider, user.GetEmail())
+	resp, err := repo.GetByCAAndEmail(user.CA, user.Email)
 	if err == nil {
 		user.privkey = resp.Key
 		return resp.Resource, nil
 	}

 	if _, err := repo.Save(context.Background(), &domain.AcmeAccount{
-		CA:       sslProviderConfig.Provider,
-		Email:    user.GetEmail(),
+		CA:       user.CA,
+		Email:    user.Email,
 		Key:      user.getPrivateKeyPEM(),
 		Resource: reg,
 	}); err != nil {
-		return nil, fmt.Errorf("failed to save registration: %w", err)
+		return nil, fmt.Errorf("failed to save acme account registration: %w", err)
 	}

 	return reg, nil
--- a/internal/applicant/applicant.go
+++ b/internal/applicant/applicant.go
@@ -4,10 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"log/slog"
 	"os"
 	"strconv"
 	"strings"
 	"sync"
+	"time"

 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
@@ -17,73 +19,98 @@ import (
 	"golang.org/x/exp/slices"
 	"golang.org/x/time/rate"

-	"github.com/usual2970/certimate/internal/domain"
-	uslices "github.com/usual2970/certimate/internal/pkg/utils/slices"
-	"github.com/usual2970/certimate/internal/repository"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/repository"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
+	xslices "github.com/certimate-go/certimate/pkg/utils/slices"
 )

-type ApplyCertResult struct {
-	CertificateFullChain string
+type ApplyResult struct {
+	CSR                  string
+	FullChainCertificate string
 	IssuerCertificate    string
 	PrivateKey           string
 	ACMEAccountUrl       string
 	ACMECertUrl          string
 	ACMECertStableUrl    string
-	CSR                  string
+	ARIReplaced          bool
 }

 type Applicant interface {
-	Apply() (*ApplyCertResult, error)
+	Apply(ctx context.Context) (*ApplyResult, error)
 }

-type applicantOptions struct {
-	Domains               []string
-	ContactEmail          string
-	Provider              domain.ApplyDNSProviderType
-	ProviderAccessConfig  map[string]any
-	ProviderApplyConfig   map[string]any
-	KeyAlgorithm          string
-	Nameservers           []string
-	DnsPropagationTimeout int32
-	DnsTTL                int32
-	DisableFollowCNAME    bool
-	ReplacedARIAcctId     string
-	ReplacedARICertId     string
+type ApplicantWithWorkflowNodeConfig struct {
+	Node   *domain.WorkflowNode
+	Logger *slog.Logger
 }

-func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
-	if node.Type != domain.WorkflowNodeTypeApply {
-		return nil, fmt.Errorf("node type is not apply")
+func NewWithWorkflowNode(config ApplicantWithWorkflowNodeConfig) (Applicant, error) {
+	if config.Node == nil {
+		return nil, fmt.Errorf("node is nil")
+	}
+	if config.Node.Type != domain.WorkflowNodeTypeApply {
+		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeApply))
 	}

-	nodeConfig := node.GetConfigForApply()
-	options := &applicantOptions{
-		Domains:               uslices.Filter(strings.Split(nodeConfig.Domains, ";"), func(s string) bool { return s != "" }),
-		ContactEmail:          nodeConfig.ContactEmail,
-		Provider:              domain.ApplyDNSProviderType(nodeConfig.Provider),
-		ProviderApplyConfig:   nodeConfig.ProviderConfig,
-		KeyAlgorithm:          nodeConfig.KeyAlgorithm,
-		Nameservers:           uslices.Filter(strings.Split(nodeConfig.Nameservers, ";"), func(s string) bool { return s != "" }),
-		DnsPropagationTimeout: nodeConfig.DnsPropagationTimeout,
-		DnsTTL:                nodeConfig.DnsTTL,
-		DisableFollowCNAME:    nodeConfig.DisableFollowCNAME,
+	nodeCfg := config.Node.GetConfigForApply()
+	options := &applicantProviderOptions{
+		Domains:                 xslices.Filter(strings.Split(nodeCfg.Domains, ";"), func(s string) bool { return s != "" }),
+		ContactEmail:            nodeCfg.ContactEmail,
+		Provider:                domain.ACMEDns01ProviderType(nodeCfg.Provider),
+		ProviderAccessConfig:    make(map[string]any),
+		ProviderServiceConfig:   nodeCfg.ProviderConfig,
+		CAProvider:              domain.CAProviderType(nodeCfg.CAProvider),
+		CAProviderAccessConfig:  make(map[string]any),
+		CAProviderServiceConfig: nodeCfg.CAProviderConfig,
+		KeyAlgorithm:            nodeCfg.KeyAlgorithm,
+		Nameservers:             xslices.Filter(strings.Split(nodeCfg.Nameservers, ";"), func(s string) bool { return s != "" }),
+		DnsPropagationWait:      nodeCfg.DnsPropagationWait,
+		DnsPropagationTimeout:   nodeCfg.DnsPropagationTimeout,
+		DnsTTL:                  nodeCfg.DnsTTL,
+		DisableFollowCNAME:      nodeCfg.DisableFollowCNAME,
 	}

 	accessRepo := repository.NewAccessRepository()
-	if access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId); err != nil {
-		return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
-	} else {
-		accessConfig, err := access.UnmarshalConfigToMap()
-		if err != nil {
-			return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
+	if nodeCfg.ProviderAccessId != "" {
+		if access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId); err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
+		} else {
+			options.ProviderAccessConfig = access.Config
+		}
+	}
+	if nodeCfg.CAProviderAccessId != "" {
+		if access, err := accessRepo.GetById(context.Background(), nodeCfg.CAProviderAccessId); err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.CAProviderAccessId, err)
+		} else {
+			options.CAProviderAccessId = access.Id
+			options.CAProviderAccessConfig = access.Config
+		}
+	}
+
+	settingsRepo := repository.NewSettingsRepository()
+	if string(options.CAProvider) == "" {
+		settings, _ := settingsRepo.GetByName(context.Background(), "sslProvider")
+
+		sslProviderConfig := &acmeSSLProviderConfig{
+			Config:   make(map[domain.CAProviderType]map[string]any),
+			Provider: caDefault,
+		}
+		if settings != nil {
+			if err := json.Unmarshal([]byte(settings.Content), sslProviderConfig); err != nil {
+				return nil, err
+			} else if sslProviderConfig.Provider == "" {
+				sslProviderConfig.Provider = caDefault
+			}
 		}

-		options.ProviderAccessConfig = accessConfig
+		options.CAProvider = domain.CAProviderType(sslProviderConfig.Provider)
+		options.CAProviderAccessConfig = sslProviderConfig.Config[options.CAProvider]
 	}

 	certRepo := repository.NewCertificateRepository()
-	lastCertificate, _ := certRepo.GetByWorkflowNodeId(context.Background(), node.Id)
-	if lastCertificate != nil {
+	lastCertificate, _ := certRepo.GetByWorkflowNodeId(context.Background(), config.Node.Id)
+	if lastCertificate != nil && !lastCertificate.ACMERenewed {
 		newCertSan := slices.Clone(options.Domains)
 		oldCertSan := strings.Split(lastCertificate.SubjectAltNames, ";")
 		slices.Sort(newCertSan)
@@ -93,42 +120,53 @@ func NewWithApplyNode(node *domain.WorkflowNode) (Applicant, error) {
 			lastCertX509, _ := certcrypto.ParsePEMCertificate([]byte(lastCertificate.Certificate))
 			if lastCertX509 != nil {
 				replacedARICertId, _ := certificate.MakeARICertID(lastCertX509)
-				options.ReplacedARIAcctId = lastCertificate.ACMEAccountUrl
-				options.ReplacedARICertId = replacedARICertId
+				options.ARIReplaceAcct = lastCertificate.ACMEAccountUrl
+				options.ARIReplaceCert = replacedARICertId
 			}
 		}
 	}

-	applicant, err := createApplicant(options)
+	applicant, err := createApplicantProvider(options)
 	if err != nil {
 		return nil, err
 	}

-	return &proxyApplicant{
+	return &applicantImpl{
 		applicant: applicant,
 		options:   options,
 	}, nil
 }

-func apply(challengeProvider challenge.Provider, options *applicantOptions) (*ApplyCertResult, error) {
-	settingsRepo := repository.NewSettingsRepository()
-	settings, _ := settingsRepo.GetByName(context.Background(), "sslProvider")
+type applicantImpl struct {
+	applicant challenge.Provider
+	options   *applicantProviderOptions
+}

-	sslProviderConfig := &acmeSSLProviderConfig{
-		Config:   acmeSSLProviderConfigContent{},
-		Provider: defaultSSLProvider,
-	}
-	if settings != nil {
-		if err := json.Unmarshal([]byte(settings.Content), sslProviderConfig); err != nil {
-			return nil, err
-		}
+var _ Applicant = (*applicantImpl)(nil)
+
+func (d *applicantImpl) Apply(ctx context.Context) (*ApplyResult, error) {
+	limiter := getLimiter(fmt.Sprintf("apply_%s", d.options.ContactEmail))
+	if err := limiter.Wait(ctx); err != nil {
+		return nil, err
 	}

-	if sslProviderConfig.Provider == "" {
-		sslProviderConfig.Provider = defaultSSLProvider
-	}
+	return applyUseLego(d.applicant, d.options)
+}

-	acmeUser, err := newAcmeUser(sslProviderConfig.Provider, options.ContactEmail)
+const (
+	limitBurst         = 300
+	limitRate  float64 = float64(1) / float64(36)
+)
+
+var limiters sync.Map
+
+func getLimiter(key string) *rate.Limiter {
+	limiter, _ := limiters.LoadOrStore(key, rate.NewLimiter(rate.Limit(limitRate), 300))
+	return limiter.(*rate.Limiter)
+}
+
+func applyUseLego(legoProvider challenge.Provider, options *applicantProviderOptions) (*ApplyResult, error) {
+	user, err := newAcmeUser(string(options.CAProvider), options.CAProviderAccessId, options.ContactEmail)
 	if err != nil {
 		return nil, err
 	}
@@ -138,9 +176,29 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 	os.Setenv("LEGO_DISABLE_CNAME_SUPPORT", strconv.FormatBool(options.DisableFollowCNAME))

 	// Create an ACME client config
-	config := lego.NewConfig(acmeUser)
-	config.CADirURL = sslProviderUrls[sslProviderConfig.Provider]
-	config.Certificate.KeyType = parseKeyAlgorithm(domain.CertificateKeyAlgorithmType(options.KeyAlgorithm))
+	config := lego.NewConfig(user)
+	config.Certificate.KeyType = parseLegoKeyAlgorithm(domain.CertificateKeyAlgorithmType(options.KeyAlgorithm))
+	switch user.getCAProvider() {
+	case caSSLCom:
+		if strings.HasPrefix(options.KeyAlgorithm, "RSA") {
+			config.CADirURL = caDirUrls[caSSLCom+"RSA"]
+		} else if strings.HasPrefix(options.KeyAlgorithm, "EC") {
+			config.CADirURL = caDirUrls[caSSLCom+"ECC"]
+		} else {
+			config.CADirURL = caDirUrls[caSSLCom]
+		}
+
+	case caCustom:
+		caDirURL := xmaps.GetString(options.CAProviderAccessConfig, "endpoint")
+		if caDirURL != "" {
+			config.CADirURL = caDirURL
+		} else {
+			return nil, fmt.Errorf("invalid ca provider endpoint")
+		}
+
+	default:
+		config.CADirURL = caDirUrls[user.CA]
+	}

 	// Create an ACME client
 	client, err := lego.NewClient(config)
@@ -149,20 +207,28 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 	}

 	// Set the DNS01 challenge provider
-	challengeOptions := make([]dns01.ChallengeOption, 0)
-	if len(options.Nameservers) > 0 {
-		challengeOptions = append(challengeOptions, dns01.AddRecursiveNameservers(dns01.ParseNameservers(options.Nameservers)))
-		challengeOptions = append(challengeOptions, dns01.DisableAuthoritativeNssPropagationRequirement())
-	}
-	client.Challenge.SetDNS01Provider(challengeProvider, challengeOptions...)
+	client.Challenge.SetDNS01Provider(legoProvider,
+		dns01.CondOption(
+			len(options.Nameservers) > 0,
+			dns01.AddRecursiveNameservers(dns01.ParseNameservers(options.Nameservers)),
+		),
+		dns01.CondOption(
+			options.DnsPropagationWait > 0,
+			dns01.PropagationWait(time.Duration(options.DnsPropagationWait)*time.Second, true),
+		),
+		dns01.CondOption(
+			len(options.Nameservers) > 0 || options.DnsPropagationWait > 0,
+			dns01.DisableAuthoritativeNssPropagationRequirement(),
+		),
+	)

 	// New users need to register first
-	if !acmeUser.hasRegistration() {
-		reg, err := registerAcmeUserWithSingleFlight(client, sslProviderConfig, acmeUser)
+	if !user.hasRegistration() {
+		reg, err := registerAcmeUserWithSingleFlight(client, user, options.CAProviderAccessConfig)
 		if err != nil {
-			return nil, fmt.Errorf("failed to register: %w", err)
+			return nil, fmt.Errorf("failed to register acme user: %w", err)
 		}
-		acmeUser.Registration = reg
+		user.Registration = reg
 	}

 	// Obtain a certificate
@@ -170,64 +236,41 @@ func apply(challengeProvider challenge.Provider, options *applicantOptions) (*Ap
 		Domains: options.Domains,
 		Bundle:  true,
 	}
-	if options.ReplacedARICertId != "" && options.ReplacedARIAcctId != acmeUser.Registration.URI {
-		certRequest.ReplacesCertID = options.ReplacedARICertId
+	if options.ARIReplaceAcct == user.Registration.URI {
+		certRequest.ReplacesCertID = options.ARIReplaceCert
 	}
+
 	certResource, err := client.Certificate.Obtain(certRequest)
 	if err != nil {
 		return nil, err
 	}

-	return &ApplyCertResult{
-		CertificateFullChain: strings.TrimSpace(string(certResource.Certificate)),
+	return &ApplyResult{
+		CSR:                  strings.TrimSpace(string(certResource.CSR)),
+		FullChainCertificate: strings.TrimSpace(string(certResource.Certificate)),
 		IssuerCertificate:    strings.TrimSpace(string(certResource.IssuerCertificate)),
 		PrivateKey:           strings.TrimSpace(string(certResource.PrivateKey)),
-		ACMEAccountUrl:       acmeUser.Registration.URI,
+		ACMEAccountUrl:       user.Registration.URI,
 		ACMECertUrl:          certResource.CertURL,
 		ACMECertStableUrl:    certResource.CertStableURL,
-		CSR:                  strings.TrimSpace(string(certResource.CSR)),
+		ARIReplaced:          certRequest.ReplacesCertID != "",
 	}, nil
 }

-func parseKeyAlgorithm(algo domain.CertificateKeyAlgorithmType) certcrypto.KeyType {
-	switch algo {
-	case domain.CertificateKeyAlgorithmTypeRSA2048:
-		return certcrypto.RSA2048
-	case domain.CertificateKeyAlgorithmTypeRSA3072:
-		return certcrypto.RSA3072
-	case domain.CertificateKeyAlgorithmTypeRSA4096:
-		return certcrypto.RSA4096
-	case domain.CertificateKeyAlgorithmTypeRSA8192:
-		return certcrypto.RSA8192
-	case domain.CertificateKeyAlgorithmTypeEC256:
-		return certcrypto.EC256
-	case domain.CertificateKeyAlgorithmTypeEC384:
-		return certcrypto.EC384
+func parseLegoKeyAlgorithm(algo domain.CertificateKeyAlgorithmType) certcrypto.KeyType {
+	alogMap := map[domain.CertificateKeyAlgorithmType]certcrypto.KeyType{
+		domain.CertificateKeyAlgorithmTypeRSA2048: certcrypto.RSA2048,
+		domain.CertificateKeyAlgorithmTypeRSA3072: certcrypto.RSA3072,
+		domain.CertificateKeyAlgorithmTypeRSA4096: certcrypto.RSA4096,
+		domain.CertificateKeyAlgorithmTypeRSA8192: certcrypto.RSA8192,
+		domain.CertificateKeyAlgorithmTypeEC256:   certcrypto.EC256,
+		domain.CertificateKeyAlgorithmTypeEC384:   certcrypto.EC384,
+		domain.CertificateKeyAlgorithmTypeEC512:   certcrypto.KeyType("P512"),
+	}
+
+	if keyType, ok := alogMap[algo]; ok {
+		return keyType
 	}

 	return certcrypto.RSA2048
 }
-
-// TODO: 暂时使用代理模式以兼容之前版本代码，后续重新实现此处逻辑
-type proxyApplicant struct {
-	applicant challenge.Provider
-	options   *applicantOptions
-}
-
-var limiters sync.Map
-
-const (
-	limitBurst         = 300
-	limitRate  float64 = float64(1) / float64(36)
-)
-
-func getLimiter(key string) *rate.Limiter {
-	limiter, _ := limiters.LoadOrStore(key, rate.NewLimiter(rate.Limit(limitRate), 300))
-	return limiter.(*rate.Limiter)
-}
-
-func (d *proxyApplicant) Apply() (*ApplyCertResult, error) {
-	limiter := getLimiter(fmt.Sprintf("apply_%s", d.options.ContactEmail))
-	limiter.Wait(context.Background())
-	return apply(d.applicant, d.options)
-}
--- a/internal/applicant/providers.go
+++ b/internal/applicant/providers.go
@@ -5,43 +5,78 @@ import (

 	"github.com/go-acme/lego/v4/challenge"

-	"github.com/usual2970/certimate/internal/domain"
-	pACMEHttpReq "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/acmehttpreq"
-	pAliyun "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/aliyun"
-	pAWSRoute53 "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/aws-route53"
-	pAzureDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/azure-dns"
-	pBaiduCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/baiducloud"
-	pCloudflare "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudflare"
-	pClouDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cloudns"
-	pCMCCCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/cmcccloud"
-	pDNSLA "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/dnsla"
-	pGcore "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/gcore"
-	pGname "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/gname"
-	pGoDaddy "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/godaddy"
-	pHuaweiCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/huaweicloud"
-	pJDCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/jdcloud"
-	pNamecheap "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namecheap"
-	pNameDotCom "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namedotcom"
-	pNameSilo "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/namesilo"
-	pNS1 "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/ns1"
-	pPowerDNS "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/powerdns"
-	pRainYun "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/rainyun"
-	pTencentCloud "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/tencentcloud"
-	pVolcEngine "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/volcengine"
-	pWestcn "github.com/usual2970/certimate/internal/pkg/core/applicant/acme-dns-01/lego-providers/westcn"
-	"github.com/usual2970/certimate/internal/pkg/utils/maps"
+	"github.com/certimate-go/certimate/internal/domain"
+	pACMEHttpReq "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/acmehttpreq"
+	pAliyun "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/aliyun"
+	pAliyunESA "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/aliyun-esa"
+	pAWSRoute53 "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/aws-route53"
+	pAzureDNS "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/azure-dns"
+	pBaiduCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/baiducloud"
+	pBunny "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/bunny"
+	pCloudflare "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/cloudflare"
+	pClouDNS "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/cloudns"
+	pCMCCCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/cmcccloud"
+	pConstellix "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/constellix"
+	pCTCCCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/ctcccloud"
+	pDeSEC "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/desec"
+	pDigitalOcean "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/digitalocean"
+	pDNSLA "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/dnsla"
+	pDuckDNS "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/duckdns"
+	pDynv6 "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/dynv6"
+	pGcore "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/gcore"
+	pGname "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/gname"
+	pGoDaddy "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/godaddy"
+	pHetzner "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/hetzner"
+	pHuaweiCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/huaweicloud"
+	pJDCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/jdcloud"
+	pNamecheap "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/namecheap"
+	pNameDotCom "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/namedotcom"
+	pNameSilo "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/namesilo"
+	pNetcup "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/netcup"
+	pNetlify "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/netlify"
+	pNS1 "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/ns1"
+	pPorkbun "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/porkbun"
+	pPowerDNS "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/powerdns"
+	pRainYun "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/rainyun"
+	pTencentCloud "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/tencentcloud"
+	pTencentCloudEO "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/tencentcloud-eo"
+	pUCloudUDNR "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/ucloud-udnr"
+	pVercel "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/vercel"
+	pVolcEngine "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/volcengine"
+	pWestcn "github.com/certimate-go/certimate/pkg/core/ssl-applicator/acme-dns01/providers/westcn"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
 )

-func createApplicant(options *applicantOptions) (challenge.Provider, error) {
+type applicantProviderOptions struct {
+	Domains                 []string
+	ContactEmail            string
+	Provider                domain.ACMEDns01ProviderType
+	ProviderAccessConfig    map[string]any
+	ProviderServiceConfig   map[string]any
+	CAProvider              domain.CAProviderType
+	CAProviderAccessId      string
+	CAProviderAccessConfig  map[string]any
+	CAProviderServiceConfig map[string]any
+	KeyAlgorithm            string
+	Nameservers             []string
+	DnsPropagationWait      int32
+	DnsPropagationTimeout   int32
+	DnsTTL                  int32
+	DisableFollowCNAME      bool
+	ARIReplaceAcct          string
+	ARIReplaceCert          string
+}
+
+func createApplicantProvider(options *applicantProviderOptions) (challenge.Provider, error) {
 	/*
 	  注意：如果追加新的常量值，请保持以 ASCII 排序。
 	  NOTICE: If you add new constant, please keep ASCII order.
 	*/
 	switch options.Provider {
-	case domain.ApplyDNSProviderTypeACMEHttpReq:
+	case domain.ACMEDns01ProviderTypeACMEHttpReq:
 		{
 			access := domain.AccessConfigForACMEHttpReq{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -55,44 +90,60 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeAliyun, domain.ApplyDNSProviderTypeAliyunDNS:
+	case domain.ACMEDns01ProviderTypeAliyun, domain.ACMEDns01ProviderTypeAliyunDNS, domain.ACMEDns01ProviderTypeAliyunESA:
 		{
 			access := domain.AccessConfigForAliyun{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

-			applicant, err := pAliyun.NewChallengeProvider(&pAliyun.ChallengeProviderConfig{
-				AccessKeyId:           access.AccessKeyId,
-				AccessKeySecret:       access.AccessKeySecret,
-				DnsPropagationTimeout: options.DnsPropagationTimeout,
-				DnsTTL:                options.DnsTTL,
-			})
-			return applicant, err
+			switch options.Provider {
+			case domain.ACMEDns01ProviderTypeAliyun, domain.ACMEDns01ProviderTypeAliyunDNS:
+				applicant, err := pAliyun.NewChallengeProvider(&pAliyun.ChallengeProviderConfig{
+					AccessKeyId:           access.AccessKeyId,
+					AccessKeySecret:       access.AccessKeySecret,
+					DnsPropagationTimeout: options.DnsPropagationTimeout,
+					DnsTTL:                options.DnsTTL,
+				})
+				return applicant, err
+
+			case domain.ACMEDns01ProviderTypeAliyunESA:
+				applicant, err := pAliyunESA.NewChallengeProvider(&pAliyunESA.ChallengeProviderConfig{
+					AccessKeyId:           access.AccessKeyId,
+					AccessKeySecret:       access.AccessKeySecret,
+					Region:                xmaps.GetString(options.ProviderServiceConfig, "region"),
+					DnsPropagationTimeout: options.DnsPropagationTimeout,
+					DnsTTL:                options.DnsTTL,
+				})
+				return applicant, err
+
+			default:
+				break
+			}
 		}

-	case domain.ApplyDNSProviderTypeAWS, domain.ApplyDNSProviderTypeAWSRoute53:
+	case domain.ACMEDns01ProviderTypeAWS, domain.ACMEDns01ProviderTypeAWSRoute53:
 		{
 			access := domain.AccessConfigForAWS{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

 			applicant, err := pAWSRoute53.NewChallengeProvider(&pAWSRoute53.ChallengeProviderConfig{
 				AccessKeyId:           access.AccessKeyId,
 				SecretAccessKey:       access.SecretAccessKey,
-				Region:                maps.GetValueAsString(options.ProviderApplyConfig, "region"),
-				HostedZoneId:          maps.GetValueAsString(options.ProviderApplyConfig, "hostedZoneId"),
+				Region:                xmaps.GetString(options.ProviderServiceConfig, "region"),
+				HostedZoneId:          xmaps.GetString(options.ProviderServiceConfig, "hostedZoneId"),
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeAzure, domain.ApplyDNSProviderTypeAzureDNS:
+	case domain.ACMEDns01ProviderTypeAzure, domain.ACMEDns01ProviderTypeAzureDNS:
 		{
 			access := domain.AccessConfigForAzure{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -107,10 +158,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeBaiduCloud, domain.ApplyDNSProviderTypeBaiduCloudDNS:
+	case domain.ACMEDns01ProviderTypeBaiduCloud, domain.ACMEDns01ProviderTypeBaiduCloudDNS:
 		{
 			access := domain.AccessConfigForBaiduCloud{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -123,25 +174,41 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeCloudflare:
+	case domain.ACMEDns01ProviderTypeBunny:
 		{
-			access := domain.AccessConfigForCloudflare{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			access := domain.AccessConfigForBunny{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

-			applicant, err := pCloudflare.NewChallengeProvider(&pCloudflare.ChallengeProviderConfig{
-				DnsApiToken:           access.DnsApiToken,
+			applicant, err := pBunny.NewChallengeProvider(&pBunny.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeClouDNS:
+	case domain.ACMEDns01ProviderTypeCloudflare:
+		{
+			access := domain.AccessConfigForCloudflare{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pCloudflare.NewChallengeProvider(&pCloudflare.ChallengeProviderConfig{
+				DnsApiToken:           access.DnsApiToken,
+				ZoneApiToken:          access.ZoneApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeClouDNS:
 		{
 			access := domain.AccessConfigForClouDNS{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -154,10 +221,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeCMCCCloud:
+	case domain.ACMEDns01ProviderTypeCMCCCloud, domain.ACMEDns01ProviderTypeCMCCCloudDNS:
 		{
 			access := domain.AccessConfigForCMCCCloud{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -170,10 +237,72 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeDNSLA:
+	case domain.ACMEDns01ProviderTypeConstellix:
+		{
+			access := domain.AccessConfigForConstellix{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pConstellix.NewChallengeProvider(&pConstellix.ChallengeProviderConfig{
+				ApiKey:                access.ApiKey,
+				SecretKey:             access.SecretKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeCTCCCloud, domain.ACMEDns01ProviderTypeCTCCCloudSmartDNS:
+		{
+			access := domain.AccessConfigForCTCCCloud{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pCTCCCloud.NewChallengeProvider(&pCTCCCloud.ChallengeProviderConfig{
+				AccessKeyId:           access.AccessKeyId,
+				SecretAccessKey:       access.SecretAccessKey,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeDeSEC:
+		{
+			access := domain.AccessConfigForDeSEC{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDeSEC.NewChallengeProvider(&pDeSEC.ChallengeProviderConfig{
+				Token:                 access.Token,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeDigitalOcean:
+		{
+			access := domain.AccessConfigForDigitalOcean{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDigitalOcean.NewChallengeProvider(&pDigitalOcean.ChallengeProviderConfig{
+				AccessToken:           access.AccessToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeDNSLA:
 		{
 			access := domain.AccessConfigForDNSLA{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -186,10 +315,39 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeGcore:
+	case domain.ACMEDns01ProviderTypeDuckDNS:
+		{
+			access := domain.AccessConfigForDuckDNS{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDuckDNS.NewChallengeProvider(&pDuckDNS.ChallengeProviderConfig{
+				Token:                 access.Token,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeDynv6:
+		{
+			access := domain.AccessConfigForDynv6{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pDynv6.NewChallengeProvider(&pDynv6.ChallengeProviderConfig{
+				HttpToken:             access.HttpToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeGcore:
 		{
 			access := domain.AccessConfigForGcore{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -201,10 +359,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeGname:
+	case domain.ACMEDns01ProviderTypeGname:
 		{
 			access := domain.AccessConfigForGname{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -217,10 +375,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeGoDaddy:
+	case domain.ACMEDns01ProviderTypeGoDaddy:
 		{
 			access := domain.AccessConfigForGoDaddy{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -233,44 +391,59 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeHuaweiCloud, domain.ApplyDNSProviderTypeHuaweiCloudDNS:
+	case domain.ACMEDns01ProviderTypeHetzner:
+		{
+			access := domain.AccessConfigForHetzner{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pHetzner.NewChallengeProvider(&pHetzner.ChallengeProviderConfig{
+				ApiToken:              access.ApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeHuaweiCloud, domain.ACMEDns01ProviderTypeHuaweiCloudDNS:
 		{
 			access := domain.AccessConfigForHuaweiCloud{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

 			applicant, err := pHuaweiCloud.NewChallengeProvider(&pHuaweiCloud.ChallengeProviderConfig{
 				AccessKeyId:           access.AccessKeyId,
 				SecretAccessKey:       access.SecretAccessKey,
-				Region:                maps.GetValueAsString(options.ProviderApplyConfig, "region"),
+				Region:                xmaps.GetString(options.ProviderServiceConfig, "region"),
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeJDCloud, domain.ApplyDNSProviderTypeJDCloudDNS:
+	case domain.ACMEDns01ProviderTypeJDCloud, domain.ACMEDns01ProviderTypeJDCloudDNS:
 		{
 			access := domain.AccessConfigForJDCloud{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

 			applicant, err := pJDCloud.NewChallengeProvider(&pJDCloud.ChallengeProviderConfig{
 				AccessKeyId:           access.AccessKeyId,
 				AccessKeySecret:       access.AccessKeySecret,
-				RegionId:              maps.GetValueAsString(options.ProviderApplyConfig, "region_id"),
+				RegionId:              xmaps.GetString(options.ProviderServiceConfig, "regionId"),
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeNamecheap:
+	case domain.ACMEDns01ProviderTypeNamecheap:
 		{
 			access := domain.AccessConfigForNamecheap{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -283,10 +456,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeNameDotCom:
+	case domain.ACMEDns01ProviderTypeNameDotCom:
 		{
 			access := domain.AccessConfigForNameDotCom{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -299,10 +472,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeNameSilo:
+	case domain.ACMEDns01ProviderTypeNameSilo:
 		{
 			access := domain.AccessConfigForNameSilo{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -314,10 +487,42 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeNS1:
+	case domain.ACMEDns01ProviderTypeNetcup:
+		{
+			access := domain.AccessConfigForNetcup{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNetcup.NewChallengeProvider(&pNetcup.ChallengeProviderConfig{
+				CustomerNumber:        access.CustomerNumber,
+				ApiKey:                access.ApiKey,
+				ApiPassword:           access.ApiPassword,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeNetlify:
+		{
+			access := domain.AccessConfigForNetlify{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pNetlify.NewChallengeProvider(&pNetlify.ChallengeProviderConfig{
+				ApiToken:              access.ApiToken,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeNS1:
 		{
 			access := domain.AccessConfigForNS1{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -329,26 +534,43 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypePowerDNS:
+	case domain.ACMEDns01ProviderTypePorkbun:
 		{
-			access := domain.AccessConfigForPowerDNS{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			access := domain.AccessConfigForPorkbun{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

-			applicant, err := pPowerDNS.NewChallengeProvider(&pPowerDNS.ChallengeProviderConfig{
-				ApiUrl:                access.ApiUrl,
+			applicant, err := pPorkbun.NewChallengeProvider(&pPorkbun.ChallengeProviderConfig{
 				ApiKey:                access.ApiKey,
+				SecretApiKey:          access.SecretApiKey,
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeRainYun:
+	case domain.ACMEDns01ProviderTypePowerDNS:
+		{
+			access := domain.AccessConfigForPowerDNS{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pPowerDNS.NewChallengeProvider(&pPowerDNS.ChallengeProviderConfig{
+				ServerUrl:                access.ServerUrl,
+				ApiKey:                   access.ApiKey,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+				DnsPropagationTimeout:    options.DnsPropagationTimeout,
+				DnsTTL:                   options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeRainYun:
 		{
 			access := domain.AccessConfigForRainYun{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -360,26 +582,74 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeTencentCloud, domain.ApplyDNSProviderTypeTencentCloudDNS:
+	case domain.ACMEDns01ProviderTypeTencentCloud, domain.ACMEDns01ProviderTypeTencentCloudDNS, domain.ACMEDns01ProviderTypeTencentCloudEO:
 		{
 			access := domain.AccessConfigForTencentCloud{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

-			applicant, err := pTencentCloud.NewChallengeProvider(&pTencentCloud.ChallengeProviderConfig{
-				SecretId:              access.SecretId,
-				SecretKey:             access.SecretKey,
+			switch options.Provider {
+			case domain.ACMEDns01ProviderTypeTencentCloud, domain.ACMEDns01ProviderTypeTencentCloudDNS:
+				applicant, err := pTencentCloud.NewChallengeProvider(&pTencentCloud.ChallengeProviderConfig{
+					SecretId:              access.SecretId,
+					SecretKey:             access.SecretKey,
+					DnsPropagationTimeout: options.DnsPropagationTimeout,
+					DnsTTL:                options.DnsTTL,
+				})
+				return applicant, err
+
+			case domain.ACMEDns01ProviderTypeTencentCloudEO:
+				applicant, err := pTencentCloudEO.NewChallengeProvider(&pTencentCloudEO.ChallengeProviderConfig{
+					SecretId:              access.SecretId,
+					SecretKey:             access.SecretKey,
+					ZoneId:                xmaps.GetString(options.ProviderServiceConfig, "zoneId"),
+					DnsPropagationTimeout: options.DnsPropagationTimeout,
+					DnsTTL:                options.DnsTTL,
+				})
+				return applicant, err
+
+			default:
+				break
+			}
+		}
+
+	case domain.ACMEDns01ProviderTypeUCloudUDNR:
+		{
+			access := domain.AccessConfigForUCloud{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pUCloudUDNR.NewChallengeProvider(&pUCloudUDNR.ChallengeProviderConfig{
+				PrivateKey:            access.PrivateKey,
+				PublicKey:             access.PublicKey,
 				DnsPropagationTimeout: options.DnsPropagationTimeout,
 				DnsTTL:                options.DnsTTL,
 			})
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeVolcEngine, domain.ApplyDNSProviderTypeVolcEngineDNS:
+	case domain.ACMEDns01ProviderTypeVercel:
+		{
+			access := domain.AccessConfigForVercel{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			applicant, err := pVercel.NewChallengeProvider(&pVercel.ChallengeProviderConfig{
+				ApiAccessToken:        access.ApiAccessToken,
+				TeamId:                access.TeamId,
+				DnsPropagationTimeout: options.DnsPropagationTimeout,
+				DnsTTL:                options.DnsTTL,
+			})
+			return applicant, err
+		}
+
+	case domain.ACMEDns01ProviderTypeVolcEngine, domain.ACMEDns01ProviderTypeVolcEngineDNS:
 		{
 			access := domain.AccessConfigForVolcEngine{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -392,10 +662,10 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 			return applicant, err
 		}

-	case domain.ApplyDNSProviderTypeWestcn:
+	case domain.ACMEDns01ProviderTypeWestcn:
 		{
 			access := domain.AccessConfigForWestcn{}
-			if err := maps.Populate(options.ProviderAccessConfig, &access); err != nil {
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
 				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
 			}

@@ -409,5 +679,5 @@ func createApplicant(options *applicantOptions) (challenge.Provider, error) {
 		}
 	}

-	return nil, fmt.Errorf("unsupported applicant provider: %s", string(options.Provider))
+	return nil, fmt.Errorf("unsupported applicant provider '%s'", string(options.Provider))
 }
--- a/internal/certificate/service.go
+++ b/internal/certificate/service.go
@@ -11,12 +11,14 @@ import (
 	"time"

 	"github.com/go-acme/lego/v4/certcrypto"
-	"github.com/usual2970/certimate/internal/app"
-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/domain/dtos"
-	"github.com/usual2970/certimate/internal/notify"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-	"github.com/usual2970/certimate/internal/repository"
+	"github.com/pocketbase/dbx"
+
+	"github.com/certimate-go/certimate/internal/app"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/domain/dtos"
+	"github.com/certimate-go/certimate/internal/notify"
+	"github.com/certimate-go/certimate/internal/repository"
+	xcert "github.com/certimate-go/certimate/pkg/utils/cert"
 )

 const (
@@ -27,21 +29,29 @@ const (
 type certificateRepository interface {
 	ListExpireSoon(ctx context.Context) ([]*domain.Certificate, error)
 	GetById(ctx context.Context, id string) (*domain.Certificate, error)
+	DeleteWhere(ctx context.Context, exprs ...dbx.Expression) (int, error)
+}
+
+type settingsRepository interface {
+	GetByName(ctx context.Context, name string) (*domain.Settings, error)
 }

 type CertificateService struct {
-	certRepo certificateRepository
+	certificateRepo certificateRepository
+	settingsRepo    settingsRepository
 }

-func NewCertificateService(certRepo certificateRepository) *CertificateService {
+func NewCertificateService(certificateRepo certificateRepository, settingsRepo settingsRepository) *CertificateService {
 	return &CertificateService{
-		certRepo: certRepo,
+		certificateRepo: certificateRepo,
+		settingsRepo:    settingsRepo,
 	}
 }

 func (s *CertificateService) InitSchedule(ctx context.Context) error {
+	// 每日发送过期证书提醒
 	app.GetScheduler().MustAdd("certificateExpireSoonNotify", "0 0 * * *", func() {
-		certificates, err := s.certRepo.ListExpireSoon(context.Background())
+		certificates, err := s.certificateRepo.ListExpireSoon(context.Background())
 		if err != nil {
 			app.GetLogger().Error("failed to get certificates which expire soon", "err", err)
 			return
@@ -56,11 +66,37 @@ func (s *CertificateService) InitSchedule(ctx context.Context) error {
 			app.GetLogger().Error("failed to send notification", "err", err)
 		}
 	})
+
+	// 每日清理过期证书
+	app.GetScheduler().MustAdd("certificateExpiredCleanup", "0 0 * * *", func() {
+		settings, err := s.settingsRepo.GetByName(ctx, "persistence")
+		if err != nil {
+			app.GetLogger().Error("failed to get persistence settings", "err", err)
+			return
+		}
+
+		var settingsContent *domain.PersistenceSettingsContent
+		json.Unmarshal([]byte(settings.Content), &settingsContent)
+		if settingsContent != nil && settingsContent.ExpiredCertificatesMaxDaysRetention != 0 {
+			ret, err := s.certificateRepo.DeleteWhere(
+				context.Background(),
+				dbx.NewExp(fmt.Sprintf("expireAt<DATETIME('now', '-%d days')", settingsContent.ExpiredCertificatesMaxDaysRetention)),
+			)
+			if err != nil {
+				app.GetLogger().Error("failed to delete expired certificates", "err", err)
+			}
+
+			if ret > 0 {
+				app.GetLogger().Info(fmt.Sprintf("cleanup %d expired certificates", ret))
+			}
+		}
+	})
+
 	return nil
 }

 func (s *CertificateService) ArchiveFile(ctx context.Context, req *dtos.CertificateArchiveFileReq) (*dtos.CertificateArchiveFileResp, error) {
-	certificate, err := s.certRepo.GetById(ctx, req.CertificateId)
+	certificate, err := s.certificateRepo.GetById(ctx, req.CertificateId)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +145,7 @@ func (s *CertificateService) ArchiveFile(ctx context.Context, req *dtos.Certific
 		{
 			const pfxPassword = "certimate"

-			certPFX, err := certs.TransformCertificateFromPEMToPFX(certificate.Certificate, certificate.PrivateKey, pfxPassword)
+			certPFX, err := xcert.TransformCertificateFromPEMToPFX(certificate.Certificate, certificate.PrivateKey, pfxPassword)
 			if err != nil {
 				return nil, err
 			}
@@ -147,7 +183,7 @@ func (s *CertificateService) ArchiveFile(ctx context.Context, req *dtos.Certific
 		{
 			const jksPassword = "certimate"

-			certJKS, err := certs.TransformCertificateFromPEMToJKS(certificate.Certificate, certificate.PrivateKey, jksPassword, jksPassword, jksPassword)
+			certJKS, err := xcert.TransformCertificateFromPEMToJKS(certificate.Certificate, certificate.PrivateKey, jksPassword, jksPassword, jksPassword)
 			if err != nil {
 				return nil, err
 			}
@@ -187,7 +223,7 @@ func (s *CertificateService) ArchiveFile(ctx context.Context, req *dtos.Certific
 }

 func (s *CertificateService) ValidateCertificate(ctx context.Context, req *dtos.CertificateValidateCertificateReq) (*dtos.CertificateValidateCertificateResp, error) {
-	certX509, err := certs.ParseCertificateFromPEM(req.Certificate)
+	certX509, err := xcert.ParseCertificateFromPEM(req.Certificate)
 	if err != nil {
 		return nil, err
 	} else if time.Now().After(certX509.NotAfter) {
--- a/internal/deployer/deployer.go
+++ b/internal/deployer/deployer.go
@@ -3,71 +3,72 @@ package deployer
 import (
 	"context"
 	"fmt"
+	"log/slog"

-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/repository"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/repository"
+	"github.com/certimate-go/certimate/pkg/core"
 )

 type Deployer interface {
 	Deploy(ctx context.Context) error
 }

-type deployerOptions struct {
-	Provider             domain.DeployProviderType
-	ProviderAccessConfig map[string]any
-	ProviderDeployConfig map[string]any
+type DeployerWithWorkflowNodeConfig struct {
+	Node           *domain.WorkflowNode
+	Logger         *slog.Logger
+	CertificatePEM string
+	PrivateKeyPEM  string
 }

-func NewWithDeployNode(node *domain.WorkflowNode, certdata struct {
-	Certificate string
-	PrivateKey  string
-},
-) (Deployer, error) {
-	if node.Type != domain.WorkflowNodeTypeDeploy {
-		return nil, fmt.Errorf("node type is not deploy")
+func NewWithWorkflowNode(config DeployerWithWorkflowNodeConfig) (Deployer, error) {
+	if config.Node == nil {
+		return nil, fmt.Errorf("node is nil")
+	}
+	if config.Node.Type != domain.WorkflowNodeTypeDeploy {
+		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeDeploy))
 	}

-	nodeConfig := node.GetConfigForDeploy()
+	nodeCfg := config.Node.GetConfigForDeploy()
+	options := &deployerProviderOptions{
+		Provider:              domain.DeploymentProviderType(nodeCfg.Provider),
+		ProviderAccessConfig:  make(map[string]any),
+		ProviderServiceConfig: nodeCfg.ProviderConfig,
+	}

 	accessRepo := repository.NewAccessRepository()
-	access, err := accessRepo.GetById(context.Background(), nodeConfig.ProviderAccessId)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get access #%s record: %w", nodeConfig.ProviderAccessId, err)
+	if nodeCfg.ProviderAccessId != "" {
+		access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
+		} else {
+			options.ProviderAccessConfig = access.Config
+		}
 	}

-	accessConfig, err := access.UnmarshalConfigToMap()
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal access config: %w", err)
-	}
-
-	deployer, err := createDeployer(&deployerOptions{
-		Provider:             domain.DeployProviderType(nodeConfig.Provider),
-		ProviderAccessConfig: accessConfig,
-		ProviderDeployConfig: nodeConfig.ProviderConfig,
-	})
+	deployer, err := createSSLDeployerProvider(options)
 	if err != nil {
 		return nil, err
+	} else {
+		deployer.SetLogger(config.Logger)
 	}

-	return &proxyDeployer{
-		logger:            logger.NewNilLogger(),
-		deployer:          deployer,
-		deployCertificate: certdata.Certificate,
-		deployPrivateKey:  certdata.PrivateKey,
+	return &deployerImpl{
+		provider:   deployer,
+		certPEM:    config.CertificatePEM,
+		privkeyPEM: config.PrivateKeyPEM,
 	}, nil
 }

-// TODO: 暂时使用代理模式以兼容之前版本代码，后续重新实现此处逻辑
-type proxyDeployer struct {
-	logger            logger.Logger
-	deployer          deployer.Deployer
-	deployCertificate string
-	deployPrivateKey  string
+type deployerImpl struct {
+	provider   core.SSLDeployer
+	certPEM    string
+	privkeyPEM string
 }

-func (d *proxyDeployer) Deploy(ctx context.Context) error {
-	_, err := d.deployer.Deploy(ctx, d.deployCertificate, d.deployPrivateKey)
+var _ Deployer = (*deployerImpl)(nil)
+
+func (d *deployerImpl) Deploy(ctx context.Context) error {
+	_, err := d.provider.Deploy(ctx, d.certPEM, d.privkeyPEM)
 	return err
 }
--- a/internal/deployer/providers.go
+++ b/internal/deployer/providers.go
--- a/internal/domain/access.go
+++ b/internal/domain/access.go
@@ -1,7 +1,6 @@
 package domain

 import (
-	"encoding/json"
 	"time"
 )

@@ -9,19 +8,24 @@ const CollectionNameAccess = "access"

 type Access struct {
 	Meta
-	Name      string     `json:"name" db:"name"`
-	Provider  string     `json:"provider" db:"provider"`
-	Config    string     `json:"config" db:"config"`
-	DeletedAt *time.Time `json:"deleted" db:"deleted"`
+	Name      string         `json:"name" db:"name"`
+	Provider  string         `json:"provider" db:"provider"`
+	Config    map[string]any `json:"config" db:"config"`
+	Reserve   string         `json:"reserve,omitempty" db:"reserve"`
+	DeletedAt *time.Time     `json:"deleted" db:"deleted"`
 }

-func (a *Access) UnmarshalConfigToMap() (map[string]any, error) {
-	config := make(map[string]any)
-	if err := json.Unmarshal([]byte(a.Config), &config); err != nil {
-		return nil, err
-	}
+type AccessConfigFor1Panel struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiVersion               string `json:"apiVersion"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}

-	return config, nil
+type AccessConfigForACMECA struct {
+	Endpoint   string `json:"endpoint"`
+	EabKid     string `json:"eabKid,omitempty"`
+	EabHmacKey string `json:"eabHmacKey,omitempty"`
 }

 type AccessConfigForACMEHttpReq struct {
@@ -34,6 +38,13 @@ type AccessConfigForACMEHttpReq struct {
 type AccessConfigForAliyun struct {
 	AccessKeyId     string `json:"accessKeyId"`
 	AccessKeySecret string `json:"accessKeySecret"`
+	ResourceGroupId string `json:"resourceGroupId,omitempty"`
+}
+
+type AccessConfigForAPISIX struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForAWS struct {
@@ -58,8 +69,15 @@ type AccessConfigForBaishan struct {
 }

 type AccessConfigForBaotaPanel struct {
-	ApiUrl string `json:"apiUrl"`
-	ApiKey string `json:"apiKey"`
+	ServerUrl                string `json:"serverUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForBaotaWAF struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForBytePlus struct {
@@ -67,18 +85,24 @@ type AccessConfigForBytePlus struct {
 	SecretKey string `json:"secretKey"`
 }

+type AccessConfigForBunny struct {
+	ApiKey string `json:"apiKey"`
+}
+
 type AccessConfigForCacheFly struct {
 	ApiToken string `json:"apiToken"`
 }

 type AccessConfigForCdnfly struct {
-	ApiUrl    string `json:"apiUrl"`
-	ApiKey    string `json:"apiKey"`
-	ApiSecret string `json:"apiSecret"`
+	ServerUrl                string `json:"serverUrl"`
+	ApiKey                   string `json:"apiKey"`
+	ApiSecret                string `json:"apiSecret"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForCloudflare struct {
-	DnsApiToken string `json:"dnsApiToken"`
+	DnsApiToken  string `json:"dnsApiToken"`
+	ZoneApiToken string `json:"zoneApiToken,omitempty"`
 }

 type AccessConfigForClouDNS struct {
@@ -91,6 +115,34 @@ type AccessConfigForCMCCCloud struct {
 	AccessKeySecret string `json:"accessKeySecret"`
 }

+type AccessConfigForConstellix struct {
+	ApiKey    string `json:"apiKey"`
+	SecretKey string `json:"secretKey"`
+}
+
+type AccessConfigForCTCCCloud struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	SecretAccessKey string `json:"secretAccessKey"`
+}
+
+type AccessConfigForDeSEC struct {
+	Token string `json:"token"`
+}
+
+type AccessConfigForDigitalOcean struct {
+	AccessToken string `json:"accessToken"`
+}
+
+type AccessConfigForDingTalkBot struct {
+	WebhookUrl string `json:"webhookUrl"`
+	Secret     string `json:"secret"`
+}
+
+type AccessConfigForDiscordBot struct {
+	BotToken         string `json:"botToken"`
+	DefaultChannelId string `json:"defaultChannelId,omitempty"`
+}
+
 type AccessConfigForDNSLA struct {
 	ApiId     string `json:"apiId"`
 	ApiSecret string `json:"apiSecret"`
@@ -101,11 +153,38 @@ type AccessConfigForDogeCloud struct {
 	SecretKey string `json:"secretKey"`
 }

+type AccessConfigForDuckDNS struct {
+	Token string `json:"token"`
+}
+
+type AccessConfigForDynv6 struct {
+	HttpToken string `json:"httpToken"`
+}
+
 type AccessConfigForEdgio struct {
 	ClientId     string `json:"clientId"`
 	ClientSecret string `json:"clientSecret"`
 }

+type AccessConfigForEmail struct {
+	SmtpHost               string `json:"smtpHost"`
+	SmtpPort               int32  `json:"smtpPort"`
+	SmtpTls                bool   `json:"smtpTls"`
+	Username               string `json:"username"`
+	Password               string `json:"password"`
+	DefaultSenderAddress   string `json:"defaultSenderAddress,omitempty"`
+	DefaultSenderName      string `json:"defaultSenderName,omitempty"`
+	DefaultReceiverAddress string `json:"defaultReceiverAddress,omitempty"`
+}
+
+type AccessConfigForFlexCDN struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiRole                  string `json:"apiRole"`
+	AccessKeyId              string `json:"accessKeyId"`
+	AccessKey                string `json:"accessKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
 type AccessConfigForGcore struct {
 	ApiToken string `json:"apiToken"`
 }
@@ -120,9 +199,27 @@ type AccessConfigForGoDaddy struct {
 	ApiSecret string `json:"apiSecret"`
 }

+type AccessConfigForGoEdge struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiRole                  string `json:"apiRole"`
+	AccessKeyId              string `json:"accessKeyId"`
+	AccessKey                string `json:"accessKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForGoogleTrustServices struct {
+	EabKid     string `json:"eabKid"`
+	EabHmacKey string `json:"eabHmacKey"`
+}
+
+type AccessConfigForHetzner struct {
+	ApiToken string `json:"apiToken"`
+}
+
 type AccessConfigForHuaweiCloud struct {
-	AccessKeyId     string `json:"accessKeyId"`
-	SecretAccessKey string `json:"secretAccessKey"`
+	AccessKeyId         string `json:"accessKeyId"`
+	SecretAccessKey     string `json:"secretAccessKey"`
+	EnterpriseProjectId string `json:"enterpriseProjectId,omitempty"`
 }

 type AccessConfigForJDCloud struct {
@@ -134,7 +231,25 @@ type AccessConfigForKubernetes struct {
 	KubeConfig string `json:"kubeConfig,omitempty"`
 }

-type AccessConfigForLocal struct{}
+type AccessConfigForLarkBot struct {
+	WebhookUrl string `json:"webhookUrl"`
+}
+
+type AccessConfigForLeCDN struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiVersion               string `json:"apiVersion"`
+	ApiRole                  string `json:"apiRole"`
+	Username                 string `json:"username"`
+	Password                 string `json:"password"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForMattermost struct {
+	ServerUrl        string `json:"serverUrl"`
+	Username         string `json:"username"`
+	Password         string `json:"password"`
+	DefaultChannelId string `json:"defaultChannelId,omitempty"`
+}

 type AccessConfigForNamecheap struct {
 	Username string `json:"username"`
@@ -150,13 +265,36 @@ type AccessConfigForNameSilo struct {
 	ApiKey string `json:"apiKey"`
 }

+type AccessConfigForNetcup struct {
+	CustomerNumber string `json:"customerNumber"`
+	ApiKey         string `json:"apiKey"`
+	ApiPassword    string `json:"apiPassword"`
+}
+
+type AccessConfigForNetlify struct {
+	ApiToken string `json:"apiToken"`
+}
+
 type AccessConfigForNS1 struct {
 	ApiKey string `json:"apiKey"`
 }

+type AccessConfigForPorkbun struct {
+	ApiKey       string `json:"apiKey"`
+	SecretApiKey string `json:"secretApiKey"`
+}
+
 type AccessConfigForPowerDNS struct {
-	ApiUrl string `json:"apiUrl"`
-	ApiKey string `json:"apiKey"`
+	ServerUrl                string `json:"serverUrl"`
+	ApiKey                   string `json:"apiKey"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForProxmoxVE struct {
+	ServerUrl                string `json:"serverUrl"`
+	ApiToken                 string `json:"apiToken"`
+	ApiTokenSecret           string `json:"apiTokenSecret,omitempty"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
 }

 type AccessConfigForQiniu struct {
@@ -168,18 +306,51 @@ type AccessConfigForRainYun struct {
 	ApiKey string `json:"apiKey"`
 }

+type AccessConfigForRatPanel struct {
+	ServerUrl                string `json:"serverUrl"`
+	AccessTokenId            int32  `json:"accessTokenId"`
+	AccessToken              string `json:"accessToken"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
 type AccessConfigForSafeLine struct {
-	ApiUrl   string `json:"apiUrl"`
-	ApiToken string `json:"apiToken"`
+	ServerUrl                string `json:"serverUrl"`
+	ApiToken                 string `json:"apiToken"`
+	AllowInsecureConnections bool   `json:"allowInsecureConnections,omitempty"`
+}
+
+type AccessConfigForSlackBot struct {
+	BotToken         string `json:"botToken"`
+	DefaultChannelId string `json:"defaultChannelId,omitempty"`
 }

 type AccessConfigForSSH struct {
 	Host          string `json:"host"`
 	Port          int32  `json:"port"`
-	Username      string `json:"username"`
+	AuthMethod    string `json:"authMethod,omitempty"`
+	Username      string `json:"username,omitempty"`
 	Password      string `json:"password,omitempty"`
 	Key           string `json:"key,omitempty"`
 	KeyPassphrase string `json:"keyPassphrase,omitempty"`
+	JumpServers   []struct {
+		Host          string `json:"host"`
+		Port          int32  `json:"port"`
+		AuthMethod    string `json:"authMethod,omitempty"`
+		Username      string `json:"username,omitempty"`
+		Password      string `json:"password,omitempty"`
+		Key           string `json:"key,omitempty"`
+		KeyPassphrase string `json:"keyPassphrase,omitempty"`
+	} `json:"jumpServers,omitempty"`
+}
+
+type AccessConfigForSSLCom struct {
+	EabKid     string `json:"eabKid"`
+	EabHmacKey string `json:"eabHmacKey"`
+}
+
+type AccessConfigForTelegramBot struct {
+	BotToken      string `json:"botToken"`
+	DefaultChatId int64  `json:"defaultChatId,omitempty"`
 }

 type AccessConfigForTencentCloud struct {
@@ -193,16 +364,51 @@ type AccessConfigForUCloud struct {
 	ProjectId  string `json:"projectId,omitempty"`
 }

+type AccessConfigForUniCloud struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type AccessConfigForUpyun struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type AccessConfigForVercel struct {
+	ApiAccessToken string `json:"apiAccessToken"`
+	TeamId         string `json:"teamId,omitempty"`
+}
+
 type AccessConfigForVolcEngine struct {
 	AccessKeyId     string `json:"accessKeyId"`
 	SecretAccessKey string `json:"secretAccessKey"`
 }

+type AccessConfigForWangsu struct {
+	AccessKeyId     string `json:"accessKeyId"`
+	AccessKeySecret string `json:"accessKeySecret"`
+	ApiKey          string `json:"apiKey"`
+}
+
 type AccessConfigForWebhook struct {
-	Url string `json:"url"`
+	Url                        string `json:"url"`
+	Method                     string `json:"method,omitempty"`
+	HeadersString              string `json:"headers,omitempty"`
+	AllowInsecureConnections   bool   `json:"allowInsecureConnections,omitempty"`
+	DefaultDataForDeployment   string `json:"defaultDataForDeployment,omitempty"`
+	DefaultDataForNotification string `json:"defaultDataForNotification,omitempty"`
+}
+
+type AccessConfigForWeComBot struct {
+	WebhookUrl string `json:"webhookUrl"`
 }

 type AccessConfigForWestcn struct {
 	Username    string `json:"username"`
-	ApiPassword string `json:"password"`
+	ApiPassword string `json:"apiPassword"`
+}
+
+type AccessConfigForZeroSSL struct {
+	EabKid     string `json:"eabKid"`
+	EabHmacKey string `json:"eabHmacKey"`
 }
--- a/internal/domain/certificate.go
+++ b/internal/domain/certificate.go
@@ -1,11 +1,14 @@
 package domain

 import (
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"crypto/x509"
+	"fmt"
 	"strings"
 	"time"

-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
+	xcert "github.com/certimate-go/certimate/pkg/utils/cert"
 )

 const CollectionNameCertificate = "certificate"
@@ -17,7 +20,7 @@ type Certificate struct {
 	SerialNumber      string                      `json:"serialNumber" db:"serialNumber"`
 	Certificate       string                      `json:"certificate" db:"certificate"`
 	PrivateKey        string                      `json:"privateKey" db:"privateKey"`
-	Issuer            string                      `json:"issuer" db:"issuer"`
+	IssuerOrg         string                      `json:"issuerOrg" db:"issuerOrg"`
 	IssuerCertificate string                      `json:"issuerCertificate" db:"issuerCertificate"`
 	KeyAlgorithm      CertificateKeyAlgorithmType `json:"keyAlgorithm" db:"keyAlgorithm"`
 	EffectAt          time.Time                   `json:"effectAt" db:"effectAt"`
@@ -25,6 +28,7 @@ type Certificate struct {
 	ACMEAccountUrl    string                      `json:"acmeAccountUrl" db:"acmeAccountUrl"`
 	ACMECertUrl       string                      `json:"acmeCertUrl" db:"acmeCertUrl"`
 	ACMECertStableUrl string                      `json:"acmeCertStableUrl" db:"acmeCertStableUrl"`
+	ACMERenewed       bool                        `json:"acmeRenewed" db:"acmeRenewed"`
 	WorkflowId        string                      `json:"workflowId" db:"workflowId"`
 	WorkflowNodeId    string                      `json:"workflowNodeId" db:"workflowNodeId"`
 	WorkflowRunId     string                      `json:"workflowRunId" db:"workflowRunId"`
@@ -35,23 +39,62 @@ type Certificate struct {
 func (c *Certificate) PopulateFromX509(certX509 *x509.Certificate) *Certificate {
 	c.SubjectAltNames = strings.Join(certX509.DNSNames, ";")
 	c.SerialNumber = strings.ToUpper(certX509.SerialNumber.Text(16))
-	c.Issuer = strings.Join(certX509.Issuer.Organization, ";")
+	c.IssuerOrg = strings.Join(certX509.Issuer.Organization, ";")
 	c.EffectAt = certX509.NotBefore
 	c.ExpireAt = certX509.NotAfter

-	switch certX509.SignatureAlgorithm {
-	case x509.SHA256WithRSA, x509.SHA256WithRSAPSS:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA2048
-	case x509.SHA384WithRSA, x509.SHA384WithRSAPSS:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA3072
-	case x509.SHA512WithRSA, x509.SHA512WithRSAPSS:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA4096
-	case x509.ECDSAWithSHA256:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC256
-	case x509.ECDSAWithSHA384:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC384
-	case x509.ECDSAWithSHA512:
-		c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC512
+	switch certX509.PublicKeyAlgorithm {
+	case x509.RSA:
+		{
+			len := 0
+			if pubkey, ok := certX509.PublicKey.(*rsa.PublicKey); ok {
+				len = pubkey.N.BitLen()
+			}
+
+			switch len {
+			case 0:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType("RSA")
+			case 2048:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA2048
+			case 3072:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA3072
+			case 4096:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA4096
+			case 8192:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeRSA8192
+			default:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType(fmt.Sprintf("RSA%d", len))
+			}
+		}
+
+	case x509.ECDSA:
+		{
+			len := 0
+			if pubkey, ok := certX509.PublicKey.(*ecdsa.PublicKey); ok {
+				if pubkey.Curve != nil && pubkey.Curve.Params() != nil {
+					len = pubkey.Curve.Params().BitSize
+				}
+			}
+
+			switch len {
+			case 0:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType("EC")
+			case 256:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC256
+			case 384:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC384
+			case 521:
+				c.KeyAlgorithm = CertificateKeyAlgorithmTypeEC512
+			default:
+				c.KeyAlgorithm = CertificateKeyAlgorithmType(fmt.Sprintf("EC%d", len))
+			}
+		}
+
+	case x509.Ed25519:
+		{
+			c.KeyAlgorithm = CertificateKeyAlgorithmType("ED25519")
+		}
+
 	default:
 		c.KeyAlgorithm = CertificateKeyAlgorithmType("")
 	}
@@ -63,10 +106,10 @@ func (c *Certificate) PopulateFromPEM(certPEM, privkeyPEM string) *Certificate {
 	c.Certificate = certPEM
 	c.PrivateKey = privkeyPEM

-	_, issuerCertPEM, _ := certs.ExtractCertificatesFromPEM(certPEM)
+	_, issuerCertPEM, _ := xcert.ExtractCertificatesFromPEM(certPEM)
 	c.IssuerCertificate = issuerCertPEM

-	certX509, _ := certs.ParseCertificateFromPEM(certPEM)
+	certX509, _ := xcert.ParseCertificateFromPEM(certPEM)
 	if certX509 != nil {
 		c.PopulateFromX509(certX509)
 	}
--- a/internal/domain/dtos/certificate.go
+++ b/internal/domain/dtos/certificate.go
@@ -1,4 +1,4 @@
-package dtos
+package dtos

 type CertificateArchiveFileReq struct {
 	CertificateId string `json:"-"`
--- a/internal/domain/dtos/notify.go
+++ b/internal/domain/dtos/notify.go
@@ -1,6 +1,6 @@
-package dtos
+package dtos

-import "github.com/usual2970/certimate/internal/domain"
+import "github.com/certimate-go/certimate/internal/domain"

 type NotifyTestPushReq struct {
 	Channel domain.NotifyChannelType `json:"channel"`
--- a/internal/domain/dtos/workflow.go
+++ b/internal/domain/dtos/workflow.go
@@ -1,6 +1,6 @@
-package dtos
+package dtos

-import "github.com/usual2970/certimate/internal/domain"
+import "github.com/certimate-go/certimate/internal/domain"

 type WorkflowStartRunReq struct {
 	WorkflowId string                     `json:"-"`
--- a/internal/domain/expr/expr.go
+++ b/internal/domain/expr/expr.go
@@ -0,0 +1,630 @@
+package expr
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+)
+
+type (
+	ExprType               string
+	ExprComparisonOperator string
+	ExprLogicalOperator    string
+	ExprValueType          string
+)
+
+const (
+	GreaterThan    ExprComparisonOperator = "gt"
+	GreaterOrEqual ExprComparisonOperator = "gte"
+	LessThan       ExprComparisonOperator = "lt"
+	LessOrEqual    ExprComparisonOperator = "lte"
+	Equal          ExprComparisonOperator = "eq"
+	NotEqual       ExprComparisonOperator = "neq"
+
+	And ExprLogicalOperator = "and"
+	Or  ExprLogicalOperator = "or"
+	Not ExprLogicalOperator = "not"
+
+	Number  ExprValueType = "number"
+	String  ExprValueType = "string"
+	Boolean ExprValueType = "boolean"
+
+	ConstantExprType   ExprType = "const"
+	VariantExprType    ExprType = "var"
+	ComparisonExprType ExprType = "comparison"
+	LogicalExprType    ExprType = "logical"
+	NotExprType        ExprType = "not"
+)
+
+type EvalResult struct {
+	Type  ExprValueType
+	Value any
+}
+
+func (e *EvalResult) GetFloat64() (float64, error) {
+	if e.Type != Number {
+		return 0, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	stringValue, ok := e.Value.(string)
+	if !ok {
+		return 0, fmt.Errorf("value is not a string: %v", e.Value)
+	}
+
+	floatValue, err := strconv.ParseFloat(stringValue, 64)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse float64: %v", err)
+	}
+	return floatValue, nil
+}
+
+func (e *EvalResult) GetBool() (bool, error) {
+	if e.Type != Boolean {
+		return false, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	strValue, ok := e.Value.(string)
+	if ok {
+		if strValue == "true" {
+			return true, nil
+		} else if strValue == "false" {
+			return false, nil
+		}
+		return false, fmt.Errorf("value is not a boolean: %v", e.Value)
+	}
+
+	boolValue, ok := e.Value.(bool)
+	if !ok {
+		return false, fmt.Errorf("value is not a boolean: %v", e.Value)
+	}
+
+	return boolValue, nil
+}
+
+func (e *EvalResult) GreaterThan(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) > other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left > right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) GreaterOrEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) >= other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left >= right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) LessThan(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) < other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left < right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) LessOrEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) <= other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left <= right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Equal(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) == other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left == right,
+		}, nil
+
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left == right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) NotEqual(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case String:
+		return &EvalResult{
+			Type:  Boolean,
+			Value: e.Value.(string) != other.Value.(string),
+		}, nil
+
+	case Number:
+		left, err := e.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetFloat64()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left != right,
+		}, nil
+
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left != right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) And(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left && right,
+		}, nil
+
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Or(other *EvalResult) (*EvalResult, error) {
+	if e.Type != other.Type {
+		return nil, fmt.Errorf("type mismatch: %s vs %s", e.Type, other.Type)
+	}
+
+	switch e.Type {
+	case Boolean:
+		left, err := e.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		right, err := other.GetBool()
+		if err != nil {
+			return nil, err
+		}
+
+		return &EvalResult{
+			Type:  Boolean,
+			Value: left || right,
+		}, nil
+	default:
+		return nil, fmt.Errorf("unsupported value type: %s", e.Type)
+	}
+}
+
+func (e *EvalResult) Not() (*EvalResult, error) {
+	if e.Type != Boolean {
+		return nil, fmt.Errorf("type mismatch: %s", e.Type)
+	}
+
+	boolValue, err := e.GetBool()
+	if err != nil {
+		return nil, err
+	}
+
+	return &EvalResult{
+		Type:  Boolean,
+		Value: !boolValue,
+	}, nil
+}
+
+type Expr interface {
+	GetType() ExprType
+	Eval(variables map[string]map[string]any) (*EvalResult, error)
+}
+
+type ExprValueSelector struct {
+	Id   string        `json:"id"`
+	Name string        `json:"name"`
+	Type ExprValueType `json:"type"`
+}
+
+type ConstantExpr struct {
+	Type      ExprType      `json:"type"`
+	Value     string        `json:"value"`
+	ValueType ExprValueType `json:"valueType"`
+}
+
+func (c ConstantExpr) GetType() ExprType { return c.Type }
+
+func (c ConstantExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	return &EvalResult{
+		Type:  c.ValueType,
+		Value: c.Value,
+	}, nil
+}
+
+type VariantExpr struct {
+	Type     ExprType          `json:"type"`
+	Selector ExprValueSelector `json:"selector"`
+}
+
+func (v VariantExpr) GetType() ExprType { return v.Type }
+
+func (v VariantExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	if v.Selector.Id == "" {
+		return nil, fmt.Errorf("node id is empty")
+	}
+	if v.Selector.Name == "" {
+		return nil, fmt.Errorf("name is empty")
+	}
+
+	if _, ok := variables[v.Selector.Id]; !ok {
+		return nil, fmt.Errorf("node %s not found", v.Selector.Id)
+	}
+
+	if _, ok := variables[v.Selector.Id][v.Selector.Name]; !ok {
+		return nil, fmt.Errorf("variable %s not found in node %s", v.Selector.Name, v.Selector.Id)
+	}
+	return &EvalResult{
+		Type:  v.Selector.Type,
+		Value: variables[v.Selector.Id][v.Selector.Name],
+	}, nil
+}
+
+type ComparisonExpr struct {
+	Type     ExprType               `json:"type"` // compare
+	Operator ExprComparisonOperator `json:"operator"`
+	Left     Expr                   `json:"left"`
+	Right    Expr                   `json:"right"`
+}
+
+func (c ComparisonExpr) GetType() ExprType { return c.Type }
+
+func (c ComparisonExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	left, err := c.Left.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	right, err := c.Right.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+
+	switch c.Operator {
+	case GreaterThan:
+		return left.GreaterThan(right)
+	case LessThan:
+		return left.LessThan(right)
+	case GreaterOrEqual:
+		return left.GreaterOrEqual(right)
+	case LessOrEqual:
+		return left.LessOrEqual(right)
+	case Equal:
+		return left.Equal(right)
+	case NotEqual:
+		return left.NotEqual(right)
+	default:
+		return nil, fmt.Errorf("unknown expression operator: %s", c.Operator)
+	}
+}
+
+type LogicalExpr struct {
+	Type     ExprType            `json:"type"` // logical
+	Operator ExprLogicalOperator `json:"operator"`
+	Left     Expr                `json:"left"`
+	Right    Expr                `json:"right"`
+}
+
+func (l LogicalExpr) GetType() ExprType { return l.Type }
+
+func (l LogicalExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	left, err := l.Left.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	right, err := l.Right.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+
+	switch l.Operator {
+	case And:
+		return left.And(right)
+	case Or:
+		return left.Or(right)
+	default:
+		return nil, fmt.Errorf("unknown expression operator: %s", l.Operator)
+	}
+}
+
+type NotExpr struct {
+	Type ExprType `json:"type"` // not
+	Expr Expr     `json:"expr"`
+}
+
+func (n NotExpr) GetType() ExprType { return n.Type }
+
+func (n NotExpr) Eval(variables map[string]map[string]any) (*EvalResult, error) {
+	inner, err := n.Expr.Eval(variables)
+	if err != nil {
+		return nil, err
+	}
+	return inner.Not()
+}
+
+type rawExpr struct {
+	Type ExprType `json:"type"`
+}
+
+func MarshalExpr(e Expr) ([]byte, error) {
+	return json.Marshal(e)
+}
+
+func UnmarshalExpr(data []byte) (Expr, error) {
+	var typ rawExpr
+	if err := json.Unmarshal(data, &typ); err != nil {
+		return nil, err
+	}
+
+	switch typ.Type {
+	case ConstantExprType:
+		var e ConstantExpr
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e, nil
+	case VariantExprType:
+		var e VariantExpr
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e, nil
+	case ComparisonExprType:
+		var e ComparisonExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToComparisonExpr()
+	case LogicalExprType:
+		var e LogicalExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToLogicalExpr()
+	case NotExprType:
+		var e NotExprRaw
+		if err := json.Unmarshal(data, &e); err != nil {
+			return nil, err
+		}
+		return e.ToNotExpr()
+	default:
+		return nil, fmt.Errorf("unknown expression type: %s", typ.Type)
+	}
+}
+
+type ComparisonExprRaw struct {
+	Type     ExprType               `json:"type"`
+	Operator ExprComparisonOperator `json:"operator"`
+	Left     json.RawMessage        `json:"left"`
+	Right    json.RawMessage        `json:"right"`
+}
+
+func (r ComparisonExprRaw) ToComparisonExpr() (ComparisonExpr, error) {
+	leftExpr, err := UnmarshalExpr(r.Left)
+	if err != nil {
+		return ComparisonExpr{}, err
+	}
+	rightExpr, err := UnmarshalExpr(r.Right)
+	if err != nil {
+		return ComparisonExpr{}, err
+	}
+	return ComparisonExpr{
+		Type:     r.Type,
+		Operator: r.Operator,
+		Left:     leftExpr,
+		Right:    rightExpr,
+	}, nil
+}
+
+type LogicalExprRaw struct {
+	Type     ExprType            `json:"type"`
+	Operator ExprLogicalOperator `json:"operator"`
+	Left     json.RawMessage     `json:"left"`
+	Right    json.RawMessage     `json:"right"`
+}
+
+func (r LogicalExprRaw) ToLogicalExpr() (LogicalExpr, error) {
+	left, err := UnmarshalExpr(r.Left)
+	if err != nil {
+		return LogicalExpr{}, err
+	}
+	right, err := UnmarshalExpr(r.Right)
+	if err != nil {
+		return LogicalExpr{}, err
+	}
+	return LogicalExpr{
+		Type:     r.Type,
+		Operator: r.Operator,
+		Left:     left,
+		Right:    right,
+	}, nil
+}
+
+type NotExprRaw struct {
+	Type ExprType        `json:"type"`
+	Expr json.RawMessage `json:"expr"`
+}
+
+func (r NotExprRaw) ToNotExpr() (NotExpr, error) {
+	inner, err := UnmarshalExpr(r.Expr)
+	if err != nil {
+		return NotExpr{}, err
+	}
+	return NotExpr{
+		Type: r.Type,
+		Expr: inner,
+	}, nil
+}
--- a/internal/domain/expr/expr_test.go
+++ b/internal/domain/expr/expr_test.go
@@ -0,0 +1,127 @@
+package expr
+
+import (
+	"testing"
+)
+
+func TestLogicalEval(t *testing.T) {
+	// 测试逻辑表达式 and
+	logicalExpr := LogicalExpr{
+		Left: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+		Operator: And,
+		Right: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+	}
+	result, err := logicalExpr.Eval(nil)
+	if err != nil {
+		t.Errorf("failed to evaluate logical expression: %v", err)
+	}
+	if result.Value != true {
+		t.Errorf("expected true, got %v", result)
+	}
+
+	// 测试逻辑表达式 or
+	orExpr := LogicalExpr{
+		Left: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+		Operator: Or,
+		Right: ConstantExpr{
+			Type:      "const",
+			Value:     "true",
+			ValueType: "boolean",
+		},
+	}
+	result, err = orExpr.Eval(nil)
+	if err != nil {
+		t.Errorf("failed to evaluate logical expression: %v", err)
+	}
+	if result.Value != true {
+		t.Errorf("expected true, got %v", result)
+	}
+}
+
+func TestUnmarshalExpr(t *testing.T) {
+	type args struct {
+		data []byte
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    Expr
+		wantErr bool
+	}{
+		{
+			name: "test1",
+			args: args{
+				data: []byte(`{"left":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.validity","type":"boolean"},"type":"var"},"operator":"is","right":{"type":"const","value":true,"valueType":"boolean"},"type":"comparison"},"operator":"and","right":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.daysLeft","type":"number"},"type":"var"},"operator":"eq","right":{"type":"const","value":2,"valueType":"number"},"type":"comparison"},"type":"logical"}`),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := UnmarshalExpr(tt.args.data)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("UnmarshalExpr() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got == nil {
+				t.Errorf("UnmarshalExpr() got = nil, want %v", tt.want)
+				return
+			}
+		})
+	}
+}
+
+func TestExpr_Eval(t *testing.T) {
+	type args struct {
+		variables map[string]map[string]any
+		data      []byte
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *EvalResult
+		wantErr bool
+	}{
+		{
+			name: "test1",
+			args: args{
+				variables: map[string]map[string]any{
+					"ODnYSOXB6HQP2_vz6JcZE": {
+						"certificate.validity": true,
+						"certificate.daysLeft": 2,
+					},
+				},
+				data: []byte(`{"left":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.validity","type":"boolean"},"type":"var"},"operator":"is","right":{"type":"const","value":true,"valueType":"boolean"},"type":"comparison"},"operator":"and","right":{"left":{"selector":{"id":"ODnYSOXB6HQP2_vz6JcZE","name":"certificate.daysLeft","type":"number"},"type":"var"},"operator":"eq","right":{"type":"const","value":2,"valueType":"number"},"type":"comparison"},"type":"logical"}`),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c, err := UnmarshalExpr(tt.args.data)
+			if err != nil {
+				t.Errorf("UnmarshalExpr() error = %v", err)
+				return
+			}
+			got, err := c.Eval(tt.args.variables)
+			t.Log("got:", got)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ConstExpr.Eval() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got.Value != true {
+				t.Errorf("ConstExpr.Eval() got = %v, want %v", got.Value, true)
+			}
+		})
+	}
+}
--- a/internal/domain/notify.go
+++ b/internal/domain/notify.go
@@ -8,11 +8,16 @@ type NotifyChannelType string
 	注意：如果追加新的常量值，请保持以 ASCII 排序。
 	NOTICE: If you add new constant, please keep ASCII order.
 */
+// Deprecated: v0.4.x 将废弃
 const (
 	NotifyChannelTypeBark       = NotifyChannelType("bark")
 	NotifyChannelTypeDingTalk   = NotifyChannelType("dingtalk")
 	NotifyChannelTypeEmail      = NotifyChannelType("email")
+	NotifyChannelTypeGotify     = NotifyChannelType("gotify")
 	NotifyChannelTypeLark       = NotifyChannelType("lark")
+	NotifyChannelTypeMattermost = NotifyChannelType("mattermost")
+	NotifyChannelTypePushover   = NotifyChannelType("pushover")
+	NotifyChannelTypePushPlus   = NotifyChannelType("pushplus")
 	NotifyChannelTypeServerChan = NotifyChannelType("serverchan")
 	NotifyChannelTypeTelegram   = NotifyChannelType("telegram")
 	NotifyChannelTypeWebhook    = NotifyChannelType("webhook")
--- a/internal/domain/provider.go
+++ b/internal/domain/provider.go
@@ -1,4 +1,4 @@
-package domain
+package domain

 type AccessProviderType string

@@ -9,156 +9,292 @@ type AccessProviderType string
 	NOTICE: If you add new constant, please keep ASCII order.
 */
 const (
-	AccessProviderType1Panel       = AccessProviderType("1panel") // 1Panel（预留）
-	AccessProviderTypeACMEHttpReq  = AccessProviderType("acmehttpreq")
-	AccessProviderTypeAkamai       = AccessProviderType("akamai") // Akamai（预留）
-	AccessProviderTypeAliyun       = AccessProviderType("aliyun")
-	AccessProviderTypeAWS          = AccessProviderType("aws")
-	AccessProviderTypeAzure        = AccessProviderType("azure")
-	AccessProviderTypeBaiduCloud   = AccessProviderType("baiducloud")
-	AccessProviderTypeBaishan      = AccessProviderType("baishan")
-	AccessProviderTypeBaotaPanel   = AccessProviderType("baotapanel")
-	AccessProviderTypeBytePlus     = AccessProviderType("byteplus")
-	AccessProviderTypeCacheFly     = AccessProviderType("cachefly")
-	AccessProviderTypeCdnfly       = AccessProviderType("cdnfly")
-	AccessProviderTypeCloudflare   = AccessProviderType("cloudflare")
-	AccessProviderTypeClouDNS      = AccessProviderType("cloudns")
-	AccessProviderTypeCMCCCloud    = AccessProviderType("cmcccloud")
-	AccessProviderTypeCTCCCloud    = AccessProviderType("ctcccloud") // 联通云（预留）
-	AccessProviderTypeCUCCCloud    = AccessProviderType("cucccloud") // 天翼云（预留）
-	AccessProviderTypeDNSLA        = AccessProviderType("dnsla")
-	AccessProviderTypeDogeCloud    = AccessProviderType("dogecloud")
-	AccessProviderTypeEdgio        = AccessProviderType("edgio")
-	AccessProviderTypeFastly       = AccessProviderType("fastly") // Fastly（预留）
-	AccessProviderTypeGname        = AccessProviderType("gname")
-	AccessProviderTypeGcore        = AccessProviderType("gcore")
-	AccessProviderTypeGoDaddy      = AccessProviderType("godaddy")
-	AccessProviderTypeGoEdge       = AccessProviderType("goedge") // GoEdge（预留）
-	AccessProviderTypeHuaweiCloud  = AccessProviderType("huaweicloud")
-	AccessProviderTypeJDCloud      = AccessProviderType("jdcloud")
-	AccessProviderTypeKubernetes   = AccessProviderType("k8s")
-	AccessProviderTypeLocal        = AccessProviderType("local")
-	AccessProviderTypeNamecheap    = AccessProviderType("namecheap")
-	AccessProviderTypeNameDotCom   = AccessProviderType("namedotcom")
-	AccessProviderTypeNameSilo     = AccessProviderType("namesilo")
-	AccessProviderTypeNS1          = AccessProviderType("ns1")
-	AccessProviderTypePowerDNS     = AccessProviderType("powerdns")
-	AccessProviderTypeQiniu        = AccessProviderType("qiniu")
-	AccessProviderTypeQingCloud    = AccessProviderType("qingcloud") // 青云（预留）
-	AccessProviderTypeRainYun      = AccessProviderType("rainyun")
-	AccessProviderTypeSafeLine     = AccessProviderType("safeline")
-	AccessProviderTypeSSH          = AccessProviderType("ssh")
-	AccessProviderTypeTencentCloud = AccessProviderType("tencentcloud")
-	AccessProviderTypeUCloud       = AccessProviderType("ucloud")
-	AccessProviderTypeVolcEngine   = AccessProviderType("volcengine")
-	AccessProviderTypeWebhook      = AccessProviderType("webhook")
-	AccessProviderTypeWestcn       = AccessProviderType("westcn")
+	AccessProviderType1Panel              = AccessProviderType("1panel")
+	AccessProviderTypeACMECA              = AccessProviderType("acmeca")
+	AccessProviderTypeACMEHttpReq         = AccessProviderType("acmehttpreq")
+	AccessProviderTypeAkamai              = AccessProviderType("akamai") // Akamai（预留）
+	AccessProviderTypeAliyun              = AccessProviderType("aliyun")
+	AccessProviderTypeAPISIX              = AccessProviderType("apisix")
+	AccessProviderTypeAWS                 = AccessProviderType("aws")
+	AccessProviderTypeAzure               = AccessProviderType("azure")
+	AccessProviderTypeBaiduCloud          = AccessProviderType("baiducloud")
+	AccessProviderTypeBaishan             = AccessProviderType("baishan")
+	AccessProviderTypeBaotaPanel          = AccessProviderType("baotapanel")
+	AccessProviderTypeBaotaWAF            = AccessProviderType("baotawaf")
+	AccessProviderTypeBytePlus            = AccessProviderType("byteplus")
+	AccessProviderTypeBunny               = AccessProviderType("bunny")
+	AccessProviderTypeBuypass             = AccessProviderType("buypass")
+	AccessProviderTypeCacheFly            = AccessProviderType("cachefly")
+	AccessProviderTypeCdnfly              = AccessProviderType("cdnfly")
+	AccessProviderTypeCloudflare          = AccessProviderType("cloudflare")
+	AccessProviderTypeClouDNS             = AccessProviderType("cloudns")
+	AccessProviderTypeCMCCCloud           = AccessProviderType("cmcccloud")
+	AccessProviderTypeConstellix          = AccessProviderType("constellix")
+	AccessProviderTypeCTCCCloud           = AccessProviderType("ctcccloud")
+	AccessProviderTypeCUCCCloud           = AccessProviderType("cucccloud") // 联通云（预留）
+	AccessProviderTypeDeSEC               = AccessProviderType("desec")
+	AccessProviderTypeDigitalOcean        = AccessProviderType("digitalocean")
+	AccessProviderTypeDingTalkBot         = AccessProviderType("dingtalkbot")
+	AccessProviderTypeDiscordBot          = AccessProviderType("discordbot")
+	AccessProviderTypeDNSLA               = AccessProviderType("dnsla")
+	AccessProviderTypeDogeCloud           = AccessProviderType("dogecloud")
+	AccessProviderTypeDuckDNS             = AccessProviderType("duckdns")
+	AccessProviderTypeDynv6               = AccessProviderType("dynv6")
+	AccessProviderTypeEdgio               = AccessProviderType("edgio")
+	AccessProviderTypeEmail               = AccessProviderType("email")
+	AccessProviderTypeFastly              = AccessProviderType("fastly") // Fastly（预留）
+	AccessProviderTypeFlexCDN             = AccessProviderType("flexcdn")
+	AccessProviderTypeGname               = AccessProviderType("gname")
+	AccessProviderTypeGcore               = AccessProviderType("gcore")
+	AccessProviderTypeGoDaddy             = AccessProviderType("godaddy")
+	AccessProviderTypeGoEdge              = AccessProviderType("goedge")
+	AccessProviderTypeGoogleTrustServices = AccessProviderType("googletrustservices")
+	AccessProviderTypeHetzner             = AccessProviderType("hetzner")
+	AccessProviderTypeHuaweiCloud         = AccessProviderType("huaweicloud")
+	AccessProviderTypeJDCloud             = AccessProviderType("jdcloud")
+	AccessProviderTypeKubernetes          = AccessProviderType("k8s")
+	AccessProviderTypeLarkBot             = AccessProviderType("larkbot")
+	AccessProviderTypeLetsEncrypt         = AccessProviderType("letsencrypt")
+	AccessProviderTypeLetsEncryptStaging  = AccessProviderType("letsencryptstaging")
+	AccessProviderTypeLeCDN               = AccessProviderType("lecdn")
+	AccessProviderTypeLocal               = AccessProviderType("local")
+	AccessProviderTypeMattermost          = AccessProviderType("mattermost")
+	AccessProviderTypeNamecheap           = AccessProviderType("namecheap")
+	AccessProviderTypeNameDotCom          = AccessProviderType("namedotcom")
+	AccessProviderTypeNameSilo            = AccessProviderType("namesilo")
+	AccessProviderTypeNetcup              = AccessProviderType("netcup")
+	AccessProviderTypeNetlify             = AccessProviderType("netlify")
+	AccessProviderTypeNS1                 = AccessProviderType("ns1")
+	AccessProviderTypePorkbun             = AccessProviderType("porkbun")
+	AccessProviderTypePowerDNS            = AccessProviderType("powerdns")
+	AccessProviderTypeProxmoxVE           = AccessProviderType("proxmoxve")
+	AccessProviderTypeQiniu               = AccessProviderType("qiniu")
+	AccessProviderTypeQingCloud           = AccessProviderType("qingcloud") // 青云（预留）
+	AccessProviderTypeRainYun             = AccessProviderType("rainyun")
+	AccessProviderTypeRatPanel            = AccessProviderType("ratpanel")
+	AccessProviderTypeSafeLine            = AccessProviderType("safeline")
+	AccessProviderTypeSlackBot            = AccessProviderType("slackbot")
+	AccessProviderTypeSSH                 = AccessProviderType("ssh")
+	AccessProviderTypeSSLCOM              = AccessProviderType("sslcom")
+	AccessProviderTypeTelegramBot         = AccessProviderType("telegrambot")
+	AccessProviderTypeTencentCloud        = AccessProviderType("tencentcloud")
+	AccessProviderTypeUCloud              = AccessProviderType("ucloud")
+	AccessProviderTypeUniCloud            = AccessProviderType("unicloud")
+	AccessProviderTypeUpyun               = AccessProviderType("upyun")
+	AccessProviderTypeVercel              = AccessProviderType("vercel")
+	AccessProviderTypeVolcEngine          = AccessProviderType("volcengine")
+	AccessProviderTypeWangsu              = AccessProviderType("wangsu")
+	AccessProviderTypeWebhook             = AccessProviderType("webhook")
+	AccessProviderTypeWeComBot            = AccessProviderType("wecombot")
+	AccessProviderTypeWestcn              = AccessProviderType("westcn")
+	AccessProviderTypeZeroSSL             = AccessProviderType("zerossl")
 )

-type ApplyDNSProviderType string
+type CAProviderType string

 /*
-申请证书 DNS 提供商常量值。
+证书颁发机构提供商常量值。
 短横线前的部分始终等于授权提供商类型。

 	注意：如果追加新的常量值，请保持以 ASCII 排序。
 	NOTICE: If you add new constant, please keep ASCII order.
 */
 const (
-	ApplyDNSProviderTypeACMEHttpReq     = ApplyDNSProviderType("acmehttpreq")
-	ApplyDNSProviderTypeAliyun          = ApplyDNSProviderType("aliyun") // 兼容旧值，等同于 [ApplyDNSProviderTypeAliyunDNS]
-	ApplyDNSProviderTypeAliyunDNS       = ApplyDNSProviderType("aliyun-dns")
-	ApplyDNSProviderTypeAWS             = ApplyDNSProviderType("aws") // 兼容旧值，等同于 [ApplyDNSProviderTypeAWSRoute53]
-	ApplyDNSProviderTypeAWSRoute53      = ApplyDNSProviderType("aws-route53")
-	ApplyDNSProviderTypeAzure           = ApplyDNSProviderType("azure") // 兼容旧值，等同于 [ApplyDNSProviderTypeAzure]
-	ApplyDNSProviderTypeAzureDNS        = ApplyDNSProviderType("azure-dns")
-	ApplyDNSProviderTypeBaiduCloud      = ApplyDNSProviderType("baiducloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeBaiduCloudDNS]
-	ApplyDNSProviderTypeBaiduCloudDNS   = ApplyDNSProviderType("baiducloud-dns")
-	ApplyDNSProviderTypeCloudflare      = ApplyDNSProviderType("cloudflare")
-	ApplyDNSProviderTypeClouDNS         = ApplyDNSProviderType("cloudns")
-	ApplyDNSProviderTypeCMCCCloud       = ApplyDNSProviderType("cmcccloud")
-	ApplyDNSProviderTypeDNSLA           = ApplyDNSProviderType("dnsla")
-	ApplyDNSProviderTypeGcore           = ApplyDNSProviderType("gcore")
-	ApplyDNSProviderTypeGname           = ApplyDNSProviderType("gname")
-	ApplyDNSProviderTypeGoDaddy         = ApplyDNSProviderType("godaddy")
-	ApplyDNSProviderTypeHuaweiCloud     = ApplyDNSProviderType("huaweicloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeHuaweiCloudDNS]
-	ApplyDNSProviderTypeHuaweiCloudDNS  = ApplyDNSProviderType("huaweicloud-dns")
-	ApplyDNSProviderTypeJDCloud         = ApplyDNSProviderType("jdcloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeJDCloudDNS]
-	ApplyDNSProviderTypeJDCloudDNS      = ApplyDNSProviderType("jdcloud-dns")
-	ApplyDNSProviderTypeNamecheap       = ApplyDNSProviderType("namecheap")
-	ApplyDNSProviderTypeNameDotCom      = ApplyDNSProviderType("namedotcom")
-	ApplyDNSProviderTypeNameSilo        = ApplyDNSProviderType("namesilo")
-	ApplyDNSProviderTypeNS1             = ApplyDNSProviderType("ns1")
-	ApplyDNSProviderTypePowerDNS        = ApplyDNSProviderType("powerdns")
-	ApplyDNSProviderTypeRainYun         = ApplyDNSProviderType("rainyun")
-	ApplyDNSProviderTypeTencentCloud    = ApplyDNSProviderType("tencentcloud") // 兼容旧值，等同于 [ApplyDNSProviderTypeTencentCloudDNS]
-	ApplyDNSProviderTypeTencentCloudDNS = ApplyDNSProviderType("tencentcloud-dns")
-	ApplyDNSProviderTypeVolcEngine      = ApplyDNSProviderType("volcengine") // 兼容旧值，等同于 [ApplyDNSProviderTypeVolcEngineDNS]
-	ApplyDNSProviderTypeVolcEngineDNS   = ApplyDNSProviderType("volcengine-dns")
-	ApplyDNSProviderTypeWestcn          = ApplyDNSProviderType("westcn")
+	CAProviderTypeACMECA              = CAProviderType(AccessProviderTypeACMECA)
+	CAProviderTypeBuypass             = CAProviderType(AccessProviderTypeBuypass)
+	CAProviderTypeGoogleTrustServices = CAProviderType(AccessProviderTypeGoogleTrustServices)
+	CAProviderTypeLetsEncrypt         = CAProviderType(AccessProviderTypeLetsEncrypt)
+	CAProviderTypeLetsEncryptStaging  = CAProviderType(AccessProviderTypeLetsEncryptStaging)
+	CAProviderTypeSSLCom              = CAProviderType(AccessProviderTypeSSLCOM)
+	CAProviderTypeZeroSSL             = CAProviderType(AccessProviderTypeZeroSSL)
 )

-type DeployProviderType string
+type ACMEDns01ProviderType string

 /*
-部署目标提供商常量值。
+ACME DNS-01 提供商常量值。
 短横线前的部分始终等于授权提供商类型。

 	注意：如果追加新的常量值，请保持以 ASCII 排序。
 	NOTICE: If you add new constant, please keep ASCII order.
 */
 const (
-	DeployProviderTypeAliyunALB             = DeployProviderType("aliyun-alb")
-	DeployProviderTypeAliyunCASDeploy       = DeployProviderType("aliyun-casdeploy")
-	DeployProviderTypeAliyunCDN             = DeployProviderType("aliyun-cdn")
-	DeployProviderTypeAliyunCLB             = DeployProviderType("aliyun-clb")
-	DeployProviderTypeAliyunDCDN            = DeployProviderType("aliyun-dcdn")
-	DeployProviderTypeAliyunESA             = DeployProviderType("aliyun-esa")
-	DeployProviderTypeAliyunLive            = DeployProviderType("aliyun-live")
-	DeployProviderTypeAliyunNLB             = DeployProviderType("aliyun-nlb")
-	DeployProviderTypeAliyunOSS             = DeployProviderType("aliyun-oss")
-	DeployProviderTypeAliyunVOD             = DeployProviderType("aliyun-vod")
-	DeployProviderTypeAliyunWAF             = DeployProviderType("aliyun-waf")
-	DeployProviderTypeAWSCloudFront         = DeployProviderType("aws-cloudfront")
-	DeployProviderTypeBaiduCloudCDN         = DeployProviderType("baiducloud-cdn")
-	DeployProviderTypeBaishanCDN            = DeployProviderType("baishan-cdn")
-	DeployProviderTypeBaotaPanelConsole     = DeployProviderType("baotapanel-console")
-	DeployProviderTypeBaotaPanelSite        = DeployProviderType("baotapanel-site")
-	DeployProviderTypeBytePlusCDN           = DeployProviderType("byteplus-cdn")
-	DeployProviderTypeCacheFly              = DeployProviderType("cachefly")
-	DeployProviderTypeCdnfly                = DeployProviderType("cdnfly")
-	DeployProviderTypeDogeCloudCDN          = DeployProviderType("dogecloud-cdn")
-	DeployProviderTypeEdgioApplications     = DeployProviderType("edgio-applications")
-	DeployProviderTypeGcoreCDN              = DeployProviderType("gcore-cdn")
-	DeployProviderTypeHuaweiCloudCDN        = DeployProviderType("huaweicloud-cdn")
-	DeployProviderTypeHuaweiCloudELB        = DeployProviderType("huaweicloud-elb")
-	DeployProviderTypeHuaweiCloudWAF        = DeployProviderType("huaweicloud-waf")
-	DeployProviderTypeJDCloudALB            = DeployProviderType("jdcloud-alb")
-	DeployProviderTypeJDCloudCDN            = DeployProviderType("jdcloud-cdn")
-	DeployProviderTypeJDCloudLive           = DeployProviderType("jdcloud-live")
-	DeployProviderTypeJDCloudVOD            = DeployProviderType("jdcloud-vod")
-	DeployProviderTypeKubernetesSecret      = DeployProviderType("k8s-secret")
-	DeployProviderTypeLocal                 = DeployProviderType("local")
-	DeployProviderTypeQiniuCDN              = DeployProviderType("qiniu-cdn")
-	DeployProviderTypeQiniuPili             = DeployProviderType("qiniu-pili")
-	DeployProviderTypeSafeLine              = DeployProviderType("safeline")
-	DeployProviderTypeSSH                   = DeployProviderType("ssh")
-	DeployProviderTypeTencentCloudCDN       = DeployProviderType("tencentcloud-cdn")
-	DeployProviderTypeTencentCloudCLB       = DeployProviderType("tencentcloud-clb")
-	DeployProviderTypeTencentCloudCOS       = DeployProviderType("tencentcloud-cos")
-	DeployProviderTypeTencentCloudCSS       = DeployProviderType("tencentcloud-css")
-	DeployProviderTypeTencentCloudECDN      = DeployProviderType("tencentcloud-ecdn")
-	DeployProviderTypeTencentCloudEO        = DeployProviderType("tencentcloud-eo")
-	DeployProviderTypeTencentCloudSSLDeploy = DeployProviderType("tencentcloud-ssldeploy")
-	DeployProviderTypeTencentCloudVOD       = DeployProviderType("tencentcloud-vod")
-	DeployProviderTypeTencentCloudWAF       = DeployProviderType("tencentcloud-waf")
-	DeployProviderTypeUCloudUCDN            = DeployProviderType("ucloud-ucdn")
-	DeployProviderTypeUCloudUS3             = DeployProviderType("ucloud-us3")
-	DeployProviderTypeVolcEngineCDN         = DeployProviderType("volcengine-cdn")
-	DeployProviderTypeVolcEngineCLB         = DeployProviderType("volcengine-clb")
-	DeployProviderTypeVolcEngineDCDN        = DeployProviderType("volcengine-dcdn")
-	DeployProviderTypeVolcEngineImageX      = DeployProviderType("volcengine-imagex")
-	DeployProviderTypeVolcEngineLive        = DeployProviderType("volcengine-live")
-	DeployProviderTypeVolcEngineTOS         = DeployProviderType("volcengine-tos")
-	DeployProviderTypeWebhook               = DeployProviderType("webhook")
+	ACMEDns01ProviderTypeACMEHttpReq       = ACMEDns01ProviderType(AccessProviderTypeACMEHttpReq)
+	ACMEDns01ProviderTypeAliyun            = ACMEDns01ProviderType(AccessProviderTypeAliyun) // 兼容旧值，等同于 [ACMEDns01ProviderTypeAliyunDNS]
+	ACMEDns01ProviderTypeAliyunDNS         = ACMEDns01ProviderType(AccessProviderTypeAliyun + "-dns")
+	ACMEDns01ProviderTypeAliyunESA         = ACMEDns01ProviderType(AccessProviderTypeAliyun + "-esa")
+	ACMEDns01ProviderTypeAWS               = ACMEDns01ProviderType(AccessProviderTypeAWS) // 兼容旧值，等同于 [ACMEDns01ProviderTypeAWSRoute53]
+	ACMEDns01ProviderTypeAWSRoute53        = ACMEDns01ProviderType(AccessProviderTypeAWS + "-route53")
+	ACMEDns01ProviderTypeAzure             = ACMEDns01ProviderType(AccessProviderTypeAzure) // 兼容旧值，等同于 [ACMEDns01ProviderTypeAzure]
+	ACMEDns01ProviderTypeAzureDNS          = ACMEDns01ProviderType(AccessProviderTypeAzure + "-dns")
+	ACMEDns01ProviderTypeBaiduCloud        = ACMEDns01ProviderType(AccessProviderTypeBaiduCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeBaiduCloudDNS]
+	ACMEDns01ProviderTypeBaiduCloudDNS     = ACMEDns01ProviderType(AccessProviderTypeBaiduCloud + "-dns")
+	ACMEDns01ProviderTypeBunny             = ACMEDns01ProviderType(AccessProviderTypeBunny)
+	ACMEDns01ProviderTypeCloudflare        = ACMEDns01ProviderType(AccessProviderTypeCloudflare)
+	ACMEDns01ProviderTypeClouDNS           = ACMEDns01ProviderType(AccessProviderTypeClouDNS)
+	ACMEDns01ProviderTypeCMCCCloud         = ACMEDns01ProviderType(AccessProviderTypeCMCCCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeCMCCCloudDNS]
+	ACMEDns01ProviderTypeCMCCCloudDNS      = ACMEDns01ProviderType(AccessProviderTypeCMCCCloud + "-dns")
+	ACMEDns01ProviderTypeConstellix        = ACMEDns01ProviderType(AccessProviderTypeConstellix)
+	ACMEDns01ProviderTypeCTCCCloud         = ACMEDns01ProviderType(AccessProviderTypeCTCCCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeCTCCCloudSmartDNS]
+	ACMEDns01ProviderTypeCTCCCloudSmartDNS = ACMEDns01ProviderType(AccessProviderTypeCTCCCloud + "-smartdns")
+	ACMEDns01ProviderTypeDeSEC             = ACMEDns01ProviderType(AccessProviderTypeDeSEC)
+	ACMEDns01ProviderTypeDigitalOcean      = ACMEDns01ProviderType(AccessProviderTypeDigitalOcean)
+	ACMEDns01ProviderTypeDNSLA             = ACMEDns01ProviderType(AccessProviderTypeDNSLA)
+	ACMEDns01ProviderTypeDuckDNS           = ACMEDns01ProviderType(AccessProviderTypeDuckDNS)
+	ACMEDns01ProviderTypeDynv6             = ACMEDns01ProviderType(AccessProviderTypeDynv6)
+	ACMEDns01ProviderTypeGcore             = ACMEDns01ProviderType(AccessProviderTypeGcore)
+	ACMEDns01ProviderTypeGname             = ACMEDns01ProviderType(AccessProviderTypeGname)
+	ACMEDns01ProviderTypeGoDaddy           = ACMEDns01ProviderType(AccessProviderTypeGoDaddy)
+	ACMEDns01ProviderTypeHetzner           = ACMEDns01ProviderType(AccessProviderTypeHetzner)
+	ACMEDns01ProviderTypeHuaweiCloud       = ACMEDns01ProviderType(AccessProviderTypeHuaweiCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeHuaweiCloudDNS]
+	ACMEDns01ProviderTypeHuaweiCloudDNS    = ACMEDns01ProviderType(AccessProviderTypeHuaweiCloud + "-dns")
+	ACMEDns01ProviderTypeJDCloud           = ACMEDns01ProviderType(AccessProviderTypeJDCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeJDCloudDNS]
+	ACMEDns01ProviderTypeJDCloudDNS        = ACMEDns01ProviderType(AccessProviderTypeJDCloud + "-dns")
+	ACMEDns01ProviderTypeNamecheap         = ACMEDns01ProviderType(AccessProviderTypeNamecheap)
+	ACMEDns01ProviderTypeNameDotCom        = ACMEDns01ProviderType(AccessProviderTypeNameDotCom)
+	ACMEDns01ProviderTypeNameSilo          = ACMEDns01ProviderType(AccessProviderTypeNameSilo)
+	ACMEDns01ProviderTypeNetcup            = ACMEDns01ProviderType(AccessProviderTypeNetcup)
+	ACMEDns01ProviderTypeNetlify           = ACMEDns01ProviderType(AccessProviderTypeNetlify)
+	ACMEDns01ProviderTypeNS1               = ACMEDns01ProviderType(AccessProviderTypeNS1)
+	ACMEDns01ProviderTypePorkbun           = ACMEDns01ProviderType(AccessProviderTypePorkbun)
+	ACMEDns01ProviderTypePowerDNS          = ACMEDns01ProviderType(AccessProviderTypePowerDNS)
+	ACMEDns01ProviderTypeRainYun           = ACMEDns01ProviderType(AccessProviderTypeRainYun)
+	ACMEDns01ProviderTypeTencentCloud      = ACMEDns01ProviderType(AccessProviderTypeTencentCloud) // 兼容旧值，等同于 [ACMEDns01ProviderTypeTencentCloudDNS]
+	ACMEDns01ProviderTypeTencentCloudDNS   = ACMEDns01ProviderType(AccessProviderTypeTencentCloud + "-dns")
+	ACMEDns01ProviderTypeTencentCloudEO    = ACMEDns01ProviderType(AccessProviderTypeTencentCloud + "-eo")
+	ACMEDns01ProviderTypeUCloudUDNR        = ACMEDns01ProviderType(AccessProviderTypeUCloud + "-udnr")
+	ACMEDns01ProviderTypeVercel            = ACMEDns01ProviderType(AccessProviderTypeVercel)
+	ACMEDns01ProviderTypeVolcEngine        = ACMEDns01ProviderType(AccessProviderTypeVolcEngine) // 兼容旧值，等同于 [ACMEDns01ProviderTypeVolcEngineDNS]
+	ACMEDns01ProviderTypeVolcEngineDNS     = ACMEDns01ProviderType(AccessProviderTypeVolcEngine + "-dns")
+	ACMEDns01ProviderTypeWestcn            = ACMEDns01ProviderType(AccessProviderTypeWestcn)
+)
+
+type DeploymentProviderType string
+
+/*
+部署证书主机提供商常量值。
+短横线前的部分始终等于授权提供商类型。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	DeploymentProviderType1PanelConsole         = DeploymentProviderType(AccessProviderType1Panel + "-console")
+	DeploymentProviderType1PanelSite            = DeploymentProviderType(AccessProviderType1Panel + "-site")
+	DeploymentProviderTypeAliyunALB             = DeploymentProviderType(AccessProviderTypeAliyun + "-alb")
+	DeploymentProviderTypeAliyunAPIGW           = DeploymentProviderType(AccessProviderTypeAliyun + "-apigw")
+	DeploymentProviderTypeAliyunCAS             = DeploymentProviderType(AccessProviderTypeAliyun + "-cas")
+	DeploymentProviderTypeAliyunCASDeploy       = DeploymentProviderType(AccessProviderTypeAliyun + "-casdeploy")
+	DeploymentProviderTypeAliyunCDN             = DeploymentProviderType(AccessProviderTypeAliyun + "-cdn")
+	DeploymentProviderTypeAliyunCLB             = DeploymentProviderType(AccessProviderTypeAliyun + "-clb")
+	DeploymentProviderTypeAliyunDCDN            = DeploymentProviderType(AccessProviderTypeAliyun + "-dcdn")
+	DeploymentProviderTypeAliyunDDoS            = DeploymentProviderType(AccessProviderTypeAliyun + "-ddos")
+	DeploymentProviderTypeAliyunESA             = DeploymentProviderType(AccessProviderTypeAliyun + "-esa")
+	DeploymentProviderTypeAliyunFC              = DeploymentProviderType(AccessProviderTypeAliyun + "-fc")
+	DeploymentProviderTypeAliyunGA              = DeploymentProviderType(AccessProviderTypeAliyun + "-ga")
+	DeploymentProviderTypeAliyunLive            = DeploymentProviderType(AccessProviderTypeAliyun + "-live")
+	DeploymentProviderTypeAliyunNLB             = DeploymentProviderType(AccessProviderTypeAliyun + "-nlb")
+	DeploymentProviderTypeAliyunOSS             = DeploymentProviderType(AccessProviderTypeAliyun + "-oss")
+	DeploymentProviderTypeAliyunVOD             = DeploymentProviderType(AccessProviderTypeAliyun + "-vod")
+	DeploymentProviderTypeAliyunWAF             = DeploymentProviderType(AccessProviderTypeAliyun + "-waf")
+	DeploymentProviderTypeAPISIX                = DeploymentProviderType(AccessProviderTypeAWS + "-apisix")
+	DeploymentProviderTypeAWSACM                = DeploymentProviderType(AccessProviderTypeAWS + "-acm")
+	DeploymentProviderTypeAWSCloudFront         = DeploymentProviderType(AccessProviderTypeAWS + "-cloudfront")
+	DeploymentProviderTypeAWSIAM                = DeploymentProviderType(AccessProviderTypeAWS + "-iam")
+	DeploymentProviderTypeAzureKeyVault         = DeploymentProviderType(AccessProviderTypeAzure + "-keyvault")
+	DeploymentProviderTypeBaiduCloudAppBLB      = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-appblb")
+	DeploymentProviderTypeBaiduCloudBLB         = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-blb")
+	DeploymentProviderTypeBaiduCloudCDN         = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-cdn")
+	DeploymentProviderTypeBaiduCloudCert        = DeploymentProviderType(AccessProviderTypeBaiduCloud + "-cert")
+	DeploymentProviderTypeBaishanCDN            = DeploymentProviderType(AccessProviderTypeBaishan + "-cdn")
+	DeploymentProviderTypeBaotaPanelConsole     = DeploymentProviderType(AccessProviderTypeBaotaPanel + "-console")
+	DeploymentProviderTypeBaotaPanelSite        = DeploymentProviderType(AccessProviderTypeBaotaPanel + "-site")
+	DeploymentProviderTypeBaotaWAFConsole       = DeploymentProviderType(AccessProviderTypeBaotaWAF + "-console")
+	DeploymentProviderTypeBaotaWAFSite          = DeploymentProviderType(AccessProviderTypeBaotaWAF + "-site")
+	DeploymentProviderTypeBunnyCDN              = DeploymentProviderType(AccessProviderTypeBunny + "-cdn")
+	DeploymentProviderTypeBytePlusCDN           = DeploymentProviderType(AccessProviderTypeBytePlus + "-cdn")
+	DeploymentProviderTypeCacheFly              = DeploymentProviderType(AccessProviderTypeCacheFly)
+	DeploymentProviderTypeCdnfly                = DeploymentProviderType(AccessProviderTypeCdnfly)
+	DeploymentProviderTypeCTCCCloudAO           = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-ao")
+	DeploymentProviderTypeCTCCCloudCDN          = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-cdn")
+	DeploymentProviderTypeCTCCCloudCMS          = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-cms")
+	DeploymentProviderTypeCTCCCloudELB          = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-elb")
+	DeploymentProviderTypeCTCCCloudICDN         = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-icdn")
+	DeploymentProviderTypeCTCCCloudLVDN         = DeploymentProviderType(AccessProviderTypeCTCCCloud + "-ldvn")
+	DeploymentProviderTypeDogeCloudCDN          = DeploymentProviderType(AccessProviderTypeDogeCloud + "-cdn")
+	DeploymentProviderTypeEdgioApplications     = DeploymentProviderType(AccessProviderTypeEdgio + "-applications")
+	DeploymentProviderTypeFlexCDN               = DeploymentProviderType(AccessProviderTypeFlexCDN)
+	DeploymentProviderTypeGcoreCDN              = DeploymentProviderType(AccessProviderTypeGcore + "-cdn")
+	DeploymentProviderTypeGoEdge                = DeploymentProviderType(AccessProviderTypeGoEdge)
+	DeploymentProviderTypeHuaweiCloudCDN        = DeploymentProviderType(AccessProviderTypeHuaweiCloud + "-cdn")
+	DeploymentProviderTypeHuaweiCloudELB        = DeploymentProviderType(AccessProviderTypeHuaweiCloud + "-elb")
+	DeploymentProviderTypeHuaweiCloudSCM        = DeploymentProviderType(AccessProviderTypeHuaweiCloud + "-scm")
+	DeploymentProviderTypeHuaweiCloudWAF        = DeploymentProviderType(AccessProviderTypeHuaweiCloud + "-waf")
+	DeploymentProviderTypeJDCloudALB            = DeploymentProviderType(AccessProviderTypeJDCloud + "-alb")
+	DeploymentProviderTypeJDCloudCDN            = DeploymentProviderType(AccessProviderTypeJDCloud + "-cdn")
+	DeploymentProviderTypeJDCloudLive           = DeploymentProviderType(AccessProviderTypeJDCloud + "-live")
+	DeploymentProviderTypeJDCloudVOD            = DeploymentProviderType(AccessProviderTypeJDCloud + "-vod")
+	DeploymentProviderTypeKubernetesSecret      = DeploymentProviderType(AccessProviderTypeKubernetes + "-secret")
+	DeploymentProviderTypeLeCDN                 = DeploymentProviderType(AccessProviderTypeLeCDN)
+	DeploymentProviderTypeLocal                 = DeploymentProviderType(AccessProviderTypeLocal)
+	DeploymentProviderTypeNetlifySite           = DeploymentProviderType(AccessProviderTypeNetlify + "-site")
+	DeploymentProviderTypeProxmoxVE             = DeploymentProviderType(AccessProviderTypeProxmoxVE)
+	DeploymentProviderTypeQiniuCDN              = DeploymentProviderType(AccessProviderTypeQiniu + "-cdn")
+	DeploymentProviderTypeQiniuKodo             = DeploymentProviderType(AccessProviderTypeQiniu + "-kodo")
+	DeploymentProviderTypeQiniuPili             = DeploymentProviderType(AccessProviderTypeQiniu + "-pili")
+	DeploymentProviderTypeRainYunRCDN           = DeploymentProviderType(AccessProviderTypeRainYun + "-rcdn")
+	DeploymentProviderTypeRatPanelConsole       = DeploymentProviderType(AccessProviderTypeRatPanel + "-console")
+	DeploymentProviderTypeRatPanelSite          = DeploymentProviderType(AccessProviderTypeRatPanel + "-site")
+	DeploymentProviderTypeSafeLine              = DeploymentProviderType(AccessProviderTypeSafeLine)
+	DeploymentProviderTypeSSH                   = DeploymentProviderType(AccessProviderTypeSSH)
+	DeploymentProviderTypeTencentCloudCDN       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-cdn")
+	DeploymentProviderTypeTencentCloudCLB       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-clb")
+	DeploymentProviderTypeTencentCloudCOS       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-cos")
+	DeploymentProviderTypeTencentCloudCSS       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-css")
+	DeploymentProviderTypeTencentCloudECDN      = DeploymentProviderType(AccessProviderTypeTencentCloud + "-ecdn")
+	DeploymentProviderTypeTencentCloudEO        = DeploymentProviderType(AccessProviderTypeTencentCloud + "-eo")
+	DeploymentProviderTypeTencentCloudGAAP      = DeploymentProviderType(AccessProviderTypeTencentCloud + "-gaap")
+	DeploymentProviderTypeTencentCloudSCF       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-scf")
+	DeploymentProviderTypeTencentCloudSSL       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-ssl")
+	DeploymentProviderTypeTencentCloudSSLDeploy = DeploymentProviderType(AccessProviderTypeTencentCloud + "-ssldeploy")
+	DeploymentProviderTypeTencentCloudVOD       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-vod")
+	DeploymentProviderTypeTencentCloudWAF       = DeploymentProviderType(AccessProviderTypeTencentCloud + "-waf")
+	DeploymentProviderTypeUCloudUCDN            = DeploymentProviderType(AccessProviderTypeUCloud + "-ucdn")
+	DeploymentProviderTypeUCloudUS3             = DeploymentProviderType(AccessProviderTypeUCloud + "-us3")
+	DeploymentProviderTypeUniCloudWebHost       = DeploymentProviderType(AccessProviderTypeUniCloud + "-webhost")
+	DeploymentProviderTypeUpyunCDN              = DeploymentProviderType(AccessProviderTypeUpyun + "-cdn")
+	DeploymentProviderTypeUpyunFile             = DeploymentProviderType(AccessProviderTypeUpyun + "-file")
+	DeploymentProviderTypeVolcEngineALB         = DeploymentProviderType(AccessProviderTypeVolcEngine + "-alb")
+	DeploymentProviderTypeVolcEngineCDN         = DeploymentProviderType(AccessProviderTypeVolcEngine + "-cdn")
+	DeploymentProviderTypeVolcEngineCertCenter  = DeploymentProviderType(AccessProviderTypeVolcEngine + "-certcenter")
+	DeploymentProviderTypeVolcEngineCLB         = DeploymentProviderType(AccessProviderTypeVolcEngine + "-clb")
+	DeploymentProviderTypeVolcEngineDCDN        = DeploymentProviderType(AccessProviderTypeVolcEngine + "-dcdn")
+	DeploymentProviderTypeVolcEngineImageX      = DeploymentProviderType(AccessProviderTypeVolcEngine + "-imagex")
+	DeploymentProviderTypeVolcEngineLive        = DeploymentProviderType(AccessProviderTypeVolcEngine + "-live")
+	DeploymentProviderTypeVolcEngineTOS         = DeploymentProviderType(AccessProviderTypeVolcEngine + "-tos")
+	DeploymentProviderTypeWangsuCDN             = DeploymentProviderType(AccessProviderTypeWangsu + "-cdn")
+	DeploymentProviderTypeWangsuCDNPro          = DeploymentProviderType(AccessProviderTypeWangsu + "-cdnpro")
+	DeploymentProviderTypeWangsuCertificate     = DeploymentProviderType(AccessProviderTypeWangsu + "-certificate")
+	DeploymentProviderTypeWebhook               = DeploymentProviderType(AccessProviderTypeWebhook)
+)
+
+type NotificationProviderType string
+
+/*
+消息通知提供商常量值。
+短横线前的部分始终等于授权提供商类型。
+
+	注意：如果追加新的常量值，请保持以 ASCII 排序。
+	NOTICE: If you add new constant, please keep ASCII order.
+*/
+const (
+	NotificationProviderTypeDingTalkBot = NotificationProviderType(AccessProviderTypeDingTalkBot)
+	NotificationProviderTypeDiscordBot  = NotificationProviderType(AccessProviderTypeDiscordBot)
+	NotificationProviderTypeEmail       = NotificationProviderType(AccessProviderTypeEmail)
+	NotificationProviderTypeLarkBot     = NotificationProviderType(AccessProviderTypeLarkBot)
+	NotificationProviderTypeMattermost  = NotificationProviderType(AccessProviderTypeMattermost)
+	NotificationProviderTypeSlackBot    = NotificationProviderType(AccessProviderTypeSlackBot)
+	NotificationProviderTypeTelegramBot = NotificationProviderType(AccessProviderTypeTelegramBot)
+	NotificationProviderTypeWebhook     = NotificationProviderType(AccessProviderTypeWebhook)
+	NotificationProviderTypeWeComBot    = NotificationProviderType(AccessProviderTypeWeComBot)
 )
--- a/internal/domain/settings.go
+++ b/internal/domain/settings.go
@@ -13,17 +13,18 @@ type Settings struct {
 	Content string `json:"content" db:"content"`
 }

+// Deprecated: v0.4.x 将废弃
 type NotifyTemplatesSettingsContent struct {
-	NotifyTemplates []NotifyTemplate `json:"notifyTemplates"`
-}
-
-type NotifyTemplate struct {
-	Subject string `json:"subject"`
-	Message string `json:"message"`
+	NotifyTemplates []struct {
+		Subject string `json:"subject"`
+		Message string `json:"message"`
+	} `json:"notifyTemplates"`
 }

+// Deprecated: v0.4.x 将废弃
 type NotifyChannelsSettingsContent map[string]map[string]any

+// Deprecated: v0.4.x 将废弃
 func (s *Settings) GetNotifyChannelConfig(channel string) (map[string]any, error) {
 	conf := &NotifyChannelsSettingsContent{}
 	if err := json.Unmarshal([]byte(s.Content), conf); err != nil {
@@ -37,3 +38,8 @@ func (s *Settings) GetNotifyChannelConfig(channel string) (map[string]any, error

 	return v, nil
 }
+
+type PersistenceSettingsContent struct {
+	WorkflowRunsMaxDaysRetention        int `json:"workflowRunsMaxDaysRetention"`
+	ExpiredCertificatesMaxDaysRetention int `json:"expiredCertificatesMaxDaysRetention"`
+}
--- a/internal/domain/workflow.go
+++ b/internal/domain/workflow.go
@@ -1,9 +1,11 @@
 package domain

 import (
+	"encoding/json"
 	"time"

-	"github.com/usual2970/certimate/internal/pkg/utils/maps"
+	"github.com/certimate-go/certimate/internal/domain/expr"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
 )

 const CollectionNameWorkflow = "workflow"
@@ -30,6 +32,7 @@ const (
 	WorkflowNodeTypeEnd                 = WorkflowNodeType("end")
 	WorkflowNodeTypeApply               = WorkflowNodeType("apply")
 	WorkflowNodeTypeUpload              = WorkflowNodeType("upload")
+	WorkflowNodeTypeMonitor             = WorkflowNodeType("monitor")
 	WorkflowNodeTypeDeploy              = WorkflowNodeType("deploy")
 	WorkflowNodeTypeNotify              = WorkflowNodeType("notify")
 	WorkflowNodeTypeBranch              = WorkflowNodeType("branch")
@@ -62,108 +65,135 @@ type WorkflowNode struct {
 }

 type WorkflowNodeConfigForApply struct {
-	Domains               string         `json:"domains"`               // 域名列表，以半角逗号分隔
-	ContactEmail          string         `json:"contactEmail"`          // 联系邮箱
-	ChallengeType         string         `json:"challengeType"`         // TODO: 验证方式。目前仅支持 dns-01
-	Provider              string         `json:"provider"`              // DNS 提供商
-	ProviderAccessId      string         `json:"providerAccessId"`      // DNS 提供商授权记录 ID
-	ProviderConfig        map[string]any `json:"providerConfig"`        // DNS 提供商额外配置
-	KeyAlgorithm          string         `json:"keyAlgorithm"`          // 密钥算法
-	Nameservers           string         `json:"nameservers"`           // DNS 服务器列表，以半角逗号分隔
-	DnsPropagationTimeout int32          `json:"dnsPropagationTimeout"` // DNS 传播超时时间（零值取决于提供商的默认值）
-	DnsTTL                int32          `json:"dnsTTL"`                // DNS TTL（零值取决于提供商的默认值）
-	DisableFollowCNAME    bool           `json:"disableFollowCNAME"`    // 是否关闭 CNAME 跟随
-	DisableARI            bool           `json:"disableARI"`            // 是否关闭 ARI
-	SkipBeforeExpiryDays  int32          `json:"skipBeforeExpiryDays"`  // 证书到期前多少天前跳过续期（零值将使用默认值 30）
+	Domains               string         `json:"domains"`                         // 域名列表，以半角分号分隔
+	ContactEmail          string         `json:"contactEmail"`                    // 联系邮箱
+	ChallengeType         string         `json:"challengeType"`                   // TODO: 验证方式。目前仅支持 dns-01
+	Provider              string         `json:"provider"`                        // DNS 提供商
+	ProviderAccessId      string         `json:"providerAccessId"`                // DNS 提供商授权记录 ID
+	ProviderConfig        map[string]any `json:"providerConfig"`                  // DNS 提供商额外配置
+	CAProvider            string         `json:"caProvider,omitempty"`            // CA 提供商（零值时使用全局配置）
+	CAProviderAccessId    string         `json:"caProviderAccessId,omitempty"`    // CA 提供商授权记录 ID
+	CAProviderConfig      map[string]any `json:"caProviderConfig,omitempty"`      // CA 提供商额外配置
+	KeyAlgorithm          string         `json:"keyAlgorithm"`                    // 证书算法
+	Nameservers           string         `json:"nameservers,omitempty"`           // DNS 服务器列表，以半角分号分隔
+	DnsPropagationWait    int32          `json:"dnsPropagationWait,omitempty"`    // DNS 传播等待时间，等同于 lego 的 `--dns-propagation-wait` 参数
+	DnsPropagationTimeout int32          `json:"dnsPropagationTimeout,omitempty"` // DNS 传播检查超时时间（零值时使用提供商的默认值）
+	DnsTTL                int32          `json:"dnsTTL,omitempty"`                // DNS 解析记录 TTL（零值时使用提供商的默认值）
+	DisableFollowCNAME    bool           `json:"disableFollowCNAME,omitempty"`    // 是否关闭 CNAME 跟随
+	DisableARI            bool           `json:"disableARI,omitempty"`            // 是否关闭 ARI
+	SkipBeforeExpiryDays  int32          `json:"skipBeforeExpiryDays,omitempty"`  // 证书到期前多少天前跳过续期（零值时默认值 30）
 }

 type WorkflowNodeConfigForUpload struct {
-	Certificate string `json:"certificate"`
-	PrivateKey  string `json:"privateKey"`
-	Domains     string `json:"domains"`
+	Certificate string `json:"certificate"` // 证书 PEM 内容
+	PrivateKey  string `json:"privateKey"`  // 私钥 PEM 内容
+	Domains     string `json:"domains,omitempty"`
+}
+
+type WorkflowNodeConfigForMonitor struct {
+	Host        string `json:"host"`                  // 主机地址
+	Port        int32  `json:"port,omitempty"`        // 端口（零值时默认值 443）
+	Domain      string `json:"domain,omitempty"`      // 域名（零值时默认值 [Host]）
+	RequestPath string `json:"requestPath,omitempty"` // 请求路径
 }

 type WorkflowNodeConfigForDeploy struct {
-	Certificate         string         `json:"certificate"`         // 前序节点输出的证书，形如“${NodeId}#certificate”
-	Provider            string         `json:"provider"`            // 主机提供商
-	ProviderAccessId    string         `json:"providerAccessId"`    // 主机提供商授权记录 ID
-	ProviderConfig      map[string]any `json:"providerConfig"`      // 主机提供商额外配置
-	SkipOnLastSucceeded bool           `json:"skipOnLastSucceeded"` // 上次部署成功时是否跳过
+	Certificate         string         `json:"certificate"`                // 前序节点输出的证书，形如“${NodeId}#certificate”
+	Provider            string         `json:"provider"`                   // 主机提供商
+	ProviderAccessId    string         `json:"providerAccessId,omitempty"` // 主机提供商授权记录 ID
+	ProviderConfig      map[string]any `json:"providerConfig,omitempty"`   // 主机提供商额外配置
+	SkipOnLastSucceeded bool           `json:"skipOnLastSucceeded"`        // 上次部署成功时是否跳过
 }

 type WorkflowNodeConfigForNotify struct {
-	Channel string `json:"channel"` // 通知渠道
-	Subject string `json:"subject"` // 通知主题
-	Message string `json:"message"` // 通知内容
+	Channel              string         `json:"channel,omitempty"`        // Deprecated: v0.4.x 将废弃
+	Provider             string         `json:"provider"`                 // 通知提供商
+	ProviderAccessId     string         `json:"providerAccessId"`         // 通知提供商授权记录 ID
+	ProviderConfig       map[string]any `json:"providerConfig,omitempty"` // 通知提供商额外配置
+	Subject              string         `json:"subject"`                  // 通知主题
+	Message              string         `json:"message"`                  // 通知内容
+	SkipOnAllPrevSkipped bool           `json:"skipOnAllPrevSkipped"`     // 前序节点均已跳过时是否跳过
 }

-func (n *WorkflowNode) getConfigValueAsString(key string) string {
-	return maps.GetValueAsString(n.Config, key)
-}
-
-func (n *WorkflowNode) getConfigValueAsBool(key string) bool {
-	return maps.GetValueAsBool(n.Config, key)
-}
-
-func (n *WorkflowNode) getConfigValueAsInt32(key string) int32 {
-	return maps.GetValueAsInt32(n.Config, key)
-}
-
-func (n *WorkflowNode) getConfigValueAsMap(key string) map[string]any {
-	if val, ok := n.Config[key]; ok {
-		if result, ok := val.(map[string]any); ok {
-			return result
-		}
-	}
-
-	return make(map[string]any)
+type WorkflowNodeConfigForCondition struct {
+	Expression expr.Expr `json:"expression"` // 条件表达式
 }

 func (n *WorkflowNode) GetConfigForApply() WorkflowNodeConfigForApply {
-	skipBeforeExpiryDays := n.getConfigValueAsInt32("skipBeforeExpiryDays")
-	if skipBeforeExpiryDays == 0 {
-		skipBeforeExpiryDays = 30
-	}
-
 	return WorkflowNodeConfigForApply{
-		Domains:               n.getConfigValueAsString("domains"),
-		ContactEmail:          n.getConfigValueAsString("contactEmail"),
-		Provider:              n.getConfigValueAsString("provider"),
-		ProviderAccessId:      n.getConfigValueAsString("providerAccessId"),
-		ProviderConfig:        n.getConfigValueAsMap("providerConfig"),
-		KeyAlgorithm:          n.getConfigValueAsString("keyAlgorithm"),
-		Nameservers:           n.getConfigValueAsString("nameservers"),
-		DnsPropagationTimeout: n.getConfigValueAsInt32("dnsPropagationTimeout"),
-		DnsTTL:                n.getConfigValueAsInt32("dnsTTL"),
-		DisableFollowCNAME:    n.getConfigValueAsBool("disableFollowCNAME"),
-		DisableARI:            n.getConfigValueAsBool("disableARI"),
-		SkipBeforeExpiryDays:  skipBeforeExpiryDays,
+		Domains:               xmaps.GetString(n.Config, "domains"),
+		ContactEmail:          xmaps.GetString(n.Config, "contactEmail"),
+		Provider:              xmaps.GetString(n.Config, "provider"),
+		ProviderAccessId:      xmaps.GetString(n.Config, "providerAccessId"),
+		ProviderConfig:        xmaps.GetKVMapAny(n.Config, "providerConfig"),
+		CAProvider:            xmaps.GetString(n.Config, "caProvider"),
+		CAProviderAccessId:    xmaps.GetString(n.Config, "caProviderAccessId"),
+		CAProviderConfig:      xmaps.GetKVMapAny(n.Config, "caProviderConfig"),
+		KeyAlgorithm:          xmaps.GetOrDefaultString(n.Config, "keyAlgorithm", string(CertificateKeyAlgorithmTypeRSA2048)),
+		Nameservers:           xmaps.GetString(n.Config, "nameservers"),
+		DnsPropagationWait:    xmaps.GetInt32(n.Config, "dnsPropagationWait"),
+		DnsPropagationTimeout: xmaps.GetInt32(n.Config, "dnsPropagationTimeout"),
+		DnsTTL:                xmaps.GetInt32(n.Config, "dnsTTL"),
+		DisableFollowCNAME:    xmaps.GetBool(n.Config, "disableFollowCNAME"),
+		DisableARI:            xmaps.GetBool(n.Config, "disableARI"),
+		SkipBeforeExpiryDays:  xmaps.GetOrDefaultInt32(n.Config, "skipBeforeExpiryDays", 30),
 	}
 }

 func (n *WorkflowNode) GetConfigForUpload() WorkflowNodeConfigForUpload {
 	return WorkflowNodeConfigForUpload{
-		Certificate: n.getConfigValueAsString("certificate"),
-		PrivateKey:  n.getConfigValueAsString("privateKey"),
-		Domains:     n.getConfigValueAsString("domains"),
+		Certificate: xmaps.GetString(n.Config, "certificate"),
+		PrivateKey:  xmaps.GetString(n.Config, "privateKey"),
+		Domains:     xmaps.GetString(n.Config, "domains"),
+	}
+}
+
+func (n *WorkflowNode) GetConfigForMonitor() WorkflowNodeConfigForMonitor {
+	host := xmaps.GetString(n.Config, "host")
+	return WorkflowNodeConfigForMonitor{
+		Host:        host,
+		Port:        xmaps.GetOrDefaultInt32(n.Config, "port", 443),
+		Domain:      xmaps.GetOrDefaultString(n.Config, "domain", host),
+		RequestPath: xmaps.GetString(n.Config, "path"),
 	}
 }

 func (n *WorkflowNode) GetConfigForDeploy() WorkflowNodeConfigForDeploy {
 	return WorkflowNodeConfigForDeploy{
-		Certificate:         n.getConfigValueAsString("certificate"),
-		Provider:            n.getConfigValueAsString("provider"),
-		ProviderAccessId:    n.getConfigValueAsString("providerAccessId"),
-		ProviderConfig:      n.getConfigValueAsMap("providerConfig"),
-		SkipOnLastSucceeded: n.getConfigValueAsBool("skipOnLastSucceeded"),
+		Certificate:         xmaps.GetString(n.Config, "certificate"),
+		Provider:            xmaps.GetString(n.Config, "provider"),
+		ProviderAccessId:    xmaps.GetString(n.Config, "providerAccessId"),
+		ProviderConfig:      xmaps.GetKVMapAny(n.Config, "providerConfig"),
+		SkipOnLastSucceeded: xmaps.GetBool(n.Config, "skipOnLastSucceeded"),
 	}
 }

 func (n *WorkflowNode) GetConfigForNotify() WorkflowNodeConfigForNotify {
 	return WorkflowNodeConfigForNotify{
-		Channel: n.getConfigValueAsString("channel"),
-		Subject: n.getConfigValueAsString("subject"),
-		Message: n.getConfigValueAsString("message"),
+		Channel:              xmaps.GetString(n.Config, "channel"),
+		Provider:             xmaps.GetString(n.Config, "provider"),
+		ProviderAccessId:     xmaps.GetString(n.Config, "providerAccessId"),
+		ProviderConfig:       xmaps.GetKVMapAny(n.Config, "providerConfig"),
+		Subject:              xmaps.GetString(n.Config, "subject"),
+		Message:              xmaps.GetString(n.Config, "message"),
+		SkipOnAllPrevSkipped: xmaps.GetBool(n.Config, "skipOnAllPrevSkipped"),
+	}
+}
+
+func (n *WorkflowNode) GetConfigForCondition() WorkflowNodeConfigForCondition {
+	expression := n.Config["expression"]
+	if expression == nil {
+		return WorkflowNodeConfigForCondition{}
+	}
+
+	exprRaw, _ := json.Marshal(expression)
+	expr, err := expr.UnmarshalExpr([]byte(exprRaw))
+	if err != nil {
+		return WorkflowNodeConfigForCondition{}
+	}
+
+	return WorkflowNodeConfigForCondition{
+		Expression: expr,
 	}
 }

@@ -176,9 +206,6 @@ type WorkflowNodeIO struct {
 	ValueSelector WorkflowNodeIOValueSelector `json:"valueSelector"`
 }

-type WorkflowNodeIOValueSelector struct {
-	Id   string `json:"id"`
-	Name string `json:"name"`
-}
+type WorkflowNodeIOValueSelector = expr.ExprValueSelector

 const WorkflowNodeIONameCertificate string = "certificate"
--- a/internal/domain/workflow_log.go
+++ b/internal/domain/workflow_log.go
@@ -0,0 +1,30 @@
+package domain
+
+import "strings"
+
+const CollectionNameWorkflowLog = "workflow_logs"
+
+type WorkflowLog struct {
+	Meta
+	WorkflowId string         `json:"workflowId" db:"workflowId"`
+	RunId      string         `json:"workflorunIdwId" db:"runId"`
+	NodeId     string         `json:"nodeId" db:"nodeId"`
+	NodeName   string         `json:"nodeName" db:"nodeName"`
+	Timestamp  int64          `json:"timestamp" db:"timestamp"` // 毫秒级时间戳
+	Level      string         `json:"level" db:"level"`
+	Message    string         `json:"message" db:"message"`
+	Data       map[string]any `json:"data" db:"data"`
+}
+
+type WorkflowLogs []WorkflowLog
+
+func (r WorkflowLogs) ErrorString() string {
+	var builder strings.Builder
+	for _, log := range r {
+		if log.Level == "ERROR" {
+			builder.WriteString(log.Message)
+			builder.WriteString("\n")
+		}
+	}
+	return strings.TrimSpace(builder.String())
+}
--- a/internal/domain/workflow_run.go
+++ b/internal/domain/workflow_run.go
@@ -1,7 +1,6 @@
 package domain

 import (
-	"strings"
 	"time"
 )

@@ -14,7 +13,7 @@ type WorkflowRun struct {
 	Trigger    WorkflowTriggerType   `json:"trigger" db:"trigger"`
 	StartedAt  time.Time             `json:"startedAt" db:"startedAt"`
 	EndedAt    time.Time             `json:"endedAt" db:"endedAt"`
-	Logs       []WorkflowRunLog      `json:"logs" db:"logs"`
+	Detail     *WorkflowNode         `json:"detail" db:"detail"`
 	Error      string                `json:"error" db:"error"`
 }

@@ -27,39 +26,3 @@ const (
 	WorkflowRunStatusTypeFailed    WorkflowRunStatusType = "failed"
 	WorkflowRunStatusTypeCanceled  WorkflowRunStatusType = "canceled"
 )
-
-type WorkflowRunLog struct {
-	NodeId   string                 `json:"nodeId"`
-	NodeName string                 `json:"nodeName"`
-	Records  []WorkflowRunLogRecord `json:"records"`
-	Error    string                 `json:"error"`
-}
-
-type WorkflowRunLogRecord struct {
-	Time    string              `json:"time"`
-	Level   WorkflowRunLogLevel `json:"level"`
-	Content string              `json:"content"`
-	Error   string              `json:"error"`
-}
-
-type WorkflowRunLogLevel string
-
-const (
-	WorkflowRunLogLevelDebug WorkflowRunLogLevel = "DEBUG"
-	WorkflowRunLogLevelInfo  WorkflowRunLogLevel = "INFO"
-	WorkflowRunLogLevelWarn  WorkflowRunLogLevel = "WARN"
-	WorkflowRunLogLevelError WorkflowRunLogLevel = "ERROR"
-)
-
-type WorkflowRunLogs []WorkflowRunLog
-
-func (r WorkflowRunLogs) ErrorString() string {
-	var builder strings.Builder
-	for _, log := range r {
-		if log.Error != "" {
-			builder.WriteString(log.Error)
-			builder.WriteString("\n")
-		}
-	}
-	return builder.String()
-}
--- a/internal/notify/notifier.go
+++ b/internal/notify/notifier.go
@@ -0,0 +1,74 @@
+package notify
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/repository"
+	"github.com/certimate-go/certimate/pkg/core"
+)
+
+type Notifier interface {
+	Notify(ctx context.Context) error
+}
+
+type NotifierWithWorkflowNodeConfig struct {
+	Node    *domain.WorkflowNode
+	Logger  *slog.Logger
+	Subject string
+	Message string
+}
+
+func NewWithWorkflowNode(config NotifierWithWorkflowNodeConfig) (Notifier, error) {
+	if config.Node == nil {
+		return nil, fmt.Errorf("node is nil")
+	}
+	if config.Node.Type != domain.WorkflowNodeTypeNotify {
+		return nil, fmt.Errorf("node type is not '%s'", string(domain.WorkflowNodeTypeNotify))
+	}
+
+	nodeCfg := config.Node.GetConfigForNotify()
+	options := &notifierProviderOptions{
+		Provider:              domain.NotificationProviderType(nodeCfg.Provider),
+		ProviderAccessConfig:  make(map[string]any),
+		ProviderServiceConfig: nodeCfg.ProviderConfig,
+	}
+
+	accessRepo := repository.NewAccessRepository()
+	if nodeCfg.ProviderAccessId != "" {
+		access, err := accessRepo.GetById(context.Background(), nodeCfg.ProviderAccessId)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get access #%s record: %w", nodeCfg.ProviderAccessId, err)
+		} else {
+			options.ProviderAccessConfig = access.Config
+		}
+	}
+
+	notifier, err := createNotifierProvider(options)
+	if err != nil {
+		return nil, err
+	} else {
+		notifier.SetLogger(config.Logger)
+	}
+
+	return &notifierImpl{
+		provider: notifier,
+		subject:  config.Subject,
+		message:  config.Message,
+	}, nil
+}
+
+type notifierImpl struct {
+	provider core.Notifier
+	subject  string
+	message  string
+}
+
+var _ Notifier = (*notifierImpl)(nil)
+
+func (n *notifierImpl) Notify(ctx context.Context) error {
+	_, err := n.provider.Notify(ctx, n.subject, n.message)
+	return err
+}
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -7,12 +7,13 @@ import (

 	"golang.org/x/sync/errgroup"

-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/pkg/core/notifier"
-	"github.com/usual2970/certimate/internal/pkg/utils/maps"
-	"github.com/usual2970/certimate/internal/repository"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/repository"
+	"github.com/certimate-go/certimate/pkg/core"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
 )

+// Deprecated: v0.4.x 将废弃
 func SendToAllChannels(subject, message string) error {
 	notifiers, err := getEnabledNotifiers()
 	if err != nil {
@@ -38,8 +39,9 @@ func SendToAllChannels(subject, message string) error {
 	return err
 }

+// Deprecated: v0.4.x 将废弃
 func SendToChannel(subject, message string, channel string, channelConfig map[string]any) error {
-	notifier, err := createNotifier(domain.NotifyChannelType(channel), channelConfig)
+	notifier, err := createNotifierProviderUseGlobalSettings(domain.NotifyChannelType(channel), channelConfig)
 	if err != nil {
 		return err
 	}
@@ -48,7 +50,8 @@ func SendToChannel(subject, message string, channel string, channelConfig map[st
 	return err
 }

-func getEnabledNotifiers() ([]notifier.Notifier, error) {
+// Deprecated: v0.4.x 将废弃
+func getEnabledNotifiers() ([]core.Notifier, error) {
 	settingsRepo := repository.NewSettingsRepository()
 	settings, err := settingsRepo.GetByName(context.Background(), "notifyChannels")
 	if err != nil {
@@ -60,13 +63,13 @@ func getEnabledNotifiers() ([]notifier.Notifier, error) {
 		return nil, fmt.Errorf("unmarshal notifyChannels error: %w", err)
 	}

-	notifiers := make([]notifier.Notifier, 0)
+	notifiers := make([]core.Notifier, 0)
 	for k, v := range rs {
-		if !maps.GetValueAsBool(v, "enabled") {
+		if !xmaps.GetBool(v, "enabled") {
 			continue
 		}

-		notifier, err := createNotifier(domain.NotifyChannelType(k), v)
+		notifier, err := createNotifierProviderUseGlobalSettings(domain.NotifyChannelType(k), v)
 		if err != nil {
 			continue
 		}
--- a/internal/notify/providers.go
+++ b/internal/notify/providers.go
@@ -2,75 +2,181 @@ package notify

 import (
 	"fmt"
+	"net/http"

-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/pkg/core/notifier"
-	pBark "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/bark"
-	pDingTalk "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/dingtalk"
-	pEmail "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/email"
-	pLark "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/lark"
-	pServerChan "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/serverchan"
-	pTelegram "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/telegram"
-	pWebhook "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/webhook"
-	pWeCom "github.com/usual2970/certimate/internal/pkg/core/notifier/providers/wecom"
-	"github.com/usual2970/certimate/internal/pkg/utils/maps"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/pkg/core"
+	pDingTalkBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/dingtalkbot"
+	pDiscordBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/discordbot"
+	pEmail "github.com/certimate-go/certimate/pkg/core/notifier/providers/email"
+	pLarkBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/larkbot"
+	pMattermost "github.com/certimate-go/certimate/pkg/core/notifier/providers/mattermost"
+	pSlackBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/slackbot"
+	pTelegramBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/telegrambot"
+	pWebhook "github.com/certimate-go/certimate/pkg/core/notifier/providers/webhook"
+	pWeComBot "github.com/certimate-go/certimate/pkg/core/notifier/providers/wecombot"
+	xhttp "github.com/certimate-go/certimate/pkg/utils/http"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
 )

-func createNotifier(channel domain.NotifyChannelType, channelConfig map[string]any) (notifier.Notifier, error) {
+type notifierProviderOptions struct {
+	Provider              domain.NotificationProviderType
+	ProviderAccessConfig  map[string]any
+	ProviderServiceConfig map[string]any
+}
+
+func createNotifierProvider(options *notifierProviderOptions) (core.Notifier, error) {
 	/*
 	  注意：如果追加新的常量值，请保持以 ASCII 排序。
 	  NOTICE: If you add new constant, please keep ASCII order.
 	*/
-	switch channel {
-	case domain.NotifyChannelTypeBark:
-		return pBark.NewNotifier(&pBark.NotifierConfig{
-			DeviceKey: maps.GetValueAsString(channelConfig, "deviceKey"),
-			ServerUrl: maps.GetValueAsString(channelConfig, "serverUrl"),
-		})
+	switch options.Provider {
+	case domain.NotificationProviderTypeDingTalkBot:
+		{
+			access := domain.AccessConfigForDingTalkBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}

-	case domain.NotifyChannelTypeDingTalk:
-		return pDingTalk.NewNotifier(&pDingTalk.NotifierConfig{
-			AccessToken: maps.GetValueAsString(channelConfig, "accessToken"),
-			Secret:      maps.GetValueAsString(channelConfig, "secret"),
-		})
+			return pDingTalkBot.NewNotifierProvider(&pDingTalkBot.NotifierProviderConfig{
+				WebhookUrl: access.WebhookUrl,
+				Secret:     access.Secret,
+			})
+		}

-	case domain.NotifyChannelTypeEmail:
-		return pEmail.NewNotifier(&pEmail.NotifierConfig{
-			SmtpHost:        maps.GetValueAsString(channelConfig, "smtpHost"),
-			SmtpPort:        maps.GetValueAsInt32(channelConfig, "smtpPort"),
-			SmtpTLS:         maps.GetValueOrDefaultAsBool(channelConfig, "smtpTLS", true),
-			Username:        maps.GetValueOrDefaultAsString(channelConfig, "username", maps.GetValueAsString(channelConfig, "senderAddress")),
-			Password:        maps.GetValueAsString(channelConfig, "password"),
-			SenderAddress:   maps.GetValueAsString(channelConfig, "senderAddress"),
-			ReceiverAddress: maps.GetValueAsString(channelConfig, "receiverAddress"),
-		})
+	case domain.NotificationProviderTypeDiscordBot:
+		{
+			access := domain.AccessConfigForDiscordBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}

-	case domain.NotifyChannelTypeLark:
-		return pLark.NewNotifier(&pLark.NotifierConfig{
-			WebhookUrl: maps.GetValueAsString(channelConfig, "webhookUrl"),
-		})
+			return pDiscordBot.NewNotifierProvider(&pDiscordBot.NotifierProviderConfig{
+				BotToken:  access.BotToken,
+				ChannelId: xmaps.GetOrDefaultString(options.ProviderServiceConfig, "channelId", access.DefaultChannelId),
+			})
+		}

-	case domain.NotifyChannelTypeServerChan:
-		return pServerChan.NewNotifier(&pServerChan.NotifierConfig{
-			Url: maps.GetValueAsString(channelConfig, "url"),
-		})
+	case domain.NotificationProviderTypeEmail:
+		{
+			access := domain.AccessConfigForEmail{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}

-	case domain.NotifyChannelTypeTelegram:
-		return pTelegram.NewNotifier(&pTelegram.NotifierConfig{
-			ApiToken: maps.GetValueAsString(channelConfig, "apiToken"),
-			ChatId:   maps.GetValueAsInt64(channelConfig, "chatId"),
-		})
+			return pEmail.NewNotifierProvider(&pEmail.NotifierProviderConfig{
+				SmtpHost:        access.SmtpHost,
+				SmtpPort:        access.SmtpPort,
+				SmtpTls:         access.SmtpTls,
+				Username:        access.Username,
+				Password:        access.Password,
+				SenderAddress:   xmaps.GetOrDefaultString(options.ProviderServiceConfig, "senderAddress", access.DefaultSenderAddress),
+				SenderName:      xmaps.GetOrDefaultString(options.ProviderServiceConfig, "senderName", access.DefaultSenderName),
+				ReceiverAddress: xmaps.GetOrDefaultString(options.ProviderServiceConfig, "receiverAddress", access.DefaultReceiverAddress),
+			})
+		}

-	case domain.NotifyChannelTypeWebhook:
-		return pWebhook.NewNotifier(&pWebhook.NotifierConfig{
-			Url: maps.GetValueAsString(channelConfig, "url"),
-		})
+	case domain.NotificationProviderTypeLarkBot:
+		{
+			access := domain.AccessConfigForLarkBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}

-	case domain.NotifyChannelTypeWeCom:
-		return pWeCom.NewNotifier(&pWeCom.NotifierConfig{
-			WebhookUrl: maps.GetValueAsString(channelConfig, "webhookUrl"),
-		})
+			return pLarkBot.NewNotifierProvider(&pLarkBot.NotifierProviderConfig{
+				WebhookUrl: access.WebhookUrl,
+			})
+		}
+
+	case domain.NotificationProviderTypeMattermost:
+		{
+			access := domain.AccessConfigForMattermost{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			return pMattermost.NewNotifierProvider(&pMattermost.NotifierProviderConfig{
+				ServerUrl: access.ServerUrl,
+				Username:  access.Username,
+				Password:  access.Password,
+				ChannelId: xmaps.GetOrDefaultString(options.ProviderServiceConfig, "channelId", access.DefaultChannelId),
+			})
+		}
+
+	case domain.NotificationProviderTypeSlackBot:
+		{
+			access := domain.AccessConfigForSlackBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			return pSlackBot.NewNotifierProvider(&pSlackBot.NotifierProviderConfig{
+				BotToken:  access.BotToken,
+				ChannelId: xmaps.GetOrDefaultString(options.ProviderServiceConfig, "channelId", access.DefaultChannelId),
+			})
+		}
+
+	case domain.NotificationProviderTypeTelegramBot:
+		{
+			access := domain.AccessConfigForTelegramBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			return pTelegramBot.NewNotifierProvider(&pTelegramBot.NotifierProviderConfig{
+				BotToken: access.BotToken,
+				ChatId:   xmaps.GetOrDefaultInt64(options.ProviderServiceConfig, "chatId", access.DefaultChatId),
+			})
+		}
+
+	case domain.NotificationProviderTypeWebhook:
+		{
+			access := domain.AccessConfigForWebhook{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			mergedHeaders := make(map[string]string)
+			if defaultHeadersString := access.HeadersString; defaultHeadersString != "" {
+				h, err := xhttp.ParseHeaders(defaultHeadersString)
+				if err != nil {
+					return nil, fmt.Errorf("failed to parse webhook headers: %w", err)
+				}
+				for key := range h {
+					mergedHeaders[http.CanonicalHeaderKey(key)] = h.Get(key)
+				}
+			}
+			if extendedHeadersString := xmaps.GetString(options.ProviderServiceConfig, "headers"); extendedHeadersString != "" {
+				h, err := xhttp.ParseHeaders(extendedHeadersString)
+				if err != nil {
+					return nil, fmt.Errorf("failed to parse webhook headers: %w", err)
+				}
+				for key := range h {
+					mergedHeaders[http.CanonicalHeaderKey(key)] = h.Get(key)
+				}
+			}
+
+			return pWebhook.NewNotifierProvider(&pWebhook.NotifierProviderConfig{
+				WebhookUrl:               access.Url,
+				WebhookData:              xmaps.GetOrDefaultString(options.ProviderServiceConfig, "webhookData", access.DefaultDataForNotification),
+				Method:                   access.Method,
+				Headers:                  mergedHeaders,
+				AllowInsecureConnections: access.AllowInsecureConnections,
+			})
+		}
+
+	case domain.NotificationProviderTypeWeComBot:
+		{
+			access := domain.AccessConfigForWeComBot{}
+			if err := xmaps.Populate(options.ProviderAccessConfig, &access); err != nil {
+				return nil, fmt.Errorf("failed to populate provider access config: %w", err)
+			}
+
+			return pWeComBot.NewNotifierProvider(&pWeComBot.NotifierProviderConfig{
+				WebhookUrl: access.WebhookUrl,
+			})
+		}
 	}

-	return nil, fmt.Errorf("unsupported notifier channel: %s", channelConfig)
+	return nil, fmt.Errorf("unsupported notifier provider '%s'", options.Provider)
 }
--- a/internal/notify/providers_deprecated.go
+++ b/internal/notify/providers_deprecated.go
@@ -0,0 +1,108 @@
+package notify
+
+import (
+	"fmt"
+
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/pkg/core"
+	pBark "github.com/certimate-go/certimate/pkg/core/notifier/providers/bark"
+	pDingTalk "github.com/certimate-go/certimate/pkg/core/notifier/providers/dingtalkbot"
+	pEmail "github.com/certimate-go/certimate/pkg/core/notifier/providers/email"
+	pGotify "github.com/certimate-go/certimate/pkg/core/notifier/providers/gotify"
+	pLark "github.com/certimate-go/certimate/pkg/core/notifier/providers/larkbot"
+	pMattermost "github.com/certimate-go/certimate/pkg/core/notifier/providers/mattermost"
+	pPushover "github.com/certimate-go/certimate/pkg/core/notifier/providers/pushover"
+	pPushPlus "github.com/certimate-go/certimate/pkg/core/notifier/providers/pushplus"
+	pServerChan "github.com/certimate-go/certimate/pkg/core/notifier/providers/serverchan"
+	pTelegram "github.com/certimate-go/certimate/pkg/core/notifier/providers/telegrambot"
+	pWebhook "github.com/certimate-go/certimate/pkg/core/notifier/providers/webhook"
+	pWeCom "github.com/certimate-go/certimate/pkg/core/notifier/providers/wecombot"
+	xmaps "github.com/certimate-go/certimate/pkg/utils/maps"
+)
+
+// Deprecated: v0.4.x 将废弃
+func createNotifierProviderUseGlobalSettings(channel domain.NotifyChannelType, channelConfig map[string]any) (core.Notifier, error) {
+	/*
+	  注意：如果追加新的常量值，请保持以 ASCII 排序。
+	  NOTICE: If you add new constant, please keep ASCII order.
+	*/
+	switch channel {
+	case domain.NotifyChannelTypeBark:
+		return pBark.NewNotifierProvider(&pBark.NotifierProviderConfig{
+			DeviceKey: xmaps.GetString(channelConfig, "deviceKey"),
+			ServerUrl: xmaps.GetString(channelConfig, "serverUrl"),
+		})
+
+	case domain.NotifyChannelTypeDingTalk:
+		return pDingTalk.NewNotifierProvider(&pDingTalk.NotifierProviderConfig{
+			WebhookUrl: "https://oapi.dingtalk.com/robot/send?access_token=" + xmaps.GetString(channelConfig, "accessToken"),
+			Secret:     xmaps.GetString(channelConfig, "secret"),
+		})
+
+	case domain.NotifyChannelTypeEmail:
+		return pEmail.NewNotifierProvider(&pEmail.NotifierProviderConfig{
+			SmtpHost:        xmaps.GetString(channelConfig, "smtpHost"),
+			SmtpPort:        xmaps.GetInt32(channelConfig, "smtpPort"),
+			SmtpTls:         xmaps.GetOrDefaultBool(channelConfig, "smtpTLS", true),
+			Username:        xmaps.GetOrDefaultString(channelConfig, "username", xmaps.GetString(channelConfig, "senderAddress")),
+			Password:        xmaps.GetString(channelConfig, "password"),
+			SenderAddress:   xmaps.GetString(channelConfig, "senderAddress"),
+			ReceiverAddress: xmaps.GetString(channelConfig, "receiverAddress"),
+		})
+
+	case domain.NotifyChannelTypeGotify:
+		return pGotify.NewNotifierProvider(&pGotify.NotifierProviderConfig{
+			ServerUrl: xmaps.GetString(channelConfig, "url"),
+			Token:     xmaps.GetString(channelConfig, "token"),
+			Priority:  xmaps.GetOrDefaultInt64(channelConfig, "priority", 1),
+		})
+
+	case domain.NotifyChannelTypeLark:
+		return pLark.NewNotifierProvider(&pLark.NotifierProviderConfig{
+			WebhookUrl: xmaps.GetString(channelConfig, "webhookUrl"),
+		})
+
+	case domain.NotifyChannelTypeMattermost:
+		return pMattermost.NewNotifierProvider(&pMattermost.NotifierProviderConfig{
+			ServerUrl: xmaps.GetString(channelConfig, "serverUrl"),
+			ChannelId: xmaps.GetString(channelConfig, "channelId"),
+			Username:  xmaps.GetString(channelConfig, "username"),
+			Password:  xmaps.GetString(channelConfig, "password"),
+		})
+
+	case domain.NotifyChannelTypePushover:
+		return pPushover.NewNotifierProvider(&pPushover.NotifierProviderConfig{
+			Token: xmaps.GetString(channelConfig, "token"),
+			User:  xmaps.GetString(channelConfig, "user"),
+		})
+
+	case domain.NotifyChannelTypePushPlus:
+		return pPushPlus.NewNotifierProvider(&pPushPlus.NotifierProviderConfig{
+			Token: xmaps.GetString(channelConfig, "token"),
+		})
+
+	case domain.NotifyChannelTypeServerChan:
+		return pServerChan.NewNotifierProvider(&pServerChan.NotifierProviderConfig{
+			ServerUrl: xmaps.GetString(channelConfig, "url"),
+		})
+
+	case domain.NotifyChannelTypeTelegram:
+		return pTelegram.NewNotifierProvider(&pTelegram.NotifierProviderConfig{
+			BotToken: xmaps.GetString(channelConfig, "apiToken"),
+			ChatId:   xmaps.GetInt64(channelConfig, "chatId"),
+		})
+
+	case domain.NotifyChannelTypeWebhook:
+		return pWebhook.NewNotifierProvider(&pWebhook.NotifierProviderConfig{
+			WebhookUrl:               xmaps.GetString(channelConfig, "url"),
+			AllowInsecureConnections: xmaps.GetBool(channelConfig, "allowInsecureConnections"),
+		})
+
+	case domain.NotifyChannelTypeWeCom:
+		return pWeCom.NewNotifierProvider(&pWeCom.NotifierProviderConfig{
+			WebhookUrl: xmaps.GetString(channelConfig, "webhookUrl"),
+		})
+	}
+
+	return nil, fmt.Errorf("unsupported notifier channel '%s'", channelConfig)
+}
--- a/internal/notify/service.go
+++ b/internal/notify/service.go
@@ -4,29 +4,34 @@ import (
 	"context"
 	"fmt"

-	"github.com/usual2970/certimate/internal/domain"
-	"github.com/usual2970/certimate/internal/domain/dtos"
+	"github.com/certimate-go/certimate/internal/domain"
+	"github.com/certimate-go/certimate/internal/domain/dtos"
 )

+// Deprecated: v0.4.x 将废弃
 const (
 	notifyTestTitle = "测试通知"
 	notifyTestBody  = "欢迎使用 Certimate ，这是一条测试通知。"
 )

+// Deprecated: v0.4.x 将废弃
 type settingsRepository interface {
 	GetByName(ctx context.Context, name string) (*domain.Settings, error)
 }

+// Deprecated: v0.4.x 将废弃
 type NotifyService struct {
 	settingsRepo settingsRepository
 }

+// Deprecated: v0.4.x 将废弃
 func NewNotifyService(settingsRepo settingsRepository) *NotifyService {
 	return &NotifyService{
 		settingsRepo: settingsRepo,
 	}
 }

+// Deprecated: v0.4.x 将废弃
 func (n *NotifyService) Test(ctx context.Context, req *dtos.NotifyTestPushReq) error {
 	settings, err := n.settingsRepo.GetByName(ctx, "notifyChannels")
 	if err != nil {
--- a/internal/pkg/core/deployer/deployer.go
+++ b/internal/pkg/core/deployer/deployer.go
@@ -1,24 +0,0 @@
-package deployer
-
-import "context"
-
-// 表示定义证书部署器的抽象类型接口。
-// 注意与 `Uploader` 区分，“部署”通常为“上传”的后置操作。
-type Deployer interface {
-	// 部署证书。
-	//
-	// 入参：
-	//   - ctx：上下文。
-	//   - certPem：证书 PEM 内容。
-	//   - privkeyPem：私钥 PEM 内容。
-	//
-	// 出参：
-	//   - res：部署结果。
-	//   - err: 错误。
-	Deploy(ctx context.Context, certPem string, privkeyPem string) (res *DeployResult, err error)
-}
-
-// 表示证书部署结果的数据结构。
-type DeployResult struct {
-	ExtendedData map[string]any `json:"extendedData,omitempty"`
-}
--- a/internal/pkg/core/deployer/providers/aliyun-alb/aliyun_alb.go
+++ b/internal/pkg/core/deployer/providers/aliyun-alb/aliyun_alb.go
@@ -1,451 +0,0 @@
-package aliyunalb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-	"time"
-
-	aliyunAlb "github.com/alibabacloud-go/alb-20200616/v2/client"
-	aliyunCas "github.com/alibabacloud-go/cas-20200407/v3/client"
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-	"golang.org/x/exp/slices"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 负载均衡实例 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER] 时必填。
-	LoadbalancerId string `json:"loadbalancerId,omitempty"`
-	// 负载均衡监听 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LISTENER] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-	// SNI 域名（支持泛域名）。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER]、[RESOURCE_TYPE_LISTENER] 时选填。
-	Domain string `json:"domain,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClients  *wSdkClients
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-type wSdkClients struct {
-	alb *aliyunAlb.Client
-	cas *aliyunCas.Client
-}
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	clients, err := createSdkClients(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClients:  clients,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CAS
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_LOADBALANCER:
-		if err := d.deployToLoadbalancer(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-
-	// 查询负载均衡实例的详细信息
-	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-getloadbalancerattribute
-	getLoadBalancerAttributeReq := &aliyunAlb.GetLoadBalancerAttributeRequest{
-		LoadBalancerId: tea.String(d.config.LoadbalancerId),
-	}
-	getLoadBalancerAttributeResp, err := d.sdkClients.alb.GetLoadBalancerAttribute(getLoadBalancerAttributeReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'alb.GetLoadBalancerAttribute'")
-	}
-
-	d.logger.Logt("已查询到 ALB 负载均衡实例", getLoadBalancerAttributeResp)
-
-	// 查询 HTTPS 监听列表
-	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlisteners
-	listenerIds := make([]string, 0)
-	listListenersLimit := int32(100)
-	var listListenersToken *string = nil
-	for {
-		listListenersReq := &aliyunAlb.ListListenersRequest{
-			MaxResults:       tea.Int32(listListenersLimit),
-			NextToken:        listListenersToken,
-			LoadBalancerIds:  []*string{tea.String(d.config.LoadbalancerId)},
-			ListenerProtocol: tea.String("HTTPS"),
-		}
-		listListenersResp, err := d.sdkClients.alb.ListListeners(listListenersReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'alb.ListListeners'")
-		}
-
-		if listListenersResp.Body.Listeners != nil {
-			for _, listener := range listListenersResp.Body.Listeners {
-				listenerIds = append(listenerIds, *listener.ListenerId)
-			}
-		}
-
-		if len(listListenersResp.Body.Listeners) == 0 || listListenersResp.Body.NextToken == nil {
-			break
-		} else {
-			listListenersToken = listListenersResp.Body.NextToken
-		}
-	}
-
-	d.logger.Logt("已查询到 ALB 负载均衡实例下的全部 HTTPS 监听", listenerIds)
-
-	// 查询 QUIC 监听列表
-	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlisteners
-	listListenersToken = nil
-	for {
-		listListenersReq := &aliyunAlb.ListListenersRequest{
-			MaxResults:       tea.Int32(listListenersLimit),
-			NextToken:        listListenersToken,
-			LoadBalancerIds:  []*string{tea.String(d.config.LoadbalancerId)},
-			ListenerProtocol: tea.String("QUIC"),
-		}
-		listListenersResp, err := d.sdkClients.alb.ListListeners(listListenersReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'alb.ListListeners'")
-		}
-
-		if listListenersResp.Body.Listeners != nil {
-			for _, listener := range listListenersResp.Body.Listeners {
-				listenerIds = append(listenerIds, *listener.ListenerId)
-			}
-		}
-
-		if len(listListenersResp.Body.Listeners) == 0 || listListenersResp.Body.NextToken == nil {
-			break
-		} else {
-			listListenersToken = listListenersResp.Body.NextToken
-		}
-	}
-
-	d.logger.Logt("已查询到 ALB 负载均衡实例下的全部 QUIC 监听", listenerIds)
-
-	// 遍历更新监听证书
-	if len(listenerIds) == 0 {
-		return errors.New("listener not found")
-	} else {
-		var errs []error
-
-		for _, listenerId := range listenerIds {
-			if err := d.updateListenerCertificate(ctx, listenerId, cloudCertId); err != nil {
-				errs = append(errs, err)
-			}
-		}
-
-		if len(errs) > 0 {
-			return errors.Join(errs...)
-		}
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, cloudCertId string) error {
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 更新监听
-	if err := d.updateListenerCertificate(ctx, d.config.ListenerId, cloudCertId); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) updateListenerCertificate(ctx context.Context, cloudListenerId string, cloudCertId string) error {
-	// 查询监听的属性
-	// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-getlistenerattribute
-	getListenerAttributeReq := &aliyunAlb.GetListenerAttributeRequest{
-		ListenerId: tea.String(cloudListenerId),
-	}
-	getListenerAttributeResp, err := d.sdkClients.alb.GetListenerAttribute(getListenerAttributeReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'alb.GetListenerAttribute'")
-	}
-
-	d.logger.Logt("已查询到 ALB 监听配置", getListenerAttributeResp)
-
-	if d.config.Domain == "" {
-		// 未指定 SNI，只需部署到监听器
-
-		// 修改监听的属性
-		// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-updatelistenerattribute
-		updateListenerAttributeReq := &aliyunAlb.UpdateListenerAttributeRequest{
-			ListenerId: tea.String(cloudListenerId),
-			Certificates: []*aliyunAlb.UpdateListenerAttributeRequestCertificates{{
-				CertificateId: tea.String(cloudCertId),
-			}},
-		}
-		updateListenerAttributeResp, err := d.sdkClients.alb.UpdateListenerAttribute(updateListenerAttributeReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'alb.UpdateListenerAttribute'")
-		}
-
-		d.logger.Logt("已更新 ALB 监听配置", updateListenerAttributeResp)
-	} else {
-		// 指定 SNI，需部署到扩展域名
-
-		// 查询监听证书列表
-		// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlistenercertificates
-		listenerCertificates := make([]aliyunAlb.ListListenerCertificatesResponseBodyCertificates, 0)
-		listListenerCertificatesLimit := int32(100)
-		var listListenerCertificatesToken *string = nil
-		for {
-			listListenerCertificatesReq := &aliyunAlb.ListListenerCertificatesRequest{
-				NextToken:       listListenerCertificatesToken,
-				MaxResults:      tea.Int32(listListenerCertificatesLimit),
-				ListenerId:      tea.String(cloudListenerId),
-				CertificateType: tea.String("Server"),
-			}
-			listListenerCertificatesResp, err := d.sdkClients.alb.ListListenerCertificates(listListenerCertificatesReq)
-			if err != nil {
-				return xerrors.Wrap(err, "failed to execute sdk request 'alb.ListListenerCertificates'")
-			}
-
-			if listListenerCertificatesResp.Body.Certificates != nil {
-				for _, listenerCertificate := range listListenerCertificatesResp.Body.Certificates {
-					listenerCertificates = append(listenerCertificates, *listenerCertificate)
-				}
-			}
-
-			if len(listListenerCertificatesResp.Body.Certificates) == 0 || listListenerCertificatesResp.Body.NextToken == nil {
-				break
-			} else {
-				listListenerCertificatesToken = listListenerCertificatesResp.Body.NextToken
-			}
-		}
-
-		d.logger.Logt("已查询到 ALB 监听下全部证书", listenerCertificates)
-
-		// 遍历查询监听证书，并找出需要解除关联的证书
-		// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-listlistenercertificates
-		// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-getusercertificatedetail
-		certificateIsAssociated := false
-		certificateIdsExpired := make([]string, 0)
-		if len(listenerCertificates) > 0 {
-			var errs []error
-
-			for _, listenerCertificate := range listenerCertificates {
-				if *listenerCertificate.CertificateId == cloudCertId {
-					certificateIsAssociated = true
-					continue
-				}
-
-				if *listenerCertificate.IsDefault || !strings.EqualFold(*listenerCertificate.Status, "Associated") {
-					continue
-				}
-
-				listenerCertificateId, err := strconv.ParseInt(*listenerCertificate.CertificateId, 10, 64)
-				if err != nil {
-					errs = append(errs, err)
-					continue
-				}
-
-				getUserCertificateDetailReq := &aliyunCas.GetUserCertificateDetailRequest{
-					CertId: tea.Int64(listenerCertificateId),
-				}
-				getUserCertificateDetailResp, err := d.sdkClients.cas.GetUserCertificateDetail(getUserCertificateDetailReq)
-				if err != nil {
-					errs = append(errs, xerrors.Wrap(err, "failed to execute sdk request 'cas.GetUserCertificateDetail'"))
-					continue
-				}
-
-				certCnMatched := getUserCertificateDetailResp.Body.Common != nil && *getUserCertificateDetailResp.Body.Common == d.config.Domain
-				certSanMatched := getUserCertificateDetailResp.Body.Sans != nil && slices.Contains(strings.Split(*getUserCertificateDetailResp.Body.Sans, ","), d.config.Domain)
-				if !certCnMatched && !certSanMatched {
-					continue
-				}
-
-				certEndDate, _ := time.Parse("2006-01-02", *getUserCertificateDetailResp.Body.EndDate)
-				if time.Now().Before(certEndDate) {
-					continue
-				}
-
-				certificateIdsExpired = append(certificateIdsExpired, *listenerCertificate.CertificateId)
-			}
-
-			if len(errs) > 0 {
-				return errors.Join(errs...)
-			}
-		}
-
-		// 关联监听和扩展证书
-		// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-associateadditionalcertificateswithlistener
-		if !certificateIsAssociated {
-			associateAdditionalCertificatesFromListenerReq := &aliyunAlb.AssociateAdditionalCertificatesWithListenerRequest{
-				ListenerId: tea.String(cloudListenerId),
-				Certificates: []*aliyunAlb.AssociateAdditionalCertificatesWithListenerRequestCertificates{
-					{
-						CertificateId: tea.String(cloudCertId),
-					},
-				},
-			}
-			associateAdditionalCertificatesFromListenerResp, err := d.sdkClients.alb.AssociateAdditionalCertificatesWithListener(associateAdditionalCertificatesFromListenerReq)
-			if err != nil {
-				return xerrors.Wrap(err, "failed to execute sdk request 'alb.AssociateAdditionalCertificatesWithListener'")
-			}
-
-			d.logger.Logt("已关联 ALB 监听和扩展证书", associateAdditionalCertificatesFromListenerResp)
-		}
-
-		// 解除关联监听和扩展证书
-		// REF: https://help.aliyun.com/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-dissociateadditionalcertificatesfromlistener
-		if len(certificateIdsExpired) > 0 {
-			dissociateAdditionalCertificates := make([]*aliyunAlb.DissociateAdditionalCertificatesFromListenerRequestCertificates, 0)
-			for _, certificateId := range certificateIdsExpired {
-				dissociateAdditionalCertificates = append(dissociateAdditionalCertificates, &aliyunAlb.DissociateAdditionalCertificatesFromListenerRequestCertificates{
-					CertificateId: tea.String(certificateId),
-				})
-			}
-
-			dissociateAdditionalCertificatesFromListenerReq := &aliyunAlb.DissociateAdditionalCertificatesFromListenerRequest{
-				ListenerId:   tea.String(cloudListenerId),
-				Certificates: dissociateAdditionalCertificates,
-			}
-			dissociateAdditionalCertificatesFromListenerResp, err := d.sdkClients.alb.DissociateAdditionalCertificatesFromListener(dissociateAdditionalCertificatesFromListenerReq)
-			if err != nil {
-				return xerrors.Wrap(err, "failed to execute sdk request 'alb.DissociateAdditionalCertificatesFromListener'")
-			}
-
-			d.logger.Logt("已解除关联 ALB 监听和扩展证书", dissociateAdditionalCertificatesFromListenerResp)
-		}
-	}
-
-	return nil
-}
-
-func createSdkClients(accessKeyId, accessKeySecret, region string) (*wSdkClients, error) {
-	// 接入点一览 https://www.alibabacloud.com/help/zh/slb/application-load-balancer/developer-reference/api-alb-2020-06-16-albEndpoint
-	var albEndpoint string
-	switch region {
-	case "cn-hangzhou-finance":
-		albEndpoint = "alb.cn-hangzhou.aliyuncs.com"
-	default:
-		albEndpoint = fmt.Sprintf("alb.%s.aliyuncs.com", region)
-	}
-
-	albConfig := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(albEndpoint),
-	}
-	albClient, err := aliyunAlb.NewClient(albConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	// 接入点一览 https://help.aliyun.com/zh/ssl-certificate/developer-reference/endpoints
-	var casEndpoint string
-	if !strings.HasPrefix(region, "cn-") {
-		casEndpoint = "cas.ap-southeast-1.aliyuncs.com"
-	} else {
-		casEndpoint = "cas.aliyuncs.com"
-	}
-
-	casConfig := &aliyunOpen.Config{
-		Endpoint:        tea.String(casEndpoint),
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-	}
-	casClient, err := aliyunCas.NewClient(casConfig)
-	if err != nil {
-		return nil, err
-	}
-
-	return &wSdkClients{
-		alb: albClient,
-		cas: casClient,
-	}, nil
-}
-
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
-	casRegion := region
-	if casRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 ALB 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
-			casRegion = "ap-southeast-1"
-		} else {
-			casRegion = "cn-hangzhou"
-		}
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     accessKeyId,
-		AccessKeySecret: accessKeySecret,
-		Region:          casRegion,
-	})
-	return uploader, err
-}
--- a/internal/pkg/core/deployer/providers/aliyun-cas-deploy/aliyun_cas_deploy.go
+++ b/internal/pkg/core/deployer/providers/aliyun-cas-deploy/aliyun_cas_deploy.go
@@ -1,184 +0,0 @@
-package aliyuncasdeploy
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-	"time"
-
-	aliyunCas "github.com/alibabacloud-go/cas-20200407/v3/client"
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 阿里云云产品资源 ID 数组。
-	ResourceIds []string `json:"resourceIds"`
-	// 阿里云云联系人 ID 数组。
-	// 零值时默认使用账号下第一个联系人。
-	ContactIds []string `json:"contactIds"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *aliyunCas.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if len(d.config.ResourceIds) == 0 {
-		return nil, errors.New("config `resourceIds` is required")
-	}
-
-	// 上传证书到 CAS
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	contactIds := d.config.ContactIds
-	if len(contactIds) == 0 {
-		// 获取联系人列表
-		// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-listcontact
-		listContactReq := &aliyunCas.ListContactRequest{}
-		listContactReq.ShowSize = tea.Int32(1)
-		listContactReq.CurrentPage = tea.Int32(1)
-		listContactResp, err := d.sdkClient.ListContact(listContactReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cas.ListContact'")
-		}
-
-		if len(listContactResp.Body.ContactList) > 0 {
-			contactIds = []string{fmt.Sprintf("%d", listContactResp.Body.ContactList[0].ContactId)}
-		}
-	}
-
-	// 创建部署任务
-	// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-createdeploymentjob
-	createDeploymentJobReq := &aliyunCas.CreateDeploymentJobRequest{
-		Name:        tea.String(fmt.Sprintf("certimate-%d", time.Now().UnixMilli())),
-		JobType:     tea.String("user"),
-		CertIds:     tea.String(upres.CertId),
-		ResourceIds: tea.String(strings.Join(d.config.ResourceIds, ",")),
-		ContactIds:  tea.String(strings.Join(contactIds, ",")),
-	}
-	createDeploymentJobResp, err := d.sdkClient.CreateDeploymentJob(createDeploymentJobReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cas.CreateDeploymentJob'")
-	}
-
-	d.logger.Logt("已创建部署任务", createDeploymentJobResp)
-
-	// 循环获取部署任务详情，等待任务状态变更
-	// REF: https://help.aliyun.com/zh/ssl-certificate/developer-reference/api-cas-2020-04-07-describedeploymentjob
-	for {
-		if ctx.Err() != nil {
-			return nil, ctx.Err()
-		}
-
-		describeDeploymentJobReq := &aliyunCas.DescribeDeploymentJobRequest{
-			JobId: createDeploymentJobResp.Body.JobId,
-		}
-		describeDeploymentJobResp, err := d.sdkClient.DescribeDeploymentJob(describeDeploymentJobReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cas.DescribeDeploymentJob'")
-		}
-
-		if describeDeploymentJobResp.Body.Status == nil || *describeDeploymentJobResp.Body.Status == "editing" {
-			return nil, errors.New("部署任务状态异常")
-		}
-
-		if *describeDeploymentJobResp.Body.Status == "success" || *describeDeploymentJobResp.Body.Status == "error" {
-			d.logger.Logt("已获取部署任务详情", describeDeploymentJobResp)
-			break
-		}
-
-		d.logger.Logt("部署任务未完成 ...")
-		time.Sleep(time.Second * 5)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunCas.Client, error) {
-	if region == "" {
-		region = "cn-hangzhou" // CAS 服务默认区域：华东一杭州
-	}
-
-	// 接入点一览 https://help.aliyun.com/zh/ssl-certificate/developer-reference/endpoints
-	var endpoint string
-	switch region {
-	case "cn-hangzhou":
-		endpoint = "cas.aliyuncs.com"
-	default:
-		endpoint = fmt.Sprintf("cas.%s.aliyuncs.com", region)
-	}
-
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(endpoint),
-	}
-
-	client, err := aliyunCas.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
-
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     accessKeyId,
-		AccessKeySecret: accessKeySecret,
-		Region:          region,
-	})
-	return uploader, err
-}
--- a/internal/pkg/core/deployer/providers/aliyun-cdn/aliyun_cdn.go
+++ b/internal/pkg/core/deployer/providers/aliyun-cdn/aliyun_cdn.go
@@ -1,94 +0,0 @@
-package aliyuncdn
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	aliyunCdn "github.com/alibabacloud-go/cdn-20180510/v5/client"
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *aliyunCdn.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// "*.example.com" → ".example.com"，适配阿里云 CDN 要求的泛域名格式
-	domain := strings.TrimPrefix(d.config.Domain, "*")
-
-	// 设置 CDN 域名域名证书
-	// REF: https://help.aliyun.com/zh/cdn/developer-reference/api-cdn-2018-05-10-setcdndomainsslcertificate
-	setCdnDomainSSLCertificateReq := &aliyunCdn.SetCdnDomainSSLCertificateRequest{
-		DomainName:  tea.String(domain),
-		CertName:    tea.String(fmt.Sprintf("certimate-%d", time.Now().UnixMilli())),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(certPem),
-		SSLPri:      tea.String(privkeyPem),
-	}
-	setCdnDomainSSLCertificateResp, err := d.sdkClient.SetCdnDomainSSLCertificate(setCdnDomainSSLCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.SetCdnDomainSSLCertificate'")
-	}
-
-	d.logger.Logt("已设置 CDN 域名证书", setCdnDomainSSLCertificateResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*aliyunCdn.Client, error) {
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String("cdn.aliyuncs.com"),
-	}
-
-	client, err := aliyunCdn.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/aliyun-dcdn/aliyun_dcdn.go
+++ b/internal/pkg/core/deployer/providers/aliyun-dcdn/aliyun_dcdn.go
@@ -1,94 +0,0 @@
-package aliyundcdn
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	aliyunDcdn "github.com/alibabacloud-go/dcdn-20180115/v3/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *aliyunDcdn.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// "*.example.com" → ".example.com"，适配阿里云 DCDN 要求的泛域名格式
-	domain := strings.TrimPrefix(d.config.Domain, "*")
-
-	// 配置域名证书
-	// REF: https://help.aliyun.com/zh/edge-security-acceleration/dcdn/developer-reference/api-dcdn-2018-01-15-setdcdndomainsslcertificate
-	setDcdnDomainSSLCertificateReq := &aliyunDcdn.SetDcdnDomainSSLCertificateRequest{
-		DomainName:  tea.String(domain),
-		CertName:    tea.String(fmt.Sprintf("certimate-%d", time.Now().UnixMilli())),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(certPem),
-		SSLPri:      tea.String(privkeyPem),
-	}
-	setDcdnDomainSSLCertificateResp, err := d.sdkClient.SetDcdnDomainSSLCertificate(setDcdnDomainSSLCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'dcdn.SetDcdnDomainSSLCertificate'")
-	}
-
-	d.logger.Logt("已配置 DCDN 域名证书", setDcdnDomainSSLCertificateResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*aliyunDcdn.Client, error) {
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String("dcdn.aliyuncs.com"),
-	}
-
-	client, err := aliyunDcdn.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/aliyun-esa/aliyun_esa.go
+++ b/internal/pkg/core/deployer/providers/aliyun-esa/aliyun_esa.go
@@ -1,135 +0,0 @@
-package aliyunesa
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	aliyunEsa "github.com/alibabacloud-go/esa-20240910/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 阿里云 ESA 站点 ID。
-	SiteId int64 `json:"siteId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *aliyunEsa.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.SiteId == 0 {
-		return nil, errors.New("config `siteId` is required")
-	}
-
-	// 上传证书到 CAS
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 配置站点证书
-	// REF: https://help.aliyun.com/zh/edge-security-acceleration/esa/api-esa-2024-09-10-setcertificate
-	certId, _ := strconv.ParseInt(upres.CertId, 10, 64)
-	setCertificateReq := &aliyunEsa.SetCertificateRequest{
-		SiteId: tea.Int64(d.config.SiteId),
-		Type:   tea.String("cas"),
-		CasId:  tea.Int64(certId),
-	}
-	setCertificateResp, err := d.sdkClient.SetCertificate(setCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'esa.SetCertificate'")
-	}
-
-	d.logger.Logt("已配置站点证书", setCertificateResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunEsa.Client, error) {
-	// 接入点一览 https://help.aliyun.com/zh/edge-security-acceleration/esa/api-esa-2024-09-10-endpoint
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(fmt.Sprintf("esa.%s.aliyuncs.com", region)),
-	}
-
-	client, err := aliyunEsa.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
-
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
-	casRegion := region
-	if casRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 ESA 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
-			casRegion = "ap-southeast-1"
-		} else {
-			casRegion = "cn-hangzhou"
-		}
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     accessKeyId,
-		AccessKeySecret: accessKeySecret,
-		Region:          casRegion,
-	})
-	return uploader, err
-}
--- a/internal/pkg/core/deployer/providers/aliyun-live/aliyun_live.go
+++ b/internal/pkg/core/deployer/providers/aliyun-live/aliyun_live.go
@@ -1,112 +0,0 @@
-package aliyunlive
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	aliyunLive "github.com/alibabacloud-go/live-20161101/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 直播流域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *aliyunLive.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// "*.example.com" → ".example.com"，适配阿里云 Live 要求的泛域名格式
-	domain := strings.TrimPrefix(d.config.Domain, "*")
-
-	// 设置域名证书
-	// REF: https://help.aliyun.com/zh/live/developer-reference/api-live-2016-11-01-setlivedomaincertificate
-	setLiveDomainSSLCertificateReq := &aliyunLive.SetLiveDomainCertificateRequest{
-		DomainName:  tea.String(domain),
-		CertName:    tea.String(fmt.Sprintf("certimate-%d", time.Now().UnixMilli())),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(certPem),
-		SSLPri:      tea.String(privkeyPem),
-	}
-	setLiveDomainSSLCertificateResp, err := d.sdkClient.SetLiveDomainCertificate(setLiveDomainSSLCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.SetLiveDomainCertificate'")
-	}
-
-	d.logger.Logt("已设置域名证书", setLiveDomainSSLCertificateResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunLive.Client, error) {
-	// 接入点一览 https://help.aliyun.com/zh/live/developer-reference/api-live-2016-11-01-endpoint
-	var endpoint string
-	switch region {
-	case
-		"cn-qingdao",
-		"cn-beijing",
-		"cn-shanghai",
-		"cn-shenzhen",
-		"ap-northeast-1",
-		"ap-southeast-5",
-		"me-central-1":
-		endpoint = "live.aliyuncs.com"
-	default:
-		endpoint = fmt.Sprintf("live.%s.aliyuncs.com", region)
-	}
-
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(endpoint),
-	}
-
-	client, err := aliyunLive.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/aliyun-nlb/aliyun_nlb.go
+++ b/internal/pkg/core/deployer/providers/aliyun-nlb/aliyun_nlb.go
@@ -1,254 +0,0 @@
-package aliyunnlb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	aliyunNlb "github.com/alibabacloud-go/nlb-20220430/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 负载均衡实例 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER] 时必填。
-	LoadbalancerId string `json:"loadbalancerId,omitempty"`
-	// 负载均衡监听 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LISTENER] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *aliyunNlb.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CAS
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_LOADBALANCER:
-		if err := d.deployToLoadbalancer(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-
-	// 查询负载均衡实例的详细信息
-	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-getloadbalancerattribute
-	getLoadBalancerAttributeReq := &aliyunNlb.GetLoadBalancerAttributeRequest{
-		LoadBalancerId: tea.String(d.config.LoadbalancerId),
-	}
-	getLoadBalancerAttributeResp, err := d.sdkClient.GetLoadBalancerAttribute(getLoadBalancerAttributeReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'nlb.GetLoadBalancerAttribute'")
-	}
-
-	d.logger.Logt("已查询到 NLB 负载均衡实例", getLoadBalancerAttributeResp)
-
-	// 查询 TCPSSL 监听列表
-	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-listlisteners
-	listenerIds := make([]string, 0)
-	listListenersLimit := int32(100)
-	var listListenersToken *string = nil
-	for {
-		listListenersReq := &aliyunNlb.ListListenersRequest{
-			MaxResults:       tea.Int32(listListenersLimit),
-			NextToken:        listListenersToken,
-			LoadBalancerIds:  []*string{tea.String(d.config.LoadbalancerId)},
-			ListenerProtocol: tea.String("TCPSSL"),
-		}
-		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'nlb.ListListeners'")
-		}
-
-		if listListenersResp.Body.Listeners != nil {
-			for _, listener := range listListenersResp.Body.Listeners {
-				listenerIds = append(listenerIds, *listener.ListenerId)
-			}
-		}
-
-		if len(listListenersResp.Body.Listeners) == 0 || listListenersResp.Body.NextToken == nil {
-			break
-		} else {
-			listListenersToken = listListenersResp.Body.NextToken
-		}
-	}
-
-	d.logger.Logt("已查询到 NLB 负载均衡实例下的全部 TCPSSL 监听", listenerIds)
-
-	// 遍历更新监听证书
-	if len(listenerIds) == 0 {
-		return errors.New("listener not found")
-	} else {
-		var errs []error
-
-		for _, listenerId := range listenerIds {
-			if err := d.updateListenerCertificate(ctx, listenerId, cloudCertId); err != nil {
-				errs = append(errs, err)
-			}
-		}
-
-		if len(errs) > 0 {
-			return errors.Join(errs...)
-		}
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, cloudCertId string) error {
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 更新监听
-	if err := d.updateListenerCertificate(ctx, d.config.ListenerId, cloudCertId); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) updateListenerCertificate(ctx context.Context, cloudListenerId string, cloudCertId string) error {
-	// 查询监听的属性
-	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-getlistenerattribute
-	getListenerAttributeReq := &aliyunNlb.GetListenerAttributeRequest{
-		ListenerId: tea.String(cloudListenerId),
-	}
-	getListenerAttributeResp, err := d.sdkClient.GetListenerAttribute(getListenerAttributeReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'nlb.GetListenerAttribute'")
-	}
-
-	d.logger.Logt("已查询到 NLB 监听配置", getListenerAttributeResp)
-
-	// 修改监听的属性
-	// REF: https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-updatelistenerattribute
-	updateListenerAttributeReq := &aliyunNlb.UpdateListenerAttributeRequest{
-		ListenerId:     tea.String(cloudListenerId),
-		CertificateIds: []*string{tea.String(cloudCertId)},
-	}
-	updateListenerAttributeResp, err := d.sdkClient.UpdateListenerAttribute(updateListenerAttributeReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'nlb.UpdateListenerAttribute'")
-	}
-
-	d.logger.Logt("已更新 NLB 监听配置", updateListenerAttributeResp)
-
-	return nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunNlb.Client, error) {
-	// 接入点一览 https://help.aliyun.com/zh/slb/network-load-balancer/developer-reference/api-nlb-2022-04-30-endpoint
-	var endpoint string
-	switch region {
-	default:
-		endpoint = fmt.Sprintf("nlb.%s.aliyuncs.com", region)
-	}
-
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(endpoint),
-	}
-
-	client, err := aliyunNlb.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
-
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
-	casRegion := region
-	if casRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 NLB 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
-			casRegion = "ap-southeast-1"
-		} else {
-			casRegion = "cn-hangzhou"
-		}
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     accessKeyId,
-		AccessKeySecret: accessKeySecret,
-		Region:          casRegion,
-	})
-	return uploader, err
-}
--- a/internal/pkg/core/deployer/providers/aliyun-vod/aliyun_vod.go
+++ b/internal/pkg/core/deployer/providers/aliyun-vod/aliyun_vod.go
@@ -1,95 +0,0 @@
-package aliyunvod
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	aliyunVod "github.com/alibabacloud-go/vod-20170321/v4/client"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 点播加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *aliyunVod.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 设置域名证书
-	// REF: https://help.aliyun.com/zh/vod/developer-reference/api-vod-2017-03-21-setvoddomainsslcertificate
-	setVodDomainSSLCertificateReq := &aliyunVod.SetVodDomainSSLCertificateRequest{
-		DomainName:  tea.String(d.config.Domain),
-		CertName:    tea.String(fmt.Sprintf("certimate-%d", time.Now().UnixMilli())),
-		CertType:    tea.String("upload"),
-		SSLProtocol: tea.String("on"),
-		SSLPub:      tea.String(certPem),
-		SSLPri:      tea.String(privkeyPem),
-	}
-	setVodDomainSSLCertificateResp, err := d.sdkClient.SetVodDomainSSLCertificate(setVodDomainSSLCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.SetVodDomainSSLCertificate'")
-	} else {
-		d.logger.Logt("已设置域名证书", setVodDomainSSLCertificateResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunVod.Client, error) {
-	// 接入点一览 https://help.aliyun.com/zh/vod/developer-reference/api-vod-2017-03-21-endpoint
-	endpoint := fmt.Sprintf("vod.%s.aliyuncs.com", region)
-
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(endpoint),
-	}
-
-	client, err := aliyunVod.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf.go
+++ b/internal/pkg/core/deployer/providers/aliyun-waf/aliyun_waf.go
@@ -1,148 +0,0 @@
-package aliyunwaf
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	aliyunOpen "github.com/alibabacloud-go/darabonba-openapi/v2/client"
-	"github.com/alibabacloud-go/tea/tea"
-	aliyunWaf "github.com/alibabacloud-go/waf-openapi-20211001/v5/client"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aliyun-cas"
-)
-
-type DeployerConfig struct {
-	// 阿里云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 阿里云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 阿里云地域。
-	Region string `json:"region"`
-	// 阿里云 WAF 实例 ID。
-	InstanceId string `json:"instanceId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *aliyunWaf.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := createSslUploader(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.InstanceId == "" {
-		return nil, errors.New("config `instanceId` is required")
-	}
-
-	// 上传证书到 CAS
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 查询默认 SSL/TLS 设置
-	// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-describedefaulthttps
-	describeDefaultHttpsReq := &aliyunWaf.DescribeDefaultHttpsRequest{
-		InstanceId: tea.String(d.config.InstanceId),
-		RegionId:   tea.String(d.config.Region),
-	}
-	describeDefaultHttpsResp, err := d.sdkClient.DescribeDefaultHttps(describeDefaultHttpsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.DescribeDefaultHttps'")
-	}
-
-	d.logger.Logt("已查询到默认 SSL/TLS 设置", describeDefaultHttpsResp)
-
-	// 修改默认 SSL/TLS 设置
-	// REF: https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-modifydefaulthttps
-	modifyDefaultHttpsReq := &aliyunWaf.ModifyDefaultHttpsRequest{
-		InstanceId:  tea.String(d.config.InstanceId),
-		RegionId:    tea.String(d.config.Region),
-		CertId:      tea.String(upres.CertId),
-		TLSVersion:  describeDefaultHttpsResp.Body.DefaultHttps.TLSVersion,
-		EnableTLSv3: describeDefaultHttpsResp.Body.DefaultHttps.EnableTLSv3,
-	}
-	modifyDefaultHttpsResp, err := d.sdkClient.ModifyDefaultHttps(modifyDefaultHttpsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.ModifyDefaultHttps'")
-	}
-
-	d.logger.Logt("已修改默认 SSL/TLS 设置", modifyDefaultHttpsResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*aliyunWaf.Client, error) {
-	// 接入点一览：https://help.aliyun.com/zh/waf/web-application-firewall-3-0/developer-reference/api-waf-openapi-2021-10-01-endpoint
-	config := &aliyunOpen.Config{
-		AccessKeyId:     tea.String(accessKeyId),
-		AccessKeySecret: tea.String(accessKeySecret),
-		Endpoint:        tea.String(fmt.Sprintf("wafopenapi.%s.aliyuncs.com", region)),
-	}
-
-	client, err := aliyunWaf.NewClient(config)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
-
-func createSslUploader(accessKeyId, accessKeySecret, region string) (uploader.Uploader, error) {
-	casRegion := region
-	if casRegion != "" {
-		// 阿里云 CAS 服务接入点是独立于 WAF 服务的
-		// 国内版固定接入点：华东一杭州
-		// 国际版固定接入点：亚太东南一新加坡
-		if casRegion != "" && !strings.HasPrefix(casRegion, "cn-") {
-			casRegion = "ap-southeast-1"
-		} else {
-			casRegion = "cn-hangzhou"
-		}
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     accessKeyId,
-		AccessKeySecret: accessKeySecret,
-		Region:          casRegion,
-	})
-	return uploader, err
-}
--- a/internal/pkg/core/deployer/providers/aws-cloudfront/aws_cloudfront.go
+++ b/internal/pkg/core/deployer/providers/aws-cloudfront/aws_cloudfront.go
@@ -1,130 +0,0 @@
-package awscloudfront
-
-import (
-	"context"
-	"errors"
-
-	aws "github.com/aws/aws-sdk-go-v2/aws"
-	awsCfg "github.com/aws/aws-sdk-go-v2/config"
-	awsCred "github.com/aws/aws-sdk-go-v2/credentials"
-	awsCf "github.com/aws/aws-sdk-go-v2/service/cloudfront"
-	awsCfTypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/aws-acm"
-)
-
-type DeployerConfig struct {
-	// AWS AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// AWS SecretAccessKey。
-	SecretAccessKey string `json:"secretAccessKey"`
-	// AWS 区域。
-	Region string `json:"region"`
-	// AWS CloudFront 分配 ID。
-	DistributionId string `json:"distributionId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *awsCf.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.SecretAccessKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.DistributionId == "" {
-		return nil, errors.New("config `distribuitionId` is required")
-	}
-
-	// 上传证书到 ACM
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 获取分配配置
-	// REF: https://docs.aws.amazon.com/en_us/cloudfront/latest/APIReference/API_GetDistributionConfig.html
-	getDistributionConfigReq := &awsCf.GetDistributionConfigInput{
-		Id: aws.String(d.config.DistributionId),
-	}
-	getDistributionConfigResp, err := d.sdkClient.GetDistributionConfig(context.TODO(), getDistributionConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cloudfront.GetDistributionConfig'")
-	}
-
-	d.logger.Logt("已获取分配配置", getDistributionConfigResp)
-
-	// 更新分配配置
-	// REF: https://docs.aws.amazon.com/zh_cn/cloudfront/latest/APIReference/API_UpdateDistribution.html
-	updateDistributionReq := &awsCf.UpdateDistributionInput{
-		Id:                 aws.String(d.config.DistributionId),
-		DistributionConfig: getDistributionConfigResp.DistributionConfig,
-		IfMatch:            getDistributionConfigResp.ETag,
-	}
-	if updateDistributionReq.DistributionConfig.ViewerCertificate == nil {
-		updateDistributionReq.DistributionConfig.ViewerCertificate = &awsCfTypes.ViewerCertificate{}
-	}
-	updateDistributionReq.DistributionConfig.ViewerCertificate.CloudFrontDefaultCertificate = aws.Bool(false)
-	updateDistributionReq.DistributionConfig.ViewerCertificate.ACMCertificateArn = aws.String(upres.CertId)
-	updateDistributionResp, err := d.sdkClient.UpdateDistribution(context.TODO(), updateDistributionReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cloudfront.UpdateDistribution'")
-	}
-
-	d.logger.Logt("已更新分配配置", updateDistributionResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, secretAccessKey, region string) (*awsCf.Client, error) {
-	cfg, err := awsCfg.LoadDefaultConfig(context.TODO())
-	if err != nil {
-		return nil, err
-	}
-
-	client := awsCf.NewFromConfig(cfg, func(o *awsCf.Options) {
-		o.Region = region
-		o.Credentials = aws.NewCredentialsCache(awsCred.NewStaticCredentialsProvider(accessKeyId, secretAccessKey, ""))
-	})
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/baiducloud-cdn/baiducloud_cdn.go
+++ b/internal/pkg/core/deployer/providers/baiducloud-cdn/baiducloud_cdn.go
@@ -1,83 +0,0 @@
-package baiducloudcdn
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	bceCdn "github.com/baidubce/bce-sdk-go/services/cdn"
-	bceCdnApi "github.com/baidubce/bce-sdk-go/services/cdn/api"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 百度智能云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 百度智能云 SecretAccessKey。
-	SecretAccessKey string `json:"secretAccessKey"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *bceCdn.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.SecretAccessKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 修改域名证书
-	// REF: https://cloud.baidu.com/doc/CDN/s/qjzuz2hp8
-	putCertResp, err := d.sdkClient.PutCert(
-		d.config.Domain,
-		&bceCdnApi.UserCertificate{
-			CertName:    fmt.Sprintf("certimate-%d", time.Now().UnixMilli()),
-			ServerData:  certPem,
-			PrivateData: privkeyPem,
-		},
-		"ON",
-	)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.PutCert'")
-	}
-
-	d.logger.Logt("已修改域名证书", putCertResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, secretAccessKey string) (*bceCdn.Client, error) {
-	client, err := bceCdn.NewClient(accessKeyId, secretAccessKey, "")
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/baishan-cdn/baishan_cdn.go
+++ b/internal/pkg/core/deployer/providers/baishan-cdn/baishan_cdn.go
@@ -1,117 +0,0 @@
-package baishancdn
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	bssdk "github.com/usual2970/certimate/internal/pkg/vendors/baishan-sdk"
-)
-
-type DeployerConfig struct {
-	// 白山云 API Token。
-	ApiToken string `json:"apiToken"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *bssdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiToken)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.Domain == "" {
-		return nil, errors.New("config `domain` is required")
-	}
-
-	// 查询域名配置
-	// REF: https://portal.baishancloud.com/track/document/api/1/1065
-	getDomainConfigReq := &bssdk.GetDomainConfigRequest{
-		Domains: d.config.Domain,
-		Config:  "https",
-	}
-	getDomainConfigResp, err := d.sdkClient.GetDomainConfig(getDomainConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'baishan.GetDomainConfig'")
-	} else if len(getDomainConfigResp.Data) == 0 {
-		return nil, errors.New("domain config not found")
-	} else {
-		d.logger.Logt("已查询到域名配置", getDomainConfigResp)
-	}
-
-	// 新增证书
-	// REF: https://portal.baishancloud.com/track/document/downloadPdf/1441
-	createCertificateReq := &bssdk.CreateCertificateRequest{
-		Certificate: certPem,
-		Key:         privkeyPem,
-		Name:        fmt.Sprintf("certimate_%d", time.Now().UnixMilli()),
-	}
-	createCertificateResp, err := d.sdkClient.CreateCertificate(createCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'baishan.CreateCertificate'")
-	} else {
-		d.logger.Logt("已新增证书", createCertificateResp)
-	}
-
-	// 设置域名配置
-	// REF: https://portal.baishancloud.com/track/document/api/1/1045
-	setDomainConfigReq := &bssdk.SetDomainConfigRequest{
-		Domains: d.config.Domain,
-		Config: &bssdk.DomainConfig{
-			Https: &bssdk.DomainConfigHttps{
-				CertId:      createCertificateResp.Data.CertId,
-				ForceHttps:  getDomainConfigResp.Data[0].Config.Https.ForceHttps,
-				EnableHttp2: getDomainConfigResp.Data[0].Config.Https.EnableHttp2,
-				EnableOcsp:  getDomainConfigResp.Data[0].Config.Https.EnableOcsp,
-			},
-		},
-	}
-	setDomainConfigResp, err := d.sdkClient.SetDomainConfig(setDomainConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'baishan.SetDomainConfig'")
-	} else {
-		d.logger.Logt("已设置域名配置", setDomainConfigResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(apiToken string) (*bssdk.Client, error) {
-	if apiToken == "" {
-		return nil, errors.New("invalid baishan api token")
-	}
-
-	client := bssdk.NewClient(apiToken)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/baotapanel-console/baotapanel_console.go
+++ b/internal/pkg/core/deployer/providers/baotapanel-console/baotapanel_console.go
@@ -1,93 +0,0 @@
-package baotapanelconsole
-
-import (
-	"context"
-	"errors"
-	"net/url"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	btsdk "github.com/usual2970/certimate/internal/pkg/vendors/btpanel-sdk"
-)
-
-type DeployerConfig struct {
-	// 宝塔面板地址。
-	ApiUrl string `json:"apiUrl"`
-	// 宝塔面板接口密钥。
-	ApiKey string `json:"apiKey"`
-	// 是否自动重启。
-	AutoRestart bool `json:"autoRestart"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *btsdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiUrl, config.ApiKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 设置面板 SSL 证书
-	configSavePanelSSLReq := &btsdk.ConfigSavePanelSSLRequest{
-		PrivateKey:  privkeyPem,
-		Certificate: certPem,
-	}
-	configSavePanelSSLResp, err := d.sdkClient.ConfigSavePanelSSL(configSavePanelSSLReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'bt.ConfigSavePanelSSL'")
-	} else {
-		d.logger.Logt("已设置面板 SSL 证书", configSavePanelSSLResp)
-	}
-
-	if d.config.AutoRestart {
-		// 重启面板
-		systemServiceAdminReq := &btsdk.SystemServiceAdminRequest{
-			Name: "nginx",
-			Type: "restart",
-		}
-		_, err := d.sdkClient.SystemServiceAdmin(systemServiceAdminReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'bt.SystemServiceAdmin'")
-		}
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(apiUrl, apiKey string) (*btsdk.Client, error) {
-	if _, err := url.Parse(apiUrl); err != nil {
-		return nil, errors.New("invalid baota api url")
-	}
-
-	if apiKey == "" {
-		return nil, errors.New("invalid baota api key")
-	}
-
-	client := btsdk.NewClient(apiUrl, apiKey)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/baotapanel-site/baotapanel_site.go
+++ b/internal/pkg/core/deployer/providers/baotapanel-site/baotapanel_site.go
@@ -1,136 +0,0 @@
-package baotapanelsite
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/utils/slices"
-	btsdk "github.com/usual2970/certimate/internal/pkg/vendors/btpanel-sdk"
-)
-
-type DeployerConfig struct {
-	// 宝塔面板地址。
-	ApiUrl string `json:"apiUrl"`
-	// 宝塔面板接口密钥。
-	ApiKey string `json:"apiKey"`
-	// 站点类型。
-	SiteType string `json:"siteType"`
-	// 站点名称（单个）。
-	SiteName string `json:"siteName,omitempty"`
-	// 站点名称（多个）。
-	SiteNames []string `json:"siteNames,omitempty"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *btsdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiUrl, config.ApiKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	switch d.config.SiteType {
-	case "php":
-		{
-			if d.config.SiteName == "" {
-				return nil, errors.New("config `siteName` is required")
-			}
-
-			// 设置站点 SSL 证书
-			siteSetSSLReq := &btsdk.SiteSetSSLRequest{
-				SiteName:    d.config.SiteName,
-				Type:        "0",
-				Certificate: certPem,
-				PrivateKey:  privkeyPem,
-			}
-			siteSetSSLResp, err := d.sdkClient.SiteSetSSL(siteSetSSLReq)
-			if err != nil {
-				return nil, xerrors.Wrap(err, "failed to execute sdk request 'bt.SiteSetSSL'")
-			} else {
-				d.logger.Logt("已设置站点证书", siteSetSSLResp)
-			}
-		}
-
-	case "other":
-		{
-			if len(d.config.SiteNames) == 0 {
-				return nil, errors.New("config `siteNames` is required")
-			}
-
-			// 上传证书
-			sslCertSaveCertReq := &btsdk.SSLCertSaveCertRequest{
-				Certificate: certPem,
-				PrivateKey:  privkeyPem,
-			}
-			sslCertSaveCertResp, err := d.sdkClient.SSLCertSaveCert(sslCertSaveCertReq)
-			if err != nil {
-				return nil, xerrors.Wrap(err, "failed to execute sdk request 'bt.SSLCertSaveCert'")
-			} else {
-				d.logger.Logt("已上传证书", sslCertSaveCertResp)
-			}
-
-			// 设置站点证书
-			sslSetBatchCertToSiteReq := &btsdk.SSLSetBatchCertToSiteRequest{
-				BatchInfo: slices.Map(d.config.SiteNames, func(siteName string) *btsdk.SSLSetBatchCertToSiteRequestBatchInfo {
-					return &btsdk.SSLSetBatchCertToSiteRequestBatchInfo{
-						SiteName: siteName,
-						SSLHash:  sslCertSaveCertResp.SSLHash,
-					}
-				}),
-			}
-			sslSetBatchCertToSiteResp, err := d.sdkClient.SSLSetBatchCertToSite(sslSetBatchCertToSiteReq)
-			if err != nil {
-				return nil, xerrors.Wrap(err, "failed to execute sdk request 'bt.SSLSetBatchCertToSite'")
-			} else {
-				d.logger.Logt("已设置站点证书", sslSetBatchCertToSiteResp)
-			}
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported site type: %s", d.config.SiteType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(apiUrl, apiKey string) (*btsdk.Client, error) {
-	if _, err := url.Parse(apiUrl); err != nil {
-		return nil, errors.New("invalid baota api url")
-	}
-
-	if apiKey == "" {
-		return nil, errors.New("invalid baota api key")
-	}
-
-	client := btsdk.NewClient(apiUrl, apiKey)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/byteplus-cdn/byteplus_cdn.go
+++ b/internal/pkg/core/deployer/providers/byteplus-cdn/byteplus_cdn.go
@@ -1,134 +0,0 @@
-package bytepluscdn
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	bpCdn "github.com/byteplus-sdk/byteplus-sdk-golang/service/cdn"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/byteplus-cdn"
-)
-
-type DeployerConfig struct {
-	// BytePlus AccessKey。
-	AccessKey string `json:"accessKey"`
-	// BytePlus SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *bpCdn.CDN
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := bpCdn.NewInstance()
-	client.Client.SetAccessKey(config.AccessKey)
-	client.Client.SetSecretKey(config.SecretKey)
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKey: config.AccessKey,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	domains := make([]string, 0)
-	if strings.HasPrefix(d.config.Domain, "*.") {
-		// 获取指定证书可关联的域名
-		// REF: https://docs.byteplus.com/en/docs/byteplus-cdn/reference-describecertconfig-9ea17
-		describeCertConfigReq := &bpCdn.DescribeCertConfigRequest{
-			CertId: upres.CertId,
-		}
-		describeCertConfigResp, err := d.sdkClient.DescribeCertConfig(describeCertConfigReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.DescribeCertConfig'")
-		}
-
-		if describeCertConfigResp.Result.CertNotConfig != nil {
-			for i := range describeCertConfigResp.Result.CertNotConfig {
-				domains = append(domains, describeCertConfigResp.Result.CertNotConfig[i].Domain)
-			}
-		}
-
-		if describeCertConfigResp.Result.OtherCertConfig != nil {
-			for i := range describeCertConfigResp.Result.OtherCertConfig {
-				domains = append(domains, describeCertConfigResp.Result.OtherCertConfig[i].Domain)
-			}
-		}
-
-		if len(domains) == 0 {
-			if len(describeCertConfigResp.Result.SpecifiedCertConfig) > 0 {
-				// 所有可关联的域名都配置了该证书，跳过部署
-			} else {
-				return nil, errors.New("domain not found")
-			}
-		}
-	} else {
-		domains = append(domains, d.config.Domain)
-	}
-
-	if len(domains) > 0 {
-		var errs []error
-
-		for _, domain := range domains {
-			// 关联证书与加速域名
-			// REF: https://docs.byteplus.com/en/docs/byteplus-cdn/reference-batchdeploycert
-			batchDeployCertReq := &bpCdn.BatchDeployCertRequest{
-				CertId: upres.CertId,
-				Domain: domain,
-			}
-			batchDeployCertResp, err := d.sdkClient.BatchDeployCert(batchDeployCertReq)
-			if err != nil {
-				errs = append(errs, err)
-			} else {
-				d.logger.Logt(fmt.Sprintf("已关联证书到域名 %s", domain), batchDeployCertResp)
-			}
-		}
-
-		if len(errs) > 0 {
-			return nil, errors.Join(errs...)
-		}
-	}
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/cachefly/cachefly.go
+++ b/internal/pkg/core/deployer/providers/cachefly/cachefly.go
@@ -1,72 +0,0 @@
-package cachefly
-
-import (
-	"context"
-	"errors"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	cfsdk "github.com/usual2970/certimate/internal/pkg/vendors/cachefly-sdk"
-)
-
-type DeployerConfig struct {
-	// CacheFly API Token。
-	ApiToken string `json:"apiToken"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *cfsdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiToken)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书
-	createCertificateReq := &cfsdk.CreateCertificateRequest{
-		Certificate:    certPem,
-		CertificateKey: privkeyPem,
-	}
-	createCertificateResp, err := d.sdkClient.CreateCertificate(createCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cachefly.CreateCertificate'")
-	} else {
-		d.logger.Logt("已上传证书", createCertificateResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(apiToken string) (*cfsdk.Client, error) {
-	if apiToken == "" {
-		return nil, errors.New("invalid cachefly api token")
-	}
-
-	client := cfsdk.NewClient(apiToken)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/cdnfly/cdnfly.go
+++ b/internal/pkg/core/deployer/providers/cdnfly/cdnfly.go
@@ -1,177 +0,0 @@
-package cdnfly
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/url"
-	"time"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	cfsdk "github.com/usual2970/certimate/internal/pkg/vendors/cdnfly-sdk"
-)
-
-type DeployerConfig struct {
-	// Cdnfly 地址。
-	ApiUrl string `json:"apiUrl"`
-	// Cdnfly 用户端 API Key。
-	ApiKey string `json:"apiKey"`
-	// Cdnfly 用户端 API Secret。
-	ApiSecret string `json:"apiSecret"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 网站 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_SITE] 时必填。
-	SiteId string `json:"siteId,omitempty"`
-	// 证书 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_CERTIFICATE] 时必填。
-	CertificateId string `json:"certificateId,omitempty"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *cfsdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiUrl, config.ApiKey, config.ApiSecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_SITE:
-		if err := d.deployToSite(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_CERTIFICATE:
-		if err := d.deployToCertificate(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToSite(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.SiteId == "" {
-		return errors.New("config `siteId` is required")
-	}
-
-	// 获取单个网站详情
-	// REF: https://doc.cdnfly.cn/wangzhanguanli-v1-sites.html#%E8%8E%B7%E5%8F%96%E5%8D%95%E4%B8%AA%E7%BD%91%E7%AB%99%E8%AF%A6%E6%83%85
-	getSiteReq := &cfsdk.GetSiteRequest{
-		Id: d.config.SiteId,
-	}
-	getSiteResp, err := d.sdkClient.GetSite(getSiteReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'cdnfly.GetSite'")
-	} else {
-		d.logger.Logt("已获取网站详情", getSiteResp)
-	}
-
-	// 添加单个证书
-	// REF: https://doc.cdnfly.cn/wangzhanzhengshu-v1-certs.html#%E6%B7%BB%E5%8A%A0%E5%8D%95%E4%B8%AA%E6%88%96%E5%A4%9A%E4%B8%AA%E8%AF%81%E4%B9%A6-%E5%A4%9A%E4%B8%AA%E8%AF%81%E4%B9%A6%E6%97%B6%E6%95%B0%E6%8D%AE%E6%A0%BC%E5%BC%8F%E4%B8%BA%E6%95%B0%E7%BB%84
-	createCertificateReq := &cfsdk.CreateCertificateRequest{
-		Name: fmt.Sprintf("certimate-%d", time.Now().UnixMilli()),
-		Type: "custom",
-		Cert: certPem,
-		Key:  privkeyPem,
-	}
-	createCertificateResp, err := d.sdkClient.CreateCertificate(createCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'cdnfly.CreateCertificate'")
-	} else {
-		d.logger.Logt("已添加证书", createCertificateResp)
-	}
-
-	// 修改单个网站
-	// REF: https://doc.cdnfly.cn/wangzhanguanli-v1-sites.html#%E4%BF%AE%E6%94%B9%E5%8D%95%E4%B8%AA%E7%BD%91%E7%AB%99
-	updateSiteHttpsListenMap := make(map[string]any)
-	_ = json.Unmarshal([]byte(getSiteResp.Data.HttpsListen), &updateSiteHttpsListenMap)
-	updateSiteHttpsListenMap["cert"] = createCertificateResp.Data
-	updateSiteHttpsListenData, _ := json.Marshal(updateSiteHttpsListenMap)
-	updateSiteHttpsListen := string(updateSiteHttpsListenData)
-	updateSiteReq := &cfsdk.UpdateSiteRequest{
-		Id:          d.config.SiteId,
-		HttpsListen: &updateSiteHttpsListen,
-	}
-	updateSiteResp, err := d.sdkClient.UpdateSite(updateSiteReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'cdnfly.UpdateSite'")
-	} else {
-		d.logger.Logt("已修改网站", updateSiteResp)
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.CertificateId == "" {
-		return errors.New("config `certificateId` is required")
-	}
-
-	// 修改单个证书
-	// REF: https://doc.cdnfly.cn/wangzhanzhengshu-v1-certs.html#%E4%BF%AE%E6%94%B9%E5%8D%95%E4%B8%AA%E8%AF%81%E4%B9%A6
-	updateCertificateType := "custom"
-	updateCertificateReq := &cfsdk.UpdateCertificateRequest{
-		Id:   d.config.CertificateId,
-		Type: &updateCertificateType,
-		Cert: &certPem,
-		Key:  &privkeyPem,
-	}
-	updateCertificateResp, err := d.sdkClient.UpdateCertificate(updateCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'cdnfly.UpdateCertificate'")
-	} else {
-		d.logger.Logt("已修改证书", updateCertificateResp)
-	}
-
-	return nil
-}
-
-func createSdkClient(apiUrl, apiKey, apiSecret string) (*cfsdk.Client, error) {
-	if _, err := url.Parse(apiUrl); err != nil {
-		return nil, errors.New("invalid cachefly api url")
-	}
-
-	if apiKey == "" {
-		return nil, errors.New("invalid cachefly api key")
-	}
-
-	if apiSecret == "" {
-		return nil, errors.New("invalid cachefly api secret")
-	}
-
-	client := cfsdk.NewClient(apiUrl, apiKey, apiSecret)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/dogecloud-cdn/dogecloud_cdn.go
+++ b/internal/pkg/core/deployer/providers/dogecloud-cdn/dogecloud_cdn.go
@@ -1,82 +0,0 @@
-package dogecloudcdn
-
-import (
-	"context"
-	"strconv"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/dogecloud"
-	dogesdk "github.com/usual2970/certimate/internal/pkg/vendors/dogecloud-sdk"
-)
-
-type DeployerConfig struct {
-	// 多吉云 AccessKey。
-	AccessKey string `json:"accessKey"`
-	// 多吉云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *dogesdk.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := dogesdk.NewClient(config.AccessKey, config.SecretKey)
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKey: config.AccessKey,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 绑定证书
-	// REF: https://docs.dogecloud.com/cdn/api-cert-bind
-	bindCdnCertId, _ := strconv.ParseInt(upres.CertId, 10, 64)
-	bindCdnCertResp, err := d.sdkClient.BindCdnCertWithDomain(bindCdnCertId, d.config.Domain)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.BindCdnCert'")
-	}
-
-	d.logger.Logt("已绑定证书", bindCdnCertResp)
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/edgio-applications/edgio_applications.go
+++ b/internal/pkg/core/deployer/providers/edgio-applications/edgio_applications.go
@@ -1,82 +0,0 @@
-package edgioapplications
-
-import (
-	"context"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-	edgsdk "github.com/usual2970/certimate/internal/pkg/vendors/edgio-sdk/applications/v7"
-	edgsdkDtos "github.com/usual2970/certimate/internal/pkg/vendors/edgio-sdk/applications/v7/dtos"
-)
-
-type DeployerConfig struct {
-	// Edgio ClientId。
-	ClientId string `json:"clientId"`
-	// Edgio ClientSecret。
-	ClientSecret string `json:"clientSecret"`
-	// Edgio 环境 ID。
-	EnvironmentId string `json:"environmentId"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *edgsdk.EdgioClient
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ClientId, config.ClientSecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 提取 Edgio 所需的服务端证书和中间证书内容
-	privateCertPem, intermediateCertPem, err := certs.ExtractCertificatesFromPEM(certPem)
-	if err != nil {
-		return nil, err
-	}
-
-	// 上传 TLS 证书
-	// REF: https://docs.edg.io/rest_api/#tag/tls-certs/operation/postConfigV01TlsCerts
-	uploadTlsCertReq := edgsdkDtos.UploadTlsCertRequest{
-		EnvironmentID:    d.config.EnvironmentId,
-		PrimaryCert:      privateCertPem,
-		IntermediateCert: intermediateCertPem,
-		PrivateKey:       privkeyPem,
-	}
-	uploadTlsCertResp, err := d.sdkClient.UploadTlsCert(uploadTlsCertReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'edgio.UploadTlsCert'")
-	}
-
-	d.logger.Logt("已上传 TLS 证书", uploadTlsCertResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(clientId, clientSecret string) (*edgsdk.EdgioClient, error) {
-	client := edgsdk.NewEdgioClient(clientId, clientSecret, "", "")
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/gcore-cdn/gcore_cdn.go
+++ b/internal/pkg/core/deployer/providers/gcore-cdn/gcore_cdn.go
@@ -1,124 +0,0 @@
-package gcorecdn
-
-import (
-	"context"
-	"errors"
-	"strconv"
-
-	gprovider "github.com/G-Core/gcorelabscdn-go/gcore/provider"
-	gresources "github.com/G-Core/gcorelabscdn-go/resources"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/gcore-cdn"
-	gcoresdk "github.com/usual2970/certimate/internal/pkg/vendors/gcore-sdk/common"
-)
-
-type DeployerConfig struct {
-	// Gcore API Token。
-	ApiToken string `json:"apiToken"`
-	// CDN 资源 ID。
-	ResourceId int64 `json:"resourceId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *gresources.Service
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiToken)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		ApiToken: config.ApiToken,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.ResourceId == 0 {
-		return nil, errors.New("config `resourceId` is required")
-	}
-
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 获取 CDN 资源详情
-	// REF: https://api.gcore.com/docs/cdn#tag/CDN-resources/paths/~1cdn~1resources~1%7Bresource_id%7D/get
-	getResourceResp, err := d.sdkClient.Get(context.TODO(), d.config.ResourceId)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'resources.Get'")
-	} else {
-		d.logger.Logt("已获取 CDN 资源详情", getResourceResp)
-	}
-
-	// 更新 CDN 资源详情
-	// REF: https://api.gcore.com/docs/cdn#tag/CDN-resources/operation/change_cdn_resource
-	updateResourceCertId, _ := strconv.ParseInt(upres.CertId, 10, 64)
-	updateResourceReq := &gresources.UpdateRequest{
-		Description:        getResourceResp.Description,
-		Active:             getResourceResp.Active,
-		OriginGroup:        int(getResourceResp.OriginGroup),
-		OriginProtocol:     getResourceResp.OriginProtocol,
-		SecondaryHostnames: getResourceResp.SecondaryHostnames,
-		SSlEnabled:         true,
-		SSLData:            int(updateResourceCertId),
-		ProxySSLEnabled:    getResourceResp.ProxySSLEnabled,
-		ProxySSLCA:         &getResourceResp.ProxySSLCA,
-		ProxySSLData:       &getResourceResp.ProxySSLData,
-		Options:            getResourceResp.Options,
-	}
-	updateResourceResp, err := d.sdkClient.Update(context.TODO(), d.config.ResourceId, updateResourceReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'resources.Update'")
-	} else {
-		d.logger.Logt("已更新 CDN 资源详情", updateResourceResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(apiToken string) (*gresources.Service, error) {
-	if apiToken == "" {
-		return nil, errors.New("invalid gcore api token")
-	}
-
-	requester := gprovider.NewClient(
-		gcoresdk.BASE_URL,
-		gprovider.WithSigner(gcoresdk.NewAuthRequestSigner(apiToken)),
-	)
-	service := gresources.NewService(requester)
-	return service, nil
-}
--- a/internal/pkg/core/deployer/providers/huaweicloud-cdn/huaweicloud_cdn.go
+++ b/internal/pkg/core/deployer/providers/huaweicloud-cdn/huaweicloud_cdn.go
@@ -1,184 +0,0 @@
-package huaweicloudcdn
-
-import (
-	"context"
-
-	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
-	hcCdn "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cdn/v2"
-	hcCdnModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cdn/v2/model"
-	hcCdnRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cdn/v2/region"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/huaweicloud-scm"
-	hwsdk "github.com/usual2970/certimate/internal/pkg/vendors/huaweicloud-sdk"
-)
-
-type DeployerConfig struct {
-	// 华为云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 华为云 SecretAccessKey。
-	SecretAccessKey string `json:"secretAccessKey"`
-	// 华为云区域。
-	Region string `json:"region"`
-	// 加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *hcCdn.CdnClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(
-		config.AccessKeyId,
-		config.SecretAccessKey,
-		config.Region,
-	)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SCM
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 查询加速域名配置
-	// REF: https://support.huaweicloud.com/api-cdn/ShowDomainFullConfig.html
-	showDomainFullConfigReq := &hcCdnModel.ShowDomainFullConfigRequest{
-		DomainName: d.config.Domain,
-	}
-	showDomainFullConfigResp, err := d.sdkClient.ShowDomainFullConfig(showDomainFullConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.ShowDomainFullConfig'")
-	}
-
-	d.logger.Logt("已查询到加速域名配置", showDomainFullConfigResp)
-
-	// 更新加速域名配置
-	// REF: https://support.huaweicloud.com/api-cdn/UpdateDomainMultiCertificates.html
-	// REF: https://support.huaweicloud.com/usermanual-cdn/cdn_01_0306.html
-	updateDomainMultiCertificatesReqBodyContent := &hcCdnModel.UpdateDomainMultiCertificatesRequestBodyContent{}
-	updateDomainMultiCertificatesReqBodyContent.DomainName = d.config.Domain
-	updateDomainMultiCertificatesReqBodyContent.HttpsSwitch = 1
-	updateDomainMultiCertificatesReqBodyContent.CertificateType = hwsdk.Int32Ptr(2)
-	updateDomainMultiCertificatesReqBodyContent.ScmCertificateId = hwsdk.StringPtr(upres.CertId)
-	updateDomainMultiCertificatesReqBodyContent.CertName = hwsdk.StringPtr(upres.CertName)
-	updateDomainMultiCertificatesReqBodyContent = assign(updateDomainMultiCertificatesReqBodyContent, showDomainFullConfigResp.Configs)
-	updateDomainMultiCertificatesReq := &hcCdnModel.UpdateDomainMultiCertificatesRequest{
-		Body: &hcCdnModel.UpdateDomainMultiCertificatesRequestBody{
-			Https: updateDomainMultiCertificatesReqBodyContent,
-		},
-	}
-	updateDomainMultiCertificatesResp, err := d.sdkClient.UpdateDomainMultiCertificates(updateDomainMultiCertificatesReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.UploadDomainMultiCertificates'")
-	}
-
-	d.logger.Logt("已更新加速域名配置", updateDomainMultiCertificatesResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, secretAccessKey, region string) (*hcCdn.CdnClient, error) {
-	if region == "" {
-		region = "cn-north-1" // CDN 服务默认区域：华北一北京
-	}
-
-	auth, err := global.NewCredentialsBuilder().
-		WithAk(accessKeyId).
-		WithSk(secretAccessKey).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	hcRegion, err := hcCdnRegion.SafeValueOf(region)
-	if err != nil {
-		return nil, err
-	}
-
-	hcClient, err := hcCdn.CdnClientBuilder().
-		WithRegion(hcRegion).
-		WithCredential(auth).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	client := hcCdn.NewCdnClient(hcClient)
-	return client, nil
-}
-
-func assign(reqContent *hcCdnModel.UpdateDomainMultiCertificatesRequestBodyContent, target *hcCdnModel.ConfigsGetBody) *hcCdnModel.UpdateDomainMultiCertificatesRequestBodyContent {
-	if target == nil {
-		return reqContent
-	}
-
-	// 华为云 API 中不传的字段表示使用默认值、而非保留原值，因此这里需要把原配置中的参数重新赋值回去。
-	// 而且蛋疼的是查询接口返回的数据结构和更新接口传入的参数结构不一致，需要做很多转化。
-
-	if *target.OriginProtocol == "follow" {
-		reqContent.AccessOriginWay = hwsdk.Int32Ptr(1)
-	} else if *target.OriginProtocol == "http" {
-		reqContent.AccessOriginWay = hwsdk.Int32Ptr(2)
-	} else if *target.OriginProtocol == "https" {
-		reqContent.AccessOriginWay = hwsdk.Int32Ptr(3)
-	}
-
-	if target.ForceRedirect != nil {
-		reqContent.ForceRedirectConfig = &hcCdnModel.ForceRedirect{}
-
-		if target.ForceRedirect.Status == "on" {
-			reqContent.ForceRedirectConfig.Switch = 1
-			reqContent.ForceRedirectConfig.RedirectType = target.ForceRedirect.Type
-		} else {
-			reqContent.ForceRedirectConfig.Switch = 0
-		}
-	}
-
-	if target.Https != nil {
-		if *target.Https.Http2Status == "on" {
-			reqContent.Http2 = hwsdk.Int32Ptr(1)
-		}
-	}
-
-	return reqContent
-}
--- a/internal/pkg/core/deployer/providers/huaweicloud-elb/huaweicloud_elb.go
+++ b/internal/pkg/core/deployer/providers/huaweicloud-elb/huaweicloud_elb.go
@@ -1,394 +0,0 @@
-package huaweicloudelb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
-	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
-	hcElb "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3"
-	hcElbModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3/model"
-	hcElbRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/elb/v3/region"
-	hcIam "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3"
-	hcIamModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3/model"
-	hcIamRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3/region"
-	xerrors "github.com/pkg/errors"
-	"golang.org/x/exp/slices"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/huaweicloud-elb"
-	hwsdk "github.com/usual2970/certimate/internal/pkg/vendors/huaweicloud-sdk"
-)
-
-type DeployerConfig struct {
-	// 华为云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 华为云 SecretAccessKey。
-	SecretAccessKey string `json:"secretAccessKey"`
-	// 华为云区域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 证书 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_CERTIFICATE] 时必填。
-	CertificateId string `json:"certificateId,omitempty"`
-	// 负载均衡器 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER] 时必填。
-	LoadbalancerId string `json:"loadbalancerId,omitempty"`
-	// 负载均衡监听 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LISTENER] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *hcElb.ElbClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.SecretAccessKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SCM
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_CERTIFICATE:
-		if err := d.deployToCertificate(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LOADBALANCER:
-		if err := d.deployToLoadbalancer(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.CertificateId == "" {
-		return errors.New("config `certificateId` is required")
-	}
-
-	// 更新证书
-	// REF: https://support.huaweicloud.com/api-elb/UpdateCertificate.html
-	updateCertificateReq := &hcElbModel.UpdateCertificateRequest{
-		CertificateId: d.config.CertificateId,
-		Body: &hcElbModel.UpdateCertificateRequestBody{
-			Certificate: &hcElbModel.UpdateCertificateOption{
-				Certificate: hwsdk.StringPtr(certPem),
-				PrivateKey:  hwsdk.StringPtr(privkeyPem),
-			},
-		},
-	}
-	updateCertificateResp, err := d.sdkClient.UpdateCertificate(updateCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'elb.UpdateCertificate'")
-	}
-
-	d.logger.Logt("已更新 ELB 证书", updateCertificateResp)
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-
-	// 查询负载均衡器详情
-	// REF: https://support.huaweicloud.com/api-elb/ShowLoadBalancer.html
-	showLoadBalancerReq := &hcElbModel.ShowLoadBalancerRequest{
-		LoadbalancerId: d.config.LoadbalancerId,
-	}
-	showLoadBalancerResp, err := d.sdkClient.ShowLoadBalancer(showLoadBalancerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'elb.ShowLoadBalancer'")
-	}
-
-	d.logger.Logt("已查询到 ELB 负载均衡器", showLoadBalancerResp)
-
-	// 查询监听器列表
-	// REF: https://support.huaweicloud.com/api-elb/ListListeners.html
-	listenerIds := make([]string, 0)
-	listListenersLimit := int32(2000)
-	var listListenersMarker *string = nil
-	for {
-		listListenersReq := &hcElbModel.ListListenersRequest{
-			Limit:          hwsdk.Int32Ptr(listListenersLimit),
-			Marker:         listListenersMarker,
-			Protocol:       &[]string{"HTTPS", "TERMINATED_HTTPS"},
-			LoadbalancerId: &[]string{showLoadBalancerResp.Loadbalancer.Id},
-		}
-		listListenersResp, err := d.sdkClient.ListListeners(listListenersReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'elb.ListListeners'")
-		}
-
-		if listListenersResp.Listeners != nil {
-			for _, listener := range *listListenersResp.Listeners {
-				listenerIds = append(listenerIds, listener.Id)
-			}
-		}
-
-		if listListenersResp.Listeners == nil || len(*listListenersResp.Listeners) < int(listListenersLimit) {
-			break
-		} else {
-			listListenersMarker = listListenersResp.PageInfo.NextMarker
-		}
-	}
-
-	d.logger.Logt("已查询到 ELB 负载均衡器下的监听器", listenerIds)
-
-	// 上传证书到 SCM
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 遍历更新监听器证书
-	if len(listenerIds) == 0 {
-		return errors.New("listener not found")
-	} else {
-		var errs []error
-
-		for _, listenerId := range listenerIds {
-			if err := d.modifyListenerCertificate(ctx, listenerId, upres.CertId); err != nil {
-				errs = append(errs, err)
-			}
-		}
-
-		if len(errs) > 0 {
-			return errors.Join(errs...)
-		}
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 上传证书到 SCM
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 更新监听器证书
-	if err := d.modifyListenerCertificate(ctx, d.config.ListenerId, upres.CertId); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) modifyListenerCertificate(ctx context.Context, cloudListenerId string, cloudCertId string) error {
-	// 查询监听器详情
-	// REF: https://support.huaweicloud.com/api-elb/ShowListener.html
-	showListenerReq := &hcElbModel.ShowListenerRequest{
-		ListenerId: cloudListenerId,
-	}
-	showListenerResp, err := d.sdkClient.ShowListener(showListenerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'elb.ShowListener'")
-	}
-
-	d.logger.Logt("已查询到 ELB 监听器", showListenerResp)
-
-	// 更新监听器
-	// REF: https://support.huaweicloud.com/api-elb/UpdateListener.html
-	updateListenerReq := &hcElbModel.UpdateListenerRequest{
-		ListenerId: cloudListenerId,
-		Body: &hcElbModel.UpdateListenerRequestBody{
-			Listener: &hcElbModel.UpdateListenerOption{
-				DefaultTlsContainerRef: hwsdk.StringPtr(cloudCertId),
-			},
-		},
-	}
-	if showListenerResp.Listener.SniContainerRefs != nil {
-		if len(showListenerResp.Listener.SniContainerRefs) > 0 {
-			// 如果开启 SNI，需替换同 SAN 的证书
-			sniCertIds := make([]string, 0)
-			sniCertIds = append(sniCertIds, cloudCertId)
-
-			listOldCertificateReq := &hcElbModel.ListCertificatesRequest{
-				Id: &showListenerResp.Listener.SniContainerRefs,
-			}
-			listOldCertificateResp, err := d.sdkClient.ListCertificates(listOldCertificateReq)
-			if err != nil {
-				return xerrors.Wrap(err, "failed to execute sdk request 'elb.ListCertificates'")
-			}
-
-			showNewCertificateReq := &hcElbModel.ShowCertificateRequest{
-				CertificateId: cloudCertId,
-			}
-			showNewCertificateResp, err := d.sdkClient.ShowCertificate(showNewCertificateReq)
-			if err != nil {
-				return xerrors.Wrap(err, "failed to execute sdk request 'elb.ShowCertificate'")
-			}
-
-			for _, certificate := range *listOldCertificateResp.Certificates {
-				oldCertificate := certificate
-				newCertificate := showNewCertificateResp.Certificate
-
-				if oldCertificate.SubjectAlternativeNames != nil && newCertificate.SubjectAlternativeNames != nil {
-					if slices.Equal(*oldCertificate.SubjectAlternativeNames, *newCertificate.SubjectAlternativeNames) {
-						continue
-					}
-				} else {
-					if oldCertificate.Domain == newCertificate.Domain {
-						continue
-					}
-				}
-
-				sniCertIds = append(sniCertIds, certificate.Id)
-			}
-
-			updateListenerReq.Body.Listener.SniContainerRefs = &sniCertIds
-		}
-
-		if showListenerResp.Listener.SniMatchAlgo != "" {
-			updateListenerReq.Body.Listener.SniMatchAlgo = hwsdk.StringPtr(showListenerResp.Listener.SniMatchAlgo)
-		}
-	}
-	updateListenerResp, err := d.sdkClient.UpdateListener(updateListenerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'elb.UpdateListener'")
-	}
-
-	d.logger.Logt("已更新 ELB 监听器", updateListenerResp)
-
-	return nil
-}
-
-func createSdkClient(accessKeyId, secretAccessKey, region string) (*hcElb.ElbClient, error) {
-	projectId, err := getSdkProjectId(accessKeyId, secretAccessKey, region)
-	if err != nil {
-		return nil, err
-	}
-
-	auth, err := basic.NewCredentialsBuilder().
-		WithAk(accessKeyId).
-		WithSk(secretAccessKey).
-		WithProjectId(projectId).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	hcRegion, err := hcElbRegion.SafeValueOf(region)
-	if err != nil {
-		return nil, err
-	}
-
-	hcClient, err := hcElb.ElbClientBuilder().
-		WithRegion(hcRegion).
-		WithCredential(auth).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	client := hcElb.NewElbClient(hcClient)
-	return client, nil
-}
-
-func getSdkProjectId(accessKeyId, secretAccessKey, region string) (string, error) {
-	if region == "" {
-		region = "cn-north-4" // IAM 服务默认区域：华北四北京
-	}
-
-	auth, err := global.NewCredentialsBuilder().
-		WithAk(accessKeyId).
-		WithSk(secretAccessKey).
-		SafeBuild()
-	if err != nil {
-		return "", err
-	}
-
-	hcRegion, err := hcIamRegion.SafeValueOf(region)
-	if err != nil {
-		return "", err
-	}
-
-	hcClient, err := hcIam.IamClientBuilder().
-		WithRegion(hcRegion).
-		WithCredential(auth).
-		SafeBuild()
-	if err != nil {
-		return "", err
-	}
-
-	client := hcIam.NewIamClient(hcClient)
-
-	request := &hcIamModel.KeystoneListProjectsRequest{
-		Name: &region,
-	}
-	response, err := client.KeystoneListProjects(request)
-	if err != nil {
-		return "", err
-	} else if response.Projects == nil || len(*response.Projects) == 0 {
-		return "", errors.New("no project found")
-	}
-
-	return (*response.Projects)[0].Id, nil
-}
--- a/internal/pkg/core/deployer/providers/huaweicloud-waf/huaweicloud_waf.go
+++ b/internal/pkg/core/deployer/providers/huaweicloud-waf/huaweicloud_waf.go
@@ -1,355 +0,0 @@
-package huaweicloudwaf
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
-	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/global"
-	hcIam "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3"
-	hcIamModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3/model"
-	hcIamRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/iam/v3/region"
-	hcWaf "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1"
-	hcWafModel "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/model"
-	hcWafRegion "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/region"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/huaweicloud-waf"
-	hwsdk "github.com/usual2970/certimate/internal/pkg/vendors/huaweicloud-sdk"
-)
-
-type DeployerConfig struct {
-	// 华为云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 华为云 SecretAccessKey。
-	SecretAccessKey string `json:"secretAccessKey"`
-	// 华为云区域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 证书 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_CERTIFICATE] 时必填。
-	CertificateId string `json:"certificateId,omitempty"`
-	// 防护域名（支持泛域名）。
-	// 部署资源类型为 [RESOURCE_TYPE_CLOUDSERVER]、[RESOURCE_TYPE_PREMIUMHOST] 时必填。
-	Domain string `json:"domain,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *hcWaf.WafClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.SecretAccessKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		SecretAccessKey: config.SecretAccessKey,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 WAF
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_CERTIFICATE:
-		if err := d.deployToCertificate(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_CLOUDSERVER:
-		if err := d.deployToCloudServer(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_PREMIUMHOST:
-		if err := d.deployToPremiumHost(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.CertificateId == "" {
-		return errors.New("config `certificateId` is required")
-	}
-
-	// 查询证书
-	// REF: https://support.huaweicloud.com/api-waf/ShowCertificate.html
-	showCertificateReq := &hcWafModel.ShowCertificateRequest{
-		CertificateId: d.config.CertificateId,
-	}
-	showCertificateResp, err := d.sdkClient.ShowCertificate(showCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'waf.ShowCertificate'")
-	} else {
-		d.logger.Logt("已获取 WAF 证书", showCertificateResp)
-	}
-
-	// 更新证书
-	// REF: https://support.huaweicloud.com/api-waf/UpdateCertificate.html
-	updateCertificateReq := &hcWafModel.UpdateCertificateRequest{
-		CertificateId: d.config.CertificateId,
-		Body: &hcWafModel.UpdateCertificateRequestBody{
-			Name:    *showCertificateResp.Name,
-			Content: hwsdk.StringPtr(certPem),
-			Key:     hwsdk.StringPtr(privkeyPem),
-		},
-	}
-	updateCertificateResp, err := d.sdkClient.UpdateCertificate(updateCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'waf.UpdateCertificate'")
-	} else {
-		d.logger.Logt("已更新 WAF 证书", updateCertificateResp)
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToCloudServer(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.Domain == "" {
-		return errors.New("config `domain` is required")
-	}
-
-	// 上传证书到 WAF
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 遍历查询云模式防护域名列表，获取防护域名 ID
-	// REF: https://support.huaweicloud.com/api-waf/ListHost.html
-	hostId := ""
-	listHostPage := int32(1)
-	listHostPageSize := int32(100)
-	for {
-		listHostReq := &hcWafModel.ListHostRequest{
-			Hostname: hwsdk.StringPtr(strings.TrimPrefix(d.config.Domain, "*")),
-			Page:     hwsdk.Int32Ptr(listHostPage),
-			Pagesize: hwsdk.Int32Ptr(listHostPageSize),
-		}
-		listHostResp, err := d.sdkClient.ListHost(listHostReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'waf.ListHost'")
-		}
-
-		if listHostResp.Items != nil {
-			for _, hostItem := range *listHostResp.Items {
-				if strings.TrimPrefix(d.config.Domain, "*") == *hostItem.Hostname {
-					hostId = *hostItem.Id
-					break
-				}
-			}
-		}
-
-		if listHostResp.Items == nil || len(*listHostResp.Items) < int(listHostPageSize) {
-			break
-		} else {
-			listHostPage++
-		}
-	}
-	if hostId == "" {
-		return errors.New("host not found")
-	}
-
-	// 更新云模式防护域名的配置
-	// REF: https://support.huaweicloud.com/api-waf/UpdateHost.html
-	updateHostReq := &hcWafModel.UpdateHostRequest{
-		InstanceId: hostId,
-		Body: &hcWafModel.UpdateHostRequestBody{
-			Certificateid:   hwsdk.StringPtr(upres.CertId),
-			Certificatename: hwsdk.StringPtr(upres.CertName),
-		},
-	}
-	updateHostResp, err := d.sdkClient.UpdateHost(updateHostReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'waf.UpdateHost'")
-	} else {
-		d.logger.Logt("已更新云模式防护域名的配置", updateHostResp)
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToPremiumHost(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.Domain == "" {
-		return errors.New("config `domain` is required")
-	}
-
-	// 上传证书到 WAF
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 遍历查询独享模式域名列表，获取防护域名 ID
-	// REF: https://support.huaweicloud.com/api-waf/ListPremiumHost.html
-	hostId := ""
-	listPremiumHostPage := int32(1)
-	listPremiumHostPageSize := int32(100)
-	for {
-		listPremiumHostReq := &hcWafModel.ListPremiumHostRequest{
-			Hostname: hwsdk.StringPtr(strings.TrimPrefix(d.config.Domain, "*")),
-			Page:     hwsdk.StringPtr(fmt.Sprintf("%d", listPremiumHostPage)),
-			Pagesize: hwsdk.StringPtr(fmt.Sprintf("%d", listPremiumHostPageSize)),
-		}
-		listPremiumHostResp, err := d.sdkClient.ListPremiumHost(listPremiumHostReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'waf.ListPremiumHost'")
-		}
-
-		if listPremiumHostResp.Items != nil {
-			for _, hostItem := range *listPremiumHostResp.Items {
-				if strings.TrimPrefix(d.config.Domain, "*") == *hostItem.Hostname {
-					hostId = *hostItem.Id
-					break
-				}
-			}
-		}
-
-		if listPremiumHostResp.Items == nil || len(*listPremiumHostResp.Items) < int(listPremiumHostPageSize) {
-			break
-		} else {
-			listPremiumHostPage++
-		}
-	}
-	if hostId == "" {
-		return errors.New("host not found")
-	}
-
-	// 修改独享模式域名配置
-	// REF: https://support.huaweicloud.com/api-waf/UpdatePremiumHost.html
-	updatePremiumHostReq := &hcWafModel.UpdatePremiumHostRequest{
-		HostId: hostId,
-		Body: &hcWafModel.UpdatePremiumHostRequestBody{
-			Certificateid:   hwsdk.StringPtr(upres.CertId),
-			Certificatename: hwsdk.StringPtr(upres.CertName),
-		},
-	}
-	updatePremiumHostResp, err := d.sdkClient.UpdatePremiumHost(updatePremiumHostReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'waf.UpdatePremiumHost'")
-	} else {
-		d.logger.Logt("已修改独享模式域名配置", updatePremiumHostResp)
-	}
-
-	return nil
-}
-
-func createSdkClient(accessKeyId, secretAccessKey, region string) (*hcWaf.WafClient, error) {
-	projectId, err := getSdkProjectId(accessKeyId, secretAccessKey, region)
-	if err != nil {
-		return nil, err
-	}
-
-	auth, err := basic.NewCredentialsBuilder().
-		WithAk(accessKeyId).
-		WithSk(secretAccessKey).
-		WithProjectId(projectId).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	hcRegion, err := hcWafRegion.SafeValueOf(region)
-	if err != nil {
-		return nil, err
-	}
-
-	hcClient, err := hcWaf.WafClientBuilder().
-		WithRegion(hcRegion).
-		WithCredential(auth).
-		SafeBuild()
-	if err != nil {
-		return nil, err
-	}
-
-	client := hcWaf.NewWafClient(hcClient)
-	return client, nil
-}
-
-func getSdkProjectId(accessKeyId, secretAccessKey, region string) (string, error) {
-	auth, err := global.NewCredentialsBuilder().
-		WithAk(accessKeyId).
-		WithSk(secretAccessKey).
-		SafeBuild()
-	if err != nil {
-		return "", err
-	}
-
-	hcRegion, err := hcIamRegion.SafeValueOf(region)
-	if err != nil {
-		return "", err
-	}
-
-	hcClient, err := hcIam.IamClientBuilder().
-		WithRegion(hcRegion).
-		WithCredential(auth).
-		SafeBuild()
-	if err != nil {
-		return "", err
-	}
-
-	client := hcIam.NewIamClient(hcClient)
-
-	request := &hcIamModel.KeystoneListProjectsRequest{
-		Name: &region,
-	}
-	response, err := client.KeystoneListProjects(request)
-	if err != nil {
-		return "", err
-	} else if response.Projects == nil || len(*response.Projects) == 0 {
-		return "", errors.New("no project found")
-	}
-
-	return (*response.Projects)[0].Id, nil
-}
--- a/internal/pkg/core/deployer/providers/jdcloud-alb/jdcloud_alb.go
+++ b/internal/pkg/core/deployer/providers/jdcloud-alb/jdcloud_alb.go
@@ -1,252 +0,0 @@
-package jdcloudalb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	jdCore "github.com/jdcloud-api/jdcloud-sdk-go/core"
-	jdCommon "github.com/jdcloud-api/jdcloud-sdk-go/services/common/models"
-	jdLbApi "github.com/jdcloud-api/jdcloud-sdk-go/services/lb/apis"
-	jdLbClient "github.com/jdcloud-api/jdcloud-sdk-go/services/lb/client"
-	jdLbModel "github.com/jdcloud-api/jdcloud-sdk-go/services/lb/models"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/jdcloud-ssl"
-	"github.com/usual2970/certimate/internal/pkg/utils/slices"
-)
-
-type DeployerConfig struct {
-	// 京东云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 京东云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 京东云地域 ID。
-	RegionId string `json:"regionId"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 负载均衡器 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER] 时必填。
-	LoadbalancerId string `json:"loadbalancerId,omitempty"`
-	// 监听器 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LISTENER] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-	// SNI 域名（支持泛域名）。
-	// 部署资源类型为 [RESOURCE_TYPE_LOADBALANCER]、[RESOURCE_TYPE_LISTENER] 时选填。
-	Domain string `json:"domain,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *jdLbClient.LbClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_LOADBALANCER:
-		if err := d.deployToLoadbalancer(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-
-	// 查询负载均衡器详情
-	// REF: https://docs.jdcloud.com/cn/load-balancer/api/describeloadbalancer
-	describeLoadBalancerReq := jdLbApi.NewDescribeLoadBalancerRequest(d.config.RegionId, d.config.LoadbalancerId)
-	describeLoadBalancerResp, err := d.sdkClient.DescribeLoadBalancer(describeLoadBalancerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'lb.DescribeLoadBalancer'")
-	} else {
-		d.logger.Logt("已查询到负载均衡器详情", describeLoadBalancerResp)
-	}
-
-	// 查询监听器列表
-	// REF: https://docs.jdcloud.com/cn/load-balancer/api/describelisteners
-	listenerIds := make([]string, 0)
-	describeListenersPageNumber := 1
-	describeListenersPageSize := 100
-	for {
-		describeListenersReq := jdLbApi.NewDescribeListenersRequest(d.config.RegionId)
-		describeListenersReq.SetFilters([]jdCommon.Filter{{Name: "loadBalancerId", Values: []string{d.config.LoadbalancerId}}})
-		describeListenersReq.SetPageSize(describeListenersPageNumber)
-		describeListenersReq.SetPageSize(describeListenersPageSize)
-		describeListenersResp, err := d.sdkClient.DescribeListeners(describeListenersReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'lb.DescribeListeners'")
-		}
-
-		for _, listener := range describeListenersResp.Result.Listeners {
-			if strings.EqualFold(listener.Protocol, "https") || strings.EqualFold(listener.Protocol, "tls") {
-				listenerIds = append(listenerIds, listener.ListenerId)
-			}
-		}
-
-		if len(describeListenersResp.Result.Listeners) < int(describeListenersPageSize) {
-			break
-		} else {
-			describeListenersPageNumber++
-		}
-	}
-
-	// 遍历更新监听器证书
-	if len(listenerIds) == 0 {
-		return errors.New("listener not found")
-	} else {
-		d.logger.Logt("已查询到负载均衡器下的全部 HTTPS/TLS 监听器", listenerIds)
-
-		var errs []error
-
-		for _, listenerId := range listenerIds {
-			if err := d.updateListenerCertificate(ctx, listenerId, cloudCertId); err != nil {
-				errs = append(errs, err)
-			}
-		}
-
-		if len(errs) > 0 {
-			return errors.Join(errs...)
-		}
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, cloudCertId string) error {
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 更新监听器证书
-	if err := d.updateListenerCertificate(ctx, d.config.ListenerId, cloudCertId); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) updateListenerCertificate(ctx context.Context, cloudListenerId string, cloudCertId string) error {
-	// 查询监听器详情
-	// REF: https://docs.jdcloud.com/cn/load-balancer/api/describelistener
-	describeListenerReq := jdLbApi.NewDescribeListenerRequest(d.config.RegionId, cloudListenerId)
-	describeListenerResp, err := d.sdkClient.DescribeListener(describeListenerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'lb.DescribeListener'")
-	} else {
-		d.logger.Logt("已查询到监听器详情", describeListenerResp)
-	}
-
-	if d.config.Domain == "" {
-		// 未指定 SNI，只需部署到监听器
-
-		// 修改监听器信息
-		// REF: https://docs.jdcloud.com/cn/load-balancer/api/updatelistener
-		updateListenerReq := jdLbApi.NewUpdateListenerRequest(d.config.RegionId, cloudListenerId)
-		updateListenerReq.SetCertificateSpecs([]jdLbModel.CertificateSpec{{CertificateId: cloudCertId}})
-		updateListenerResp, err := d.sdkClient.UpdateListener(updateListenerReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'lb.UpdateListener'")
-		} else {
-			d.logger.Logt("已修改监听器信息", updateListenerResp)
-		}
-	} else {
-		// 指定 SNI，需部署到扩展证书
-
-		extCertSpecs := slices.Filter(describeListenerResp.Result.Listener.ExtensionCertificateSpecs, func(extCertSpec jdLbModel.ExtensionCertificateSpec) bool {
-			return extCertSpec.Domain == d.config.Domain
-		})
-		if len(extCertSpecs) == 0 {
-			return errors.New("extension certificate spec not found")
-		}
-
-		// 批量修改扩展证书
-		// REF: https://docs.jdcloud.com/cn/load-balancer/api/updatelistenercertificates
-		updateListenerCertificatesReq := jdLbApi.NewUpdateListenerCertificatesRequest(
-			d.config.RegionId,
-			cloudListenerId,
-			slices.Map(extCertSpecs, func(extCertSpec jdLbModel.ExtensionCertificateSpec) jdLbModel.ExtCertificateUpdateSpec {
-				return jdLbModel.ExtCertificateUpdateSpec{
-					CertificateBindId: extCertSpec.CertificateBindId,
-					CertificateId:     &cloudCertId,
-					Domain:            &extCertSpec.Domain,
-				}
-			}),
-		)
-		updateListenerCertificatesResp, err := d.sdkClient.UpdateListenerCertificates(updateListenerCertificatesReq)
-		if err != nil {
-			return xerrors.Wrap(err, "failed to execute sdk request 'lb.UpdateListenerCertificates'")
-		} else {
-			d.logger.Logt("已批量修改扩展证书", updateListenerCertificatesResp)
-		}
-	}
-
-	return nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*jdLbClient.LbClient, error) {
-	clientCredentials := jdCore.NewCredentials(accessKeyId, accessKeySecret)
-	client := jdLbClient.NewLbClient(clientCredentials)
-	client.SetLogger(jdCore.NewDefaultLogger(jdCore.LogWarn))
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/jdcloud-cdn/jdcloud_cdn.go
+++ b/internal/pkg/core/deployer/providers/jdcloud-cdn/jdcloud_cdn.go
@@ -1,109 +0,0 @@
-package jdcloudcdn
-
-import (
-	"context"
-
-	jdCore "github.com/jdcloud-api/jdcloud-sdk-go/core"
-	jdCdnApi "github.com/jdcloud-api/jdcloud-sdk-go/services/cdn/apis"
-	jdCdnClient "github.com/jdcloud-api/jdcloud-sdk-go/services/cdn/client"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/jdcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 京东云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 京东云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *jdCdnClient.CdnClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 查询域名配置信息
-	// REF: https://docs.jdcloud.com/cn/cdn/api/querydomainconfig
-	queryDomainConfigReq := jdCdnApi.NewQueryDomainConfigRequest(d.config.Domain)
-	queryDomainConfigResp, err := d.sdkClient.QueryDomainConfig(queryDomainConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.QueryDomainConfig'")
-	} else {
-		d.logger.Logt("已查询到域名配置信息", queryDomainConfigResp)
-	}
-
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 设置通讯协议
-	// REF: https://docs.jdcloud.com/cn/cdn/api/sethttptype
-	setHttpTypeReq := jdCdnApi.NewSetHttpTypeRequest(d.config.Domain)
-	setHttpTypeReq.SetHttpType("https")
-	setHttpTypeReq.SetCertificate(certPem)
-	setHttpTypeReq.SetRsaKey(privkeyPem)
-	setHttpTypeReq.SetCertFrom("ssl")
-	setHttpTypeReq.SetSslCertId(upres.CertId)
-	setHttpTypeReq.SetJumpType(queryDomainConfigResp.Result.HttpsJumpType)
-	setHttpTypeResp, err := d.sdkClient.SetHttpType(setHttpTypeReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.SetHttpType'")
-	} else {
-		d.logger.Logt("已设置通讯协议", setHttpTypeResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*jdCdnClient.CdnClient, error) {
-	clientCredentials := jdCore.NewCredentials(accessKeyId, accessKeySecret)
-	client := jdCdnClient.NewCdnClient(clientCredentials)
-	client.SetLogger(jdCore.NewDefaultLogger(jdCore.LogWarn))
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/jdcloud-live/jdcloud_live.go
+++ b/internal/pkg/core/deployer/providers/jdcloud-live/jdcloud_live.go
@@ -1,75 +0,0 @@
-package jdcloudlive
-
-import (
-	"context"
-
-	jdCore "github.com/jdcloud-api/jdcloud-sdk-go/core"
-	jdLiveApi "github.com/jdcloud-api/jdcloud-sdk-go/services/live/apis"
-	jdLiveClient "github.com/jdcloud-api/jdcloud-sdk-go/services/live/client"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 京东云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 京东云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 直播播放域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *jdLiveClient.LiveClient
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 设置直播证书
-	// REF: https://docs.jdcloud.com/cn/live-video/api/setlivedomaincertificate
-	setLiveDomainCertificateReq := jdLiveApi.NewSetLiveDomainCertificateRequest(d.config.Domain, "on")
-	setLiveDomainCertificateReq.SetCert(certPem)
-	setLiveDomainCertificateReq.SetKey(privkeyPem)
-	setLiveDomainCertificateResp, err := d.sdkClient.SetLiveDomainCertificate(setLiveDomainCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.SetLiveDomainCertificate'")
-	} else {
-		d.logger.Logt("已设置直播证书", setLiveDomainCertificateResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*jdLiveClient.LiveClient, error) {
-	clientCredentials := jdCore.NewCredentials(accessKeyId, accessKeySecret)
-	client := jdLiveClient.NewLiveClient(clientCredentials)
-	client.SetLogger(jdCore.NewDefaultLogger(jdCore.LogWarn))
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/jdcloud-vod/jdcloud_vod.go
+++ b/internal/pkg/core/deployer/providers/jdcloud-vod/jdcloud_vod.go
@@ -1,123 +0,0 @@
-package jdcloudvod
-
-import (
-	"context"
-	"fmt"
-	"strconv"
-	"time"
-
-	jdCore "github.com/jdcloud-api/jdcloud-sdk-go/core"
-	jdVodApi "github.com/jdcloud-api/jdcloud-sdk-go/services/vod/apis"
-	jdVodClient "github.com/jdcloud-api/jdcloud-sdk-go/services/vod/client"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-)
-
-type DeployerConfig struct {
-	// 京东云 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 京东云 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 点播加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *jdVodClient.VodClient
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 查询域名列表
-	// REF: https://docs.jdcloud.com/cn/video-on-demand/api/listdomains
-	var domainId int
-	listDomainsPageNumber := 1
-	listDomainsPageSize := 100
-	for {
-		listDomainsReq := jdVodApi.NewListDomainsRequest()
-		listDomainsReq.SetPageNumber(1)
-		listDomainsReq.SetPageSize(100)
-		listDomainsResp, err := d.sdkClient.ListDomains(listDomainsReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'vod.ListDomains'")
-		}
-
-		for _, domain := range listDomainsResp.Result.Content {
-			if domain.Name == d.config.Domain {
-				domainId, _ = strconv.Atoi(domain.Id)
-				break
-			}
-		}
-
-		if len(listDomainsResp.Result.Content) < listDomainsPageSize {
-			break
-		} else {
-			listDomainsPageNumber++
-		}
-	}
-	if domainId == 0 {
-		return nil, xerrors.New("domain not found")
-	}
-
-	// 查询域名 SSL 配置
-	// REF: https://docs.jdcloud.com/cn/video-on-demand/api/gethttpssl
-	getHttpSslReq := jdVodApi.NewGetHttpSslRequest(domainId)
-	getHttpSslResp, err := d.sdkClient.GetHttpSsl(getHttpSslReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'vod.GetHttpSsl'")
-	} else {
-		d.logger.Logt("已查询到域名 SSL 配置", getHttpSslResp)
-	}
-
-	// 设置域名 SSL 配置
-	// REF: https://docs.jdcloud.com/cn/video-on-demand/api/sethttpssl
-	setHttpSslReq := jdVodApi.NewSetHttpSslRequest(domainId)
-	setHttpSslReq.SetTitle(fmt.Sprintf("certimate-%d", time.Now().UnixMilli()))
-	setHttpSslReq.SetSslCert(certPem)
-	setHttpSslReq.SetSslKey(privkeyPem)
-	setHttpSslReq.SetSource("default")
-	setHttpSslReq.SetJumpType(getHttpSslResp.Result.JumpType)
-	setHttpSslReq.SetEnabled(true)
-	setHttpSslResp, err := d.sdkClient.SetHttpSsl(setHttpSslReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'vod.SetHttpSsl'")
-	} else {
-		d.logger.Logt("已设置域名 SSL 配置", setHttpSslResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret string) (*jdVodClient.VodClient, error) {
-	clientCredentials := jdCore.NewCredentials(accessKeyId, accessKeySecret)
-	client := jdVodClient.NewVodClient(clientCredentials)
-	client.SetLogger(jdCore.NewDefaultLogger(jdCore.LogWarn))
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/local/local.go
+++ b/internal/pkg/core/deployer/providers/local/local.go
@@ -1,174 +0,0 @@
-package local
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os/exec"
-	"runtime"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-	"github.com/usual2970/certimate/internal/pkg/utils/files"
-)
-
-type DeployerConfig struct {
-	// Shell 执行环境。
-	// 零值时默认根据操作系统决定。
-	ShellEnv ShellEnvType `json:"shellEnv,omitempty"`
-	// 前置命令。
-	PreCommand string `json:"preCommand,omitempty"`
-	// 后置命令。
-	PostCommand string `json:"postCommand,omitempty"`
-	// 输出证书格式。
-	OutputFormat OutputFormatType `json:"outputFormat,omitempty"`
-	// 输出证书文件路径。
-	OutputCertPath string `json:"outputCertPath,omitempty"`
-	// 输出私钥文件路径。
-	OutputKeyPath string `json:"outputKeyPath,omitempty"`
-	// PFX 导出密码。
-	// 证书格式为 PFX 时必填。
-	PfxPassword string `json:"pfxPassword,omitempty"`
-	// JKS 别名。
-	// 证书格式为 JKS 时必填。
-	JksAlias string `json:"jksAlias,omitempty"`
-	// JKS 密钥密码。
-	// 证书格式为 JKS 时必填。
-	JksKeypass string `json:"jksKeypass,omitempty"`
-	// JKS 存储密码。
-	// 证书格式为 JKS 时必填。
-	JksStorepass string `json:"jksStorepass,omitempty"`
-}
-
-type DeployerProvider struct {
-	config *DeployerConfig
-	logger logger.Logger
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	return &DeployerProvider{
-		config: config,
-		logger: logger.NewNilLogger(),
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 执行前置命令
-	if d.config.PreCommand != "" {
-		stdout, stderr, err := execCommand(d.config.ShellEnv, d.config.PreCommand)
-		if err != nil {
-			return nil, xerrors.Wrapf(err, "failed to execute pre-command, stdout: %s, stderr: %s", stdout, stderr)
-		}
-
-		d.logger.Logt("pre-command executed", stdout)
-	}
-
-	// 写入证书和私钥文件
-	switch d.config.OutputFormat {
-	case OUTPUT_FORMAT_PEM:
-		if err := files.WriteString(d.config.OutputCertPath, certPem); err != nil {
-			return nil, xerrors.Wrap(err, "failed to save certificate file")
-		}
-
-		d.logger.Logt("certificate file saved")
-
-		if err := files.WriteString(d.config.OutputKeyPath, privkeyPem); err != nil {
-			return nil, xerrors.Wrap(err, "failed to save private key file")
-		}
-
-		d.logger.Logt("private key file saved")
-
-	case OUTPUT_FORMAT_PFX:
-		pfxData, err := certs.TransformCertificateFromPEMToPFX(certPem, privkeyPem, d.config.PfxPassword)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to transform certificate to PFX")
-		}
-
-		d.logger.Logt("certificate transformed to PFX")
-
-		if err := files.Write(d.config.OutputCertPath, pfxData); err != nil {
-			return nil, xerrors.Wrap(err, "failed to save certificate file")
-		}
-
-		d.logger.Logt("certificate file saved")
-
-	case OUTPUT_FORMAT_JKS:
-		jksData, err := certs.TransformCertificateFromPEMToJKS(certPem, privkeyPem, d.config.JksAlias, d.config.JksKeypass, d.config.JksStorepass)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to transform certificate to JKS")
-		}
-
-		d.logger.Logt("certificate transformed to JKS")
-
-		if err := files.Write(d.config.OutputCertPath, jksData); err != nil {
-			return nil, xerrors.Wrap(err, "failed to save certificate file")
-		}
-
-		d.logger.Logt("certificate file uploaded")
-
-	default:
-		return nil, fmt.Errorf("unsupported output format: %s", d.config.OutputFormat)
-	}
-
-	// 执行后置命令
-	if d.config.PostCommand != "" {
-		stdout, stderr, err := execCommand(d.config.ShellEnv, d.config.PostCommand)
-		if err != nil {
-			return nil, xerrors.Wrapf(err, "failed to execute post-command, stdout: %s, stderr: %s", stdout, stderr)
-		}
-
-		d.logger.Logt("post-command executed", stdout)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func execCommand(shellEnv ShellEnvType, command string) (string, string, error) {
-	var cmd *exec.Cmd
-
-	switch shellEnv {
-	case SHELL_ENV_SH:
-		cmd = exec.Command("sh", "-c", command)
-
-	case SHELL_ENV_CMD:
-		cmd = exec.Command("cmd", "/C", command)
-
-	case SHELL_ENV_POWERSHELL:
-		cmd = exec.Command("powershell", "-Command", command)
-
-	case ShellEnvType(""):
-		if runtime.GOOS == "windows" {
-			cmd = exec.Command("cmd", "/C", command)
-		} else {
-			cmd = exec.Command("sh", "-c", command)
-		}
-
-	default:
-		return "", "", fmt.Errorf("unsupported shell env: %s", shellEnv)
-	}
-
-	stdoutBuf := bytes.NewBuffer(nil)
-	cmd.Stdout = stdoutBuf
-	stderrBuf := bytes.NewBuffer(nil)
-	cmd.Stderr = stderrBuf
-	err := cmd.Run()
-	if err != nil {
-		return stdoutBuf.String(), stderrBuf.String(), xerrors.Wrap(err, "failed to execute command")
-	}
-
-	return stdoutBuf.String(), stderrBuf.String(), nil
-}
--- a/internal/pkg/core/deployer/providers/qiniu-cdn/qiniu_cdn.go
+++ b/internal/pkg/core/deployer/providers/qiniu-cdn/qiniu_cdn.go
@@ -1,103 +0,0 @@
-package qiniucdn
-
-import (
-	"context"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/qiniu/go-sdk/v7/auth"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/qiniu-sslcert"
-	qiniusdk "github.com/usual2970/certimate/internal/pkg/vendors/qiniu-sdk"
-)
-
-type DeployerConfig struct {
-	// 七牛云 AccessKey。
-	AccessKey string `json:"accessKey"`
-	// 七牛云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *qiniusdk.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := qiniusdk.NewClient(auth.New(config.AccessKey, config.SecretKey))
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKey: config.AccessKey,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// "*.example.com" → ".example.com"，适配七牛云 CDN 要求的泛域名格式
-	domain := strings.TrimPrefix(d.config.Domain, "*")
-
-	// 获取域名信息
-	// REF: https://developer.qiniu.com/fusion/4246/the-domain-name
-	getDomainInfoResp, err := d.sdkClient.GetDomainInfo(context.TODO(), domain)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.GetDomainInfo'")
-	}
-
-	d.logger.Logt("已获取域名信息", getDomainInfoResp)
-
-	// 判断域名是否已启用 HTTPS。如果已启用，修改域名证书；否则，启用 HTTPS
-	// REF: https://developer.qiniu.com/fusion/4246/the-domain-name
-	if getDomainInfoResp.Https != nil && getDomainInfoResp.Https.CertID != "" {
-		modifyDomainHttpsConfResp, err := d.sdkClient.ModifyDomainHttpsConf(context.TODO(), domain, upres.CertId, getDomainInfoResp.Https.ForceHttps, getDomainInfoResp.Https.Http2Enable)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.ModifyDomainHttpsConf'")
-		}
-
-		d.logger.Logt("已修改域名证书", modifyDomainHttpsConfResp)
-	} else {
-		enableDomainHttpsResp, err := d.sdkClient.EnableDomainHttps(context.TODO(), domain, upres.CertId, true, true)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.EnableDomainHttps'")
-		}
-
-		d.logger.Logt("已将域名升级为 HTTPS", enableDomainHttpsResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/qiniu-pili/qiniu_pili.go
+++ b/internal/pkg/core/deployer/providers/qiniu-pili/qiniu_pili.go
@@ -1,87 +0,0 @@
-package qiniupili
-
-import (
-	"context"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/qiniu/go-sdk/v7/pili"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/qiniu-sslcert"
-)
-
-type DeployerConfig struct {
-	// 七牛云 AccessKey。
-	AccessKey string `json:"accessKey"`
-	// 七牛云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 直播空间名。
-	Hub string `json:"hub"`
-	// 直播流域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *pili.Manager
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	manager := pili.NewManager(pili.ManagerConfig{AccessKey: config.AccessKey, SecretKey: config.SecretKey})
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKey: config.AccessKey,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   manager,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 修改域名证书配置
-	// REF: https://developer.qiniu.com/pili/9910/pili-service-sdk#66
-	setDomainCertReq := pili.SetDomainCertRequest{
-		Hub:      d.config.Hub,
-		Domain:   d.config.Domain,
-		CertName: upres.CertName,
-	}
-	err = d.sdkClient.SetDomainCert(context.TODO(), setDomainCertReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'pili.SetDomainCert'")
-	}
-
-	d.logger.Logt("已修改域名证书配置")
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/safeline/safeline.go
+++ b/internal/pkg/core/deployer/providers/safeline/safeline.go
@@ -1,108 +0,0 @@
-package safeline
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/url"
-
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	safelinesdk "github.com/usual2970/certimate/internal/pkg/vendors/safeline-sdk"
-)
-
-type DeployerConfig struct {
-	// 雷池 URL。
-	ApiUrl string `json:"apiUrl"`
-	// 雷池 API Token。
-	ApiToken string `json:"apiToken"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 证书 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_CERTIFICATE] 时必填。
-	CertificateId int32 `json:"certificateId,omitempty"`
-}
-
-type DeployerProvider struct {
-	config    *DeployerConfig
-	logger    logger.Logger
-	sdkClient *safelinesdk.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.ApiUrl, config.ApiToken)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	return &DeployerProvider{
-		config:    config,
-		logger:    logger.NewNilLogger(),
-		sdkClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_CERTIFICATE:
-		if err := d.deployToCertificate(ctx, certPem, privkeyPem); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToCertificate(ctx context.Context, certPem string, privkeyPem string) error {
-	if d.config.CertificateId == 0 {
-		return errors.New("config `certificateId` is required")
-	}
-
-	// 更新证书
-	updateCertificateReq := &safelinesdk.UpdateCertificateRequest{
-		Id:   d.config.CertificateId,
-		Type: 2,
-		Manual: &safelinesdk.UpdateCertificateRequestBodyManul{
-			Crt: certPem,
-			Key: privkeyPem,
-		},
-	}
-	updateCertificateResp, err := d.sdkClient.UpdateCertificate(updateCertificateReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'safeline.UpdateCertificate'")
-	} else {
-		d.logger.Logt("已更新证书", updateCertificateResp)
-	}
-
-	return nil
-}
-
-func createSdkClient(apiUrl, apiToken string) (*safelinesdk.Client, error) {
-	if _, err := url.Parse(apiUrl); err != nil {
-		return nil, errors.New("invalid safeline api url")
-	}
-
-	if apiToken == "" {
-		return nil, errors.New("invalid safeline api token")
-	}
-
-	client := safelinesdk.NewClient(apiUrl, apiToken)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/ssh/ssh.go
+++ b/internal/pkg/core/deployer/providers/ssh/ssh.go
@@ -1,288 +0,0 @@
-package ssh
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"path/filepath"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/pkg/sftp"
-	"github.com/povsister/scp"
-	"golang.org/x/crypto/ssh"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-)
-
-type DeployerConfig struct {
-	// SSH 主机。
-	// 零值时默认为 "localhost"。
-	SshHost string `json:"sshHost,omitempty"`
-	// SSH 端口。
-	// 零值时默认为 22。
-	SshPort int32 `json:"sshPort,omitempty"`
-	// SSH 登录用户名。
-	SshUsername string `json:"sshUsername,omitempty"`
-	// SSH 登录密码。
-	SshPassword string `json:"sshPassword,omitempty"`
-	// SSH 登录私钥。
-	SshKey string `json:"sshKey,omitempty"`
-	// SSH 登录私钥口令。
-	SshKeyPassphrase string `json:"sshKeyPassphrase,omitempty"`
-	// 是否回退使用 SCP。
-	UseSCP bool `json:"useSCP,omitempty"`
-	// 前置命令。
-	PreCommand string `json:"preCommand,omitempty"`
-	// 后置命令。
-	PostCommand string `json:"postCommand,omitempty"`
-	// 输出证书格式。
-	OutputFormat OutputFormatType `json:"outputFormat,omitempty"`
-	// 输出证书文件路径。
-	OutputCertPath string `json:"outputCertPath,omitempty"`
-	// 输出私钥文件路径。
-	OutputKeyPath string `json:"outputKeyPath,omitempty"`
-	// PFX 导出密码。
-	// 证书格式为 PFX 时必填。
-	PfxPassword string `json:"pfxPassword,omitempty"`
-	// JKS 别名。
-	// 证书格式为 JKS 时必填。
-	JksAlias string `json:"jksAlias,omitempty"`
-	// JKS 密钥密码。
-	// 证书格式为 JKS 时必填。
-	JksKeypass string `json:"jksKeypass,omitempty"`
-	// JKS 存储密码。
-	// 证书格式为 JKS 时必填。
-	JksStorepass string `json:"jksStorepass,omitempty"`
-}
-
-type DeployerProvider struct {
-	config *DeployerConfig
-	logger logger.Logger
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	return &DeployerProvider{
-		config: config,
-		logger: logger.NewNilLogger(),
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 连接
-	client, err := createSshClient(
-		d.config.SshHost,
-		d.config.SshPort,
-		d.config.SshUsername,
-		d.config.SshPassword,
-		d.config.SshKey,
-		d.config.SshKeyPassphrase,
-	)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssh client")
-	}
-	defer client.Close()
-
-	d.logger.Logt("SSH connected")
-
-	// 执行前置命令
-	if d.config.PreCommand != "" {
-		stdout, stderr, err := execSshCommand(client, d.config.PreCommand)
-		if err != nil {
-			return nil, xerrors.Wrapf(err, "failed to execute pre-command: stdout: %s, stderr: %s", stdout, stderr)
-		}
-
-		d.logger.Logt("SSH pre-command executed", stdout)
-	}
-
-	// 上传证书和私钥文件
-	switch d.config.OutputFormat {
-	case OUTPUT_FORMAT_PEM:
-		if err := writeFileString(client, d.config.UseSCP, d.config.OutputCertPath, certPem); err != nil {
-			return nil, xerrors.Wrap(err, "failed to upload certificate file")
-		}
-
-		d.logger.Logt("certificate file uploaded")
-
-		if err := writeFileString(client, d.config.UseSCP, d.config.OutputKeyPath, privkeyPem); err != nil {
-			return nil, xerrors.Wrap(err, "failed to upload private key file")
-		}
-
-		d.logger.Logt("private key file uploaded")
-
-	case OUTPUT_FORMAT_PFX:
-		pfxData, err := certs.TransformCertificateFromPEMToPFX(certPem, privkeyPem, d.config.PfxPassword)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to transform certificate to PFX")
-		}
-
-		d.logger.Logt("certificate transformed to PFX")
-
-		if err := writeFile(client, d.config.UseSCP, d.config.OutputCertPath, pfxData); err != nil {
-			return nil, xerrors.Wrap(err, "failed to upload certificate file")
-		}
-
-		d.logger.Logt("certificate file uploaded")
-
-	case OUTPUT_FORMAT_JKS:
-		jksData, err := certs.TransformCertificateFromPEMToJKS(certPem, privkeyPem, d.config.JksAlias, d.config.JksKeypass, d.config.JksStorepass)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to transform certificate to JKS")
-		}
-
-		d.logger.Logt("certificate transformed to JKS")
-
-		if err := writeFile(client, d.config.UseSCP, d.config.OutputCertPath, jksData); err != nil {
-			return nil, xerrors.Wrap(err, "failed to upload certificate file")
-		}
-
-		d.logger.Logt("certificate file uploaded")
-
-	default:
-		return nil, fmt.Errorf("unsupported output format: %s", d.config.OutputFormat)
-	}
-
-	// 执行后置命令
-	if d.config.PostCommand != "" {
-		stdout, stderr, err := execSshCommand(client, d.config.PostCommand)
-		if err != nil {
-			return nil, xerrors.Wrapf(err, "failed to execute post-command, stdout: %s, stderr: %s", stdout, stderr)
-		}
-
-		d.logger.Logt("SSH post-command executed", stdout)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSshClient(host string, port int32, username string, password string, key string, keyPassphrase string) (*ssh.Client, error) {
-	if host == "" {
-		host = "localhost"
-	}
-
-	if port == 0 {
-		port = 22
-	}
-
-	var authMethod ssh.AuthMethod
-	if key != "" {
-		var signer ssh.Signer
-		var err error
-
-		if keyPassphrase != "" {
-			signer, err = ssh.ParsePrivateKeyWithPassphrase([]byte(key), []byte(keyPassphrase))
-		} else {
-			signer, err = ssh.ParsePrivateKey([]byte(key))
-		}
-
-		if err != nil {
-			return nil, err
-		}
-		authMethod = ssh.PublicKeys(signer)
-	} else {
-		authMethod = ssh.Password(password)
-	}
-
-	return ssh.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &ssh.ClientConfig{
-		User:            username,
-		Auth:            []ssh.AuthMethod{authMethod},
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	})
-}
-
-func execSshCommand(sshCli *ssh.Client, command string) (string, string, error) {
-	session, err := sshCli.NewSession()
-	if err != nil {
-		return "", "", err
-	}
-	defer session.Close()
-
-	stdoutBuf := bytes.NewBuffer(nil)
-	session.Stdout = stdoutBuf
-	stderrBuf := bytes.NewBuffer(nil)
-	session.Stderr = stderrBuf
-	err = session.Run(command)
-	if err != nil {
-		return stdoutBuf.String(), stderrBuf.String(), xerrors.Wrap(err, "failed to execute ssh command")
-	}
-
-	return stdoutBuf.String(), stderrBuf.String(), nil
-}
-
-func writeFileString(sshCli *ssh.Client, useSCP bool, path string, content string) error {
-	if useSCP {
-		return writeFileStringWithSCP(sshCli, path, content)
-	}
-
-	return writeFileStringWithSFTP(sshCli, path, content)
-}
-
-func writeFile(sshCli *ssh.Client, useSCP bool, path string, data []byte) error {
-	if useSCP {
-		return writeFileWithSCP(sshCli, path, data)
-	}
-
-	return writeFileWithSFTP(sshCli, path, data)
-}
-
-func writeFileStringWithSCP(sshCli *ssh.Client, path string, content string) error {
-	return writeFileWithSCP(sshCli, path, []byte(content))
-}
-
-func writeFileWithSCP(sshCli *ssh.Client, path string, data []byte) error {
-	scpCli, err := scp.NewClientFromExistingSSH(sshCli, &scp.ClientOption{})
-	if err != nil {
-		return xerrors.Wrap(err, "failed to create scp client")
-	}
-	defer scpCli.Close()
-
-	reader := bytes.NewReader(data)
-	err = scpCli.CopyToRemote(reader, path, &scp.FileTransferOption{})
-	if err != nil {
-		return xerrors.Wrap(err, "failed to write to remote file")
-	}
-
-	return nil
-}
-
-func writeFileStringWithSFTP(sshCli *ssh.Client, path string, content string) error {
-	return writeFileWithSFTP(sshCli, path, []byte(content))
-}
-
-func writeFileWithSFTP(sshCli *ssh.Client, path string, data []byte) error {
-	sftpCli, err := sftp.NewClient(sshCli)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to create sftp client")
-	}
-	defer sftpCli.Close()
-
-	if err := sftpCli.MkdirAll(filepath.Dir(path)); err != nil {
-		return xerrors.Wrap(err, "failed to create remote directory")
-	}
-
-	file, err := sftpCli.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to open remote file")
-	}
-	defer file.Close()
-
-	_, err = file.Write(data)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to write to remote file")
-	}
-
-	return nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-cdn/tencentcloud_cdn.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-cdn/tencentcloud_cdn.go
@@ -1,195 +0,0 @@
-package tencentcloudcdn
-
-import (
-	"context"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	tcCdn "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn/v20180606"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-	"golang.org/x/exp/slices"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClients  *wSdkClients
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-type wSdkClients struct {
-	ssl *tcSsl.Client
-	cdn *tcCdn.Client
-}
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	clients, err := createSdkClients(config.SecretId, config.SecretKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClients:  clients,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 获取待部署的 CDN 实例
-	// 如果是泛域名，根据证书匹配 CDN 实例
-	instanceIds := make([]string, 0)
-	if strings.HasPrefix(d.config.Domain, "*.") {
-		domains, err := d.getDomainsByCertificateId(upres.CertId)
-		if err != nil {
-			return nil, err
-		}
-
-		instanceIds = domains
-	} else {
-		instanceIds = append(instanceIds, d.config.Domain)
-	}
-
-	// 跳过已部署的 CDN 实例
-	if len(instanceIds) > 0 {
-		deployedDomains, err := d.getDeployedDomainsByCertificateId(upres.CertId)
-		if err != nil {
-			return nil, err
-		}
-
-		temp := make([]string, 0)
-		for _, instanceId := range instanceIds {
-			if !slices.Contains(deployedDomains, instanceId) {
-				temp = append(temp, instanceId)
-			}
-		}
-		instanceIds = temp
-	}
-
-	if len(instanceIds) == 0 {
-		d.logger.Logt("已部署过或没有要部署的 CDN 实例")
-	} else {
-		// 证书部署到 CDN 实例
-		// REF: https://cloud.tencent.com/document/product/400/91667
-		deployCertificateInstanceReq := tcSsl.NewDeployCertificateInstanceRequest()
-		deployCertificateInstanceReq.CertificateId = common.StringPtr(upres.CertId)
-		deployCertificateInstanceReq.ResourceType = common.StringPtr("cdn")
-		deployCertificateInstanceReq.Status = common.Int64Ptr(1)
-		deployCertificateInstanceReq.InstanceIdList = common.StringPtrs(instanceIds)
-		deployCertificateInstanceResp, err := d.sdkClients.ssl.DeployCertificateInstance(deployCertificateInstanceReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'ssl.DeployCertificateInstance'")
-		}
-
-		d.logger.Logt("已部署证书到云资源实例", deployCertificateInstanceResp.Response)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) getDomainsByCertificateId(cloudCertId string) ([]string, error) {
-	// 获取证书中的可用域名
-	// REF: https://cloud.tencent.com/document/product/228/42491
-	describeCertDomainsReq := tcCdn.NewDescribeCertDomainsRequest()
-	describeCertDomainsReq.CertId = common.StringPtr(cloudCertId)
-	describeCertDomainsReq.Product = common.StringPtr("cdn")
-	describeCertDomainsResp, err := d.sdkClients.cdn.DescribeCertDomains(describeCertDomainsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.DescribeCertDomains'")
-	}
-
-	domains := make([]string, 0)
-	if describeCertDomainsResp.Response.Domains != nil {
-		for _, domain := range describeCertDomainsResp.Response.Domains {
-			domains = append(domains, *domain)
-		}
-	}
-
-	return domains, nil
-}
-
-func (d *DeployerProvider) getDeployedDomainsByCertificateId(cloudCertId string) ([]string, error) {
-	// 根据证书查询关联 CDN 域名
-	// REF: https://cloud.tencent.com/document/product/400/62674
-	describeDeployedResourcesReq := tcSsl.NewDescribeDeployedResourcesRequest()
-	describeDeployedResourcesReq.CertificateIds = common.StringPtrs([]string{cloudCertId})
-	describeDeployedResourcesReq.ResourceType = common.StringPtr("cdn")
-	describeDeployedResourcesResp, err := d.sdkClients.ssl.DescribeDeployedResources(describeDeployedResourcesReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.DescribeDeployedResources'")
-	}
-
-	domains := make([]string, 0)
-	if describeDeployedResourcesResp.Response.DeployedResources != nil {
-		for _, deployedResource := range describeDeployedResourcesResp.Response.DeployedResources {
-			for _, resource := range deployedResource.Resources {
-				domains = append(domains, *resource)
-			}
-		}
-	}
-
-	return domains, nil
-}
-
-func createSdkClients(secretId, secretKey string) (*wSdkClients, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	sslClient, err := tcSsl.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	cdnClient, err := tcCdn.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return &wSdkClients{
-		ssl: sslClient,
-		cdn: cdnClient,
-	}, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-clb/tencentcloud_clb.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-clb/tencentcloud_clb.go
@@ -1,304 +0,0 @@
-package tencentcloudclb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	xerrors "github.com/pkg/errors"
-	tcClb "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/clb/v20180317"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 腾讯云地域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 负载均衡器 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_SSLDEPLOY]、[RESOURCE_TYPE_LOADBALANCER]、[RESOURCE_TYPE_RULEDOMAIN] 时必填。
-	LoadbalancerId string `json:"loadbalancerId,omitempty"`
-	// 负载均衡监听 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_SSLDEPLOY]、[RESOURCE_TYPE_LOADBALANCER]、[RESOURCE_TYPE_LISTENER]、[RESOURCE_TYPE_RULEDOMAIN] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-	// SNI 域名或七层转发规则域名（支持泛域名）。
-	// 部署资源类型为 [RESOURCE_TYPE_SSLDEPLOY] 时选填；部署资源类型为 [RESOURCE_TYPE_RULEDOMAIN] 时必填。
-	Domain string `json:"domain,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClients  *wSdkClients
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-type wSdkClients struct {
-	ssl *tcSsl.Client
-	clb *tcClb.Client
-}
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	clients, err := createSdkClients(config.SecretId, config.SecretKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClients:  clients,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_VIA_SSLDEPLOY:
-		if err := d.deployViaSslService(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LOADBALANCER:
-		if err := d.deployToLoadbalancer(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	case RESOURCE_TYPE_RULEDOMAIN:
-		if err := d.deployToRuleDomain(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployViaSslService(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 证书部署到 CLB 实例
-	// REF: https://cloud.tencent.com/document/product/400/91667
-	deployCertificateInstanceReq := tcSsl.NewDeployCertificateInstanceRequest()
-	deployCertificateInstanceReq.CertificateId = common.StringPtr(cloudCertId)
-	deployCertificateInstanceReq.ResourceType = common.StringPtr("clb")
-	deployCertificateInstanceReq.Status = common.Int64Ptr(1)
-	if d.config.Domain == "" {
-		// 未指定 SNI，只需部署到监听器
-		deployCertificateInstanceReq.InstanceIdList = common.StringPtrs([]string{fmt.Sprintf("%s|%s", d.config.LoadbalancerId, d.config.ListenerId)})
-	} else {
-		// 指定 SNI，需部署到域名
-		deployCertificateInstanceReq.InstanceIdList = common.StringPtrs([]string{fmt.Sprintf("%s|%s|%s", d.config.LoadbalancerId, d.config.ListenerId, d.config.Domain)})
-	}
-	deployCertificateInstanceResp, err := d.sdkClients.ssl.DeployCertificateInstance(deployCertificateInstanceReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'ssl.DeployCertificateInstance'")
-	}
-
-	d.logger.Logt("已部署证书到云资源实例", deployCertificateInstanceResp.Response)
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToLoadbalancer(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-
-	// 查询监听器列表
-	// REF: https://cloud.tencent.com/document/api/214/30686
-	listenerIds := make([]string, 0)
-	describeListenersReq := tcClb.NewDescribeListenersRequest()
-	describeListenersReq.LoadBalancerId = common.StringPtr(d.config.LoadbalancerId)
-	describeListenersResp, err := d.sdkClients.clb.DescribeListeners(describeListenersReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'clb.DescribeListeners'")
-	} else {
-		if describeListenersResp.Response.Listeners != nil {
-			for _, listener := range describeListenersResp.Response.Listeners {
-				if listener.Protocol == nil || (*listener.Protocol != "HTTPS" && *listener.Protocol != "TCP_SSL" && *listener.Protocol != "QUIC") {
-					continue
-				}
-
-				listenerIds = append(listenerIds, *listener.ListenerId)
-			}
-		}
-	}
-
-	d.logger.Logt("已查询到负载均衡器下的监听器", listenerIds)
-
-	// 遍历更新监听器证书
-	if len(listenerIds) == 0 {
-		return errors.New("listener not found")
-	} else {
-		var errs []error
-
-		for _, listenerId := range listenerIds {
-			if err := d.modifyListenerCertificate(ctx, d.config.LoadbalancerId, listenerId, cloudCertId); err != nil {
-				errs = append(errs, err)
-			}
-		}
-
-		if len(errs) > 0 {
-			return errors.Join(errs...)
-		}
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 更新监听器证书
-	if err := d.modifyListenerCertificate(ctx, d.config.LoadbalancerId, d.config.ListenerId, cloudCertId); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (d *DeployerProvider) deployToRuleDomain(ctx context.Context, cloudCertId string) error {
-	if d.config.LoadbalancerId == "" {
-		return errors.New("config `loadbalancerId` is required")
-	}
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-	if d.config.Domain == "" {
-		return errors.New("config `domain` is required")
-	}
-
-	// 修改负载均衡七层监听器转发规则的域名级别属性
-	// REF: https://cloud.tencent.com/document/api/214/38092
-	modifyDomainAttributesReq := tcClb.NewModifyDomainAttributesRequest()
-	modifyDomainAttributesReq.LoadBalancerId = common.StringPtr(d.config.LoadbalancerId)
-	modifyDomainAttributesReq.ListenerId = common.StringPtr(d.config.ListenerId)
-	modifyDomainAttributesReq.Domain = common.StringPtr(d.config.Domain)
-	modifyDomainAttributesReq.Certificate = &tcClb.CertificateInput{
-		SSLMode: common.StringPtr("UNIDIRECTIONAL"),
-		CertId:  common.StringPtr(cloudCertId),
-	}
-	modifyDomainAttributesResp, err := d.sdkClients.clb.ModifyDomainAttributes(modifyDomainAttributesReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'clb.ModifyDomainAttributes'")
-	}
-
-	d.logger.Logt("已修改七层监听器转发规则的域名级别属性", modifyDomainAttributesResp.Response)
-
-	return nil
-}
-
-func (d *DeployerProvider) modifyListenerCertificate(ctx context.Context, cloudLoadbalancerId, cloudListenerId, cloudCertId string) error {
-	// 查询监听器列表
-	// REF: https://cloud.tencent.com/document/api/214/30686
-	describeListenersReq := tcClb.NewDescribeListenersRequest()
-	describeListenersReq.LoadBalancerId = common.StringPtr(cloudLoadbalancerId)
-	describeListenersReq.ListenerIds = common.StringPtrs([]string{cloudListenerId})
-	describeListenersResp, err := d.sdkClients.clb.DescribeListeners(describeListenersReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'clb.DescribeListeners'")
-	}
-	if len(describeListenersResp.Response.Listeners) == 0 {
-		return errors.New("listener not found")
-	}
-
-	d.logger.Logt("已查询到监听器属性", describeListenersResp.Response)
-
-	// 修改监听器属性
-	// REF: https://cloud.tencent.com/document/product/214/30681
-	modifyListenerReq := tcClb.NewModifyListenerRequest()
-	modifyListenerReq.LoadBalancerId = common.StringPtr(cloudLoadbalancerId)
-	modifyListenerReq.ListenerId = common.StringPtr(cloudListenerId)
-	modifyListenerReq.Certificate = &tcClb.CertificateInput{CertId: common.StringPtr(cloudCertId)}
-	if describeListenersResp.Response.Listeners[0].Certificate != nil && describeListenersResp.Response.Listeners[0].Certificate.SSLMode != nil {
-		modifyListenerReq.Certificate.SSLMode = describeListenersResp.Response.Listeners[0].Certificate.SSLMode
-		modifyListenerReq.Certificate.CertCaId = describeListenersResp.Response.Listeners[0].Certificate.CertCaId
-	} else {
-		modifyListenerReq.Certificate.SSLMode = common.StringPtr("UNIDIRECTIONAL")
-	}
-	modifyListenerResp, err := d.sdkClients.clb.ModifyListener(modifyListenerReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'clb.ModifyListener'")
-	}
-
-	d.logger.Logt("已修改监听器属性", modifyListenerResp.Response)
-
-	return nil
-}
-
-func createSdkClients(secretId, secretKey, region string) (*wSdkClients, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	// 注意虽然官方文档中地域无需指定，但实际需要部署到 CLB 时必传
-	sslClient, err := tcSsl.NewClient(credential, region, profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	clbClient, err := tcClb.NewClient(credential, region, profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return &wSdkClients{
-		ssl: sslClient,
-		clb: clbClient,
-	}, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-cos/tencentcloud_cos.go
@@ -1,113 +0,0 @@
-package tencentcloudcos
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 腾讯云地域。
-	Region string `json:"region"`
-	// 存储桶名。
-	Bucket string `json:"bucket"`
-	// 自定义域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *tcSsl.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.SecretId, config.SecretKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.Bucket == "" {
-		return nil, errors.New("config `bucket` is required")
-	}
-	if d.config.Domain == "" {
-		return nil, errors.New("config `domain` is required")
-	}
-
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 证书部署到 COS 实例
-	// REF: https://cloud.tencent.com/document/product/400/91667
-	deployCertificateInstanceReq := tcSsl.NewDeployCertificateInstanceRequest()
-	deployCertificateInstanceReq.CertificateId = common.StringPtr(upres.CertId)
-	deployCertificateInstanceReq.ResourceType = common.StringPtr("cos")
-	deployCertificateInstanceReq.Status = common.Int64Ptr(1)
-	deployCertificateInstanceReq.InstanceIdList = common.StringPtrs([]string{fmt.Sprintf("%s#%s#%s", d.config.Region, d.config.Bucket, d.config.Domain)})
-	deployCertificateInstanceResp, err := d.sdkClient.DeployCertificateInstance(deployCertificateInstanceReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'ssl.DeployCertificateInstance'")
-	}
-
-	d.logger.Logt("已部署证书到云资源实例", deployCertificateInstanceResp.Response)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(secretId, secretKey, region string) (*tcSsl.Client, error) {
-	credential := common.NewCredential(secretId, secretKey)
-	client, err := tcSsl.NewClient(credential, region, profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-css/tencentcloud_css.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-css/tencentcloud_css.go
@@ -1,105 +0,0 @@
-package tencentcloudcss
-
-import (
-	"context"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcLive "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/live/v20180801"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 直播播放域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *tcLive.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.SecretId, config.SecretKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 绑定证书对应的播放域名
-	// REF: https://cloud.tencent.com/document/product/267/78655
-	modifyLiveDomainCertBindingsReq := &tcLive.ModifyLiveDomainCertBindingsRequest{
-		DomainInfos: []*tcLive.LiveCertDomainInfo{
-			{
-				DomainName: common.StringPtr(d.config.Domain),
-				Status:     common.Int64Ptr(1),
-			},
-		},
-		CloudCertId: common.StringPtr(upres.CertId),
-	}
-	modifyLiveDomainCertBindingsResp, err := d.sdkClient.ModifyLiveDomainCertBindings(modifyLiveDomainCertBindingsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.ModifyLiveDomainCertBindings'")
-	}
-
-	d.logger.Logt("已部署证书到云资源实例", modifyLiveDomainCertBindingsResp.Response)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(secretId, secretKey string) (*tcLive.Client, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	client, err := tcLive.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-ecdn/tencentcloud_ecdn.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-ecdn/tencentcloud_ecdn.go
@@ -1,155 +0,0 @@
-package tencentcloudecdn
-
-import (
-	"context"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	tcCdn "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/cdn/v20180606"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClients  *wSdkClients
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-type wSdkClients struct {
-	ssl *tcSsl.Client
-	cdn *tcCdn.Client
-}
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	clients, err := createSdkClients(config.SecretId, config.SecretKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClients:  clients,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 获取待部署的 CDN 实例
-	// 如果是泛域名，根据证书匹配 CDN 实例
-	instanceIds := make([]string, 0)
-	if strings.HasPrefix(d.config.Domain, "*.") {
-		domains, err := d.getDomainsByCertificateId(upres.CertId)
-		if err != nil {
-			return nil, err
-		}
-
-		instanceIds = domains
-	} else {
-		instanceIds = append(instanceIds, d.config.Domain)
-	}
-
-	if len(instanceIds) == 0 {
-		d.logger.Logt("已部署过或没有要部署的 ECDN 实例")
-	} else {
-		// 证书部署到 ECDN 实例
-		// REF: https://cloud.tencent.com/document/product/400/91667
-		deployCertificateInstanceReq := tcSsl.NewDeployCertificateInstanceRequest()
-		deployCertificateInstanceReq.CertificateId = common.StringPtr(upres.CertId)
-		deployCertificateInstanceReq.ResourceType = common.StringPtr("ecdn")
-		deployCertificateInstanceReq.Status = common.Int64Ptr(1)
-		deployCertificateInstanceReq.InstanceIdList = common.StringPtrs(instanceIds)
-		deployCertificateInstanceResp, err := d.sdkClients.ssl.DeployCertificateInstance(deployCertificateInstanceReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'ssl.DeployCertificateInstance'")
-		}
-
-		d.logger.Logt("已部署证书到云资源实例", deployCertificateInstanceResp.Response)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) getDomainsByCertificateId(cloudCertId string) ([]string, error) {
-	// 获取证书中的可用域名
-	// REF: https://cloud.tencent.com/document/product/228/42491
-	describeCertDomainsReq := tcCdn.NewDescribeCertDomainsRequest()
-	describeCertDomainsReq.CertId = common.StringPtr(cloudCertId)
-	describeCertDomainsReq.Product = common.StringPtr("ecdn")
-	describeCertDomainsResp, err := d.sdkClients.cdn.DescribeCertDomains(describeCertDomainsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.DescribeCertDomains'")
-	}
-
-	domains := make([]string, 0)
-	if describeCertDomainsResp.Response.Domains != nil {
-		for _, domain := range describeCertDomainsResp.Response.Domains {
-			domains = append(domains, *domain)
-		}
-	}
-
-	return domains, nil
-}
-
-func createSdkClients(secretId, secretKey string) (*wSdkClients, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	sslClient, err := tcSsl.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	cdnClient, err := tcCdn.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return &wSdkClients{
-		ssl: sslClient,
-		cdn: cdnClient,
-	}, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-eo/tencentcloud_eo.go
@@ -1,122 +0,0 @@
-package tencentcloudeo
-
-import (
-	"context"
-	"errors"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-	tcTeo "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/teo/v20220901"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 站点 ID。
-	ZoneId string `json:"zoneId"`
-	// 加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClients  *wSdkClients
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-type wSdkClients struct {
-	ssl *tcSsl.Client
-	teo *tcTeo.Client
-}
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	clients, err := createSdkClients(config.SecretId, config.SecretKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClients:  clients,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.ZoneId == "" {
-		return nil, errors.New("config `zoneId` is required")
-	}
-
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 配置域名证书
-	// REF: https://cloud.tencent.com/document/product/1552/80764
-	modifyHostsCertificateReq := tcTeo.NewModifyHostsCertificateRequest()
-	modifyHostsCertificateReq.ZoneId = common.StringPtr(d.config.ZoneId)
-	modifyHostsCertificateReq.Mode = common.StringPtr("sslcert")
-	modifyHostsCertificateReq.Hosts = common.StringPtrs([]string{d.config.Domain})
-	modifyHostsCertificateReq.ServerCertInfo = []*tcTeo.ServerCertInfo{{CertId: common.StringPtr(upres.CertId)}}
-	modifyHostsCertificateResp, err := d.sdkClients.teo.ModifyHostsCertificate(modifyHostsCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'teo.ModifyHostsCertificate'")
-	}
-
-	d.logger.Logt("已配置域名证书", modifyHostsCertificateResp.Response)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClients(secretId, secretKey string) (*wSdkClients, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	sslClient, err := tcSsl.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	teoClient, err := tcTeo.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return &wSdkClients{
-		ssl: sslClient,
-		teo: teoClient,
-	}, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-ssl-deploy/tencentcloud_ssl_deploy.go
@@ -1,153 +0,0 @@
-package tencentcloudssldeploy
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcSsl "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/ssl/v20191205"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 腾讯云地域。
-	Region string `json:"region"`
-	// 腾讯云云资源类型。
-	ResourceType string `json:"resourceType"`
-	// 腾讯云云资源 ID 数组。
-	ResourceIds []string `json:"resourceIds"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *tcSsl.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.SecretId, config.SecretKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.ResourceType == "" {
-		return nil, errors.New("config `resourceType` is required")
-	}
-	if len(d.config.ResourceIds) == 0 {
-		return nil, errors.New("config `resourceIds` is required")
-	}
-
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 证书部署到云资源实例列表
-	// REF: https://cloud.tencent.com/document/product/400/91667
-	deployCertificateInstanceReq := tcSsl.NewDeployCertificateInstanceRequest()
-	deployCertificateInstanceReq.CertificateId = common.StringPtr(upres.CertId)
-	deployCertificateInstanceReq.ResourceType = common.StringPtr(d.config.ResourceType)
-	deployCertificateInstanceReq.InstanceIdList = common.StringPtrs(d.config.ResourceIds)
-	deployCertificateInstanceReq.Status = common.Int64Ptr(1)
-	deployCertificateInstanceResp, err := d.sdkClient.DeployCertificateInstance(deployCertificateInstanceReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'ssl.DeployCertificateInstance'")
-	} else if deployCertificateInstanceResp.Response == nil || deployCertificateInstanceResp.Response.DeployRecordId == nil {
-		return nil, errors.New("failed to create deploy record")
-	}
-
-	d.logger.Logt("已部署证书到云资源实例", deployCertificateInstanceResp.Response)
-
-	// 循环获取部署任务详情，等待任务状态变更
-	// REF: https://cloud.tencent.com.cn/document/api/400/91658
-	for {
-		if ctx.Err() != nil {
-			return nil, ctx.Err()
-		}
-
-		describeHostDeployRecordDetailReq := tcSsl.NewDescribeHostDeployRecordDetailRequest()
-		describeHostDeployRecordDetailReq.DeployRecordId = common.StringPtr(fmt.Sprintf("%d", *deployCertificateInstanceResp.Response.DeployRecordId))
-		describeHostDeployRecordDetailReq.Limit = common.Uint64Ptr(100)
-		describeHostDeployRecordDetailResp, err := d.sdkClient.DescribeHostDeployRecordDetail(describeHostDeployRecordDetailReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'ssl.DescribeHostDeployRecordDetail'")
-		}
-
-		if describeHostDeployRecordDetailResp.Response.TotalCount == nil {
-			return nil, errors.New("部署任务状态异常")
-		} else {
-			acc := int64(0)
-			if describeHostDeployRecordDetailResp.Response.SuccessTotalCount != nil {
-				acc += *describeHostDeployRecordDetailResp.Response.SuccessTotalCount
-			}
-			if describeHostDeployRecordDetailResp.Response.FailedTotalCount != nil {
-				acc += *describeHostDeployRecordDetailResp.Response.FailedTotalCount
-			}
-
-			if acc == *describeHostDeployRecordDetailResp.Response.TotalCount {
-				d.logger.Logt("已获取部署任务详情", describeHostDeployRecordDetailResp)
-				break
-			}
-		}
-
-		d.logger.Logt("部署任务未完成 ...")
-		time.Sleep(time.Second * 5)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(secretId, secretKey, region string) (*tcSsl.Client, error) {
-	credential := common.NewCredential(secretId, secretKey)
-
-	client, err := tcSsl.NewClient(credential, region, profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-vod/tencentcloud_vod.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-vod/tencentcloud_vod.go
@@ -1,104 +0,0 @@
-package tencentcloudvod
-
-import (
-	"context"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcVod "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/vod/v20180717"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 点播应用 ID。
-	SubAppId int64 `json:"subAppId"`
-	// 点播加速域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *tcVod.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.SecretId, config.SecretKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 设置点播域名 HTTPS 证书
-	// REF: https://cloud.tencent.com/document/api/266/102015
-	setVodDomainCertificateReq := tcVod.NewSetVodDomainCertificateRequest()
-	setVodDomainCertificateReq.Domain = common.StringPtr(d.config.Domain)
-	setVodDomainCertificateReq.Operation = common.StringPtr("Set")
-	setVodDomainCertificateReq.CertID = common.StringPtr(upres.CertId)
-	if d.config.SubAppId != 0 {
-		setVodDomainCertificateReq.SubAppId = common.Uint64Ptr(uint64(d.config.SubAppId))
-	}
-	setVodDomainCertificateResp, err := d.sdkClient.SetVodDomainCertificate(setVodDomainCertificateReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'vod.SetVodDomainCertificate'")
-	} else {
-		d.logger.Logt("已设置点播域名 HTTPS 证书", setVodDomainCertificateResp.Response)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(secretId, secretKey string) (*tcVod.Client, error) {
-	credential := common.NewCredential(secretId, secretKey)
-	client, err := tcVod.NewClient(credential, "", profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf.go
+++ b/internal/pkg/core/deployer/providers/tencentcloud-waf/tencentcloud_waf.go
@@ -1,131 +0,0 @@
-package tencentcloudwaf
-
-import (
-	"context"
-	"errors"
-
-	xerrors "github.com/pkg/errors"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common"
-	"github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common/profile"
-	tcWaf "github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/waf/v20180125"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/tencentcloud-ssl"
-)
-
-type DeployerConfig struct {
-	// 腾讯云 SecretId。
-	SecretId string `json:"secretId"`
-	// 腾讯云 SecretKey。
-	SecretKey string `json:"secretKey"`
-	// 腾讯云地域。
-	Region string `json:"region"`
-	// 防护域名（不支持泛域名）。
-	Domain string `json:"domain"`
-	// 防护域名 ID。
-	DomainId string `json:"domainId"`
-	// 防护域名所属实例 ID。
-	InstanceId string `json:"instanceId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *tcWaf.Client
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.SecretId, config.SecretKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk clients")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		SecretId:  config.SecretId,
-		SecretKey: config.SecretKey,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.Domain == "" {
-		return nil, errors.New("config `domain` is required")
-	}
-	if d.config.DomainId == "" {
-		return nil, errors.New("config `domainId` is required")
-	}
-	if d.config.InstanceId == "" {
-		return nil, errors.New("config `instanceId` is required")
-	}
-
-	// 上传证书到 SSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 查询单个 SaaS 型 WAF 域名详情
-	// REF: https://cloud.tencent.com/document/api/627/82938
-	describeDomainDetailsSaasReq := tcWaf.NewDescribeDomainDetailsSaasRequest()
-	describeDomainDetailsSaasReq.Domain = common.StringPtr(d.config.Domain)
-	describeDomainDetailsSaasReq.DomainId = common.StringPtr(d.config.DomainId)
-	describeDomainDetailsSaasReq.InstanceId = common.StringPtr(d.config.InstanceId)
-	describeDomainDetailsSaasResp, err := d.sdkClient.DescribeDomainDetailsSaas(describeDomainDetailsSaasReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.DescribeDomainDetailsSaas'")
-	} else {
-		d.logger.Logt("已查询到 SaaS 型 WAF 域名详情", describeDomainDetailsSaasResp.Response)
-	}
-
-	// 编辑 SaaS 型 WAF 域名
-	// REF: https://cloud.tencent.com/document/api/627/94309
-	modifySpartaProtectionReq := tcWaf.NewModifySpartaProtectionRequest()
-	modifySpartaProtectionReq.Domain = common.StringPtr(d.config.Domain)
-	modifySpartaProtectionReq.DomainId = common.StringPtr(d.config.DomainId)
-	modifySpartaProtectionReq.InstanceID = common.StringPtr(d.config.InstanceId)
-	modifySpartaProtectionReq.CertType = common.Int64Ptr(2)
-	modifySpartaProtectionReq.SSLId = common.StringPtr(upres.CertId)
-	modifySpartaProtectionResp, err := d.sdkClient.ModifySpartaProtection(modifySpartaProtectionReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'waf.ModifySpartaProtection'")
-	} else {
-		d.logger.Logt("已编辑 SaaS 型 WAF 域名", modifySpartaProtectionResp.Response)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(secretId, secretKey, region string) (*tcWaf.Client, error) {
-	credential := common.NewCredential(secretId, secretKey)
-	client, err := tcWaf.NewClient(credential, region, profile.NewClientProfile())
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/ucloud-ucdn/ucloud_ucdn.go
+++ b/internal/pkg/core/deployer/providers/ucloud-ucdn/ucloud_ucdn.go
@@ -1,129 +0,0 @@
-package uclouducdn
-
-import (
-	"context"
-	"errors"
-	"strconv"
-
-	xerrors "github.com/pkg/errors"
-	uCdn "github.com/ucloud/ucloud-sdk-go/services/ucdn"
-	usdk "github.com/ucloud/ucloud-sdk-go/ucloud"
-	uAuth "github.com/ucloud/ucloud-sdk-go/ucloud/auth"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/ucloud-ussl"
-)
-
-type DeployerConfig struct {
-	// 优刻得 API 私钥。
-	PrivateKey string `json:"privateKey"`
-	// 优刻得 API 公钥。
-	PublicKey string `json:"publicKey"`
-	// 优刻得项目 ID。
-	ProjectId string `json:"projectId,omitempty"`
-	// 加速域名 ID。
-	DomainId string `json:"domainId"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *uCdn.UCDNClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.PrivateKey, config.PublicKey)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		PrivateKey: config.PrivateKey,
-		PublicKey:  config.PublicKey,
-		ProjectId:  config.ProjectId,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 USSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 获取加速域名配置
-	// REF: https://docs.ucloud.cn/api/ucdn-api/get_ucdn_domain_config
-	getUcdnDomainConfigReq := d.sdkClient.NewGetUcdnDomainConfigRequest()
-	getUcdnDomainConfigReq.DomainId = []string{d.config.DomainId}
-	if d.config.ProjectId != "" {
-		getUcdnDomainConfigReq.ProjectId = usdk.String(d.config.ProjectId)
-	}
-	getUcdnDomainConfigResp, err := d.sdkClient.GetUcdnDomainConfig(getUcdnDomainConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'ucdn.GetUcdnDomainConfig'")
-	} else if len(getUcdnDomainConfigResp.DomainList) == 0 {
-		return nil, errors.New("no domain found")
-	}
-
-	d.logger.Logt("已查询到加速域名配置", getUcdnDomainConfigResp)
-
-	// 更新 HTTPS 加速配置
-	// REF: https://docs.ucloud.cn/api/ucdn-api/update_ucdn_domain_https_config_v2
-	certId, _ := strconv.Atoi(upres.CertId)
-	updateUcdnDomainHttpsConfigV2Req := d.sdkClient.NewUpdateUcdnDomainHttpsConfigV2Request()
-	updateUcdnDomainHttpsConfigV2Req.DomainId = usdk.String(d.config.DomainId)
-	updateUcdnDomainHttpsConfigV2Req.HttpsStatusCn = usdk.String(getUcdnDomainConfigResp.DomainList[0].HttpsStatusCn)
-	updateUcdnDomainHttpsConfigV2Req.HttpsStatusAbroad = usdk.String(getUcdnDomainConfigResp.DomainList[0].HttpsStatusAbroad)
-	updateUcdnDomainHttpsConfigV2Req.HttpsStatusAbroad = usdk.String(getUcdnDomainConfigResp.DomainList[0].HttpsStatusAbroad)
-	updateUcdnDomainHttpsConfigV2Req.CertId = usdk.Int(certId)
-	updateUcdnDomainHttpsConfigV2Req.CertName = usdk.String(upres.CertName)
-	updateUcdnDomainHttpsConfigV2Req.CertType = usdk.String("ussl")
-	if d.config.ProjectId != "" {
-		updateUcdnDomainHttpsConfigV2Req.ProjectId = usdk.String(d.config.ProjectId)
-	}
-	updateUcdnDomainHttpsConfigV2Resp, err := d.sdkClient.UpdateUcdnDomainHttpsConfigV2(updateUcdnDomainHttpsConfigV2Req)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'ucdn.UpdateUcdnDomainHttpsConfigV2'")
-	}
-
-	d.logger.Logt("已更新 HTTPS 加速配置", updateUcdnDomainHttpsConfigV2Resp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(privateKey, publicKey string) (*uCdn.UCDNClient, error) {
-	cfg := usdk.NewConfig()
-
-	credential := uAuth.NewCredential()
-	credential.PrivateKey = privateKey
-	credential.PublicKey = publicKey
-
-	client := uCdn.NewClient(&cfg, &credential)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/ucloud-us3/ucloud_us3.go
+++ b/internal/pkg/core/deployer/providers/ucloud-us3/ucloud_us3.go
@@ -1,112 +0,0 @@
-package ucloudus3
-
-import (
-	"context"
-
-	xerrors "github.com/pkg/errors"
-	usdk "github.com/ucloud/ucloud-sdk-go/ucloud"
-	uAuth "github.com/ucloud/ucloud-sdk-go/ucloud/auth"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/ucloud-ussl"
-	usdkFile "github.com/usual2970/certimate/internal/pkg/vendors/ucloud-sdk/ufile"
-)
-
-type DeployerConfig struct {
-	// 优刻得 API 私钥。
-	PrivateKey string `json:"privateKey"`
-	// 优刻得 API 公钥。
-	PublicKey string `json:"publicKey"`
-	// 优刻得项目 ID。
-	ProjectId string `json:"projectId,omitempty"`
-	// 优刻得地域。
-	Region string `json:"region"`
-	// 存储桶名。
-	Bucket string `json:"bucket"`
-	// 自定义域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *usdkFile.UFileClient
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.PrivateKey, config.PublicKey, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		PrivateKey: config.PrivateKey,
-		PublicKey:  config.PublicKey,
-		ProjectId:  config.ProjectId,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 USSL
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 添加 SSL 证书
-	// REF: https://docs.ucloud.cn/api/ufile-api/add_ufile_ssl_cert
-	addUFileSSLCertReq := d.sdkClient.NewAddUFileSSLCertRequest()
-	addUFileSSLCertReq.BucketName = usdk.String(d.config.Bucket)
-	addUFileSSLCertReq.Domain = usdk.String(d.config.Domain)
-	addUFileSSLCertReq.USSLId = usdk.String(upres.CertId)
-	addUFileSSLCertReq.CertificateName = usdk.String(upres.CertName)
-	if d.config.ProjectId != "" {
-		addUFileSSLCertReq.ProjectId = usdk.String(d.config.ProjectId)
-	}
-	addUFileSSLCertResp, err := d.sdkClient.AddUFileSSLCert(addUFileSSLCertReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'ucdn.AddUFileSSLCert'")
-	}
-
-	d.logger.Logt("添加 SSL 证书", addUFileSSLCertResp)
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(privateKey, publicKey, region string) (*usdkFile.UFileClient, error) {
-	cfg := usdk.NewConfig()
-	cfg.Region = region
-
-	credential := uAuth.NewCredential()
-	credential.PrivateKey = privateKey
-	credential.PublicKey = publicKey
-
-	client := usdkFile.NewClient(&cfg, &credential)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-cdn/volcengine_cdn.go
+++ b/internal/pkg/core/deployer/providers/volcengine-cdn/volcengine_cdn.go
@@ -1,134 +0,0 @@
-package volcenginecdn
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	veCdn "github.com/volcengine/volc-sdk-golang/service/cdn"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-cdn"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veCdn.CDN
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := veCdn.NewInstance()
-	client.Client.SetAccessKey(config.AccessKeyId)
-	client.Client.SetSecretKey(config.AccessKeySecret)
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 CDN
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	domains := make([]string, 0)
-	if strings.HasPrefix(d.config.Domain, "*.") {
-		// 获取指定证书可关联的域名
-		// REF: https://www.volcengine.com/docs/6454/125711
-		describeCertConfigReq := &veCdn.DescribeCertConfigRequest{
-			CertId: upres.CertId,
-		}
-		describeCertConfigResp, err := d.sdkClient.DescribeCertConfig(describeCertConfigReq)
-		if err != nil {
-			return nil, xerrors.Wrap(err, "failed to execute sdk request 'cdn.DescribeCertConfig'")
-		}
-
-		if describeCertConfigResp.Result.CertNotConfig != nil {
-			for i := range describeCertConfigResp.Result.CertNotConfig {
-				domains = append(domains, describeCertConfigResp.Result.CertNotConfig[i].Domain)
-			}
-		}
-
-		if describeCertConfigResp.Result.OtherCertConfig != nil {
-			for i := range describeCertConfigResp.Result.OtherCertConfig {
-				domains = append(domains, describeCertConfigResp.Result.OtherCertConfig[i].Domain)
-			}
-		}
-
-		if len(domains) == 0 {
-			if len(describeCertConfigResp.Result.SpecifiedCertConfig) > 0 {
-				// 所有可关联的域名都配置了该证书，跳过部署
-			} else {
-				return nil, errors.New("domain not found")
-			}
-		}
-	} else {
-		domains = append(domains, d.config.Domain)
-	}
-
-	if len(domains) > 0 {
-		var errs []error
-
-		for _, domain := range domains {
-			// 关联证书与加速域名
-			// REF: https://www.volcengine.com/docs/6454/125712
-			batchDeployCertReq := &veCdn.BatchDeployCertRequest{
-				CertId: upres.CertId,
-				Domain: domain,
-			}
-			batchDeployCertResp, err := d.sdkClient.BatchDeployCert(batchDeployCertReq)
-			if err != nil {
-				errs = append(errs, err)
-			} else {
-				d.logger.Logt(fmt.Sprintf("已关联证书到域名 %s", domain), batchDeployCertResp)
-			}
-		}
-
-		if len(errs) > 0 {
-			return nil, errors.Join(errs...)
-		}
-	}
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-clb/volcengine_clb.go
+++ b/internal/pkg/core/deployer/providers/volcengine-clb/volcengine_clb.go
@@ -1,129 +0,0 @@
-package volcengineclb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	xerrors "github.com/pkg/errors"
-	veClb "github.com/volcengine/volcengine-go-sdk/service/clb"
-	ve "github.com/volcengine/volcengine-go-sdk/volcengine"
-	veSession "github.com/volcengine/volcengine-go-sdk/volcengine/session"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-certcenter"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 火山引擎地域。
-	Region string `json:"region"`
-	// 部署资源类型。
-	ResourceType ResourceType `json:"resourceType"`
-	// 负载均衡监听器 ID。
-	// 部署资源类型为 [RESOURCE_TYPE_LISTENER] 时必填。
-	ListenerId string `json:"listenerId,omitempty"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veClb.CLB
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到证书中心
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 根据部署资源类型决定部署方式
-	switch d.config.ResourceType {
-	case RESOURCE_TYPE_LISTENER:
-		if err := d.deployToListener(ctx, upres.CertId); err != nil {
-			return nil, err
-		}
-
-	default:
-		return nil, fmt.Errorf("unsupported resource type: %s", d.config.ResourceType)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func (d *DeployerProvider) deployToListener(ctx context.Context, cloudCertId string) error {
-	if d.config.ListenerId == "" {
-		return errors.New("config `listenerId` is required")
-	}
-
-	// 修改监听器
-	// REF: https://www.volcengine.com/docs/6406/71775
-	modifyListenerAttributesReq := &veClb.ModifyListenerAttributesInput{
-		ListenerId:              ve.String(d.config.ListenerId),
-		CertificateSource:       ve.String("cert_center"),
-		CertCenterCertificateId: ve.String(cloudCertId),
-	}
-	modifyListenerAttributesResp, err := d.sdkClient.ModifyListenerAttributes(modifyListenerAttributesReq)
-	if err != nil {
-		return xerrors.Wrap(err, "failed to execute sdk request 'clb.ModifyListenerAttributes'")
-	} else {
-		d.logger.Logt("已修改监听器", modifyListenerAttributesResp)
-	}
-
-	return nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*veClb.CLB, error) {
-	config := ve.NewConfig().WithRegion(region).WithAkSk(accessKeyId, accessKeySecret)
-
-	session, err := veSession.NewSession(config)
-	if err != nil {
-		return nil, err
-	}
-
-	client := veClb.New(session)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-dcdn/volcengine_dcdn.go
+++ b/internal/pkg/core/deployer/providers/volcengine-dcdn/volcengine_dcdn.go
@@ -1,113 +0,0 @@
-package volcenginedcdn
-
-import (
-	"context"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	veDcdn "github.com/volcengine/volcengine-go-sdk/service/dcdn"
-	ve "github.com/volcengine/volcengine-go-sdk/volcengine"
-	veSession "github.com/volcengine/volcengine-go-sdk/volcengine/session"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-certcenter"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 火山引擎地域。
-	Region string `json:"region"`
-	// 加速域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veDcdn.DCDN
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到证书中心
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// "*.example.com" → ".example.com"，适配火山引擎 DCDN 要求的泛域名格式
-	domain := strings.TrimPrefix(d.config.Domain, "*")
-
-	// 绑定证书
-	// REF: https://www.volcengine.com/docs/6559/1250189
-	createCertBindReq := &veDcdn.CreateCertBindInput{
-		CertSource:  ve.String("volc"),
-		CertId:      ve.String(upres.CertId),
-		DomainNames: ve.StringSlice([]string{domain}),
-	}
-	createCertBindResp, err := d.sdkClient.CreateCertBind(createCertBindReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'dcdn.CreateCertBind'")
-	} else {
-		d.logger.Logt("已绑定证书", createCertBindResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*veDcdn.DCDN, error) {
-	if region == "" {
-		region = "cn-beijing" // DCDN 服务默认区域：北京
-	}
-
-	config := ve.NewConfig().WithRegion(region).WithAkSk(accessKeyId, accessKeySecret)
-
-	session, err := veSession.NewSession(config)
-	if err != nil {
-		return nil, err
-	}
-
-	client := veDcdn.New(session)
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-imagex/volcengine_imagex.go
+++ b/internal/pkg/core/deployer/providers/volcengine-imagex/volcengine_imagex.go
@@ -1,144 +0,0 @@
-package volcengineimagex
-
-import (
-	"context"
-	"errors"
-
-	xerrors "github.com/pkg/errors"
-	veBase "github.com/volcengine/volc-sdk-golang/base"
-	veImageX "github.com/volcengine/volc-sdk-golang/service/imagex/v2"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-certcenter"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 火山引擎地域。
-	Region string `json:"region"`
-	// 服务 ID。
-	ServiceId string `json:"serviceId"`
-	// 自定义域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veImageX.Imagex
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.ServiceId == "" {
-		return nil, errors.New("config `serviceId` is required")
-	}
-	if d.config.Domain == "" {
-		return nil, errors.New("config `domain` is required")
-	}
-
-	// 上传证书到证书中心
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	} else {
-		d.logger.Logt("certificate file uploaded", upres)
-	}
-
-	// 获取域名配置
-	// REF: https://www.volcengine.com/docs/508/9366
-	getDomainConfigReq := &veImageX.GetDomainConfigQuery{
-		ServiceID:  d.config.ServiceId,
-		DomainName: d.config.Domain,
-	}
-	getDomainConfigResp, err := d.sdkClient.GetDomainConfig(context.TODO(), getDomainConfigReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'imagex.GetDomainConfig'")
-	} else {
-		d.logger.Logt("已获取域名配置", getDomainConfigResp)
-	}
-
-	// 更新 HTTPS 配置
-	// REF: https://www.volcengine.com/docs/508/66012
-	updateHttpsReq := &veImageX.UpdateHTTPSReq{
-		UpdateHTTPSQuery: &veImageX.UpdateHTTPSQuery{
-			ServiceID: d.config.ServiceId,
-		},
-		UpdateHTTPSBody: &veImageX.UpdateHTTPSBody{
-			Domain: getDomainConfigResp.Result.Domain,
-			HTTPS: &veImageX.UpdateHTTPSBodyHTTPS{
-				CertID:              upres.CertId,
-				EnableHTTP2:         getDomainConfigResp.Result.HTTPSConfig.EnableHTTP2,
-				EnableHTTPS:         getDomainConfigResp.Result.HTTPSConfig.EnableHTTPS,
-				EnableOcsp:          getDomainConfigResp.Result.HTTPSConfig.EnableOcsp,
-				TLSVersions:         getDomainConfigResp.Result.HTTPSConfig.TLSVersions,
-				EnableForceRedirect: getDomainConfigResp.Result.HTTPSConfig.EnableForceRedirect,
-				ForceRedirectType:   getDomainConfigResp.Result.HTTPSConfig.ForceRedirectType,
-				ForceRedirectCode:   getDomainConfigResp.Result.HTTPSConfig.ForceRedirectCode,
-			},
-		},
-	}
-	updateHttpsResp, err := d.sdkClient.UpdateHTTPS(context.TODO(), updateHttpsReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'imagex.UpdateHttps'")
-	} else {
-		d.logger.Logt("已更新 HTTPS 配置", updateHttpsResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*veImageX.Imagex, error) {
-	var instance *veImageX.Imagex
-	if region == "" {
-		instance = veImageX.NewInstance()
-	} else {
-		instance = veImageX.NewInstanceWithRegion(region)
-	}
-
-	instance.SetCredential(veBase.Credentials{
-		AccessKeyID:     accessKeyId,
-		SecretAccessKey: accessKeySecret,
-	})
-
-	return instance, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-live/volcengine_live.go
+++ b/internal/pkg/core/deployer/providers/volcengine-live/volcengine_live.go
@@ -1,144 +0,0 @@
-package volcenginelive
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	xerrors "github.com/pkg/errors"
-	veLive "github.com/volcengine/volc-sdk-golang/service/live/v20230101"
-	ve "github.com/volcengine/volcengine-go-sdk/volcengine"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-live"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 直播流域名（支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veLive.Live
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := veLive.NewInstance()
-	client.SetAccessKey(config.AccessKeyId)
-	client.SetSecretKey(config.AccessKeySecret)
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	// 上传证书到 Live
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	domains := make([]string, 0)
-	if strings.HasPrefix(d.config.Domain, "*.") {
-		listDomainDetailPageNum := int32(1)
-		listDomainDetailPageSize := int32(1000)
-		listDomainDetailTotal := 0
-		for {
-			// 查询域名列表
-			// REF: https://www.volcengine.com/docs/6469/1186277#%E6%9F%A5%E8%AF%A2%E5%9F%9F%E5%90%8D%E5%88%97%E8%A1%A8
-			listDomainDetailReq := &veLive.ListDomainDetailBody{
-				PageNum:  listDomainDetailPageNum,
-				PageSize: listDomainDetailPageSize,
-			}
-			listDomainDetailResp, err := d.sdkClient.ListDomainDetail(ctx, listDomainDetailReq)
-			if err != nil {
-				return nil, xerrors.Wrap(err, "failed to execute sdk request 'live.ListDomainDetail'")
-			}
-
-			if listDomainDetailResp.Result.DomainList != nil {
-				for _, item := range listDomainDetailResp.Result.DomainList {
-					// 仅匹配泛域名的下一级子域名
-					wildcardDomain := strings.TrimPrefix(d.config.Domain, "*")
-					if strings.HasSuffix(item.Domain, wildcardDomain) && !strings.Contains(strings.TrimSuffix(item.Domain, wildcardDomain), ".") {
-						domains = append(domains, item.Domain)
-					}
-				}
-			}
-
-			listDomainDetailLen := len(listDomainDetailResp.Result.DomainList)
-			if listDomainDetailLen < int(listDomainDetailPageSize) || int(listDomainDetailResp.Result.Total) <= listDomainDetailTotal+listDomainDetailLen {
-				break
-			} else {
-				listDomainDetailPageNum++
-				listDomainDetailTotal += listDomainDetailLen
-			}
-		}
-
-		if len(domains) == 0 {
-			return nil, xerrors.Errorf("未查询到匹配的域名: %s", d.config.Domain)
-		}
-	} else {
-		domains = append(domains, d.config.Domain)
-	}
-
-	if len(domains) > 0 {
-		var errs []error
-
-		for _, domain := range domains {
-			// 绑定证书
-			// REF: https://www.volcengine.com/docs/6469/1186278#%E7%BB%91%E5%AE%9A%E8%AF%81%E4%B9%A6
-			bindCertReq := &veLive.BindCertBody{
-				ChainID: upres.CertId,
-				Domain:  domain,
-				HTTPS:   ve.Bool(true),
-			}
-			bindCertResp, err := d.sdkClient.BindCert(ctx, bindCertReq)
-			if err != nil {
-				errs = append(errs, err)
-			} else {
-				d.logger.Logt(fmt.Sprintf("已绑定证书到域名 %s", domain), bindCertResp)
-			}
-		}
-
-		if len(errs) > 0 {
-			return nil, errors.Join(errs...)
-		}
-	}
-
-	return &deployer.DeployResult{}, nil
-}
--- a/internal/pkg/core/deployer/providers/volcengine-tos/volcengine_tos.go
+++ b/internal/pkg/core/deployer/providers/volcengine-tos/volcengine_tos.go
@@ -1,119 +0,0 @@
-package volcenginetos
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	xerrors "github.com/pkg/errors"
-	veTos "github.com/volcengine/ve-tos-golang-sdk/v2/tos"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/core/uploader"
-	uploadersp "github.com/usual2970/certimate/internal/pkg/core/uploader/providers/volcengine-certcenter"
-)
-
-type DeployerConfig struct {
-	// 火山引擎 AccessKeyId。
-	AccessKeyId string `json:"accessKeyId"`
-	// 火山引擎 AccessKeySecret。
-	AccessKeySecret string `json:"accessKeySecret"`
-	// 火山引擎地域。
-	Region string `json:"region"`
-	// 存储桶名。
-	Bucket string `json:"bucket"`
-	// 自定义域名（不支持泛域名）。
-	Domain string `json:"domain"`
-}
-
-type DeployerProvider struct {
-	config      *DeployerConfig
-	logger      logger.Logger
-	sdkClient   *veTos.ClientV2
-	sslUploader uploader.Uploader
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client, err := createSdkClient(config.AccessKeyId, config.AccessKeySecret, config.Region)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create sdk client")
-	}
-
-	uploader, err := uploadersp.NewUploader(&uploadersp.UploaderConfig{
-		AccessKeyId:     config.AccessKeyId,
-		AccessKeySecret: config.AccessKeySecret,
-		Region:          config.Region,
-	})
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to create ssl uploader")
-	}
-
-	return &DeployerProvider{
-		config:      config,
-		logger:      logger.NewNilLogger(),
-		sdkClient:   client,
-		sslUploader: uploader,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	if d.config.Bucket == "" {
-		return nil, errors.New("config `bucket` is required")
-	}
-	if d.config.Domain == "" {
-		return nil, errors.New("config `domain` is required")
-	}
-
-	// 上传证书到证书中心
-	upres, err := d.sslUploader.Upload(ctx, certPem, privkeyPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to upload certificate file")
-	}
-
-	d.logger.Logt("certificate file uploaded", upres)
-
-	// 设置自定义域名
-	// REF: https://www.volcengine.com/docs/6559/1250189
-	putBucketCustomDomainReq := &veTos.PutBucketCustomDomainInput{
-		Bucket: d.config.Bucket,
-		Rule: veTos.CustomDomainRule{
-			Domain: d.config.Domain,
-			CertID: upres.CertId,
-		},
-	}
-	putBucketCustomDomainResp, err := d.sdkClient.PutBucketCustomDomain(context.TODO(), putBucketCustomDomainReq)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to execute sdk request 'tos.PutBucketCustomDomain'")
-	} else {
-		d.logger.Logt("已设置自定义域名", putBucketCustomDomainResp)
-	}
-
-	return &deployer.DeployResult{}, nil
-}
-
-func createSdkClient(accessKeyId, accessKeySecret, region string) (*veTos.ClientV2, error) {
-	endpoint := fmt.Sprintf("tos-%s.ivolces.com", region)
-
-	client, err := veTos.NewClientV2(
-		endpoint,
-		veTos.WithRegion(region),
-		veTos.WithCredentials(veTos.NewStaticCredentials(accessKeyId, accessKeySecret)),
-	)
-	if err != nil {
-		return nil, err
-	}
-
-	return client, nil
-}
--- a/internal/pkg/core/deployer/providers/webhook/webhook.go
+++ b/internal/pkg/core/deployer/providers/webhook/webhook.go
@@ -1,102 +0,0 @@
-package webhook
-
-import (
-	"context"
-	"encoding/json"
-	"strings"
-	"time"
-
-	"github.com/go-resty/resty/v2"
-	xerrors "github.com/pkg/errors"
-
-	"github.com/usual2970/certimate/internal/pkg/core/deployer"
-	"github.com/usual2970/certimate/internal/pkg/core/logger"
-	"github.com/usual2970/certimate/internal/pkg/utils/certs"
-)
-
-type DeployerConfig struct {
-	// Webhook URL。
-	WebhookUrl string `json:"webhookUrl"`
-	// Webhook 回调数据（JSON 格式）。
-	WebhookData string `json:"webhookData,omitempty"`
-}
-
-type DeployerProvider struct {
-	config     *DeployerConfig
-	logger     logger.Logger
-	httpClient *resty.Client
-}
-
-var _ deployer.Deployer = (*DeployerProvider)(nil)
-
-func NewDeployer(config *DeployerConfig) (*DeployerProvider, error) {
-	if config == nil {
-		panic("config is nil")
-	}
-
-	client := resty.New().
-		SetTimeout(30 * time.Second).
-		SetRetryCount(3).
-		SetRetryWaitTime(5 * time.Second)
-
-	return &DeployerProvider{
-		config:     config,
-		logger:     logger.NewNilLogger(),
-		httpClient: client,
-	}, nil
-}
-
-func (d *DeployerProvider) WithLogger(logger logger.Logger) *DeployerProvider {
-	d.logger = logger
-	return d
-}
-
-func (d *DeployerProvider) Deploy(ctx context.Context, certPem string, privkeyPem string) (*deployer.DeployResult, error) {
-	certX509, err := certs.ParseCertificateFromPEM(certPem)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to parse x509")
-	}
-
-	var webhookData interface{}
-	err = json.Unmarshal([]byte(d.config.WebhookData), &webhookData)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to unmarshall webhook data")
-	}
-
-	replaceJsonValueRecursively(webhookData, "${DOMAIN}", certX509.Subject.CommonName)
-	replaceJsonValueRecursively(webhookData, "${DOMAINS}", strings.Join(certX509.DNSNames, ";"))
-	replaceJsonValueRecursively(webhookData, "${SUBJECT_ALT_NAMES}", strings.Join(certX509.DNSNames, ";"))
-	replaceJsonValueRecursively(webhookData, "${CERTIFICATE}", certPem)
-	replaceJsonValueRecursively(webhookData, "${PRIVATE_KEY}", privkeyPem)
-
-	resp, err := d.httpClient.R().
-		SetContext(ctx).
-		SetHeader("Content-Type", "application/json").
-		SetBody(webhookData).
-		Post(d.config.WebhookUrl)
-	if err != nil {
-		return nil, xerrors.Wrap(err, "failed to send webhook request")
-	} else if resp.StatusCode() != 200 {
-		return nil, xerrors.Errorf("unexpected webhook response status code: %d", resp.StatusCode())
-	}
-
-	d.logger.Logt("Webhook request sent", resp.String())
-
-	return &deployer.DeployResult{}, nil
-}
-
-func replaceJsonValueRecursively(data interface{}, oldStr, newStr string) interface{} {
-	switch v := data.(type) {
-	case map[string]interface{}:
-		for k, val := range v {
-			v[k] = replaceJsonValueRecursively(val, oldStr, newStr)
-		}
-	case []interface{}:
-		for i, val := range v {
-			v[i] = replaceJsonValueRecursively(val, oldStr, newStr)
-		}
-	case string:
-		return strings.ReplaceAll(v, oldStr, newStr)
-	}
-	return data
-}
--- a/internal/pkg/core/logger/builtin.go
+++ b/internal/pkg/core/logger/builtin.go
@@ -1,94 +0,0 @@
-package logger
-
-import (
-	"encoding/json"
-	"fmt"
-	"reflect"
-	"strings"
-
-	"github.com/usual2970/certimate/internal/pkg/utils/types"
-)
-
-// 表示默认的日志记录器类型。
-type DefaultLogger struct {
-	records []string
-}
-
-var _ Logger = (*DefaultLogger)(nil)
-
-func (l *DefaultLogger) Logt(tag string, data ...any) {
-	l.ensureInitialized()
-
-	temp := make([]string, len(data)+1)
-	temp[0] = tag
-	for i, v := range data {
-		s := ""
-		if types.IsNil(v) {
-			s = "<nil>"
-		} else {
-			switch reflect.ValueOf(v).Kind() {
-			case reflect.String:
-				s = v.(string)
-			case reflect.Bool,
-				reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
-				reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64,
-				reflect.Float32, reflect.Float64:
-				s = fmt.Sprintf("%v", v)
-			default:
-				jbytes, _ := json.Marshal(v)
-				s = string(jbytes)
-			}
-		}
-
-		temp[i+1] = s
-	}
-
-	l.records = append(l.records, strings.Join(temp, ": "))
-}
-
-func (l *DefaultLogger) Logf(format string, args ...any) {
-	l.ensureInitialized()
-
-	l.records = append(l.records, fmt.Sprintf(format, args...))
-}
-
-func (l *DefaultLogger) GetRecords() []string {
-	l.ensureInitialized()
-
-	temp := make([]string, len(l.records))
-	copy(temp, l.records)
-	return temp
-}
-
-func (l *DefaultLogger) FlushRecords() {
-	l.records = make([]string, 0)
-}
-
-func (l *DefaultLogger) ensureInitialized() {
-	if l.records == nil {
-		l.records = make([]string, 0)
-	}
-}
-
-func NewDefaultLogger() *DefaultLogger {
-	return &DefaultLogger{
-		records: make([]string, 0),
-	}
-}
-
-// 表示空的日志记录器类型。
-// 该日志记录器不会执行任何操作。
-type NilLogger struct{}
-
-var _ Logger = (*NilLogger)(nil)
-
-func (l *NilLogger) Logt(string, ...any) {}
-func (l *NilLogger) Logf(string, ...any) {}
-func (l *NilLogger) GetRecords() []string {
-	return make([]string, 0)
-}
-func (l *NilLogger) FlushRecords() {}
-
-func NewNilLogger() *NilLogger {
-	return &NilLogger{}
-}
--- a/Show More
+++ b/Show More