Alibaba Cloud DNS Authenticator plugin for Certbot.

This plugin automates the process of completing a ``dns-01`` challenge by
creating, and subsequently removing, TXT records using the Alibaba Cloud DNS
API.

.. note::
   This plugin utilizes the official Alibaba Cloud SDK (specifically
   ``alibabacloud_alidns20150109``) to interact with the DNS service.

Installation
------------

.. code-block:: bash

    pip install certbot-dns-alibabacloud

Named Arguments
---------------

==========================================  ==================================================
``--dns-alibabacloud-credentials``          Alibaba Cloud credentials_ INI file. (Required)
``--dns-alibabacloud-propagation-seconds``  The number of seconds to wait for DNS to propagate
                                            before asking the ACME server to verify the DNS
                                            record. (Default: 30)
==========================================  ==================================================

Credentials
-----------

You need to provide a credentials file containing your Alibaba Cloud
AccessKey to Certbot so that it can communicate with Alibaba Cloud and
complete the DNS-01 domain validation on your behalf. The Access Key can
be created through the Alibaba Cloud RAM (Resource Access Management)
console.

An example credentials file is shown below:

.. code-block:: ini

    # Alibaba Cloud API credentials used by Certbot
    dns_alibabacloud_access_key_id = LTAI5txxxxxxxxxxxxxxxxxx
    dns_alibabacloud_access_key_secret = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

To manage the DNS records required for the challenge, the plugin first
needs to locate the corresponding managed domain in Alibaba Cloud DNS
for the requested certificate domain name.

The Access Key must have permission to list managed domains in Alibaba
Cloud DNS, create and delete DNS records, and query existing records for
challenge cleanup after the validation completes:

* ``alidns:DescribeDomains``
* ``alidns:AddDomainRecord``
* ``alidns:DeleteDomainRecord``
* ``alidns:DescribeDomainRecords``

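The zone lookup described above, as an added example that is not the plugin's own code: it walks the validation name from its most specific label to its least, picks the longest managed domain that matches on a whole-label boundary, and splits the name into the ``DomainName`` and ``RR`` values an ``AddDomainRecord`` call takes. The function names ``find_managed_domain`` and ``txt_record_params`` and the managed-domain list are constructed for the example; the plugin fetches the real list with ``DescribeDomains``.

```python
"""Zone lookup for a dns-01 validation name (added example, not plugin code).

Before a TXT record can be created, the validation name has to be split into
the managed domain (DomainName) and the relative host record (RR). The
managed-domain list used below is constructed; the plugin obtains the real
one from DescribeDomains.
"""
from __future__ import annotations


def find_managed_domain(validation_name: str, managed_domains: list[str]) -> tuple[str, str]:
    """Return (domain_name, rr) for an ACME dns-01 validation name.

    Candidates are tried from most to least specific, so a separately managed
    subdomain zone wins over its parent, and matching happens on whole labels
    only ('ample.com' never matches 'example.com').
    Raises ValueError when no managed domain covers the name.
    """
    labels = validation_name.rstrip(".").lower().split(".")
    managed = {d.rstrip(".").lower() for d in managed_domains}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in managed:
            # "@" is the host record Alibaba Cloud DNS uses for the zone apex
            return candidate, ".".join(labels[:i]) or "@"
    raise ValueError(f"no managed domain covers {validation_name!r}")


def txt_record_params(validation_name: str, value: str, managed_domains: list[str]) -> dict:
    """Build the parameter set for an AddDomainRecord call for the challenge TXT."""
    domain_name, rr = find_managed_domain(validation_name, managed_domains)
    return {"DomainName": domain_name, "RR": rr, "Type": "TXT", "Value": value}


if __name__ == "__main__":
    # Constructed sample: two zones, one of them a delegated subdomain
    zones = ["example.com", "sub.example.com", "other.net"]
    print(txt_record_params("_acme-challenge.www.example.com", "token", zones))
    print(txt_record_params("_acme-challenge.sub.example.com", "token", zones))
```
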
Here is an example RAM policy that follows the Principle of Least
Privilege:

.. code-block:: json

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "alidns:DescribeDomains",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "alidns:AddDomainRecord",
            "alidns:DeleteDomainRecord",
            "alidns:DescribeDomainRecords"
          ],
          "Resource": "acs:alidns:*:*:domain/YOUR-DOMAIN-NAME.COM"
        }
      ]
    }

.. caution::

    You should protect the credentials file as you would protect your
    passwords by setting restrictive file permissions (for example,
    ``chmod 600``), preventing other users or programs on the system
    from reading the sensitive file.

    Certbot will also warn you if the credentials file has overly
    permissive permissions.

    Leaked credentials could allow malicious users to manipulate your
    DNS records and issue certificates for domains under your control.

Examples
--------

To acquire a certificate for ``example.com``:

.. code-block:: bash

    certbot certonly \
      --authenticator dns-alibabacloud \
      --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \
      -d example.com

To acquire a single certificate for both ``example.com`` and ``www.example.com``:

.. code-block:: bash

    certbot certonly \
      --authenticator dns-alibabacloud \
      --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \
      -d example.com \
      -d www.example.com

To acquire a certificate for ``example.com``, waiting 60 seconds for DNS
propagation:

.. code-block:: bash

    certbot certonly \
      --authenticator dns-alibabacloud \
      --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \
      --dns-alibabacloud-propagation-seconds 60 \
      -d example.com