-rw-r--r--2026-05-28-acme-alibabacloud.txt191
1 files changed, 191 insertions, 0 deletions
diff --git a/2026-05-28-acme-alibabacloud.txt b/2026-05-28-acme-alibabacloud.txt
new file mode 100644
index 0000000..ec3db57
--- /dev/null
+++ b/2026-05-28-acme-alibabacloud.txt
@@ -0,0 +1,191 @@
+Certbot is one of the most popular choices for issuing SSL certificates
+and was originally developed by Let's Encrypt. It comes with a variety
+of DNS plugins that help automate the certificate renewal process.
+
+Behind the scenes, these plugins handle provisioning the DNS challenge
+records and cleaning them up afterward so that domain verification can
+pass on the ACME server.
+
+However, there is no official Certbot plugin for Alibaba Cloud. Manually
+running the renewal command and adding or deleting DNS records is both
+tedious and error-prone. Why not have a dedicated plugin to handle the
+entire process automatically? I spent a few days building the plugin,
+and I hope it can help you as well–and hopefully save you from
+forgetting to renew your certificate.
+
+In this blog post, I will walk you through the process of issuing an SSL
+certificate. The web server is nginx running on Ubuntu, and the DNS is
+hosted on Alibaba Cloud.
+
+
+Install Certbot
+---------------
+
+Feel free to check out the official Certbot website. It provides an
+interactive guide that walks you through the installation process step
+by step. Below are the commands I copied from the instructions:
+
+ $ sudo apt update
+ $ sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc
+
+ $ sudo python3 -m venv /opt/certbot/
+ $ sudo /opt/certbot/bin/pip install --upgrade pip
+
+ $ sudo /opt/certbot/bin/pip install certbot
+ $ sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot
+ $ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
+
+At this point, Python is installed, a virtual environment has been
+configured for Certbot, Certbot itself is installed, and the renewal
+cron job is ready.
+
+
+Prepare an AccessKey pair
+-------------------------
+
+Before we move on, let's generate an AccessKey pair from Alibaba Cloud
+and grant the required permissions.
+
+0) Head to the RAM console
+
+RAM stands for Resource Access Management. Alibaba Cloud provides both
+an international console and a mainland China console:
+
+- https://ram.console.alibabacloud.com
+- https://ram.console.aliyun.com
+
+1) Create a dedicated user for Certbot
+
+You can find the user creation page under Identities -> Users in the
+left sidebar. Fill out the form with something similar to the following:
+
+- Login name: certbot
+- Access Configuration: Permanent AccessKey
+
+After the user is created, Alibaba Cloud will show you the AccessKey ID
+and AccessKey secret. Save them securely.
+
+2) Create a policy to the `certbot` user
+
+The user does not have any permissions yet, so we need to create a
+policy and attach it.
+
+Navigate to Permissions -> Policies in the left sidebar and create a
+policy with the following JSON document:
+
+ {
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "alidns:DescribeDomains",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "alidns:AddDomainRecord",
+ "alidns:DeleteDomainRecord",
+ "alidns:DescribeDomainRecords"
+ ],
+ "Resource": "acs:alidns:*:*:domain/YOUR-DOMAIN-NAME.COM"
+ }
+ ]
+ }
+
+Do not forget to replace the domain name in the JSON document with your
+own.
+
+When issuing a certificate, the plugin first needs to locate the managed
+domain in Alibaba Cloud DNS. For example, if the requested certificate
+domain is `sub.example.com`, the managed domain in your account could be
+either `sub.example.com` or `example.com`. That is why the
+`DescribeDomains` permission is required.
+
+DNS record operations are scoped to the specific domain name you
+provided. The plugin uses the `DescribeDomainRecords` API to query the
+challenge records it previously created so that they can be cleaned up
+after validation.
+
+According to the authorization documentation, Alibaba Cloud DNS does not
+support applying conditions to these resources. This means we cannot
+limit the API operations specifically to records beginning with
+`_acme-challenge.`. The current policy already follows the Principle of
+Least Privilege.
+
+I named the policy `certbot-policy`, which is straightforward enough.
+You will probably appreciate the naming three months later.
+
+3) Grant permissions to the user
+
+At this point, we have created both the user and the policy. Now we need
+to associate them.
+
+Open the `certbot` user details page and locate the Permissions section.
+Grant the `certbot-policy` policy to the user.
+
+4) Create the credentials file
+
+Using the AccessKey pair we generated earlier, let's create a
+restrictive credentials file so Certbot can communicate with Alibaba
+Cloud on our behalf.
+
+You can store the file wherever you like, but remember that it contains
+sensitive credentials. You must prevent other users or programs from
+reading it. Anyone with access to the AccessKey pair can perform any
+operations granted to that user.
+
+I am going to store the file at `~/.secrets/certbot/alibabacloud.ini`
+and edit it with Neovim, feel free to adjust the path to your own
+preference:
+
+ mkdir -p ~/.secrets/certbot
+ umask 077
+ nvim ~/.secrets/certbot/alibabacloud.ini
+
+Here is an example credentials file:
+
+ # Alibaba Cloud API credentials used by Certbot
+ dns_alibabacloud_access_key_id = LTAI5txxxxxxxxxxxxxxxxxx
+ dns_alibabacloud_access_key_secret = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+
+
+Install the plugin
+------------------
+
+Didn't I mention that we still haven't installed the plugin yet? Here is
+the package that handles all the Alibaba Cloud DNS integration magic:
+
+ $ sudo /opt/certbot/bin/pip install certbot-dns-alibabacloud
+
+
+Issue a certificate
+-------------------
+
+We finally made it here. Everything is now set up: Certbot, the plugin,
+and the credentials. It's time to obtain the certificate.
+
+I am using the example domain `example.com` here. Replace it with your
+own domain name:
+
+ certbot certonly \
+ --authenticator dns-alibabacloud \
+ --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \
+ --deploy-hook 'nginx -s reload' \
+ -d example.com
+
+Certbot supports deploy hooks after a certificate is issued. We can use
+this hook to reload nginx so that the new certificate takes effect
+immediately.
+
+Certbot will also remember the parameters used to obtain the
+certificate, and the same parameters will automatically be reused during
+future renewals.
+
+Now you can declare the certificate directives in your nginx
+configuration.
+
+You can also make use of Mozilla's SSL Configuration Generator to tune
+your SSL settings:
+
+* https://ssl-config.mozilla.org/
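Review bot: in the "Create the credentials file" step the `umask 077` line comes after `mkdir -p ~/.secrets/certbot`, so `~/.secrets` and `~/.secrets/certbot` are created under the default umask (typically world-readable and listable) and only the `.ini` file written afterwards gets the restrictive mode; move `umask 077` to the first line of that snippet, or add `chmod 700 ~/.secrets ~/.secrets/certbot`, so the directory matches the post's own requirement that no other user or program can read the credentials. Related: the `certbot certonly ...` invocation in "Issue a certificate" is shown without `sudo`, while every install step and the `/etc/crontab` entry run as root; since `certbot renew` is replayed from that root cron entry with the recorded `--dns-alibabacloud-credentials` path, it would help to state explicitly that the command is run with `sudo` and that `~` is expanded by the invoking user's shell before `sudo`, so the saved path points into that user's home and must stay readable by root. Minor wording: the heading "2) Create a policy to the `certbot` user" reads better as "Create a policy for the `certbot` user".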