From de3232e05ef9a4744fb2de62928bc5b7056d24c1 Mon Sep 17 00:00:00 2001 From: Zhineng Li Date: Thu, 28 May 2026 18:31:38 +0800 Subject: add acme-alibabacloud post --- 2026-05-28-acme-alibabacloud.txt | 191 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) create mode 100644 2026-05-28-acme-alibabacloud.txt (limited to '2026-05-28-acme-alibabacloud.txt') diff --git a/2026-05-28-acme-alibabacloud.txt b/2026-05-28-acme-alibabacloud.txt new file mode 100644 index 0000000..ec3db57 --- /dev/null +++ b/2026-05-28-acme-alibabacloud.txt @@ -0,0 +1,191 @@ +Certbot is one of the most popular choices for issuing SSL certificates +and was originally developed by Let's Encrypt. It comes with a variety +of DNS plugins that help automate the certificate renewal process. + +Behind the scenes, these plugins handle provisioning the DNS challenge +records and cleaning them up afterward so that domain verification can +pass on the ACME server. + +However, there is no official Certbot plugin for Alibaba Cloud. Manually +running the renewal command and adding or deleting DNS records is both +tedious and error-prone. Why not have a dedicated plugin to handle the +entire process automatically? I spent a few days building the plugin, +and I hope it can help you as well–and hopefully save you from +forgetting to renew your certificate. + +In this blog post, I will walk you through the process of issuing an SSL +certificate. The web server is nginx running on Ubuntu, and the DNS is +hosted on Alibaba Cloud. + + +Install Certbot +--------------- + +Feel free to check out the official Certbot website. It provides an +interactive guide that walks you through the installation process step +by step. Below are the commands I copied from the instructions: + + $ sudo apt update + $ sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc + + $ sudo python3 -m venv /opt/certbot/ + $ sudo /opt/certbot/bin/pip install --upgrade pip + + $ sudo /opt/certbot/bin/pip install certbot + $ sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot + $ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null + +At this point, Python is installed, a virtual environment has been +configured for Certbot, Certbot itself is installed, and the renewal +cron job is ready. + + +Prepare an AccessKey pair +------------------------- + +Before we move on, let's generate an AccessKey pair from Alibaba Cloud +and grant the required permissions. + +0) Head to the RAM console + +RAM stands for Resource Access Management. Alibaba Cloud provides both +an international console and a mainland China console: + +- https://ram.console.alibabacloud.com +- https://ram.console.aliyun.com + +1) Create a dedicated user for Certbot + +You can find the user creation page under Identities -> Users in the +left sidebar. Fill out the form with something similar to the following: + +- Login name: certbot +- Access Configuration: Permanent AccessKey + +After the user is created, Alibaba Cloud will show you the AccessKey ID +and AccessKey secret. Save them securely. + +2) Create a policy to the `certbot` user + +The user does not have any permissions yet, so we need to create a +policy and attach it. + +Navigate to Permissions -> Policies in the left sidebar and create a +policy with the following JSON document: + + { + "Version": "1", + "Statement": [ + { + "Effect": "Allow", + "Action": "alidns:DescribeDomains", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "alidns:AddDomainRecord", + "alidns:DeleteDomainRecord", + "alidns:DescribeDomainRecords" + ], + "Resource": "acs:alidns:*:*:domain/YOUR-DOMAIN-NAME.COM" + } + ] + } + +Do not forget to replace the domain name in the JSON document with your +own. + +When issuing a certificate, the plugin first needs to locate the managed +domain in Alibaba Cloud DNS. For example, if the requested certificate +domain is `sub.example.com`, the managed domain in your account could be +either `sub.example.com` or `example.com`. That is why the +`DescribeDomains` permission is required. + +DNS record operations are scoped to the specific domain name you +provided. The plugin uses the `DescribeDomainRecords` API to query the +challenge records it previously created so that they can be cleaned up +after validation. + +According to the authorization documentation, Alibaba Cloud DNS does not +support applying conditions to these resources. This means we cannot +limit the API operations specifically to records beginning with +`_acme-challenge.`. The current policy already follows the Principle of +Least Privilege. + +I named the policy `certbot-policy`, which is straightforward enough. +You will probably appreciate the naming three months later. + +3) Grant permissions to the user + +At this point, we have created both the user and the policy. Now we need +to associate them. + +Open the `certbot` user details page and locate the Permissions section. +Grant the `certbot-policy` policy to the user. + +4) Create the credentials file + +Using the AccessKey pair we generated earlier, let's create a +restrictive credentials file so Certbot can communicate with Alibaba +Cloud on our behalf. + +You can store the file wherever you like, but remember that it contains +sensitive credentials. You must prevent other users or programs from +reading it. Anyone with access to the AccessKey pair can perform any +operations granted to that user. + +I am going to store the file at `~/.secrets/certbot/alibabacloud.ini` +and edit it with Neovim, feel free to adjust the path to your own +preference: + + mkdir -p ~/.secrets/certbot + umask 077 + nvim ~/.secrets/certbot/alibabacloud.ini + +Here is an example credentials file: + + # Alibaba Cloud API credentials used by Certbot + dns_alibabacloud_access_key_id = LTAI5txxxxxxxxxxxxxxxxxx + dns_alibabacloud_access_key_secret = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy + + +Install the plugin +------------------ + +Didn't I mention that we still haven't installed the plugin yet? Here is +the package that handles all the Alibaba Cloud DNS integration magic: + + $ sudo /opt/certbot/bin/pip install certbot-dns-alibabacloud + + +Issue a certificate +------------------- + +We finally made it here. Everything is now set up: Certbot, the plugin, +and the credentials. It's time to obtain the certificate. + +I am using the example domain `example.com` here. Replace it with your +own domain name: + + certbot certonly \ + --authenticator dns-alibabacloud \ + --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \ + --deploy-hook 'nginx -s reload' \ + -d example.com + +Certbot supports deploy hooks after a certificate is issued. We can use +this hook to reload nginx so that the new certificate takes effect +immediately. + +Certbot will also remember the parameters used to obtain the +certificate, and the same parameters will automatically be reused during +future renewals. + +Now you can declare the certificate directives in your nginx +configuration. + +You can also make use of Mozilla's SSL Configuration Generator to tune +your SSL settings: + +* https://ssl-config.mozilla.org/ -- cgit v1.2.3