
How I Issued My Certificate with ACME.sh and Aliyun DNS

Initial Setup

I cloned the ACME.sh repository to my local machine:

bash
git clone https://github.com/acmesh-official/acme.sh.git ~/code/acme.sh
cd ~/code/acme.sh

Then I installed it to my home directory:

bash
./acme.sh --install --home ~/.acme.sh --accountemail my-email@example.com

Configuring Aliyun DNS

I stored my Aliyun API credentials in the ~/.acme.sh/account.conf file, which was automatically created during installation:

# Contents of ~/.acme.sh/account.conf
Ali_Key='YOUR_ALIYUN_ACCESS_KEY_ID'
Ali_Secret='YOUR_ALIYUN_ACCESS_KEY_SECRET'

Custom Modification

I ran into an issue with the Aliyun DNS API integration described in GitHub issue #2786 (https://github.com/acmesh-official/acme.sh/issues/2786) and issue #6246 (https://github.com/acmesh-official/acme.sh/issues/6246).

I did the following:

  • turned off auto-update by setting AUTO_UPGRADE='0' in account.conf
  • added a line to sleep in _ali_nonce():
bash
_ali_nonce() {
  #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
  #Not so good...
  # Added line: pause one second so two consecutive calls cannot return the same value
  sleep 1s
  date +"%s%N" | sed 's/%N//g'
}
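The following is an added example, not code from the original post or from acme.sh. It compares how often a seconds-resolution nonce, the same nonce with a one-second pause, and a random nonce repeat across back-to-back calls. All function names are hypothetical, and the seconds-only case assumes a date(1) that prints %N literally.

```shell
#!/bin/sh
# Added example: nonce uniqueness across rapid calls.
# Function names are hypothetical and are not part of acme.sh.

# Seconds-only nonce: what `date +"%s%N" | sed 's/%N//g'` yields on a
# date(1) that prints %N literally (assumption), leaving whole seconds.
nonce_seconds() {
  date +%s
}

# Same nonce preceded by the one-second pause from the modification above.
nonce_seconds_sleep() {
  sleep 1
  date +%s
}

# Random nonce: 16 bytes from /dev/urandom, hex encoded (32 characters).
nonce_random() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# count_duplicates FUNC N: call FUNC N times and print how many of the
# returned values were repeats of an earlier value.
count_duplicates() {
  _fn=$1 _n=$2 _i=0 _all=""
  while [ "$_i" -lt "$_n" ]; do
    _all="$_all$($_fn)
"
    _i=$((_i + 1))
  done
  _uniq=$(printf '%s' "$_all" | sort -u | wc -l | tr -d ' ')
  echo $((_n - _uniq))
}

# Stand-alone demo: three back-to-back calls per strategy.
for f in nonce_seconds nonce_seconds_sleep nonce_random; do
  echo "$f: $(count_duplicates "$f" 3) duplicate(s) in 3 calls"
done
```

The pause removes repeats at the cost of one second per call, while the random nonce stays unique without waiting.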

Issuing the Certificate

bash
cd ~/.acme.sh
./acme.sh --issue --dns dns_ali -d func.truewatch.com -d '*.func.truewatch.com'

The certificate was successfully issued and saved to ~/.acme.sh/func.truewatch.com_ecc/.

Checking the Certificate

I verified my certificate was properly issued:

bash
openssl x509 -in ~/.acme.sh/func.truewatch.com_ecc/func.truewatch.com.cer -noout -dates

The certificate showed the correct validity dates, confirming it was properly issued.