Due to recent policy changes from upstream SSL certificate providers, Alibaba Cloud CDN no longer supports direct application for free SSL certificates. However, with powerful tools like acme.sh and Let’s Encrypt, we can still automate the entire process of certificate issuance, renewal, and deployment to Alibaba Cloud CDN without manual intervention.
Step 1: Install Alibaba Cloud CLI
The Alibaba Cloud CLI lets you upload SSL certificates to your account programmatically. Follow the official documentation to install it on your server:
wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz
tar xzvf aliyun-cli-linux-latest-amd64.tgz
chmod +x aliyun
cp aliyun /usr/local/bin
Once installed, run aliyun configure and enter your AccessKey ID, AccessKey Secret, and Region Id. Verify the configuration with aliyun configure list.
Step 2: Create the Auto-Upload Renew Hook Script
Create an executable script (e.g., /root/sh/cdnssl.sh) to handle the upload and CDN update logic. Replace the placeholders with your actual Alibaba Cloud credentials and target CDN domains.
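#!/usr/bin/env bash
# Using OpenAPI for CAS and CDN
# CAS: https://help.aliyun.com/document_detail/126507.html
# CDN: https://help.aliyun.com/document_detail/106661.html
# Not read by the aliyun calls below, which use the profile saved by
# "aliyun configure" in Step 1.
AliAccessKeyId="YOUR_ACCESS_KEY_ID"
AliAccessKeySecret="YOUR_ACCESS_KEY_SECRET"
# ACME global variables that acme.sh sets for the hook; stop if any is missing.
ACME_ENV_LIST=("CERT_KEY_PATH" "CERT_FULLCHAIN_PATH" "Le_Domain")
for value in "${ACME_ENV_LIST[@]}"; do
    [[ -v "$value" ]] || { echo "missing variable: $value" >&2; exit 1; }
done
# Full certificate chain with blank lines removed.
get_cert() {
    sed -e "/^$/d" "$CERT_FULLCHAIN_PATH"
}
# Private key as issued.
get_key() {
    cat "$CERT_KEY_PATH"
}
DOMAIN=$Le_Domain
# Name unique per run (domain plus Unix timestamp); not passed to the call below.
CERT_NAME="${DOMAIN//./_}-$(date +%s)"
# CDN domains that should receive the certificate.
DOMAIN_LIST=("cdn.yourdomain.com")
for _domain in "${DOMAIN_LIST[@]}"; do
    # The private key is passed as a command-line argument, so it is visible
    # in the process list while the command runs.
    aliyun cdn SetCdnDomainSSLCertificate --DomainName "$_domain" --SSLPub="$(get_cert)" --SSLPri="$(get_key)" --CertType upload --SSLProtocol on || exit 103
done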
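The hook uploads to every name in DOMAIN_LIST without checking the files acme.sh hands it. The following is an added example, not part of the original script, acme.sh or the aliyun CLI: preflight functions that use openssl to confirm the key matches the leaf certificate, the certificate is not about to expire, and it covers each CDN domain. The function names, the 7-day threshold and exit code 102 are assumptions.

```bash
# Added example: preflight checks to paste into the renew hook.
# Function names are illustrative, not acme.sh or aliyun CLI features.

# True when the private key in $2 belongs to the leaf certificate in $1.
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# True when the certificate in $1 is valid for hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# $1 = fullchain PEM, $2 = key PEM, remaining arguments = CDN domains.
# Returns 0 when every check passes, otherwise 1, 2 or 3 for the failed check.
preflight() {
    local cert key d
    cert=$1; key=$2; shift 2
    key_matches_cert "$cert" "$key" ||
        { echo "private key does not match certificate" >&2; return 1; }
    # 7 days is an assumed minimum remaining lifetime.
    cert_valid_for "$cert" $((7 * 86400)) ||
        { echo "certificate expires within 7 days" >&2; return 2; }
    for d in "$@"; do
        cert_covers_host "$cert" "$d" ||
            { echo "certificate does not cover $d" >&2; return 3; }
    done
}

# In the hook, before the upload loop (exit code 102 is an assumption):
# preflight "$CERT_FULLCHAIN_PATH" "$CERT_KEY_PATH" "${DOMAIN_LIST[@]}" || exit 102
```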
Step 3: Issue the SSL Certificate
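First, export your Alibaba Cloud credentials. acme.sh will save these in account.conf for future renewals, which means the AccessKey Secret sits in that file in plain text, so keep the file readable only by the account that runs acme.sh.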
export Ali_Key="YOUR_ACCESS_KEY_ID"
export Ali_Secret="YOUR_ACCESS_KEY_SECRET"
Now, issue the certificate using the DNS-01 challenge and specify the renew-hook script created in Step 2.
acme.sh --issue --dns dns_ali -d cdn.yourdomain.com --renew-hook /root/sh/cdnssl.sh
After a successful run, your new certificate will be automatically uploaded to Alibaba Cloud and applied to your CDN domain. You can verify the configuration with acme.sh --info -d cdn.yourdomain.com. Set up a cron job for acme.sh --cron to keep your certificates updated indefinitely.
