Fading Coder


Automated Wildcard SSL Certificate Deployment with Let's Encrypt on Alibaba Cloud


Prerequisites

Before initiating the certificate provisioning process, ensure you have:

  • A Linux server (Ubuntu 20.04+ or Debian 11+ recommended) with root privileges
  • A registered domain name with DNS hosted on Alibaba Cloud
  • A RAM user configured with AliyunDNSFullAccess permissions and generated AccessKey credentials

Installing Certbot in Virtual Environment

Rather than installing Certbot via system packages, which may contain outdated versions, create an isolated Python environment:

sudo apt update && sudo apt install -y python3-venv python3-dev gcc libaugeas0
sudo python3 -m venv /usr/local/lib/certbot-env
sudo /usr/local/lib/certbot-env/bin/pip install --upgrade pip setuptools
sudo /usr/local/lib/certbot-env/bin/pip install certbot certbot-nginx
sudo ln -sf /usr/local/lib/certbot-env/bin/certbot /usr/local/bin/certbot
certbot --version

Configuring Alibaba Cloud Authentication

Download and install the Alibaba Cloud CLI tool:

curl -L https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz -o /tmp/aliyun-cli.tgz
tar -xzf /tmp/aliyun-cli.tgz -C /tmp
sudo mv /tmp/aliyun /usr/local/bin/aliyun
rm /tmp/aliyun-cli.tgz

Configure credentials using the RAM user's AccessKey. Since Certbot requires elevated privileges, store the configuration in root's home directory:

sudo aliyun configure --mode AK --profile certbot-profile
# Enter Access Key ID, Access Key Secret, and region (e.g., cn-hangzhou)

DNS-01 Challenge Hook Setup

Create a DNS validation hook script that interfaces with Alibaba Cloud DNS API:

sudo tee /usr/local/bin/ali-dns-auth << 'EOF'
#!/bin/bash
# Auth hook for Alibaba Cloud DNS. Certbot sets CERTBOT_DOMAIN to the name being
# validated with any leading "*." already removed, so for both "*.example.com"
# and "example.com" it is "example.com" and the record to create is
# _acme-challenge.example.com. ALI_DNS_ZONE (optional, this script's own variable)
# names the zone hosted in Alibaba Cloud DNS when CERTBOT_DOMAIN is a subdomain
# of it; it defaults to CERTBOT_DOMAIN, which is correct for a registered domain.
set -euo pipefail
ZONE="${ALI_DNS_ZONE:-$CERTBOT_DOMAIN}"
RR="_acme-challenge"
if [ "$CERTBOT_DOMAIN" != "$ZONE" ]; then RR="_acme-challenge.${CERTBOT_DOMAIN%".$ZONE"}"; fi
aliyun alidns AddDomainRecord --profile certbot-profile \
    --DomainName "$ZONE" \
    --RR "$RR" \
    --Type TXT \
    --Value "$CERTBOT_VALIDATION"
sleep 10   # give the record time to propagate before Let's Encrypt queries it
EOF

sudo tee /usr/local/bin/ali-dns-cleanup << 'EOF'
#!/bin/bash
# Cleanup hook for Alibaba Cloud DNS: delete every TXT record created for this
# validation. Same zone/RR derivation as the auth hook (ALI_DNS_ZONE optional).
set -euo pipefail
ZONE="${ALI_DNS_ZONE:-$CERTBOT_DOMAIN}"
RR="_acme-challenge"
if [ "$CERTBOT_DOMAIN" != "$ZONE" ]; then RR="_acme-challenge.${CERTBOT_DOMAIN%".$ZONE"}"; fi
# DescribeDomainRecords returns JSON and RRKeyWord is a substring match, so also
# filter on the exact value certbot handed to the auth hook, then delete each hit.
aliyun alidns DescribeDomainRecords --profile certbot-profile \
    --DomainName "$ZONE" --RRKeyWord "$RR" --Type TXT --ValueKeyWord "$CERTBOT_VALIDATION" \
    | grep -o '"RecordId": *"[^"]*"' | cut -d'"' -f4 \
    | while read -r record_id; do
        aliyun alidns DeleteDomainRecord --profile certbot-profile --RecordId "$record_id"
    done
EOF

sudo chmod +x /usr/local/bin/ali-dns-auth /usr/local/bin/ali-dns-cleanup
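The two hooks have to turn CERTBOT_DOMAIN into a hosted zone plus a record label, and they then sleep a fixed ten seconds and hope the record has propagated. The script below is an added example, not code from the original post: it does the split against a list of zones the RAM user can manage (the longest matching zone wins, so a delegated sub-zone beats its parent) and polls for the TXT record instead of sleeping. The function names, the HOSTED_ZONES list (a constructed sample) and the choice of Alibaba's public resolver 223.5.5.5 are this example's own assumptions; dig comes from the dnsutils package.

```shell
#!/bin/sh
# Added example (not from the original post): pick the hosted zone and RR label
# for an ACME DNS-01 TXT record, and poll for the record instead of sleeping.
# Assumed names: acme_record, wait_for_txt, HOSTED_ZONES (constructed sample).

# acme_record DOMAIN ZONE... -> prints "ZONE RR" on stdout, returns 1 if no zone
# matches. DOMAIN is certbot's CERTBOT_DOMAIN, which never carries the "*." prefix.
# The longest matching zone wins, so a delegated sub-zone takes precedence over
# its parent.
acme_record() {
    domain=$1; shift
    best=""
    for zone in "$@"; do
        case "$domain" in
            "$zone"|*."$zone")
                if [ "${#zone}" -gt "${#best}" ]; then best=$zone; fi ;;
        esac
    done
    if [ -z "$best" ]; then
        echo "acme_record: no hosted zone matches $domain" >&2
        return 1
    fi
    if [ "$domain" = "$best" ]; then
        printf '%s %s\n' "$best" "_acme-challenge"
    else
        printf '%s %s\n' "$best" "_acme-challenge.${domain%".$best"}"
    fi
}

# wait_for_txt NAME VALUE [TIMEOUT] -> 0 once a public resolver (Alibaba's
# 223.5.5.5, an assumption) returns the expected TXT value, 1 after TIMEOUT
# seconds. Replaces the fixed "sleep 10" in the auth hook; needs dig.
wait_for_txt() {
    name=$1; value=$2; timeout=${3:-120}; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if dig +short TXT "$name" @223.5.5.5 2>/dev/null | grep -qF "\"$value\""; then
            return 0
        fi
        sleep 5; waited=$((waited + 5))
    done
    echo "wait_for_txt: $name not visible after ${timeout}s" >&2
    return 1
}

# Constructed sample: zones the RAM user can manage (stand-ins, not real data).
HOSTED_ZONES="example.com internal.example.com example.co.uk"

# Show the split for a few names the way the hooks would see them.
for d in example.com api.example.com db.internal.example.com www.example.co.uk; do
    printf '%-26s -> %s\n' "$d" "$(acme_record "$d" $HOSTED_ZONES)"
done
```

In ali-dns-auth, `set -- $(acme_record "$CERTBOT_DOMAIN" $HOSTED_ZONES)` gives the zone in `$1` and the RR in `$2` for AddDomainRecord, and `wait_for_txt "$2.$1" "$CERTBOT_VALIDATION"` after the add call replaces the sleep; if it times out the hook exits non-zero and certbot reports the failure instead of letting Let's Encrypt look up a record that is not there yet.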

Issuing the Wildcard Certificate

First, verify the configuration against the Let's Encrypt staging environment to avoid hitting production rate limits:

sudo certbot certonly \
    --non-interactive \
    --agree-tos \
    --manual \
    --preferred-challenges dns \
    --manual-auth-hook /usr/local/bin/ali-dns-auth \
    --manual-cleanup-hook /usr/local/bin/ali-dns-cleanup \
    --server https://acme-staging-v02.api.letsencrypt.org/directory \
    -d "*.example.com" \
    -d "example.com"

Replace example.com with your actual domain. If successful, proceed to production:

sudo certbot certonly \
    --non-interactive \
    --agree-tos \
    --manual \
    --preferred-challenges dns \
    --manual-auth-hook /usr/local/bin/ali-dns-auth \
    --manual-cleanup-hook /usr/local/bin/ali-dns-cleanup \
    -d "*.example.com" \
    -d "example.com"

Certificates are stored in /etc/letsencrypt/live/example.com/ containing:

  • fullchain.pem: Server certificate with intermediates
  • privkey.pem: Private key
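Once the lineage exists it is worth checking what was actually issued rather than trusting the exit status. The script below is an added example, not code from the original post: it lists the SANs in fullchain.pem, tests whether a given host is covered (a wildcard stands for exactly one label, so *.example.com covers api.example.com but neither example.com nor a.b.example.com, which is why the post requests both names), and reports whether the certificate is inside the 30-day window in which certbot renew will act. The function names are this example's own; openssl must be installed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an issued certificate.
# Assumes openssl is on PATH; the function names are this example's own.

# cert_sans FILE -> DNS names from the subjectAltName extension, one per line.
# Only the first certificate in the file (the leaf) is read.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# cert_matches FILE HOST -> 0 if HOST is covered by an exact SAN or by a
# wildcard SAN. A wildcard stands for exactly one label (RFC 6125): *.example.com
# covers api.example.com but not example.com or a.b.example.com.
cert_matches() {
    host=$2
    cert_sans "$1" | (
        while IFS= read -r san; do
            if [ "$san" = "$host" ]; then exit 0; fi
            case "$san" in
                \*.*)
                    suffix=${san#\*}              # ".example.com"
                    label=${host%"$suffix"}       # "api" only if host ends in suffix
                    if [ "$label" != "$host" ] && [ -n "$label" ] \
                        && [ "${label#*.}" = "$label" ]; then
                        exit 0
                    fi ;;
            esac
        done
        exit 1
    )
}

# cert_expires_within FILE SECONDS -> 0 if the certificate expires within SECONDS
# (openssl -checkend succeeds when the certificate is still valid at that time).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Path used in the post; only inspected if the lineage exists on this host.
LIVE=/etc/letsencrypt/live/example.com/fullchain.pem
if [ -r "$LIVE" ]; then
    echo "SANs in $LIVE:"; cert_sans "$LIVE"
    for h in example.com api.example.com deep.api.example.com; do
        if cert_matches "$LIVE" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
    # 2592000 s = 30 days, certbot's default renewal threshold
    if cert_expires_within "$LIVE" 2592000; then echo "renewal is due"; fi
fi
```

Running it after issuance shows at a glance that deep.api.example.com is not covered by the wildcard, a common surprise when a second-level host is added to an Nginx server block later; the expiry check is the same test the renewal timer below relies on certbot to make, so it is a quick way to confirm renewal actually happened.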

Nginx Integration

Deploy the certificate to Nginx virtual hosts:

sudo certbot install --nginx \
    --cert-name example.com \
    -d example.com \
    -d www.example.com \
    -d api.example.com

For manual configuration, reference the certificate paths in your server block:

server {
    listen 443 ssl;
    server_name *.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # SSL security settings...
}

Automated Renewal

Let's Encrypt certificates expire after 90 days. Configure automatic renewal using cron:

sudo crontab -e

Add the following entry to attempt renewal twice daily:

0 4,16 * * * /usr/local/bin/certbot renew --quiet --manual-auth-hook /usr/local/bin/ali-dns-auth --manual-cleanup-hook /usr/local/bin/ali-dns-cleanup --deploy-hook "systemctl reload nginx"

Alternatively, create a systemd timer for modern systems:

sudo tee /etc/systemd/system/certbot-renew.service << EOF
[Unit]
Description=Renew Let's Encrypt certificates
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/certbot renew --quiet --manual-auth-hook /usr/local/bin/ali-dns-auth --manual-cleanup-hook /usr/local/bin/ali-dns-cleanup --deploy-hook "systemctl reload nginx"
EOF

sudo tee /etc/systemd/system/certbot-renew.timer << EOF
[Unit]
Description=Run certbot renewal twice daily

[Timer]
OnCalendar=*-*-* 04,16:00:00
RandomizedDelaySec=3600
Persistent=true

[Install]
WantedBy=timers.target
EOF

sudo systemctl enable --now certbot-renew.timer
