Alibaba Cloud Series
How to obtain a wildcard certificate in CNAME mode with ESA
Your domain is hosted on Alibaba Cloud DNS or a third-party provider, and you cannot move the domain’s NS, yet you need a wildcard certificate. Alibaba Cloud ESA provides a quota of 10 certificates, which is clearly insufficient.
Here is a method to obtain a wildcard certificate, followed by an explanation of the principle.
You’ll need to work in two separate consoles:
- ESA
- DNS (Cloud Resolution or third-party DNS)
Steps
- ESA: DNS → Settings: switch to NS mode and confirm directly; no additional action is needed.
- ESA: apply for a free edge certificate, requesting only `*.example.com` (substitute your own domain).
- ESA: expand the dropdown next to the pending certificate to obtain the TXT record: host record `_acme-challenge.example.com`, value `-PewtWrH93avbM_bScUILtcNwCHifNvjZIa2VgT9seQ`.
- DNS: add a TXT record with the host record and value from the previous step.
- Wait for the wildcard certificate to be issued; if it has not been issued within ten minutes, something went wrong, so check manually.
- ESA: DNS → Settings: switch back to CNAME mode and confirm directly; no additional action is needed.
Principle
Free certificates come from Let’s Encrypt, which offers two validation methods:
- HTTP-01 Challenge: Let's Encrypt's validation server makes an HTTP request for a specific file on your server (under the path `.well-known/acme-challenge/`) to confirm that you control the domain.
- DNS-01 Challenge: you add a specific TXT record to your domain's DNS; the presence of the required TXT record proves control of the domain.
Wildcard certificates can only be obtained via the DNS-01 Challenge; hence they require DNS records. Consequently, ESA insists that a domain be hosted on the ESA platform (NS mode) before a wildcard certificate can be requested. The step "ESA: DNS → Settings: switch to NS mode" was derived from analysing the response of ESA's ApplyCertificate API; it has no practical effect other than getting past Alibaba Cloud's own check.
The core procedure is to place a pre-defined TXT record on the domain’s authoritative nameservers when requesting a certificate from Let’s Encrypt. Whether those nameservers belong to DNS (Cloud Resolution) or ESA is irrelevant—the TXT record suffices to prove domain ownership.
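The following is an added example, not code from the original post or from Alibaba Cloud ESA, that makes the two points above concrete: why the TXT record for `*.example.com` lives at `_acme-challenge.example.com` (the wildcard label is dropped, per RFC 8555), and how the record value in the steps section is derived (base64url of SHA-256 over the ACME key authorization, with the account key thumbprint computed as in RFC 7638). The account key and token are constructed placeholders; a real client uses its own. The `looks_like_dns01_value` check is a convenience for spotting a mangled copy-paste before the ten-minute wait.

```python
"""DNS-01 challenge arithmetic for a wildcard name (RFC 8555 section 8.4, RFC 7638).

Added example; not code from the original post or from Alibaba Cloud ESA.
The account key and token below are constructed placeholders.
"""
import base64
import hashlib
import json
import re

# Constructed sample ACME account key (public part only, as a JWK).
# A real ACME client uses its own key; these coordinates are just sample strings.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Constructed token, in the shape the CA returns inside the challenge object.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# A DNS-01 value is exactly 43 base64url characters (32-byte SHA-256, unpadded).
_B64URL_43 = re.compile(r"^[A-Za-z0-9_-]{43}$")


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members,
    serialised with lexicographically ordered keys and no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """Owner name of the TXT record. The '*.' label is dropped, so
    '*.example.com' and 'example.com' are both validated at
    '_acme-challenge.example.com'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}"


def challenge_record_value(token: str, jwk: dict) -> str:
    """TXT rdata: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def looks_like_dns01_value(value: str) -> bool:
    """Sanity check before pasting into the DNS console:
    43 base64url characters, no padding, no stray whitespace."""
    return bool(_B64URL_43.match(value))


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT value) to publish for the given identifier."""
    return challenge_record_name(identifier), challenge_record_value(token, jwk)


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
```

Because the owner name is the same for `*.example.com` and `example.com`, a single certificate covering both names needs two TXT records at `_acme-challenge.example.com`, one per authorization; the ESA console in the steps above shows only the one it needs for the wildcard name.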
Summary
ESA and Cloud Resolution are both under the Alibaba Cloud umbrella, yet they cannot share data. ESA already has the ability to verify domain ownership for your account; obtaining a wildcard certificate could be as simple as adding a DNS record via Cloud Resolution and granting permission, but this is not implemented. There is still room for better UX.
Be aware that certificates acquired this way may fail to auto-renew. You can use the API to synchronise a certificate into ESA externally: https://api.aliyun.com/api/ESA/2024-09-10/SetCertificate