Request and renew free certificates from Let's Encrypt for Aliyun CDN domains.
Install certbot together with the Aliyun DNS plugin (the `dns-aliyun` authenticator used below) and aliyun-cert. The plugin must live in the same Python environment as certbot, and both certbot and aliyun-cert must be on the PATH of the user that runs `certbot renew` (root, with the cron job below).
pip3 install aliyun-cert
Create the credentials file ~/.secrets/aliyun.ini holding the Aliyun AccessKey. Restrict it to the user that runs certbot (chmod 600) and prefer a RAM sub-account key limited to the DNS and CDN/certificate APIs over the root account key: anyone who can read this file can alter DNS records and therefore obtain certificates for every domain on the account.
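# Aliyun AccessKey used by the dns-aliyun authenticator to create the DNS
# records that prove control of the domain.
# Keep this file private: chmod 600, owned by the user that runs certbot
# (root, if renewal runs from cron as root). Use a RAM sub-account key scoped
# to the DNS (and CDN/certificate) APIs rather than the account's root key --
# whoever reads this file can issue certificates for every domain on the account.
dns_aliyun_key_id = xxx
dns_aliyun_key_secret = yyy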
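# Request a new certificate using the DNS-01 challenge via the dns-aliyun
# authenticator (a wildcard name can only be validated over DNS).
# The wildcard is quoted so the shell cannot glob-expand '*.example.com'
# against files in the current directory.
# --dns-aliyun-propagation-seconds is how long certbot waits after creating the
# validation record before asking Let's Encrypt to check it; raise it if
# validation fails because the record is not yet visible.
certbot certonly \
  --authenticator dns-aliyun \
  --dns-aliyun-propagation-seconds 30 \
  --dns-aliyun-credentials ~/.secrets/aliyun.ini \
  -d 'example.com' -d '*.example.com'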
# Upload the issued certificate to Aliyun. Note that this sends the private key
# (privkey.pem) to Aliyun as well; that is unavoidable for CDN TLS termination,
# which is one more reason to keep the credentials file tightly scoped.
lineage=/etc/letsencrypt/live/example.com
aliyun-cert upload-cert --domain example.com "$lineage/fullchain.pem" "$lineage/privkey.pem"

# Bind the uploaded certificate to a CDN domain. Replace 123456 with the
# certificate id printed by the upload-cert command above.
aliyun-cert set-cert --cert-id 123456 --domain cdn.example.com --service cdn

# List every SSL-enabled CDN domain together with the certificate it uses.
aliyun-cert list-domains --cdn
Create the crontab file /etc/cron.d/certbot so that renewal is attempted twice a day (if your certbot package already ships a systemd timer or cron job, skip this step to avoid running renewal twice).
# Attempt renewal twice a day (00:00 and 12:00). The sleep moves the request
# off the exact hour so that many hosts do not hit Let's Encrypt at once;
# certbot renew only replaces certificates that are due. This runs as root,
# so every hook under /etc/letsencrypt/renewal-hooks/ runs as root too.
0 */12 * * * root sleep 1471 && certbot renew -q
Create a deploy hook that updates the Aliyun CDN certificate after each successful renewal, at /etc/letsencrypt/renewal-hooks/deploy/09-deploy-aliyun.sh, and make it executable (chmod +x); with the cron job above, certbot runs it as root.
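#!/bin/bash
# certbot deploy hook: after a successful renewal, upload the renewed
# certificate to Aliyun and switch the CDN domains over to it.
# certbot runs executables in this directory (as root, with the cron job above)
# once per renewed lineage; this file must be executable (chmod +x).
# NOTE(review): certbot exports RENEWED_LINEAGE / RENEWED_DOMAINS to deploy
# hooks; aliyun-cert's certbot-deploy-hook subcommand presumably reads them to
# locate the new files -- confirm against its help output.
# --delete-old-cert removes the previous certificate from the account after the
# switch; drop that flag if anything other than CDN still references it.
set -euo pipefail
aliyun-cert certbot-deploy-hook --cdn --delete-old-cert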