Preface
Alibaba Cloud ESA can serve traffic from mainland-China nodes as long as the domain has an ICP filing (备案). Before this I used Cloudflare for overseas traffic and Amazon CloudFront for mainland China. After trying ESA I found that it requires the domain to be resolved to ESA; since I want Cloudflare for overseas nodes and ESA for mainland nodes, ESA's own HTTP-based certificate issuance runs into trouble. Alibaba Cloud does allow uploading a certificate manually, which gave me the idea of renewing the certificate with GitHub Actions and uploading it to Alibaba Cloud. After some research, and with help from an AI, I created the project lego-esa-renew. The details follow.
Running
Environment variables
Variables required by Lego
| Variable | Default | Required | Notes |
|---|---|---|---|
| ALICLOUD_ACCESS_KEY | | Yes | Alibaba Cloud AccessKey ID used for API calls; needs the AliyunDNSFullAccess permission |
| ALICLOUD_SECRET_KEY | | Yes | Alibaba Cloud AccessKey secret paired with the ID above; needs the AliyunDNSFullAccess permission |
| EMAIL | | Yes | Email address used for the Let's Encrypt account that renews the certificate |
| DOMAIN | | Yes | Domain name(s) whose SSL certificate is to be renewed |
| CERT_PATH | certs | No | Directory where certificates are stored; default certs |
| RENEW_OPTION | renew | No | Whether Lego renews an existing certificate or requests a new one; values are renew or run |
Note: CERT_PATH is the directory the certificates are saved in; use only letters, or letters plus digits, and avoid special characters. RENEW_OPTION selects how lego runs; the default is renew, which renews an existing certificate (lego renew only replaces a certificate that is within 30 days of expiry, its --days default, so the weekly schedule normally does nothing until then). When it is run, special handling is needed, explained below.
Variables required by the Alibaba Cloud CLI
| Variable | Default | Required | Notes |
|---|---|---|---|
| ALICLOUD_ACCESS_KEY_ID | | Yes | Alibaba Cloud AccessKey ID used for API calls; needs the AliyunYundunCertFullAccess and AliyunESAFullAccess permissions |
| ALICLOUD_ACCESS_KEY_SECRET | | Yes | Alibaba Cloud AccessKey secret paired with the ID above; needs the AliyunYundunCertFullAccess and AliyunESAFullAccess permissions |
| ALIYUN_REGION | ap-southeast-1 | No | Region of the Alibaba Cloud Certificate Management service (cn-hangzhou for mainland China, ap-southeast-1 for the international edition) |
| NAME | lego-ssl | No | Name of the certificate uploaded to Certificate Management and bound in ESA; the actual name is NAME followed by the run date |
| SITE_ID | | Yes | ESA site whose certificate is updated; the certificate bound to the site must match the site's domain |
Flowchart
Repository tree
lego-esa-renew
├─ site-id # ESA site ID; keeps the original value so that a change to the SITE_ID variable still has a record to compare against
├─ Dockerfile # Dockerfile used to build the Docker image
├─ time # timestamp of the GitHub Actions run; committing it keeps the repository active so GitHub does not disable the scheduled workflow (GitHub disables scheduled workflows after 60 days without repository activity)
├─ docker-compose.yml # runs the Docker image
├─ ssl-certid # information returned by Alibaba Cloud for the uploaded certificate
├─ domain # domains Lego requests certificates for; a backup that is easy to edit
└─ .github
   └─ workflows
      └─ lego-esa-renew.yml # GitHub Actions workflow file
Procedure
- Create a private repository and import the lego-esa-renew project into it.
- Check again that the repository is private, then do the necessary GitHub repository configuration, for example allowing GitHub Actions to read and write the repository and setting the environment variables.
On the first run the GitHub Actions variable RENEW_OPTION must be set to run; with RENEW_OPTION set to run a new certificate is requested.
After the certificate has been issued, the RENEW_OPTION variable must be deleted. Otherwise, since GitHub Actions runs every 7 days, every run would request a fresh certificate, and together with certificates requested by other services this runs into Let's Encrypt's rate limits (duplicate certificates for the same set of names are limited to 5 per week) and may be treated as abuse.
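The hazard just described (a forgotten RENEW_OPTION=run re-issuing a certificate on every scheduled run) disappears if the action is derived from what is already on disk instead of from a variable. The wrapper below is an added example, not code from lego-esa-renew; it assumes the same EMAIL, DOMAIN and CERT_PATH variables as the project's docker-compose.yml and relies on lego naming its certificate after the first entry of --domains, with `*` replaced by `_`.

```shell
#!/bin/sh
# Added example, not part of lego-esa-renew: choose "run" or "renew" for lego from the
# certificate already on disk, so a stale RENEW_OPTION=run cannot re-issue every week.
set -eu

# Path of the certificate lego writes for a --domains list: the first entry, '*' mapped to '_'.
lego_cert_file() {
  cert_path=$1
  domains=$2
  first=${domains%%,*}
  first=$(printf '%s' "$first" | tr '*' '_')
  printf '%s/certificates/%s.crt' "$cert_path" "$first"
}

# Print "run" when no certificate exists yet (first issuance) and "renew" otherwise.
# RENEW_OPTION is deliberately not consulted: after the first issuance the only safe action
# is renew, and lego renew is itself a no-op until the certificate is within --days
# (default 30) of expiry, so a weekly schedule never hits the duplicate-certificate limit.
choose_lego_action() {
  cert_path=$1
  domains=$2
  if [ -s "$(lego_cert_file "$cert_path" "$domains")" ]; then
    printf 'renew'
  else
    printf 'run'
  fi
}

# Drop-in for the lego invocation used inside the container; needs EMAIL, DOMAIN, CERT_PATH
# and the ALICLOUD_* variables for the alidns provider in the environment.
run_lego() {
  action=$(choose_lego_action "$CERT_PATH" "$DOMAIN")
  echo "lego action: $action (certificate: $(lego_cert_file "$CERT_PATH" "$DOMAIN"))" >&2
  lego --email="$EMAIL" --domains="$DOMAIN" --path="$CERT_PATH" --dns alidns --accept-tos "$action"
}

# Usage: sh lego-action.sh --exec   (with the variables above exported)
if [ "${1:-}" = "--exec" ]; then
  run_lego
fi
```

With this in place the RENEW_OPTION variable can be dropped from the workflow entirely; the first run issues, every later run renews, and nothing needs to be deleted afterwards.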
Requesting an Alibaba Cloud AccessKey
The GitHub Actions variables contain two pairs of Alibaba Cloud AccessKeys: ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY and ALICLOUD_ACCESS_KEY_ID / ALICLOUD_ACCESS_KEY_SECRET. The first pair is what Lego needs to add the TXT validation records in DNS when requesting the Let's Encrypt certificate; the second pair is what uploading the issued Let's Encrypt certificate to Alibaba Cloud and binding it to the ESA site need. The two pairs can be the same key, or different AccessKeys from different Alibaba Cloud accounts; I use one Alibaba Cloud account for DNS and another for ESA. In the demonstration the DNS account and the ESA account are the same account, on the international edition of Alibaba Cloud.
- Open Alibaba Cloud RAM (access control) and create a new user.
- Grant the new user permissions.
Note: the user I created has PowerUserAccess, which is a very broad permission; if you have stricter security requirements, look up how to scope the permissions yourself. The policies listed in the variable tables above (AliyunDNSFullAccess for the DNS key; AliyunYundunCertFullAccess and AliyunESAFullAccess for the upload key) are the narrower choice, and using a separate RAM user for each pair keeps the DNS key out of the upload step and the upload key out of the DNS step.
Requesting a certificate
In the GitHub repository, confirm that the RENEW_OPTION variable is run, then edit the time file to trigger the GitHub Actions run. The first run looks like this:
A renewal run looks like this:
If everything worked, the uploaded certificate can be seen in Alibaba Cloud Certificate Management and the bound certificate in ESA.
Running manually with Docker (recommended before the GitHub Actions run)
Run it in Docker first to catch mistakes.
- Clone the private repository. Import lego-esa-renew into a private repository and sync it to your machine over SSH; the private repository aaro-n/ys1 serves as the example:
www@debian:~$ git clone git@github.com:aaro-n/ys1.git
Cloning into 'ys1'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (6/6), done.
Receiving objects: 100% (16/16), 5.93 KiB | 5.93 MiB/s, done.
Resolving deltas: 100% (5/5), done.
remote: Total 16 (delta 5), reused 16 (delta 5), pack-reused 0 (from 0)
- Enter the ys1 repository and edit docker-compose.yml to suit your needs:
www@debian:~$ cd ys1/
www@debian:~/ys1$ cat docker-compose.yml
services:
  lego-esa-renew:
    build:
      context: .
    image: lego-esa-renew
    container_name: lego-esa-renew
    environment:
      # Variables needed by Lego; adjust them to your needs
      # Store the requested certificates in the certs folder
      - CERT_PATH=certs
      # Let Lego request wildcard certificates through Alibaba Cloud DNS; see the Lego docs for details
      - ALICLOUD_ACCESS_KEY=LTAaxzzc
      - ALICLOUD_SECRET_KEY=asdsdff
      # Email address Lego uses to request certificates
      - EMAIL=[email protected]
      # Domains Lego requests certificates for
      - DOMAIN=domain1.com,*.domain1.com,domain2.com,*.domain2.com,domain3.com,*.domain3.com,domain4.com,*.domain4.com,domain5.com,*.domain5.com,domain6.com,*.domain6.com,domain7.com,*.domain7.com,domain8.com,*.domain8.com,domain9.com,*.domain9.com,domain10.com,*.domain10.com,actions.github.domain10.com
      # How Lego runs: request a certificate (run) or renew one (renew)
      # Values: run or renew
      # Use run for the first request
      - RENEW_OPTION=run
      # Variables needed for the upload to Alibaba Cloud
      # Parameters for uploading to Alibaba Cloud and updating ESA
      - ALICLOUD_ACCESS_KEY_ID=werrt
      - ALICLOUD_ACCESS_KEY_SECRET=ssdsdfffg
      # Where to upload the certificate: mainland China (cn-hangzhou) or overseas (ap-southeast-1)
      # Values: cn-hangzhou or ap-southeast-1
      # Alibaba Cloud international-edition ESA accounts normally use ap-southeast-1
      - ALIYUN_REGION=ap-southeast-1
      # Name of the certificate uploaded to Alibaba Cloud
      # The actual uploaded name is this name plus the date
      # Example: NAME is lego-ssl and the date is 20250801, so the certificate is named lego-ssl-20250801
      - NAME=lego-ssl
    volumes:
      # The certs folder under /home/www must follow the CERT_PATH variable:
      # ./CERT_PATH:/home/www/CERT_PATH
      - ./certs:/home/www/certs
www@debian:~/ys1$ vim docker-compose.yml
www@debian:~/ys1$ cat docker-compose.yml
services:
  lego-esa-renew:
    build:
      context: .
    image: lego-esa-renew
    container_name: lego-esa-renew
    environment:
      # Variables needed by Lego; adjust them to your needs
      # Store the requested certificates in the certs folder
      - CERT_PATH=certs
      # Let Lego request wildcard certificates through Alibaba Cloud DNS; see the Lego docs for details
      - ALICLOUD_ACCESS_KEY=REDACTED
      - ALICLOUD_SECRET_KEY=REDACTED
      # Email address Lego uses to request certificates
      - EMAIL=[email protected]
      # Domains Lego requests certificates for
      - DOMAIN=yanshi.aaz.ee,*.yanshi.aaz.ee,yanshi.8w.ee,*.yanshi.8w.ee,yanshi.ip94.cn,*.yanshi.ip94.cn,yanshi.211987.xyz,*.yanshi.211987.xyz,yanshi.itansuo.info,*.yanshi.itansuo.info,ssl.itansuo.info,*.ssl.itansuo.info
      # How Lego runs: request a certificate (run) or renew one (renew)
      # Values: run or renew
      # Use run for the first request
      - RENEW_OPTION=run
      # Variables needed for the upload to Alibaba Cloud
      # Parameters for uploading to Alibaba Cloud and updating ESA
      - ALICLOUD_ACCESS_KEY_ID=REDACTED
      - ALICLOUD_ACCESS_KEY_SECRET=REDACTED
      # Where to upload the certificate: mainland China (cn-hangzhou) or overseas (ap-southeast-1)
      # Values: cn-hangzhou or ap-southeast-1
      # Alibaba Cloud international-edition ESA accounts normally use ap-southeast-1
      - ALIYUN_REGION=ap-southeast-1
      # Name of the certificate uploaded to Alibaba Cloud
      # The actual uploaded name is this name plus the date
      # Example: NAME is lego-ssl and the date is 20250801, so the certificate is named lego-ssl-20250801
      - NAME=lego-ssl
    volumes:
      # The certs folder under /home/www must follow the CERT_PATH variable:
      # ./CERT_PATH:/home/www/CERT_PATH
      - ./certs:/home/www/certs
- Build the Docker image and run it:
www@debian:~/ys1$ ls
docker-compose.yml Dockerfile domain site-id ssl-certid time
www@debian:~/ys1$ mkdir certs
www@debian:~/ys1$ ls
certs docker-compose.yml Dockerfile domain site-id ssl-certid time
www@debian:~/ys1$ docker-compose build
Building lego-esa-renew
Sending build context to Docker daemon 84.99kB
Step 1/4 : FROM alpine:latest
---> 9234e8fb04c4
Step 2/4 : WORKDIR /home/www
---> Using cache
---> 3fbff363cd04
Step 3/4 : RUN apk update && apk add --no-cache curl && curl -L https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz -o aliyun-cli.tgz && tar -xzf aliyun-cli.tgz && mv aliyun /usr/local/bin/ && chmod +x /usr/local/bin/aliyun && latest_version=$(curl -s https://api.github.com/repos/go-acme/lego/releases/latest | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/') && download_url="https://github.com/go-acme/lego/releases/download/${latest_version}/lego_${latest_version}_linux_amd64.tar.gz" && wget -O lego_linux_amd64.tar.gz "$download_url" && tar -xzf lego_linux_amd64.tar.gz && mv lego /usr/local/bin/ && chmod +x /usr/local/bin/lego && rm -rf /var/cache/apk/*
---> Using cache
---> 5aa22c8af6eb
Step 4/4 : CMD ["tail", "-f", "/dev/null"]
---> Using cache
---> 027b74ba9fc9
Successfully built 027b74ba9fc9
Successfully tagged lego-esa-renew:latest
www@debian:~/ys1$ docker-compose up -d
Creating lego-esa-renew ... done
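The Dockerfile visible in the build output above pulls alpine:latest, the "latest" aliyun CLI tarball and whatever lego release the GitHub API reports as newest, with no checksum check, so a build silently installs whatever those URLs serve that day. The script below is an added example, not the project's Dockerfile: it pins the lego version and refuses to install the archive unless its SHA-256 matches the checksums file published with that release (assumption: the asset is named lego_<version>_checksums.txt in the usual "<sha256>  <file>" format). The same verify step applies to any other download for which a checksum is published.

```shell
#!/bin/sh
# Added example, not the lego-esa-renew Dockerfile: install a pinned lego release only after
# verifying its SHA-256 against the checksums file published with that release.
set -eu

# Check FILE against a checksums file with one "<sha256>  <filename>" line per asset.
# Returns 0 on match, 1 if the file is not listed or its digest differs.
verify_sha256() {
  file=$1
  sums=$2
  name=$(basename "$file")
  # Some checksum files prefix binary-mode entries with '*'; strip it before comparing names.
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum listed for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
}

# Download lego VERSION (a tag from the releases page, e.g. v4.x.y) for linux/amd64,
# verify it, and install the binary into DEST. Assumption: the release ships
# lego_<version>_checksums.txt next to the archives.
install_lego() {
  version=$1
  dest=${2:-/usr/local/bin}
  base="https://github.com/go-acme/lego/releases/download/${version}"
  archive="lego_${version}_linux_amd64.tar.gz"
  work=$(mktemp -d)
  curl -fsSL -o "${work}/${archive}" "${base}/${archive}"
  curl -fsSL -o "${work}/checksums.txt" "${base}/lego_${version}_checksums.txt"
  verify_sha256 "${work}/${archive}" "${work}/checksums.txt"
  tar -xzf "${work}/${archive}" -C "$work" lego
  install -m 0755 "${work}/lego" "${dest}/lego"
  rm -rf "$work"
}

# Usage in a Dockerfile, with the version passed as a build argument instead of resolved at build time:
#   ARG LEGO_VERSION
#   RUN sh install-lego.sh --install "$LEGO_VERSION"
if [ "${1:-}" = "--install" ]; then
  install_lego "${2:?lego version required}" "${3:-/usr/local/bin}"
fi
```

Pinning the base image by digest (alpine@sha256:...) closes the remaining unpinned input; bumping LEGO_VERSION then becomes a reviewed change in the repository rather than something that happens on its own at the next build.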
- Enter the container and request the certificate:
www@debian:~/ys1$ docker exec -it lego-esa-renew /bin/sh
/home/www # ls
CHANGELOG.md LICENSE aliyun-cli.tgz certs lego_linux_amd64.tar.gz
/home/www # lego --email="$EMAIL" --domains="$DOMAIN" --path="$CERT_PATH" --dns alidns --accept-tos $RENEW_OPTION
2025/08/11 17:31:45 No key found for account [email protected]. Generating a P256 key.
2025/08/11 17:31:45 Saved key to certs/accounts/acme-v02.api.letsencrypt.org/[email protected]/keys/[email protected]
2025/08/11 17:31:45 [INFO] acme: Registering account for [email protected]
!!!! HEADS UP !!!!
Your account credentials have been saved in your
configuration directory at "certs/accounts".
You should make a secure backup of this folder now. This
configuration directory will also contain certificates and
private keys obtained from the ACME server so making regular
backups of this folder is ideal.
2025/08/11 17:31:46 [INFO] [yanshi.aaz.ee, *.yanshi.aaz.ee, yanshi.8w.ee, *.yanshi.8w.ee, yanshi.ip94.cn, *.yanshi.ip94.cn, yanshi.211987.xyz, *.yanshi.211987.xyz, yanshi.itansuo.info, *.yanshi.itansuo.info, ssl.itansuo.info, *.ssl.itansuo.info] acme: Obtaining bundled SAN certificate
2025/08/11 17:31:47 [INFO] [*.ssl.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.yanshi.211987.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.yanshi.8w.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.yanshi.aaz.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.yanshi.ip94.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.yanshi.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [ssl.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [yanshi.211987.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [yanshi.8w.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [yanshi.aaz.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [yanshi.ip94.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [yanshi.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:31:47 [INFO] [*.ssl.itansuo.info] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.yanshi.211987.xyz] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.yanshi.8w.ee] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.yanshi.aaz.ee] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.yanshi.ip94.cn] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.yanshi.itansuo.info] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [ssl.itansuo.info] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [ssl.itansuo.info] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [ssl.itansuo.info] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [yanshi.211987.xyz] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [yanshi.211987.xyz] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [yanshi.211987.xyz] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [yanshi.8w.ee] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [yanshi.8w.ee] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [yanshi.8w.ee] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [yanshi.aaz.ee] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [yanshi.aaz.ee] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [yanshi.aaz.ee] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [yanshi.ip94.cn] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [yanshi.ip94.cn] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [yanshi.ip94.cn] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [yanshi.itansuo.info] acme: Could not find solver for: tls-alpn-01
2025/08/11 17:31:47 [INFO] [yanshi.itansuo.info] acme: Could not find solver for: http-01
2025/08/11 17:31:47 [INFO] [yanshi.itansuo.info] acme: use dns-01 solver
2025/08/11 17:31:47 [INFO] [*.ssl.itansuo.info] acme: Preparing to solve DNS-01
2025/08/11 17:31:51 [INFO] [*.yanshi.211987.xyz] acme: Preparing to solve DNS-01
2025/08/11 17:31:55 [INFO] [*.yanshi.8w.ee] acme: Preparing to solve DNS-01
2025/08/11 17:31:59 [INFO] [*.yanshi.aaz.ee] acme: Preparing to solve DNS-01
2025/08/11 17:32:02 [INFO] [*.yanshi.ip94.cn] acme: Preparing to solve DNS-01
2025/08/11 17:32:06 [INFO] [*.yanshi.itansuo.info] acme: Preparing to solve DNS-01
2025/08/11 17:32:09 [INFO] [ssl.itansuo.info] acme: Preparing to solve DNS-01
2025/08/11 17:32:12 [INFO] [yanshi.211987.xyz] acme: Preparing to solve DNS-01
2025/08/11 17:32:14 [INFO] [yanshi.8w.ee] acme: Preparing to solve DNS-01
2025/08/11 17:32:17 [INFO] [yanshi.aaz.ee] acme: Preparing to solve DNS-01
2025/08/11 17:32:19 [INFO] [yanshi.ip94.cn] acme: Preparing to solve DNS-01
2025/08/11 17:32:22 [INFO] [yanshi.itansuo.info] acme: Preparing to solve DNS-01
2025/08/11 17:32:24 [INFO] [*.ssl.itansuo.info] acme: Trying to solve DNS-01
2025/08/11 17:32:24 [INFO] [*.ssl.itansuo.info] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:32:26 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:33:10 [INFO] [*.ssl.itansuo.info] The server validated our request
2025/08/11 17:33:10 [INFO] [*.yanshi.211987.xyz] acme: Trying to solve DNS-01
2025/08/11 17:33:10 [INFO] [*.yanshi.211987.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:33:12 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:33:18 [INFO] [*.yanshi.8w.ee] acme: Trying to solve DNS-01
2025/08/11 17:33:18 [INFO] [*.yanshi.8w.ee] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:33:20 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:33:34 [INFO] [*.yanshi.8w.ee] The server validated our request
2025/08/11 17:33:34 [INFO] [*.yanshi.aaz.ee] acme: Trying to solve DNS-01
2025/08/11 17:33:34 [INFO] [*.yanshi.aaz.ee] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:33:36 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:33:51 [INFO] [*.yanshi.aaz.ee] The server validated our request
2025/08/11 17:33:51 [INFO] [*.yanshi.ip94.cn] acme: Trying to solve DNS-01
2025/08/11 17:33:51 [INFO] [*.yanshi.ip94.cn] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:33:53 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:33:59 [INFO] [*.yanshi.ip94.cn] The server validated our request
2025/08/11 17:33:59 [INFO] [*.yanshi.itansuo.info] acme: Trying to solve DNS-01
2025/08/11 17:33:59 [INFO] [*.yanshi.itansuo.info] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:34:01 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:34:07 [INFO] [*.yanshi.itansuo.info] The server validated our request
2025/08/11 17:34:07 [INFO] [ssl.itansuo.info] acme: Trying to solve DNS-01
2025/08/11 17:34:07 [INFO] [ssl.itansuo.info] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:34:09 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:34:21 [INFO] [ssl.itansuo.info] The server validated our request
2025/08/11 17:34:21 [INFO] [yanshi.211987.xyz] acme: Trying to solve DNS-01
2025/08/11 17:34:21 [INFO] [yanshi.211987.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:34:23 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:34:51 [INFO] [yanshi.211987.xyz] The server validated our request
2025/08/11 17:34:51 [INFO] [yanshi.8w.ee] acme: Trying to solve DNS-01
2025/08/11 17:34:51 [INFO] [yanshi.8w.ee] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:34:53 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:34:59 [INFO] [yanshi.8w.ee] The server validated our request
2025/08/11 17:34:59 [INFO] [yanshi.aaz.ee] acme: Trying to solve DNS-01
2025/08/11 17:34:59 [INFO] [yanshi.aaz.ee] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:35:01 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:35:25 [INFO] [yanshi.aaz.ee] The server validated our request
2025/08/11 17:35:25 [INFO] [yanshi.ip94.cn] acme: Trying to solve DNS-01
2025/08/11 17:35:25 [INFO] [yanshi.ip94.cn] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:35:27 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:35:30 [INFO] [yanshi.ip94.cn] The server validated our request
2025/08/11 17:35:30 [INFO] [yanshi.itansuo.info] acme: Trying to solve DNS-01
2025/08/11 17:35:30 [INFO] [yanshi.itansuo.info] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:35:32 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:35:40 [INFO] [yanshi.itansuo.info] The server validated our request
2025/08/11 17:35:40 [INFO] [*.ssl.itansuo.info] acme: Cleaning DNS-01 challenge
2025/08/11 17:35:46 [INFO] [*.yanshi.211987.xyz] acme: Cleaning DNS-01 challenge
2025/08/11 17:35:50 [INFO] [*.yanshi.8w.ee] acme: Cleaning DNS-01 challenge
2025/08/11 17:35:55 [INFO] [*.yanshi.aaz.ee] acme: Cleaning DNS-01 challenge
2025/08/11 17:35:59 [INFO] [*.yanshi.ip94.cn] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:03 [INFO] [*.yanshi.itansuo.info] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:08 [INFO] [ssl.itansuo.info] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:10 [INFO] [yanshi.211987.xyz] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:11 [INFO] [yanshi.8w.ee] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:13 [INFO] [yanshi.aaz.ee] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:15 [INFO] [yanshi.ip94.cn] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:17 [INFO] [yanshi.itansuo.info] acme: Cleaning DNS-01 challenge
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:19 Could not obtain certificates:
error: one or more domains had a problem:
[*.yanshi.211987.xyz] invalid authorization: acme: error: 0 :: urn:ietf:params:acme:error:dns :: While processing CAA for *.yanshi.211987.xyz: DNS problem: SERVFAIL looking up CAA for yanshi.211987.xyz - the domain's nameservers may be malfunctioning
/home/www # lego --email="$EMAIL" --domains="$DOMAIN" --path="$CERT_PATH" --dns alidns --accept-tos $RENEW_OPTION
2025/08/11 17:36:45 [INFO] [yanshi.aaz.ee, *.yanshi.aaz.ee, yanshi.8w.ee, *.yanshi.8w.ee, yanshi.ip94.cn, *.yanshi.ip94.cn, yanshi.211987.xyz, *.yanshi.211987.xyz, yanshi.itansuo.info, *.yanshi.itansuo.info, ssl.itansuo.info, *.ssl.itansuo.info] acme: Obtaining bundled SAN certificate
2025/08/11 17:36:46 [INFO] [*.ssl.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.yanshi.211987.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.yanshi.8w.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.yanshi.aaz.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.yanshi.ip94.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.yanshi.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [ssl.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [yanshi.211987.xyz] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [yanshi.8w.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [yanshi.aaz.ee] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [yanshi.ip94.cn] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [yanshi.itansuo.info] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/REDACTED
2025/08/11 17:36:46 [INFO] [*.ssl.itansuo.info] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [*.yanshi.8w.ee] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [*.yanshi.aaz.ee] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [*.yanshi.ip94.cn] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [*.yanshi.itansuo.info] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [ssl.itansuo.info] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [yanshi.211987.xyz] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [yanshi.8w.ee] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [yanshi.aaz.ee] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [yanshi.ip94.cn] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [yanshi.itansuo.info] acme: authorization already valid; skipping challenge
2025/08/11 17:36:46 [INFO] [*.yanshi.211987.xyz] acme: use dns-01 solver
2025/08/11 17:36:46 [INFO] [*.yanshi.211987.xyz] acme: Preparing to solve DNS-01
2025/08/11 17:36:49 [INFO] [*.yanshi.211987.xyz] acme: Trying to solve DNS-01
2025/08/11 17:36:49 [INFO] [*.yanshi.211987.xyz] acme: Checking DNS record propagation. [nameservers=127.0.0.11:53]
2025/08/11 17:36:51 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/08/11 17:36:57 [INFO] [*.yanshi.211987.xyz] The server validated our request
2025/08/11 17:36:57 [INFO] [*.yanshi.211987.xyz] acme: Cleaning DNS-01 challenge
2025/08/11 17:37:00 [INFO] [yanshi.aaz.ee, *.yanshi.aaz.ee, yanshi.8w.ee, *.yanshi.8w.ee, yanshi.ip94.cn, *.yanshi.ip94.cn, yanshi.211987.xyz, *.yanshi.211987.xyz, yanshi.itansuo.info, *.yanshi.itansuo.info, ssl.itansuo.info, *.ssl.itansuo.info] acme: Validations succeeded; requesting certificates
2025/08/11 17:37:03 [INFO] [yanshi.aaz.ee] Server responded with a certificate.
- Upload the certificate to Alibaba Cloud:
/home/www # ls -al certs/certificates/
total 24
drwx------ 2 root root 4096 Aug 11 17:37 .
drwxr-xr-x 4 1000 1000 4096 Aug 11 17:31 ..
-rw------- 1 root root 3129 Aug 11 17:37 yanshi.aaz.ee.crt
-rw------- 1 root root 1567 Aug 11 17:37 yanshi.aaz.ee.issuer.crt
-rw------- 1 root root 234 Aug 11 17:37 yanshi.aaz.ee.json
-rw------- 1 root root 227 Aug 11 17:37 yanshi.aaz.ee.key
/home/www # aliyun configure set --access-key-id "$ALICLOUD_ACCESS_KEY_ID" --access-key-secret "$ALICLOUD_ACCESS_KEY_SECRET" --region "$ALIYUN_REGION"
/home/www # aliyun cas UploadUserCertificate \
> --Cert "$(cat ./$CERT_PATH/certificates/yanshi.aaz.ee.crt)" \
> --Key "$(cat ./$CERT_PATH/certificates/yanshi.aaz.ee.key)" \
> --Name "$NAME"
{
"CertId": 237257,
"RequestId": "EE7108AB-70D6-36DD-A97A-0CC7260E1CB1",
"ResourceId": "cas-upload-68j5ur"
}
- Next, check the certificate in Alibaba Cloud Certificate Management and bind it in ESA; this also confirms that both Lego and the Alibaba Cloud CLI work.
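Before the upload step above, a few checks catch the common ways a run can hand Alibaba Cloud a bad pair: a key that does not belong to the certificate (for example after a failed lego run left files from different runs behind), a certificate that is about to expire, or a SAN list that no longer matches DOMAIN. The script is an added example, not part of lego-esa-renew; it assumes openssl is available in the image (the Dockerfile above does not install it; on Alpine that is `apk add openssl`) and takes the file names lego produced in this run.

```shell
#!/bin/sh
# Added example, not part of lego-esa-renew: sanity-check a lego certificate/key pair before
# passing it to `aliyun cas UploadUserCertificate`. Requires openssl (apk add openssl on Alpine).
set -eu

# 0 if KEY is the private key belonging to CERT (their public keys are identical), 1 otherwise.
cert_matches_key() {
  cert=$1
  key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is still valid DAYS days from now (default 7, the GitHub Actions interval on this page).
cert_valid_for_days() {
  cert=$1
  days=${2:-7}
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Print the DNS names in CERT's subjectAltName, one per line, for comparison with $DOMAIN.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Run all checks; a non-zero exit stops the upload. Prints the SAN list on success so the
# caller can diff it against the DOMAIN variable.
preflight() {
  cert=$1
  key=$2
  cert_matches_key "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
  cert_valid_for_days "$cert" 7 || { echo "certificate expires within 7 days" >&2; return 1; }
  cert_dns_names "$cert"
}

# Usage: sh preflight.sh certs/certificates/yanshi.aaz.ee.crt certs/certificates/yanshi.aaz.ee.key
if [ $# -ge 2 ]; then
  preflight "$1" "$2"
fi
```

Run it immediately before the aliyun cas UploadUserCertificate call and abort on failure; a mismatched pair is otherwise rejected (or, worse, accepted and left unbound) only after the API round-trip, and an expiring certificate would be uploaded and bound just in time to fail.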