Use acme.sh to apply for Let's Encrypt SSL certificate and upload it to AliCloud CDN automatically.

Because of policy changes at the upstream SSL certificate providers, AliCloud CDN no longer offers free SSL certificates. With a service as convenient and easy to use as Let's Encrypt available, there is no reason to buy a paid certificate: with a little setup on the server, acme.sh can apply for a free Let's Encrypt certificate for us, and a renew-hook can automate renewal and upload. The steps are below.

I. Install AliCloud CLI on the server

The AliCloud CLI lets us upload SSL certificates to AliCloud easily. Following the AliCloud official documentation, it is installed like this:

wget https://aliyuncli.alicdn.com/aliyun-cli-linux-latest-amd64.tgz \
    && tar xzvf aliyun-cli-linux-latest-amd64.tgz \
    && chmod +x aliyun \
    && cp aliyun /usr/local/bin

After installation, run the aliyun configure command and enter the AccessKey ID, AccessKey Secret and Region Id as prompted. Once configured, run aliyun configure list to verify that the installation was successful.

II. Setting up the Renew Hook script for automatic certificate uploading

Copy the following code into an executable file, change the AliCloud key and the CDN domain names whose certificate needs to be renewed, and put it in a suitable location on the server (/root/sh/cdnssl.sh in the sample code).

#!/usr/bin/env bash

# OpenAPI used:
# CAS: https://help.aliyun.com/document_detail/126507.html
# CDN: https://help.aliyun.com/document_detail/106661.html

# renew-hook script for use with acme.sh: uploads the renewed certificate to Aliyun and binds it to
# each CDN domain listed below.
# Every API call is checked; if one fails, the script stops and returns a custom exit code.

# NOTE: Replace with your own AccessKey
AliAccessKeyId="AliCloud Access Key ID"
AliAccessKeySecret="AliCloud Access Key Secret"

# Environment variables exported by acme.sh when the renew hook runs
ACME_ENV_LIST=(
    "CERT_KEY_PATH"
    "CERT_FULLCHAIN_PATH"
    "Le_Domain"
)
# Abort if any of them is missing
for value in "${ACME_ENV_LIST[@]}"; do
    [[ -v "$value" ]] || exit 1
done
unset value

# Read the certificate, dropping blank lines from the fullchain file
get_cert() {
    sed -e "/^$/d" "$CERT_FULLCHAIN_PATH"
}
# Read the private key
get_key() {
    cat "$CERT_KEY_PATH"
}

# shellcheck disable=SC2154
DOMAIN=$Le_Domain

# Certificate name (replace '.' in the domain with '_' to conform to AliCloud's certificate naming rules)
CERT_NAME="${DOMAIN//./_}-$(date +%s)"

# List of CDN domains whose certificate must be renewed
# NOTE: Modify the list of CDN domains here
DOMAIN_LIST=(
    "cdn.wpzhiku.com"
)

# Bind the new certificate to every CDN domain in the list
for _domain in "${DOMAIN_LIST[@]}"; do
    aliyun cdn SetCdnDomainSSLCertificate --DomainName "$_domain" --CertName "$CERT_NAME" \
        --SSLPub="$(get_cert)" --SSLPri="$(get_key)" --CertType upload --SSLProtocol on || exit 103
done
unset _domain
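As an added example (not the post's own script), the hook below runs three checks before issuing the same aliyun command as above: the private key must match the leaf certificate, the certificate must be valid for at least 30 more days, and it must actually name every CDN domain. Uploading a mismatched key or a certificate for the wrong host would otherwise break HTTPS on the CDN without any error from acme.sh. The domain list is the one from the post; the cert_* function names and exit codes 101, 102 and 104 are my own.

```bash
#!/usr/bin/env bash
# Pre-upload checks for an acme.sh renew hook. Added example, not the original
# post's script. Paths come from the variables acme.sh exports to the hook.
set -euo pipefail

# 0 when the private key belongs to the leaf certificate (first cert in the fullchain).
cert_matches_key() {            # $1 = fullchain path, $2 = key path
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [[ "$cert_pub" == "$key_pub" ]]
}

# 0 when the certificate names the domain: exact SAN, CN, or a wildcard for its parent.
cert_covers_domain() {          # $1 = fullchain path, $2 = domain
    local names
    names=$( { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
               openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print}' \
                   | tr ',' '\n' | sed -n 's/.*DNS://p'; } )
    grep -qxF -e "$2" -e "*.${2#*.}" <<<"$names"
}

# 0 when the certificate is still valid for at least $2 more days.
cert_valid_for_days() {         # $1 = fullchain path, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Validate everything first, then bind the certificate to every CDN domain (same CLI call as the post).
run_hook() {                    # $1 = fullchain, $2 = key, $3.. = CDN domains
    local fullchain=$1 key=$2 d; shift 2
    cert_matches_key "$fullchain" "$key"  || { echo "key does not match certificate" >&2; return 101; }
    cert_valid_for_days "$fullchain" 30   || { echo "certificate expires within 30 days" >&2; return 102; }
    for d in "$@"; do
        cert_covers_domain "$fullchain" "$d" || { echo "certificate does not cover $d" >&2; return 104; }
    done
    for d in "$@"; do
        aliyun cdn SetCdnDomainSSLCertificate --DomainName "$d" \
            --SSLPub="$(sed '/^$/d' "$fullchain")" --SSLPri="$(cat "$key")" \
            --CertType upload --SSLProtocol on || return 103
    done
}

# When invoked by acme.sh the exported paths are set; otherwise only the functions are defined.
if [[ -n "${CERT_FULLCHAIN_PATH:-}" && -n "${CERT_KEY_PATH:-}" ]]; then
    run_hook "$CERT_FULLCHAIN_PATH" "$CERT_KEY_PATH" "cdn.wpzhiku.com"
fi
```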

III. Execute the SSL certificate request command

First, export the AliCloud key and secret on the command line; this only needs to be done once. acme.sh records this information in /root/.acme.sh/account.conf and reuses it when renewing the certificate.

export Ali_Key="AliCloud Access Key ID"
export Ali_Secret="AliCloud Access Key Secret"

Run the following command. When acme.sh renews the SSL certificate it will automatically execute the renew-hook script (cdnssl.sh) to upload the renewed certificate to Aliyun.

acme.sh --issue --dns dns_ali -d cdn.wpzhiku.com --renew-hook /root/sh/cdnssl.sh

After it completes successfully, you should be able to see the automatically uploaded certificate in the AliCloud SSL certificate console; if it is not there, simply run the renewal command once:

acme.sh --cron --home "/usr/local/acme.sh" > /dev/null

IV. View acme.sh configuration information

Use the following command to view and verify the configuration that acme.sh recorded automatically for renewing the SSL certificate.

acme.sh --info -d cdn.wpzhiku.com

With the configuration above in place, set up a cron task and acme.sh will renew the certificate automatically, upload it to Aliyun and apply it to the CDN. As long as the server keeps running and the Aliyun Key and Secret do not change, the certificate should in theory stay valid indefinitely, which is very convenient and efficient.

Comments

1. AliAccessKeyId="AliCloud Access Key ID"
   AliAccessKeySecret="AliCloud Access Key Secret"
   These two lines are no longer needed, since you are now using the AliCloud CLI. The original author needed to import the SDK, which is why he needed the AccessKey.
