Aliyun ESA DNS Authenticator plugin for Certbot
certbot-dns-aliyun-esa
Aliyun ESA DNS authenticator plugin for Certbot. It creates and removes Aliyun ESA DNS TXT records for ACME dns-01 challenges, including wildcard certificates.
This project is community-maintained and is not an official Aliyun or Certbot plugin.
Chinese documentation: see README.zh-CN.md.
Features
- Certbot authenticator-only plugin for dns-01 validation.
- Supports wildcard certificates, for example *.example.com.
- Uses the Aliyun ESA CreateRecord, ListRecords, DeleteRecord, and ListSites APIs.
- Deletes TXT records by matching record name, record type, and TXT value to avoid removing unrelated records.
- Supports multiple TXT values under the same _acme-challenge name.
Installation
From PyPI
pip install certbot-dns-aliyun-esa
From source
git clone https://github.com/lampofaladdin/certbot-dns-aliyun-esa.git
cd certbot-dns-aliyun-esa
python3 -m venv .venv
. .venv/bin/activate
pip install -e .
Verify that Certbot can discover the plugin:
certbot plugins
You should see dns-aliyun-esa in the plugin list.
Credentials
Create an INI file, for example /etc/letsencrypt/aliyun-esa.ini:
dns_aliyun_esa_access_key_id = your-access-key-id
dns_aliyun_esa_access_key_secret = your-access-key-secret
Protect the file:
chmod 600 /etc/letsencrypt/aliyun-esa.ini
The AccessKey needs permissions to:
- list ESA sites;
- create DNS records;
- list DNS records;
- delete DNS records.
Usage
Issue a certificate:
certbot certonly \
--authenticator dns-aliyun-esa \
--dns-aliyun-esa-credentials /etc/letsencrypt/aliyun-esa.ini \
--dns-aliyun-esa-propagation-seconds 60 \
-d example.com \
-d '*.example.com'
Use staging first when testing automation:
certbot certonly \
--test-cert \
--authenticator dns-aliyun-esa \
--dns-aliyun-esa-credentials /etc/letsencrypt/aliyun-esa.ini \
--dns-aliyun-esa-propagation-seconds 60 \
-d example.com \
-d '*.example.com'
Plugin options
| Option | Default | Description |
|---|---|---|
| --dns-aliyun-esa-credentials | required | Path to the credentials INI file. |
| --dns-aliyun-esa-propagation-seconds | 60 | Seconds to wait before ACME validation. Increase this if DNS propagation is slow. |
| --dns-aliyun-esa-region-id | cn-hangzhou | Aliyun ESA region ID. |
| --dns-aliyun-esa-endpoint | esa.cn-hangzhou.aliyuncs.com | Aliyun ESA API endpoint passed to the official SDK. Override it if your environment needs another regional endpoint. |
| --dns-aliyun-esa-ttl | 1 | TTL for created TXT records. 1 follows ESA default TTL behavior from Aliyun's generated sample. |
How it works
Certbot calls the plugin with a validation name such as _acme-challenge.example.com and a TXT value. The plugin then:
- lists Aliyun ESA sites;
- matches the requested domain to the best ESA site name;
- creates a TXT record using ESA CreateRecord;
- waits for DNS propagation through Certbot's DNS plugin flow;
- finds the exact TXT record by record name, type, and value;
- deletes only that matching TXT record.
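The site-matching and exact-match cleanup rules described above, as an added example that is not the plugin's own code: it runs against constructed in-memory records instead of the Aliyun ESA API, and the Record class, best_site, records_to_delete and cleanup names are assumptions for illustration.

```python
"""Added example (not the plugin's code): longest-suffix site matching and
name+type+value record cleanup over constructed data, no Aliyun SDK needed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    # Hypothetical stand-in for one entry returned by ListRecords.
    record_id: str
    name: str
    rtype: str
    value: str


def best_site(validation_name: str, sites: List[str]) -> Optional[str]:
    """Pick the ESA site whose name is the longest suffix of the validation name,
    so '_acme-challenge.www.example.com' prefers 'www.example.com' over 'example.com'.
    The '.' boundary stops 'notexample.com' from matching the site 'example.com'."""
    fqdn = validation_name.rstrip(".").lower()
    matches = [s for s in sites
               if fqdn == s.lower() or fqdn.endswith("." + s.lower())]
    return max(matches, key=len) if matches else None


def records_to_delete(records: List[Record], name: str, value: str) -> List[Record]:
    """Select only TXT records whose name, type AND value all match. A sibling TXT
    with another value under the same _acme-challenge name is left untouched."""
    wanted = name.rstrip(".").lower()
    return [r for r in records
            if r.rtype == "TXT" and r.name.rstrip(".").lower() == wanted
            and r.value == value]


def cleanup(records: List[Record], name: str, value: str) -> List[Record]:
    """Return the record set after removing exactly the matching record(s)."""
    doomed = {r.record_id for r in records_to_delete(records, name, value)}
    return [r for r in records if r.record_id not in doomed]


# Constructed sample: the apex and wildcard validations share one _acme-challenge
# name but carry different values, plus an unrelated TXT that must survive.
SAMPLE = [
    Record("r1", "_acme-challenge.example.com", "TXT", "apex-token"),
    Record("r2", "_acme-challenge.example.com", "TXT", "wildcard-token"),
    Record("r3", "example.com", "TXT", "v=spf1 -all"),
]

if __name__ == "__main__":
    print(best_site("_acme-challenge.example.com", ["example.com", "other.test"]))
    left = cleanup(SAMPLE, "_acme-challenge.example.com", "apex-token")
    print([r.record_id for r in left])  # r1 removed, r2 and r3 kept
```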
Development
Install development dependencies:
python3 -m venv .venv
. .venv/bin/activate
pip install -e '.[test]'
Run tests:
pytest
Run a basic plugin discovery check:
certbot plugins | grep -A 5 dns-aliyun-esa
Build and check the package locally:
python -m pip install --upgrade build twine
rm -rf dist build *.egg-info src/*.egg-info
python -m build
python -m twine check dist/*
Publishing
This repository includes GitHub Actions workflows for CI and PyPI publishing:
- .github/workflows/ci.yml runs tests, plugin discovery, package build, and metadata checks.
- .github/workflows/publish.yml publishes to PyPI when a GitHub Release is published.
Publishing uses PyPI Trusted Publishing, so no PyPI API token needs to be stored in GitHub secrets.
Configure PyPI Trusted Publishing
In the PyPI project settings for certbot-dns-aliyun-esa, add a pending trusted publisher with:
| Field | Value |
|---|---|
| Owner | lampofaladdin |
| Repository name | certbot-dns-aliyun-esa |
| Workflow name | publish.yml |
| Environment name | pypi |
Release a version
- Update version in pyproject.toml.
- Update CHANGELOG.md.
- Commit and push the change to main.
- Create and push a matching tag, for example v0.1.1.
- Create a GitHub Release from that tag.
- Publishing the GitHub Release triggers the PyPI workflow.
Security notes
- Do not commit credentials files.
- Restrict credential file permissions to 0600.
- Prefer least-privilege RAM users/roles for the Aliyun AccessKey.
- Test with --test-cert before requesting production certificates.
License
Apache License 2.0. See LICENSE.
File details
Details for the file certbot_dns_aliyun_esa-0.1.0.tar.gz.
File metadata
- Download URL: certbot_dns_aliyun_esa-0.1.0.tar.gz
- Upload date:
- Size: 13.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File details
Details for the file certbot_dns_aliyun_esa-0.1.0-py3-none-any.whl.
File metadata
- Download URL: certbot_dns_aliyun_esa-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5