The Oracle Cloud Infrastructure (OCI) DNS service lets you create and manage public and private DNS zones in an OCI tenancy. The DNS Service provides each tenancy with a limit of 1,000 zones and 25,000 records per zone and is charged per 1M queries.
Before you can use OCI DNS with acme.sh, you'll need the following:
- A private API signing key; and
- The tenancy and service account OCIDs
We recommend installing the OCI CLI and using its interactive setup process (oci setup config) to create an API signing key pair and write the configuration file. If the OCI CLI is configured, the plugin will automatically detect and use that configuration file for authentication.
Alternatively, the OCI Developer Guide provides the manual steps required to generate the API signing keys and determine the required OCIDs.
Configuration
Automatic configuration
No configuration is required if an OCI CLI configuration file is located at $HOME/.oci/config and has a DEFAULT profile that can be used to manage DNS records in the target tenancy.
To override the configuration file path or profile name, set the following environment variables:
OCI_CLI_CONFIG_FILE: set to the full path, including the filename, of the OCI SDK and CLI configuration file.
OCI_CLI_PROFILE: an existing profile from the configuration file. Case-sensitive!
Manual configuration
If the OCI CLI is not installed, the following environment variables must be set:
OCI_CLI_USER: OCID of the user calling the API. Example: ocid1.user.oc1..<unique_ID>
OCI_CLI_TENANCY: OCID of your tenancy. Example: ocid1.tenancy.oc1..<unique_ID>
OCI_CLI_REGION: your Oracle Cloud Infrastructure home region, as a region identifier. Example: us-ashburn-1
You also need to provide the API signing key using one of the following two variables:
OCI_CLI_KEY_FILE: path to the file containing the private API signing key in PEM format; or
OCI_CLI_KEY: the private API signing key itself, in PEM format.
Prefer OCI_CLI_KEY_FILE with a key file that only the account running acme.sh can read: an environment variable holding the key is visible to every other process running as the same user.
Tip: the variables above can also be used to override the values stored in the OCI SDK and CLI configuration file.
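An added preflight script, written for this page and not part of acme.sh or the OCI CLI, that checks the manual-configuration variables before the first --issue: OCID prefixes, region set, a key source present, and, for a key file, that it exists, is a PEM private key, is not group/world readable and (when openssl is installed) actually parses. The OCIDs, region and paths it uses are constructed placeholders.

```shell
#!/bin/sh
# Preflight check for the manual (environment-variable) dns_oci setup.
# Added for this page; it is not part of acme.sh. Assumes POSIX sh plus ls, cut,
# grep and mktemp; openssl is used only when present. The OCIDs below are
# constructed placeholders, not real identifiers.

# Validate the OCI_CLI_* variables the plugin reads. Returns 0 when they look
# usable, 1 otherwise, reporting every problem found on stderr.
oci_preflight() {
  _rc=0
  case "${OCI_CLI_USER:-}" in
    ocid1.user.oc1..*) ;;
    *) echo "OCI_CLI_USER must be a user OCID (ocid1.user.oc1..<unique_ID>)" >&2; _rc=1 ;;
  esac
  case "${OCI_CLI_TENANCY:-}" in
    ocid1.tenancy.oc1..*) ;;
    *) echo "OCI_CLI_TENANCY must be a tenancy OCID (ocid1.tenancy.oc1..<unique_ID>)" >&2; _rc=1 ;;
  esac
  [ -n "${OCI_CLI_REGION:-}" ] || { echo "OCI_CLI_REGION is not set" >&2; _rc=1; }

  if [ -n "${OCI_CLI_KEY_FILE:-}" ]; then
    oci_check_key_file "$OCI_CLI_KEY_FILE" || _rc=1
  elif [ -n "${OCI_CLI_KEY:-}" ]; then
    # Inline key: only its shape can be checked here. Prefer OCI_CLI_KEY_FILE;
    # environment variables are readable by every process of the same user.
    printf '%s\n' "$OCI_CLI_KEY" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' \
      || { echo "OCI_CLI_KEY does not hold a PEM private key" >&2; _rc=1; }
  else
    echo "set OCI_CLI_KEY_FILE or OCI_CLI_KEY" >&2; _rc=1
  fi
  return $_rc
}

# The signing key is equivalent to the service user's credentials: it must
# exist, be a PEM private key, and be unreadable by group and others.
oci_check_key_file() {
  _f=$1
  [ -f "$_f" ] || { echo "key file $_f does not exist" >&2; return 1; }
  # Columns 5-10 of 'ls -l' output are the group and other permission bits.
  _go=$(ls -ld "$_f" | cut -c5-10)
  [ "$_go" = "------" ] \
    || { echo "key file $_f is group/world accessible; chmod 600 it" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$_f" \
    || { echo "key file $_f is not a PEM private key" >&2; return 1; }
  # When openssl is available, confirm that the key actually parses.
  if command -v openssl >/dev/null 2>&1; then
    openssl pkey -in "$_f" -noout 2>/dev/null \
      || { echo "openssl cannot parse $_f" >&2; return 1; }
  fi
  return 0
}

# Demo: build a throwaway, correctly protected configuration in a temp dir and
# check it. Returns the preflight result; replace the placeholders with real values.
oci_preflight_demo() {
  _d=$(mktemp -d) || return 1
  _k="$_d/oci_api_key.pem"
  if command -v openssl >/dev/null 2>&1; then
    openssl genrsa -out "$_k" 2048 2>/dev/null
  else
    # No openssl: a placeholder PEM with the right framing (constructed, not a key).
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' placeholder '-----END PRIVATE KEY-----' >"$_k"
  fi
  chmod 600 "$_k"
  (
    export OCI_CLI_USER="ocid1.user.oc1..aaaaexampleuser"
    export OCI_CLI_TENANCY="ocid1.tenancy.oc1..aaaaexampletenancy"
    export OCI_CLI_REGION="us-ashburn-1"
    export OCI_CLI_KEY_FILE="$_k"
    oci_preflight
  )
  _r=$?
  rm -rf "$_d"
  return $_r
}

oci_preflight_demo && echo "preflight OK: now export your real values and run acme.sh --issue --dns dns_oci ..."
```

Source the script in the shell where the variables are exported and call oci_preflight before acme.sh --issue; a non-zero exit with the reasons on stderr is cheaper than a failed DNS challenge against the live API.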
Issuing a certificate
To issue a certificate, ensure either the OCI CLI is working correctly or all the mandatory environment variables have been configured, then run:
acme.sh --issue --dns dns_oci -d example.com -d www.example.com
To issue a wildcard certificate, use:
acme.sh --issue --dns dns_oci -d example.com -d *.example.com
Required IAM service policy
Permissions are required to find the zone and to add and remove TXT records in it. Ensure that a policy exists that grants the service user (through a group) permission to read zones and to create and delete TXT records in the target zone(s) in the tenancy.
Here is an example policy that grants all DNS operations on all zones in the tenancy to every member of a specific user group. It is the broadest possible grant, convenient for a first test but wider than a production setup needs:
Allow group <GroupName> to manage dns in tenancy
If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for DNS, see Details for the DNS Service.
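A narrower alternative, written for this page rather than taken from the acme.sh wiki: scope the grant to the compartment that holds the zones and split it into the two things the challenge needs, finding the zone and writing TXT records. <AcmeGroup> and <DnsCompartment> are placeholders, and the dns-zones/dns-records resource types and verbs should be checked against Details for the DNS Service before relying on them:

```text
Allow group <AcmeGroup> to read dns-zones in compartment <DnsCompartment>
Allow group <AcmeGroup> to manage dns-records in compartment <DnsCompartment>
```

If the service user's key is ever exposed, a policy like this limits the blast radius to record changes in one compartment instead of every DNS resource in the tenancy.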
Security recommendations
The Oracle Cloud Infrastructure Security Guide describes best practices for securing user authentication. Applied to acme.sh, they are:
- create a dedicated service user for acme.sh (or for the CI job, such as GitHub Actions, that runs it) instead of reusing a human administrator's identity;
- assign that service user a unique and complex password;
- rotate the API signing key pair every 90 days; upload the new public key and confirm a renewal works before removing the old one, so that rotation never breaks unattended renewals; and
- store the credentials in a secret store (for example GitHub encrypted secrets when acme.sh runs in GitHub Actions) rather than in scripts or shell history.
Two points specific to this plugin:
- the private signing key is equivalent to the service user's credentials. Keep the key file readable only by the account that runs acme.sh (mode 600) and prefer OCI_CLI_KEY_FILE over OCI_CLI_KEY, since environment variables are readable by every other process running as the same user and easily end up in logs and debug output;
- like other acme.sh DNS plugins, dns_oci saves the settings it used in acme.sh's account.conf so that renewals run without the variables being set again. Treat that file, and the whole ~/.acme.sh directory, as secret material.
Reporting an issue
Please use https://github.com/acmesh-official/acme.sh/issues/3540 to report any issues or bugs.
Buy me a beer, Donate to acme.sh if it saves your time. Your donation makes acme.sh better: https://donate.acme.sh/