Updated DNS alias mode (markdown)

2025-03-22 18:20:09 +08:00 · 2018-02-10 10:39:54 +08:00 · 2018-02-10 10:39:54 +08:00 · 1cadca6abc
commit 1cadca6abc
parent 19d55d9bd3
1 changed files with 99 additions and 4 deletions
--- a/DNS-alias-mode.md
+++ b/DNS-alias-mode.md
@ -1,11 +1,106 @@
-Set domain CNAME:
+If your dns provider doesn't support api access,  or if you mind the secure to give the dns api access of your main domain to a shell script.  You can use dns alias mode.
 For example,  your main domain is `importantDomain.com`,  which doesn't have api access, or you don't want to give the api access to acme.sh, since it's important.
 And you have another domain:  "aliasDomainForValidationOnly.com", which has a supported dns api.  This domain is less important, and maybe it's used for validation only.
 Ok, let's start.
 ### 1. First set domain CNAME:
 ```sh
-_acme-challenge.example.com  =>   _acme-challenge.exampleAlias.com
+_acme-challenge.importantDomain.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 ```
 ### 2. Issue a cert:
 ```sh
 acme.sh --issue  \
-  -d  example.com --challenge-alias exampleAlias.com --dns dns_cf
+  -d  importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
-```
+```
 The Letsencrypt CA server checks the txt record of original domain `_acme-challenge.importantDomain.com` to validate your domain,  but you have set the CNAME in step 1,  so it goes forward to the aliased domain `_acme-challenge.aliasDomainForValidationOnly.com` to check.
 And acme.sh knows that, so it just added the correct txt record to `_acme-challenge.aliasDomainForValidationOnly.com`.
 So, it's done.  you will get a cert for `importantDomain.com`, but you don't need to give the domain control out.
 ### 3. Share the same aliased domain:
 If you have multiple (sub)domains, you need add CNAME for each (sub)domain,  but they can share the same aliased domain.
 For example, you can add the CNAME like:
 ```sh
 _acme-challenge.importantDomain.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 _acme-challenge.www.importantDomain.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 _acme-challenge.sub.importantDomain.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 _acme-challenge.importantDomain2.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 _acme-challenge.importantDomain3.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 ```
 And then issue cert like bellow:
 ```sh
 acme.sh --issue  \
  -d  importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
  -d  www.importantDomain.com \
  -d  sub.importantDomain.com \
  -d  importantDomain2.com \
  -d  importantDomain3.com
 ```
 Even with ACME v2 wildcard cert:
 ```sh
 acme.sh --issue  \
  -d  importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
  -d  www.importantDomain.com \
  -d  sub.importantDomain.com \
  -d  importantDomain2.com \
  -d  importantDomain3.com \
  -d  *.importantDomain.com \
  -d  *.importantDomain2.com \
  -d  *.importantDomain3.com
 ```
 ### 4. Specify different aliased domains for each domain.
 Yes, you know, acme.sh support to set alias domain for each domain. Even with different dns provider:
 You can set CNAME like:
 ```sh
 _acme-challenge.importantDomain.com  =>   _acme-challenge.aliasDomainForValidationOnly.com
 _acme-challenge.importantDomain3.com  =>   _acme-challenge.aliasDomainForValidationOnly2.com
 ```
 Then issue cert:
 ```sh
 acme.sh --issue  \
  -d  importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
  -d  importantDomain2.com --challenge-alias aliasDomainForValidationOnly2.com
 ```
 Even with different dns provider:
 ```sh
 acme.sh --issue  \
  -d  importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
  -d  importantDomain2.com --challenge-alias aliasDomainForValidationOnly2.com  --dns dns_gd
 ```
 Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at cloudflare, and the second is hosted at godaddy.