github-repos/acme.sh
1
0
Fork 0
mirror of https://github.com/acmesh-official/acme.sh.git synced 2025-03-13 16:00:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

RFC 2606: importantDomain.com → example.com, importantDomain2.com → example.net, importantDomain3.com → example.org

Alexey Vazhnov 2020-04-11 20:10:11 +03:00
parent 0bba3f0cb0
commit 6915d1293f
1 changed files with 40 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
DNS-alias-mode.md

@ -1,6 +1,6 @@
If your dns provider doesn't support api access, or if you're concerned about security problems from giving the dns api access to your main domain, then you can use DNS alias mode.
For example, your main domain is `importantDomain.com`, which doesn't have api access, or you don't want to give the api access to acme.sh, since it's important.
For example, your main domain is `example.com`, which doesn't have api access, or you don't want to give the api access to acme.sh, since it's important.
And you have another domain: "aliasDomainForValidationOnly.com", which has a supported dns api. This domain is less important, and maybe it's used for validation only.
@ -9,7 +9,7 @@ Ok, let's start.
### 1. First set domain CNAME:
```sh
_acme-challenge.importantDomain.com
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
```
@ -18,14 +18,14 @@ _acme-challenge.importantDomain.com
```sh
acme.sh --issue \
-d importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf
```
The Letsencrypt CA server checks the txt record of original domain `_acme-challenge.importantDomain.com` to validate your domain, but you have set the CNAME in step 1, so it goes forward to the aliased domain `_acme-challenge.aliasDomainForValidationOnly.com` to check.
The Letsencrypt CA server checks the txt record of original domain `_acme-challenge.example.com` to validate your domain, but you have set the CNAME in step 1, so it goes forward to the aliased domain `_acme-challenge.aliasDomainForValidationOnly.com` to check.
And acme.sh knows that, so it just added the correct txt record to `_acme-challenge.aliasDomainForValidationOnly.com`.
So, it's done. you will get a cert for `importantDomain.com`, but you don't need to give the domain control out.
So, it's done. you will get a cert for `example.com`, but you don't need to give the domain control out.
@ -35,19 +35,19 @@ If you have multiple (sub)domains, you need add CNAME for each (sub)domain, but
For example, you can add the CNAME like:
```sh
_acme-challenge.importantDomain.com
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.www.importantDomain.com
_acme-challenge.www.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.sub.importantDomain.com
_acme-challenge.sub.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.importantDomain2.com
_acme-challenge.example.net
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.importantDomain3.com
_acme-challenge.example.org
=> _acme-challenge.aliasDomainForValidationOnly.com
```
@ -56,11 +56,11 @@ And then issue cert like bellow:
```sh
acme.sh --issue \
-d importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d www.importantDomain.com \
-d sub.importantDomain.com \
-d importantDomain2.com \
-d importantDomain3.com
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d www.example.com \
-d sub.example.com \
-d example.net \
-d example.org
```
Even with ACME v2 wildcard cert:
@ -68,14 +68,14 @@ Even with ACME v2 wildcard cert:
```sh
acme.sh --issue \
-d importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d www.importantDomain.com \
-d sub.importantDomain.com \
-d importantDomain2.com \
-d importantDomain3.com \
-d *.importantDomain.com \
-d *.importantDomain2.com \
-d *.importantDomain3.com
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d www.example.com \
-d sub.example.com \
-d example.net \
-d example.org \
-d *.example.com \
-d *.example.net \
-d *.example.org
```
### 4. Specify different aliased domains for each domain.
@ -85,10 +85,10 @@ Yes, you know, acme.sh support to set alias domain for each domain. Even with di
You can set CNAME like:
```sh
_acme-challenge.importantDomain.com
_acme-challenge.example.com
=> _acme-challenge.aliasDomainForValidationOnly.com
_acme-challenge.importantDomain2.com
_acme-challenge.example.net
=> _acme-challenge.aliasDomainForValidationOnly2.com
```
@ -97,16 +97,16 @@ Then issue cert:
```sh
acme.sh --issue \
-d importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d importantDomain2.com --challenge-alias aliasDomainForValidationOnly2.com
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d example.net --challenge-alias aliasDomainForValidationOnly2.com
```
Even with different dns provider:
```sh
acme.sh --issue \
-d importantDomain.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d importantDomain2.com --challenge-alias aliasDomainForValidationOnly2.com --dns dns_gd
-d example.com --challenge-alias aliasDomainForValidationOnly.com --dns dns_cf \
-d example.net --challenge-alias aliasDomainForValidationOnly2.com --dns dns_gd
```
Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at cloudflare, and the second is hosted at godaddy.
@ -114,7 +114,7 @@ Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at cl
### 5. Last
Do not remove the CNAME like : `_acme-challenge.importantDomain.com` after you issue the cert. It will be reused when acme.sh tries to renew the cert. The left cname record `_acme-challenge.importantDomain.com` doesn't harm your domain at all. Just keep it there.
Do not remove the CNAME like : `_acme-challenge.example.com` after you issue the cert. It will be reused when acme.sh tries to renew the cert. The left cname record `_acme-challenge.example.com` doesn't harm your domain at all. Just keep it there.
### 6. challenge-alias or domain-alias
@ -127,7 +127,7 @@ For example, if you use `--challenge-alias`, you must set CNAME like bellow:
```sh
CNAME:
_acme-challenge.A.com
_acme-challenge.A.com
=> _acme-challenge.B.com
```
Then issue cert like:
@ -140,7 +140,7 @@ If you use `--domain-alias`, the CNAME should be like:
```sh
CNAME:
_acme-challenge.A.com
_acme-challenge.A.com
=> myalias.B.com
```
@ -152,18 +152,18 @@ acme.sh --issue -d a.com --domain-alias myalias.B.com --dns dns_cf
```
**Note:** Don't use the domain name only for --domain-alias.
**Note:** Don't use the domain name only for --domain-alias.
```sh
acme.sh --issue -d a.com --domain-alias B.com --dns dns_cf
acme.sh --issue -d a.com --domain-alias B.com --dns dns_cf
```
This would require that a TXT record is created at the domain apex i.e. @ TXT "myvalidationcode". Since adding a value at the apex of a domain requires a different syntax for adding the DNS records it cannot be used in this form.
This would require that a TXT record is created at the domain apex i.e. @ TXT "myvalidationcode". Since adding a value at the apex of a domain requires a different syntax for adding the DNS records it cannot be used in this form.
If you really want to create the validation records at the domain apex then depending on the implementation of the dns api you have to use
If you really want to create the validation records at the domain apex then depending on the implementation of the dns api you have to use
```sh
acme.sh --issue -d a.com --domain-alias @.B.com --dns dns_cf
acme.sh --issue -d a.com --domain-alias @.B.com --dns dns_cf
```
or
or
```sh
acme.sh --issue -d a.com --domain-alias .B.com --dns dns_cf
```
acme.sh --issue -d a.com --domain-alias .B.com --dns dns_cf
```