add section Mix dns alias and default dns auth

2025-03-13 16:00:14 +08:00 · 2022-04-21 10:07:06 +02:00 · 2022-04-21 10:07:06 +02:00 · 95d12a1db4
commit 95d12a1db4
parent 2f79045846
1 changed files with 23 additions and 2 deletions
--- a/DNS-alias-mode.md
+++ b/DNS-alias-mode.md
@ -118,13 +118,34 @@ acme.sh --issue  \

 Let's assume the first domain `aliasDomainForValidationOnly.com` is hosted at cloudflare, and the second is hosted at godaddy.

+### 5. Mix dns alias and default dns auth

-### 5. Last
+You can get a certificate with domains where you can authenticate with dns and want to mix it with domains where you need to use dns alias mode. Use `--challenge-alias no` to mark the domain that doesn't use a dns alias.
+
+If we have direct acccess to set a txt record for *.example.com. The domain example.net must use dns alias. For extern1.example.net set a CNAME
+
+```txt
+_acme-challenge.extern1.example.net
+  =>   _acme-challenge.aliasDomainForValidationOnly.com
+```
+
+Then issue cert:
+
+```sh
+
+./acme.sh/acme.sh --issue \
+   -d host1.example.com   --challenge-alias no \
+   -d host2.example.com   --challenge-alias no \
+   -d extern1.example.net --challenge-alias aliasDomainForValidationOnly.com \
+   --dns dns_infoblox
+```
+
+### 6. Last

 Do not remove the CNAME like : `_acme-challenge.example.com` after you issue the cert. It will be reused when acme.sh tries to renew the cert. The left cname record `_acme-challenge.example.com` doesn't harm your domain at all. Just keep it there.


-### 6. challenge-alias or domain-alias
+### 7. challenge-alias or domain-alias

 We have another parameter: `--domain-alias`, it has the same meaning with `--challenge-alias`.