Certbot is one of the most popular tools for issuing TLS/SSL certificates; it began life as the official Let's Encrypt client and is maintained by the Electronic Frontier Foundation. It ships with a variety of DNS plugins that automate the certificate renewal process. Behind the scenes, these plugins provision the DNS-01 challenge records (TXT records at `_acme-challenge.<name>`) and remove them afterward, so that domain validation on the ACME server passes without any manual work. However, there is no official Certbot plugin for Alibaba Cloud DNS. Running the renewal command by hand and adding or deleting DNS records manually is both tedious and error-prone, and a forgotten renewal means an expired certificate. Why not have a dedicated plugin handle the entire process automatically? I spent a few days building such a plugin, and I hope it helps you as well, ideally saving you from ever forgetting to renew a certificate again.

In this blog post, I will walk you through issuing a certificate with it. The web server is nginx running on Ubuntu, and the DNS zone is hosted on Alibaba Cloud DNS.

Install Certbot
---------------

Feel free to check out the official Certbot website. It provides an interactive guide that walks you through the installation step by step. Below are the commands I copied from its instructions for a pip-based install on Ubuntu:

```
$ sudo apt update
$ sudo apt install python3 python3-dev python3-venv libaugeas-dev gcc
$ sudo python3 -m venv /opt/certbot/
$ sudo /opt/certbot/bin/pip install --upgrade pip
$ sudo /opt/certbot/bin/pip install certbot
$ sudo ln -s /opt/certbot/bin/certbot /usr/local/bin/certbot
$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
```

At this point, Python is installed, a virtual environment has been created for Certbot, Certbot itself is installed, and the renewal cron job is in place. The job runs twice a day as root, sleeps for a random interval of up to an hour to spread load on the ACME server, and then runs `certbot renew -q`, which only renews certificates that are close to expiry. (The `sudo` in the cron line is redundant because the `/etc/crontab` entry already runs as root, but it is harmless.)

Prepare an AccessKey pair
-------------------------

Before we move on, let's create an AccessKey pair in Alibaba Cloud and grant it only the permissions the plugin needs.
0) Head to the RAM console

RAM stands for Resource Access Management. Alibaba Cloud provides both an international console and a mainland China console:

- https://ram.console.alibabacloud.com
- https://ram.console.aliyun.com

1) Create a dedicated user for Certbot

You can find the user creation page under Identities -> Users in the left sidebar. Fill out the form with something similar to the following:

- Login name: certbot
- Access Configuration: Permanent AccessKey

After the user is created, Alibaba Cloud shows you the AccessKey ID and AccessKey secret. Save them securely: the secret is displayed only once, and anyone who holds the pair can perform every operation granted to this user. A dedicated user exists precisely so that the key living on the web server carries nothing beyond what certificate issuance needs.

2) Create a policy for the `certbot` user

The user does not have any permissions yet, so we need to create a policy and attach it. Navigate to Permissions -> Policies in the left sidebar and create a policy with the following JSON document:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "alidns:DescribeDomains",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "alidns:AddDomainRecord",
        "alidns:DeleteDomainRecord",
        "alidns:DescribeDomainRecords"
      ],
      "Resource": "acs:alidns:*:*:domain/YOUR-DOMAIN-NAME.COM"
    }
  ]
}
```

Do not forget to replace the domain name in the JSON document with your own.

When issuing a certificate, the plugin first needs to locate the managed domain (the DNS zone) in Alibaba Cloud DNS. For example, if the requested certificate domain is `sub.example.com`, the managed domain in your account could be either `sub.example.com` or `example.com`, so the plugin has to list the account's domains and pick the one that owns the name. That is why the `DescribeDomains` permission is required, and why it is granted on `*`. The record operations, by contrast, are scoped to the specific domain name you put in the resource ARN. The plugin uses the `DescribeDomainRecords` API to find the challenge records it previously created so that they can be deleted after validation.

According to the authorization documentation, Alibaba Cloud DNS does not support conditions on these resources. This means we cannot restrict the record operations to records beginning with `_acme-challenge.`: a leaked key can add or delete any record in that zone, including its A/AAAA and MX records, so treat the AccessKey secret as a zone-takeover credential and keep it off every host that does not need it.
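To make the permission reasoning concrete, here is an added, self-contained example (not the plugin's own code) that models the four API actions the policy allows with an in-memory stand-in for Alibaba Cloud DNS, then walks through the zone lookup, challenge-record creation and cleanup. The class and method names (`FakeAliDNS`, `describe_domains`, and so on) are assumptions for illustration that mirror the action names, not the real SDK's interface, and the zones and tokens are constructed. The suffix search in `split_validation_name` is the same approach Certbot's own `base_domain_name_guesses` helper takes: try the most specific candidate zone first.

```python
"""Worked example of the DNS-01 challenge flow the policy above authorizes.
Added for this post, not the plugin's code. FakeAliDNS is an in-memory
stand-in for Alibaba Cloud DNS; its four methods mirror the four alidns
actions in the RAM policy (assumed names, not the real SDK)."""
from dataclasses import dataclass
import itertools


@dataclass
class Record:
    record_id: str
    rr: str           # host part relative to the managed domain, e.g. "_acme-challenge.sub"
    record_type: str  # "TXT", "A", ...
    value: str


class FakeAliDNS:
    """Stand-in for the alidns API; constructed zones, no network."""

    def __init__(self, managed_domains):
        self.zones = {d: [] for d in managed_domains}
        self._ids = itertools.count(1)

    def describe_domains(self):                      # alidns:DescribeDomains, Resource "*"
        return list(self.zones)

    def add_domain_record(self, domain, rr, record_type, value):   # alidns:AddDomainRecord
        rec = Record(str(next(self._ids)), rr, record_type, value)
        self.zones[domain].append(rec)
        return rec.record_id

    def describe_domain_records(self, domain, rr=None, record_type=None):  # alidns:DescribeDomainRecords
        return [r for r in self.zones[domain]
                if (rr is None or r.rr == rr)
                and (record_type is None or r.record_type == record_type)]

    def delete_domain_record(self, domain, record_id):            # alidns:DeleteDomainRecord
        self.zones[domain] = [r for r in self.zones[domain] if r.record_id != record_id]


def split_validation_name(validation_name, managed_domains):
    """Return (rr, managed_domain) for a name like _acme-challenge.sub.example.com.

    Candidate zones are tried from the most specific suffix down, so when both
    sub.example.com and example.com are managed, the more specific zone wins.
    """
    labels = validation_name.rstrip(".").split(".")
    managed = set(managed_domains)
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in managed:
            return ".".join(labels[:i]), zone
    raise ValueError(f"no managed domain in this account owns {validation_name}")


def perform(client, validation_name, validation):
    """Create the TXT record the ACME server will look up; returns the record id."""
    rr, zone = split_validation_name(validation_name, client.describe_domains())
    return client.add_domain_record(zone, rr, "TXT", validation)


def cleanup(client, validation_name, validation):
    """Delete only the TXT record(s) carrying this validation token; returns how many."""
    rr, zone = split_validation_name(validation_name, client.describe_domains())
    removed = 0
    for rec in client.describe_domain_records(zone, rr=rr, record_type="TXT"):
        if rec.value == validation:   # never touch records we did not create
            client.delete_domain_record(zone, rec.record_id)
            removed += 1
    return removed


def demo():
    """Constructed scenario: an unrelated A record must survive the challenge round trip."""
    client = FakeAliDNS(["example.com", "example.org"])
    client.add_domain_record("example.com", "www", "A", "203.0.113.10")
    name = "_acme-challenge.sub.example.com"
    perform(client, name, "token-abc")
    removed = cleanup(client, name, "token-abc")
    return removed, [(r.rr, r.record_type) for r in client.zones["example.com"]]


if __name__ == "__main__":
    print(demo())  # (1, [('www', 'A')])
```

Note what the fake client cannot express: there is no way to tell `add_domain_record` "only under `_acme-challenge`", which is exactly the gap the missing condition support leaves in the RAM policy. The cleanup therefore filters by host name, type and token value before deleting anything, so a stray record with the same name but a different value is left alone.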
Within those constraints, the policy is as close to least privilege as the service allows: one read-only action across all domains, and record operations on a single zone. I named the policy `certbot-policy`, which is straightforward enough. You will probably appreciate the naming three months later.

3) Grant permissions to the user

At this point, we have created both the user and the policy. Now we need to associate them. Open the `certbot` user's details page, locate the Permissions section, and grant the `certbot-policy` policy to the user.

4) Create the credentials file

Using the AccessKey pair we generated earlier, let's create a restrictive credentials file so Certbot can talk to Alibaba Cloud on our behalf. You can store the file wherever you like, but remember that it contains sensitive credentials: you must prevent other users or programs from reading it, because anyone with access to the AccessKey pair can perform any operation granted to that user. Note also that the renewal cron job runs as root, so the file must be readable by root at the path you pass to Certbot.

I am going to store the file at `~/.secrets/certbot/alibabacloud.ini` and edit it with Neovim; feel free to adjust the path to your own preference:

```
mkdir -p ~/.secrets/certbot
umask 077
nvim ~/.secrets/certbot/alibabacloud.ini
```

The `umask 077` ensures the new file is created with owner-only permissions. Certbot's DNS plugins check the mode of the credentials file and warn if it is readable by group or others, so if you created the file before tightening the umask, fix its mode to owner read/write only.

Here is an example credentials file:

```
# Alibaba Cloud API credentials used by Certbot
dns_alibabacloud_access_key_id = LTAI5txxxxxxxxxxxxxxxxxx
dns_alibabacloud_access_key_secret = yyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
```

Install the plugin
------------------

Didn't I mention that we still haven't installed the plugin yet? Here is the package that handles all the Alibaba Cloud DNS integration magic. It must be installed into the same virtual environment as Certbot, otherwise Certbot will not find the plugin:

```
$ sudo /opt/certbot/bin/pip install certbot-dns-alibabacloud
```

Issue a certificate
-------------------

We finally made it here. Everything is now set up: Certbot, the plugin, and the credentials. It's time to obtain the certificate. I am using the example domain `example.com` here.
Replace it with your own domain name and run the command as root (or with `sudo`), since Certbot writes to `/etc/letsencrypt` and the deploy hook reloads nginx:

```
certbot certonly \
  --authenticator dns-alibabacloud \
  --dns-alibabacloud-credentials ~/.secrets/certbot/alibabacloud.ini \
  --deploy-hook 'nginx -s reload' \
  -d example.com
```

Certbot supports deploy hooks that run after a certificate is successfully issued or renewed. We use one here to reload nginx so that the new certificate takes effect immediately. Certbot also remembers the parameters used to obtain the certificate (the authenticator, the credentials path and the deploy hook) in the renewal configuration under `/etc/letsencrypt/renewal/`, and reuses them automatically on every future `certbot renew`. The credentials path is stored as your shell expanded it, so keep the file where it is, or re-run the command if you move it. You can rehearse the whole renewal without touching your real certificate with `certbot renew --dry-run`.

Once the command succeeds, the certificate chain and private key live under `/etc/letsencrypt/live/example.com/` (`fullchain.pem` and `privkey.pem`), and you can point the `ssl_certificate` and `ssl_certificate_key` directives in your nginx configuration at them. You can also use Mozilla's SSL Configuration Generator to tune your TLS settings:

* https://ssl-config.mozilla.org/
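Before the first run, it is worth verifying the credentials file from step 4 the way Certbot will see it. The following is an added helper written for this post (not part of Certbot or the plugin): it writes the `.ini` with owner-only permissions regardless of the current umask, then re-checks both the file mode and the presence of the two keys Certbot will look for. The key names are the ones from the example file above; the function names, the temporary-directory demo and the placeholder AccessKey values are assumptions for illustration.

```python
"""Added helper for the Certbot credentials file (step 4); not part of Certbot or
the plugin. Creates the .ini with mode 0600 and re-checks mode and required keys,
so a misconfigured file is caught before the first certbot run."""
import os
import stat
import tempfile

# Key names Certbot's plugin options expect in the credentials file (from the post).
REQUIRED_KEYS = (
    "dns_alibabacloud_access_key_id",
    "dns_alibabacloud_access_key_secret",
)


def write_credentials(path, access_key_id, access_key_secret):
    """Create (or overwrite) the .ini so that only the owner can read it."""
    os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
    # O_CREAT with 0o600 means the file is never world-readable, even for an instant.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("# Alibaba Cloud API credentials used by Certbot\n")
        fh.write(f"dns_alibabacloud_access_key_id = {access_key_id}\n")
        fh.write(f"dns_alibabacloud_access_key_secret = {access_key_secret}\n")
    os.chmod(path, 0o600)  # the O_CREAT mode only applies to new files; fix a pre-existing one too


def parse_credentials(path):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                creds[key.strip()] = value.strip()
    return creds


def check_credentials_file(path):
    """Return a list of problems; an empty list means the file is safe to hand to Certbot."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path} is accessible to group/others (mode {mode:o}); expected 600")
    creds = parse_credentials(path)
    for key in REQUIRED_KEYS:
        if not creds.get(key):
            problems.append(f"{key} is missing or empty")
    return problems


def demo():
    """Constructed scenario in a temporary directory: a correct file, then the
    'forgot umask 077' mistake, then a file with the secret line missing."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "alibabacloud.ini")
    write_credentials(path, "LTAI5tEXAMPLEID", "EXAMPLEsecret")  # placeholder values
    good = check_credentials_file(path)
    os.chmod(path, 0o644)            # simulate a file created with a default umask
    loose = check_credentials_file(path)
    with open(path, "w") as fh:      # now only one of the two keys present
        fh.write("dns_alibabacloud_access_key_id = LTAI5tEXAMPLEID\n")
    os.chmod(path, 0o600)
    incomplete = check_credentials_file(path)
    return good, loose, incomplete


if __name__ == "__main__":
    for label, result in zip(("good", "loose", "incomplete"), demo()):
        print(label, result)
```

The mode check mirrors the warning Certbot's DNS plugins emit for a credentials file that group or others can read; running it yourself before the first issuance, and again after any move of the file, avoids discovering the problem from a failed renewal in the cron log.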