Conversation

ldez (Member) commented Nov 5, 2025

  • add a description to your PR
  • have a homogeneous design with the other providers
  • add tests (units)
  • add tests ("live")
  • add a provider descriptor
  • generate CLI help, documentation, and readme.
  • be able to do the following (and put the output of this command in a comment):
    make build
    rm -rf .lego
    
    ALIESA_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
    ALIESA_SECRET_KEY=your-secret-key \
    ALIESA_SECURITY_TOKEN=your-sts-token \
    ./dist/lego --email [email protected] --dns aliesa -d '*.example.com' -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
    Note that the wildcard domain is important.
  • pass the linter
  • run go mod tidy

Closes #2702

Ping @AirboZH, can you run the command (with your domain, email, credentials, etc.)?

How to test this PR?
  1. You need Go
  2. Check out the PR:
    git clone https://github.com/ldez/lego.git
    cd lego
    git checkout feat/dns/aliesa
  3. Compile lego:
    • if you have make: make build
    • if you don't have make: go build -o dist/lego ./cmd/lego
  4. Run the following command with your information (email, domain, credentials):
    ALIESA_ACCESS_KEY=abcdefghijklmnopqrstuvwx \
    ALIESA_SECRET_KEY=your-secret-key \
    ALIESA_SECURITY_TOKEN=your-sts-token \
    ./dist/lego --email [email protected] --dns aliesa -d '*.example.com' -d example.com -s https://acme-staging-v02.api.letsencrypt.org/directory run
    The wildcard domain is important.
  5. Before each run of the command, you should clean your local environment:
    rm -rf .lego

@ldez ldez added enhancement area/dnsprovider waiting-for/user-tests Need users to test functionality waiting-for/contrib-feedback Awaiting feedback from the contributor. labels Nov 5, 2025
AirboZH commented Nov 6, 2025

Thanks for adding support for this so quickly! I’ve tested the branch and found a couple of issues:

1. Wrong DNS API host
The API endpoint should be esa.cn-hangzhou.aliyuncs.com according to the AlibabaCloud ESA documentation.
It looks like the SDK is still using esa.aliyuncs.com, which results in this error:

Could not obtain certificates:
  error: one or more domains had a problem:
[*.airbozh.cn] acme: error presenting token: aliesa: list sites: Get "https://esa.aliyuncs.com/?SiteName=airbozh.cn&SiteSearchType=suffix": dial tcp: lookup esa.aliyuncs.com: no such host
[airbozh.cn] acme: error presenting token: aliesa: list sites: Get "https://esa.aliyuncs.com/?SiteName=airbozh.cn&SiteSearchType=suffix": dial tcp: lookup esa.aliyuncs.com: no such host

2. recordIDs field not initialized
In the DNSProvider constructor, recordIDs should be initialized to avoid nil map errors:

return &DNSProvider{
    config:    config,
    client:    client,
    recordIDs: map[string]int64{},
}, nil

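The nil-map point above is worth seeing in isolation: in Go, reading from a nil map is safe, but the first write panics, so a provider whose constructor leaves recordIDs unset would crash at the first Present call and never reach CleanUp. The following is an added, self-contained Go example (not code from lego or from the PR branch) that uses a reduced stand-in DNSProvider type with hypothetical Present and CleanUp methods to contrast the uninitialised constructor with the fixed one:

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// DNSProvider is a reduced stand-in for the provider discussed in the PR
// (constructed for this example; it is not the project's type).
type DNSProvider struct {
	recordIDs   map[string]int64 // token -> record ID, needed later by CleanUp
	recordIDsMu sync.Mutex
}

// NewDNSProviderUnfixed reproduces the reported defect: recordIDs stays nil.
func NewDNSProviderUnfixed() *DNSProvider {
	return &DNSProvider{}
}

// NewDNSProvider initialises the map, as the fix in the comment suggests.
func NewDNSProvider() *DNSProvider {
	return &DNSProvider{recordIDs: map[string]int64{}}
}

// Present stores the ID of the TXT record created for a challenge token.
// The recover is only here so the nil-map panic becomes an observable error
// for the demonstration; a real provider should never rely on it.
func (d *DNSProvider) Present(token string, recordID int64) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("aliesa: present: %v", r)
		}
	}()
	d.recordIDsMu.Lock()
	defer d.recordIDsMu.Unlock()
	d.recordIDs[token] = recordID // panics with "assignment to entry in nil map" if unset
	return nil
}

// CleanUp looks up and forgets the record ID for a token. Reads from a nil
// map do not panic, which is why the bug only surfaces on the write path.
func (d *DNSProvider) CleanUp(token string) (int64, error) {
	d.recordIDsMu.Lock()
	defer d.recordIDsMu.Unlock()
	id, ok := d.recordIDs[token]
	if !ok {
		return 0, errors.New("aliesa: unknown record ID for token")
	}
	delete(d.recordIDs, token)
	return id, nil
}

func main() {
	unfixed := NewDNSProviderUnfixed()
	fmt.Println("unfixed:", unfixed.Present("token-1", 1))

	fixed := NewDNSProvider()
	fmt.Println("fixed:", fixed.Present("token-1", 42))
	id, err := fixed.CleanUp("token-1")
	fmt.Println("cleanup:", id, err)
}
```

The mutex is included because lego can solve several domains concurrently and the map is shared across Present and CleanUp calls; initialising the map in the constructor removes the panic, and the lock keeps the map safe under concurrent writes.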
AirboZH commented Nov 6, 2025

I’ve gone ahead and fixed these issues locally and opened a PR — hope it helps! ldez#3

❯ ALIESA_ACCESS_KEY=my-access-key \
ALIESA_SECRET_KEY=my-access-secret \
./dist/lego --email [email protected] --dns aliesa -d '*.airbozh.cn' -d airbozh.cn -s https://acme-staging-v02.api.letsencrypt.org/directory run

2025/11/06 14:46:28 [INFO] [*.airbozh.cn, airbozh.cn] acme: Obtaining bundled SAN certificate
2025/11/06 14:46:32 [INFO] [*.airbozh.cn] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/240827353/20085170543
2025/11/06 14:46:32 [INFO] [airbozh.cn] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz/240827353/20085450463
2025/11/06 14:46:32 [INFO] [airbozh.cn] acme: authorization already valid; skipping challenge
2025/11/06 14:46:32 [INFO] [*.airbozh.cn] acme: use dns-01 solver
2025/11/06 14:46:32 [INFO] [*.airbozh.cn] acme: Preparing to solve DNS-01
2025/11/06 14:46:32 [INFO] [*.airbozh.cn] acme: Trying to solve DNS-01
2025/11/06 14:46:33 [INFO] [*.airbozh.cn] acme: Checking DNS record propagation. [nameservers=192.168.70.1:53,114.114.114.114:53]
2025/11/06 14:46:35 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2025/11/06 14:46:35 [INFO] [*.airbozh.cn] acme: Waiting for DNS record propagation.
2025/11/06 14:46:37 [INFO] [*.airbozh.cn] acme: Waiting for DNS record propagation.
2025/11/06 14:46:47 [INFO] [*.airbozh.cn] The server validated our request
2025/11/06 14:46:47 [INFO] [*.airbozh.cn] acme: Cleaning DNS-01 challenge
2025/11/06 14:46:48 [INFO] [*.airbozh.cn, airbozh.cn] acme: Validations succeeded; requesting certificates
2025/11/06 14:46:48 [INFO] Wait for certificate [timeout: 30s, interval: 500ms]
2025/11/06 14:46:49 [INFO] [*.airbozh.cn] Server responded with a certificate.

ldez (Member, Author) commented Nov 6, 2025

The problem with the region is related to https://github.com/alibabacloud-go/esa-20240910/blob/7660e3aab2045d4820e4b83427a154efe0c79319/client/client.go#L27

The EndpointRule is hardcoded with an empty string, so the region is ignored.

@ldez ldez removed waiting-for/user-tests Need users to test functionality waiting-for/contrib-feedback Awaiting feedback from the contributor. labels Nov 6, 2025
@ldez ldez marked this pull request as ready for review November 6, 2025 13:06
AirboZH commented Nov 6, 2025

    The problem with the region is related to https://github.com/alibabacloud-go/esa-20240910/blame/7660e3aab2045d4820e4b83427a154efe0c79319/client/client.go#L27

    The EndpointRule is hardcoded with an empty string, so the region is ignored.

Thanks for the guidance, I ran it again, it worked perfectly.

@ldez ldez requested a review from dmke November 6, 2025 15:50
Development

Successfully merging this pull request may close these issues.

Support for provider: AlibabaCloud ESA DNS