Background
A wildcard SSL certificate for *.feibisi.net is required to support GitHub Pages-style static site hosting (each subdomain corresponds to a separate site). The existing certificate only covers feibisi.net and www.feibisi.net, and does not support wildcards.
We chose the acme.sh + Alibaba Cloud DNS API (DNS-01 challenge) approach, as wildcard certificates can only be issued via DNS-01 challenges.
Environment
- Server: Ubuntu with Baota Panel (a web hosting control panel), nginx
- DNS Hosting: Alibaba Cloud
- Certificate Authority: Let’s Encrypt, ECC type
Installing acme.sh
Since servers in mainland China cannot reliably reach GitHub, we use the Gitee mirror for installation:
curl https://gitee.com/neilpang/acme.sh/raw/master/acme.sh | sh -s -- --install-online
After installation, acme.sh resides in the ~/.acme.sh/ directory.
Configuring Alibaba Cloud DNS API Credentials
export Ali_Key="Your AccessKey"
export Ali_Secret="Your AccessSecret"
acme.sh automatically saves these credentials to ~/.acme.sh/account.conf; they need not be reconfigured for future renewals.
Issuing the Certificate
~/.acme.sh/acme.sh --issue -d feibisi.net -d "*.feibisi.net" \
--dns dns_ali --keylength ec-256 --server letsencrypt --dnssleep 30
Key parameter explanations:
-d feibisi.net -d "*.feibisi.net": Covers both the bare domain and the wildcard.
--dns dns_ali: Uses the Alibaba Cloud DNS API to automatically add/remove the TXT records.
--keylength ec-256: Generates an ECC certificate, smaller and faster than RSA.
--dnssleep 30: Waits 30 seconds for DNS propagation and skips the public DNS validation check (public DNS check services may time out from within mainland China).
Installing the Certificate into nginx
~/.acme.sh/acme.sh --install-cert -d feibisi.net --ecc \
--fullchain-file /path/to/cert/fullchain.pem \
--key-file /path/to/cert/privkey.pem \
--reloadcmd "nginx -s reload"
acme.sh remembers the installation paths and reload command, and will automatically execute them during renewal.
Common Pitfalls Encountered
1. InvalidTimeStamp.Expired — System Clock Drift
Alibaba Cloud API strictly validates request timestamps (±15 minutes tolerance). An inaccurate system clock triggers:
Error InvalidTimeStamp.Expired: Specified time stamp or date value is expired
Diagnosis:
timedatectl
# Check whether “System clock synchronized” shows “yes”
date -u
# Compare against actual UTC time
Our server’s clock drifted by 8 hours because although NTP service was active (timedatectl status showed active), synchronization had silently failed (upstream NTP servers were unreachable).
Fix:
# Manually correct the time first (-u so the value is read as UTC, matching the
# "date -u" comparison above; without it the string is interpreted in the local zone)
sudo timedatectl set-ntp false
sudo date -u -s "YYYY-MM-DD HH:MM:SS"   # replace with the correct UTC time
# Switch to NTP servers reachable from mainland China
sudo mkdir -p /etc/systemd/timesyncd.conf.d
printf '[Time]\nNTP=ntp.aliyun.com ntp.tencent.com\nFallbackNTP=cn.pool.ntp.org\n' | \
sudo tee /etc/systemd/timesyncd.conf.d/china.conf
sudo timedatectl set-ntp true
2. Let’s Encrypt Rate Limiting
Five consecutive failures trigger a rate limit: no further attempts allowed for one hour.
Error creating new order :: too many failed authorizations recently
There is no workaround—only waiting. We strongly recommend using --staging for testing first, then switching to production mode after successful validation.
3. DNS Validation Timeout
By default, acme.sh uses public DNS resolvers to verify that the TXT record has propagated. Servers in mainland China may fail to reach those resolvers (e.g., curl error 28, timeout).
Solution: Use --dnssleep 30 to skip public DNS checks entirely and instead rely on a fixed wait period before proceeding with validation.
4. GitHub Downloads Blocked
acme.sh --install-online defaults to downloading from GitHub, which fails on servers in mainland China due to network restrictions. Use the Gitee mirror (as shown above) or download manually.
Automatic Renewal
During installation, acme.sh automatically adds a cron job (default: daily checks); it renews certificates automatically 30 days before expiry. Confirm with crontab -l.
Verification
echo | openssl s_client -servername test.feibisi.net -connect 127.0.0.1:443 2>/dev/null | \
openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
# Expected output: DNS:*.feibisi.net, DNS:feibisi.net
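The one-line check above only shows the SAN list; when every subdomain is a separate site, you also want to confirm that each hostname is actually covered, including the rule that a wildcard matches exactly one label (which is why the issue command lists both feibisi.net and *.feibisi.net). The script below is an added example, not part of the original post or of acme.sh; the site names and the 127.0.0.1:443 endpoint are assumptions.

```shell
#!/bin/sh
# Added example: check that the certificate nginx serves covers every site.
# Site names and the 127.0.0.1:443 endpoint are assumptions.

# Pull the Subject Alternative Name list from the certificate a server presents,
# e.g. "DNS:*.feibisi.net, DNS:feibisi.net" (needs openssl and a running server).
server_sans() {
    echo | openssl s_client -servername "$1" -connect "${2:-127.0.0.1:443}" 2>/dev/null |
        openssl x509 -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

# san_covers HOST SANS -> exit 0 if HOST is covered by the SAN list.
# Single-label wildcard rule (RFC 6125): "*.feibisi.net" matches "test.feibisi.net"
# but neither the apex "feibisi.net" nor the two-level "a.b.feibisi.net".
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # Lower-case, drop whitespace, then split the list on commas.
    list=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    old_ifs=$IFS; IFS=','; set -- $list; IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            dns:*) name=${entry#dns:} ;;
            *) continue ;;                  # ignore IP:, email:, ... entries
        esac
        [ "$name" = "$host" ] && return 0   # exact match
        case $name in
            '*.'*)
                suffix=${name#\*.}
                label=${host%%.*}           # leftmost label of the host
                rest=${host#*.}             # everything after that label
                if [ -n "$label" ] && [ "$label" != "$host" ] && [ "$rest" = "$suffix" ]; then
                    return 0                # exactly one label under the wildcard
                fi
                ;;
        esac
    done
    return 1
}

# check_sites SANS HOST... -> one line per host; non-zero if any host is uncovered.
check_sites() {
    sans=$1; shift
    rc=0
    for h in "$@"; do
        if san_covers "$h" "$sans"; then echo "ok       $h"
        else echo "MISSING  $h"; rc=1; fi
    done
    return $rc
}

# Usage against the live server (assumed site list):
# check_sites "$(server_sans test.feibisi.net)" feibisi.net www.feibisi.net blog.feibisi.net
```

Run it after each renewal as well: a certificate re-issued without the wildcard entry still passes the grep above but makes every subdomain site fail the check.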
Summary
The overall process is straightforward—but network constraints and system clock issues common in mainland China can cause frustrating delays at seemingly minor steps. Key takeaways:
- Always verify and synchronize system time using domestic NTP sources first.
- Use --dnssleep to bypass unreliable public DNS validation.
- Test thoroughly with --staging before issuing production certificates, to avoid hitting rate limits.
- Install acme.sh from Gitee, not GitHub, to avoid download failures.