← Back to Skills Marketplace
dogeow

ACME SSL automation for Alibaba Cloud ESA DNS

by dogeow · GitHub ↗ · v0.1.4 · MIT-0
linux ⚠ suspicious
370
Downloads
1
Stars
1
Active Installs
4
Versions
Install in OpenClaw
/install acme-ssl-automation-for-alibaba-cloud-esa-dns
Description
Automatically issue/renew HTTPS certificates using Alibaba Cloud ESA DNS + acme.sh (including wildcard *.example.com + example.com), with optional installati...
README (SKILL.md)

ESA DNS + ACME Certificate Automation

Design Decision (Important)

This skill combines acme.sh + ESA DNS into a single integrated flow, not split into two skills.

Reasons:

  1. The two steps are tightly coupled: ACME challenge tokens must be written to ESA DNS immediately.
  2. The most common user errors are "validation failed / record written to the wrong panel" — an integrated flow minimizes mistakes.
  3. Wildcard scenarios often produce multiple TXT values for the same FQDN; splitting would increase manual synchronization cost.

If there is significant demand for "DNS-only operations" in the future, a separate esa-dns-records helper skill can be extracted.

When to Trigger

Trigger when any of the following apply:

  • Domain NS records are on *.atrustdns.com (ESA-hosted DNS)
  • User says "issue certificate with acme.sh", "Let's Encrypt", "DNS-01"
  • Error: No TXT record found at _acme-challenge...
  • Need to issue example.com + *.example.com together
  • Need to auto-write ESA DNS records and install to Nginx

Supported Environment

  • Linux hosts (recommended: Ubuntu tested)
  • System-level Nginx (LNMP tested)
  • Docker/containerized environments are not supported
  • Not tested on Windows/macOS

Prerequisites

Install acme.sh from the official project before using this skill, and review the installation method you choose instead of piping remote scripts directly to a shell:

This skill expects acme.sh to be available on PATH. The script also falls back to ~/.acme.sh/acme.sh if present.

Requirements:

  • Credentials via ALIYUN_AK / ALIYUN_SK or ALIBABACLOUD_ACCESS_KEY_ID / ALIBABACLOUD_ACCESS_KEY_SECRET
  • Optional ESA region hint via ALIYUN_ESA_REGION / ALIBABACLOUD_ESA_REGION / ESA_REGION or --region
  • STS token is supported via ALIYUN_SECURITY_TOKEN, ALIBABACLOUD_SECURITY_TOKEN, or --sts-token
  • If the user provides credentials directly in OpenClaw chat/TUI as plain id / secret / token values without env names, treat them as generic Alibaba Cloud AccessKeyId / AccessKeySecret / SecurityToken and pass them to --ak / --sk / --sts-token. Do not block on whether the user said Aliyun or Alibaba Cloud; let the script auto-detect the ESA region/site.

Running the Script

Script path: scripts/esa_acme_issue.py

Default behavior (optimized):

  • Certificate installation to Nginx is disabled by default; opt in with --install-cert
  • --dns-timeout defaults to 600 seconds
  • Region auto-discovery is best-effort; if ESA does not expose DescribeRegions, pass --region to seed site discovery and the script will probe a fallback region list
  • Optional IPv4/IPv6 record management: --ensure-a-record host=ip (with authoritative NS propagation check)
  • Overwrite protection: existing A value is NOT overwritten unless --confirm-overwrite is passed
  • --lang selects output language (default: en; available languages auto-discovered from scripts/i18n/)
  • If --install-cert is used, run on a controlled Linux host with permission to write the target cert paths and reload Nginx

Installing automatic renewal cron

Use scripts/install_cron.sh when the user wants this workflow to keep renewing automatically on the host.

What it installs:

  • a root-owned env file containing AK/SK (and optional STS token / region hint)
  • a wrapper script under /usr/local/sbin/
  • a cron entry that runs the wrapper on the requested schedule and logs to /var/log/

Example:

sudo bash scripts/install_cron.sh \
  --wrapper-name dogeow \
  --domains "dogeow.com,*.dogeow.com" \
  --ak YOUR_AK \
  --sk YOUR_SK \
  --region cn-hangzhou \
  --with-nginx-reload

Important:

  • This is the recommended way to automate renewal for ESA zones, because default acme.sh --cron does not know how to create ESA DNS TXT records by itself.
  • If the user wants installed nginx cert paths, also pass --cert-path / --key-path and optionally --reload-cmd.

Single domain

export ALIYUN_AK='YOUR_AK'
export ALIYUN_SK='YOUR_SK'
export ALIYUN_SECURITY_TOKEN='YOUR_STS_TOKEN'   # optional but recommended
python3 scripts/esa_acme_issue.py \
  -d test.example.com

Equivalent Alibaba Cloud env names are also accepted:

export ALIBABACLOUD_ACCESS_KEY_ID='YOUR_AK'
export ALIBABACLOUD_ACCESS_KEY_SECRET='YOUR_SK'
export ALIBABACLOUD_SECURITY_TOKEN='YOUR_STS_TOKEN'   # optional

Apex + wildcard (recommended order)

export ALIYUN_AK='YOUR_AK'
export ALIYUN_SK='YOUR_SK'
python3 scripts/esa_acme_issue.py \
  -d example.com \
  -d '*.example.com'

Wildcard only

python3 scripts/esa_acme_issue.py \
  -d '*.example.com'

Correct Nginx Configuration

ssl_certificate     /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;

Completion Criteria (Anti False-Positive)

Before reporting "record created / DNS ready", both conditions must be met:

  1. ListRecords returns the target RecordName + Type + Value;
  2. Authoritative NS dig @ns TXT returns the expected token.

If only the CreateRecord API returned success (RequestId/RecordId only) without passing both checks above, report "request accepted", not "completed".

Troubleshooting Quick Reference

  1. InvalidRecordNameSuffix

    • Domain suffix does not belong to the current ESA site (common typo).

  2. No TXT record found at _acme-challenge...

    • TXT not yet propagated to all authoritative NS; increase --dns-timeout to 300–600.

  3. Permission / signature errors after setting AccessKey IP whitelist

    • Check current public egress IP: curl -s ifconfig.me
    • Whitelist the actual egress NAT IP (not LAN IP)
    • If behind proxy/gateway, whitelist the proxy egress IP
    • Wait briefly after whitelist update before retrying

Security Guidelines

Before each execution, remind the user:

  1. Use a RAM sub-account with minimal permissions. Do NOT use the primary account long-term AK.
  2. Prefer STS temporary credentials to reduce leak risk.
  3. Enable AccessKey IP whitelist, allowing only the actual egress NAT IP.
Usage Guidance
This skill is functionally coherent for automating ACME DNS-01 with Alibaba ESA, but take these precautions before installing: (1) Confirm the registry metadata vs. the code: you only need one pair of AK/SK environment vars (the code accepts either ALIYUN_* or ALIBABACLOUD_*), but the metadata lists both pairs—don't expose extra secrets unnecessarily. (2) Prefer giving the script a RAM sub-account with minimal permissions or short-lived STS credentials instead of primary long-lived AK/SK. (3) If you run scripts/install_cron.sh, be aware it will write credentials to a root-owned env file and create a cron job that uses them—rotate keys if they are exposed or use STS. (4) Inspect and test the included esa_acme_issue.py and install_cron.sh locally before running them as root; verify the path to acme.sh and limit PATH to trusted locations. (5) If you will pass credentials via a chat/TUI, avoid doing so in plaintext — prefer setting env vars on the host or using temporary STS tokens. If you want, provide the exact metadata 'required env' that your platform will supply and I can confirm the minimum envs the script actually needs.
Capability Analysis
Type: OpenClaw Skill Name: acme-ssl-automation-for-alibaba-cloud-esa-dns Version: 0.1.4 The skill bundle provides a legitimate utility for automating SSL certificate issuance and renewal using Alibaba Cloud ESA DNS and acme.sh. The Python script (esa_acme_issue.py) and shell script (install_cron.sh) implement the stated functionality using standard APIs and system commands, including security-conscious features like secret redaction in logs and restricted file permissions (600/700) for credential storage. No evidence of data exfiltration, unauthorized persistence, or malicious prompt injection was found; the instructions even include explicit security reminders for the user regarding least-privilege access.
Capability Assessment
Purpose & Capability
Name/description, required binaries (python3, dig, acme.sh), and code all align with 'issue/renew certificates against Alibaba Cloud ESA using acme.sh'. The scripts call ESA APIs, create DNS TXT records, run acme.sh, and optionally install into Nginx as described.
Instruction Scope
SKILL.md and the included scripts instruct the agent/user to run the provided Python script and an installer script that can create root-owned env files, a wrapper under /usr/local/sbin, and a cron job. The instructions explicitly allow the agent to accept credentials provided in chat/TUI and pass them to the script—this is coherent with the purpose but broad (it instructs the agent to capture and forward credentials supplied in conversation). All runtime actions (dig, acme.sh invocation, ESA API calls, writing env/wrapper files, reloading nginx) stay within the stated scope.
Install Mechanism
This is an instruction-only skill with no remote download install step. All code is included in the bundle; there is no URL-based installer or archive extraction. The highest-risk install action is the helper script (install_cron.sh) which, when run, writes files to /root/.config, /usr/local/sbin, and registers a cron job—expected for a renewal cron installer.
Credentials
The credentials requested are appropriate for ESA operations (AccessKeyId / AccessKeySecret and optional STS token). However, the registry metadata lists both ALIYUN_AK/ALIYUN_SK and ALIBABACLOUD_ACCESS_KEY_ID/ALIBABACLOUD_ACCESS_KEY_SECRET as required env vars, while the code accepts either alias — the metadata's 'required env vars' is therefore misleading (it suggests all four must be present). The install script stores long-lived AK/SK in a root-owned env file as the default automation method; this is functional but elevates risk if those keys are long-lived. The skill does provide and promote STS/least-privilege guidance, which mitigates but does not eliminate the proportionality concern.
Persistence & Privilege
The skill does not set always:true. The optional installer requires root and creates persistent artifacts (env file with credentials, wrapper script, cron job, log file). That persistence is expected for an automated renewal workflow but is privileged (root-owned scheduled task that runs with stored credentials). The skill does not appear to modify other skills or global agent configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install acme-ssl-automation-for-alibaba-cloud-esa-dns
  3. After installation, invoke the skill by name or use /acme-ssl-automation-for-alibaba-cloud-esa-dns
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.4
acme-ssl-automation-for-alibaba-cloud-esa-dns v0.1.4 - Added support for automatic installation of certificate renewal cron jobs via `install_cron.sh` script. - Introduced region hint options for ESA discovery (optional region parameter). - Added English and Chinese language support for script output. - Included detailed examples and recommendations for using the new cron installation workflow. - Provided wrapper/cron automation with safer credential storage and logging practices.
v0.1.2
- Added support for additional environment variable names (`ALIBABACLOUD_ACCESS_KEY_ID`, `ALIBABACLOUD_ACCESS_KEY_SECRET`, etc.) for credential input, in addition to existing Aliyun names. - Credentials entered directly as id/secret/token are now accepted as Alibaba Cloud AK/SK/token without requiring mention of platform brand, with automatic ESA region/site detection. - Updated dependencies: `acme.sh` must be available on `PATH`; falls back to user directory if present. - Metadata updated to reflect all accepted credential env vars and required binaries. - Added Python bytecode and test cache files to version control.
v0.1.1
Docs, CLI, and tests updated to make Nginx certificate installation opt-in and to require manual Python dependency installation. - README / README_zh: clarify acme.sh prerequisite, remove recommendation to pipe remote install scripts, state that certificate installation to Nginx is disabled by default and show explicit install examples; add warning about running --install-cert on a controlled Linux host. - SKILL.md: mirror doc changes, add homepage and metadata fields for OpenClaw, mark install-to-Nginx as opt-in and note permission requirements. - scripts/esa_acme_issue.py: - ensure_python_deps no longer attempts to auto-install; it now prints an error instructing manual pip install and exits. - removed auto-install-deps CLI flags and changed --install-cert default to False (opt-in). - updated main() to call ensure_python_deps() accordingly. - tests: add ArgParse tests asserting install_cert is False by default and true when --install-cert is provided; update flow test to include --install-cert where needed. These changes improve security and explicitness by avoiding implicit dependency installation and making certificate installation an explicit opt-in action.
v0.1.0
# ACME SSL automation for Alibaba Cloud ESA DNS ## Overview - A utility for automated HTTPS certificate issuance using acme.sh and Alibaba Cloud ESA DNS. - It supports ACME DNS-01 verification by dynamically creating TXT records through the ESA API, enabling fully automated SSL certificate issuance, deployment, and renewal for servers such as Nginx and Apache. ## Why This Project Exists - Many AI-generated scripts and online examples mistakenly use the traditional Alibaba Cloud DNS service when configuring ACME DNS validation. - However, Alibaba Cloud ESA uses a different DNS system, and using the wrong API often causes ACME validation failures. - This project ensures that SSL certificates are issued using the correct ESA DNS workflow, preventing common automation errors.
Metadata
Slug acme-ssl-automation-for-alibaba-cloud-esa-dns
Version 0.1.4
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 4
Frequently Asked Questions

What is ACME SSL automation for Alibaba Cloud ESA DNS?

Automatically issue/renew HTTPS certificates using Alibaba Cloud ESA DNS + acme.sh (including wildcard *.example.com + example.com), with optional installati... It is an AI Agent Skill for Claude Code / OpenClaw, with 370 downloads so far.

How do I install ACME SSL automation for Alibaba Cloud ESA DNS?

Run "/install acme-ssl-automation-for-alibaba-cloud-esa-dns" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ACME SSL automation for Alibaba Cloud ESA DNS free?

Yes, ACME SSL automation for Alibaba Cloud ESA DNS is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does ACME SSL automation for Alibaba Cloud ESA DNS support?

ACME SSL automation for Alibaba Cloud ESA DNS is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux).

Who created ACME SSL automation for Alibaba Cloud ESA DNS?

It is built and maintained by dogeow (@dogeow); the current version is v0.1.4.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments