ACME SSL automation for Alibaba Cloud ESA DNS

Author: dogeow · GitHub ↗ · v0.1.4 · MIT-0
Platform: linux · ⚠ suspicious
Total downloads: 370 · Favorites: 1 · Current installs: 1 · Versions: 4
Install in OpenClaw:
/install acme-ssl-automation-for-alibaba-cloud-esa-dns
Description
Automatically issue/renew HTTPS certificates using Alibaba Cloud ESA DNS + acme.sh (including wildcard *.example.com + example.com), with optional installati...
Usage (SKILL.md)

ESA DNS + ACME Certificate Automation

Design Decision (Important)

This skill combines acme.sh + ESA DNS into a single integrated flow, not split into two skills.

Reasons:

  1. The two steps are tightly coupled: ACME challenge tokens must be written to ESA DNS immediately.
  2. The most common user errors are "validation failed / record written to the wrong panel" — an integrated flow minimizes mistakes.
  3. Wildcard scenarios often produce multiple TXT values for the same FQDN; splitting would increase manual synchronization cost.

If there is significant demand for "DNS-only operations" in the future, a separate esa-dns-records helper skill can be extracted.


When to Trigger

Trigger when any of the following apply:

  • Domain NS records are on *.atrustdns.com (ESA-hosted DNS)
  • User says "issue certificate with acme.sh", "Let's Encrypt", "DNS-01"
  • Error: No TXT record found at _acme-challenge...
  • Need to issue example.com + *.example.com together
  • Need to auto-write ESA DNS records and install to Nginx

Supported Environment

  • Linux hosts (Ubuntu is the tested and recommended distribution)
  • System-level Nginx (LNMP tested)
  • Docker/containerized environments are not supported
  • Not tested on Windows/macOS

Prerequisites

Install acme.sh from the official project before using this skill, and review the installation method you choose instead of piping remote scripts directly to a shell.

This skill expects acme.sh to be available on PATH. The script also falls back to ~/.acme.sh/acme.sh if present.

Requirements:

  • Credentials via ALIYUN_AK / ALIYUN_SK or ALIBABACLOUD_ACCESS_KEY_ID / ALIBABACLOUD_ACCESS_KEY_SECRET
  • Optional ESA region hint via ALIYUN_ESA_REGION / ALIBABACLOUD_ESA_REGION / ESA_REGION or --region
  • STS token is supported via ALIYUN_SECURITY_TOKEN, ALIBABACLOUD_SECURITY_TOKEN, or --sts-token
  • If the user provides credentials directly in OpenClaw chat/TUI as plain id / secret / token values without env names, treat them as generic Alibaba Cloud AccessKeyId / AccessKeySecret / SecurityToken and pass them to --ak / --sk / --sts-token. Do not block on whether the user said Aliyun or Alibaba Cloud; let the script auto-detect the ESA region/site.

Running the Script

Script path: scripts/esa_acme_issue.py

Default behavior (optimized):

  • Certificate installation to Nginx is disabled by default; opt in with --install-cert
  • --dns-timeout defaults to 600 seconds
  • Region auto-discovery is best-effort; if ESA does not expose DescribeRegions, pass --region to seed site discovery and the script will probe a fallback region list
  • Optional IPv4/IPv6 record management: --ensure-a-record host=ip (with authoritative NS propagation check)
  • Overwrite protection: existing A value is NOT overwritten unless --confirm-overwrite is passed
  • --lang selects output language (default: en; available languages auto-discovered from scripts/i18n/)
  • If --install-cert is used, run on a controlled Linux host with permission to write the target cert paths and reload Nginx
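
The overwrite guard behind --ensure-a-record, as an added example in Python rather than the skill's own code. It parses the host=ip spec, picks A or AAAA from the address family, and decides what may be done to the zone without calling the API. The record shape is an assumed simplification of an ESA ListRecords response (dicts with RecordName, Type and Value; the real field names may differ), and the post-write authoritative-NS propagation check is left out.

```python
"""Decision logic for --ensure-a-record host=ip with overwrite protection.
Added example, not the skill's code. Records are a simplified stand-in for
ESA ListRecords output: dicts with RecordName, Type and Value (assumed)."""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_record_spec(spec: str) -> Tuple[str, str, str]:
    """Parse 'host=ip' and choose the record type from the address family.

    Returns (fqdn, record_type, canonical_ip). Raises ValueError on bad
    input so a typo never becomes a stray record in the zone.
    """
    host, sep, ip = spec.partition("=")
    if not sep or not host.strip() or not ip.strip():
        raise ValueError("expected host=ip, got %r" % spec)
    addr = ipaddress.ip_address(ip.strip())      # validates IPv4 and IPv6
    rtype = "A" if addr.version == 4 else "AAAA"
    return host.strip().rstrip(".").lower(), rtype, str(addr)


def existing_values(records: Iterable[Dict], name: str, rtype: str) -> List[str]:
    """All current values of (name, type) in the zone listing."""
    return [
        str(r["Value"]) for r in records
        if str(r.get("RecordName", "")).rstrip(".").lower() == name
        and str(r.get("Type", "")).upper() == rtype
    ]


def plan_ensure_record(records: Iterable[Dict], spec: str,
                       confirm_overwrite: bool = False) -> Tuple[str, dict]:
    """Return (action, details) for the requested host=ip.

    Actions: 'create' (nothing at that name/type yet), 'noop' (already the
    wanted value and nothing else), 'refuse' (a different value exists and
    --confirm-overwrite was not given), 'overwrite' (different value exists
    and the caller explicitly confirmed).
    """
    name, rtype, ip = parse_record_spec(spec)
    current = existing_values(records, name, rtype)
    details = {"name": name, "type": rtype, "want": ip, "current": current}
    if not current:
        return "create", details
    if current == [ip]:
        return "noop", details
    if not confirm_overwrite:
        # The name already points somewhere else; silently replacing it could
        # redirect live traffic, so stop and make the operator confirm.
        return "refuse", details
    return "overwrite", details
```

The plan is computed from the listing the script already fetches, so the only API write happens after the decision, and only for 'create' or a confirmed 'overwrite'.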

Installing automatic renewal cron

Use scripts/install_cron.sh when the user wants this workflow to keep renewing automatically on the host.

What it installs:

  • a root-owned env file containing AK/SK (and optional STS token / region hint)
  • a wrapper script under /usr/local/sbin/
  • a cron entry that runs the wrapper on the requested schedule and logs to /var/log/

Example:

sudo bash scripts/install_cron.sh \
  --wrapper-name dogeow \
  --domains "dogeow.com,*.dogeow.com" \
  --ak YOUR_AK \
  --sk YOUR_SK \
  --region cn-hangzhou \
  --with-nginx-reload

Important:

  • This is the recommended way to automate renewal for ESA zones, because the default acme.sh --cron does not know how to create ESA DNS TXT records by itself.
  • If the user wants installed Nginx cert paths, also pass --cert-path / --key-path and optionally --reload-cmd.
  • Values given as --ak / --sk on the command line are visible to other local users in the process list while the installer runs and may be recorded in shell history; run it from a private shell (in bash, a leading space with HISTCONTROL=ignorespace keeps it out of history) and rotate the key if it was exposed.

Single domain

export ALIYUN_AK='YOUR_AK'
export ALIYUN_SK='YOUR_SK'
export ALIYUN_SECURITY_TOKEN='YOUR_STS_TOKEN'   # optional but recommended
python3 scripts/esa_acme_issue.py \
  -d test.example.com

Equivalent Alibaba Cloud env names are also accepted:

export ALIBABACLOUD_ACCESS_KEY_ID='YOUR_AK'
export ALIBABACLOUD_ACCESS_KEY_SECRET='YOUR_SK'
export ALIBABACLOUD_SECURITY_TOKEN='YOUR_STS_TOKEN'   # optional

Apex + wildcard (recommended order)

export ALIYUN_AK='YOUR_AK'
export ALIYUN_SK='YOUR_SK'
python3 scripts/esa_acme_issue.py \
  -d example.com \
  -d '*.example.com'

Wildcard only

python3 scripts/esa_acme_issue.py \
  -d '*.example.com'

Correct Nginx Configuration

ssl_certificate     /etc/nginx/ssl/example.com.crt;
ssl_certificate_key /etc/nginx/ssl/example.com.key;

Completion Criteria (Anti False-Positive)

Before reporting "record created / DNS ready", both conditions must be met:

  1. ListRecords returns the target RecordName + Type + Value;
  2. Authoritative NS dig @ns TXT returns the expected token.

If only the CreateRecord API returned success (RequestId/RecordId only) without passing both checks above, report "request accepted", not "completed".
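
Both completion checks above as an added example in Python, not the project's own code. It assumes a simplified ListRecords record shape (dicts with RecordName, Type and Value; the real field names may differ) and the dig CLI the skill lists as a required binary. The function names, the server names and the tokens used to exercise it are constructed for the example.

```python
"""Completion check for ACME DNS-01 TXT records (added example, not the
skill's own code). Assumes a simplified ListRecords record shape: dicts
with RecordName, Type and Value. Live queries use the dig CLI."""
import shlex
import subprocess
from typing import Dict, Iterable, List, Set


def parse_dig_txt(output: str) -> Set[str]:
    """Turn `dig +short TXT` output into the set of TXT RDATA strings.

    dig prints one RR per line as one or more double-quoted
    <character-string>s; a value longer than 255 bytes arrives as several
    quoted chunks on the same line that must be concatenated. (Non-printable
    bytes would show up as \\DDD escapes; ACME tokens are base64url, so none
    occur here.)
    """
    values: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # empty answer or dig comment
            continue
        values.add("".join(shlex.split(line)))
    return values


def listed_in_api(records: Iterable[dict], name: str, rtype: str, value: str) -> bool:
    """Check 1: the zone listing (ListRecords) holds the exact triple."""
    want = name.rstrip(".").lower()
    return any(
        str(r.get("RecordName", "")).rstrip(".").lower() == want
        and str(r.get("Type", "")).upper() == rtype.upper()
        and r.get("Value") == value
        for r in records
    )


def authoritative_servers(zone: str) -> List[str]:
    """Names of the zone's authoritative servers (for ESA, *.atrustdns.com)."""
    out = subprocess.run(["dig", "+short", "NS", zone],
                         capture_output=True, text=True, check=False).stdout
    return sorted(l.strip().rstrip(".") for l in out.splitlines() if l.strip())


def query_txt(ns: str, name: str, timeout: int = 5) -> Set[str]:
    """Check 2 (live): ask one authoritative server directly, so a cached or
    stale answer from a recursive resolver cannot produce a false 'ready'."""
    cmd = ["dig", "+short", "+norecurse", "+time=%d" % timeout,
           "@" + ns, "TXT", name]
    out = subprocess.run(cmd, capture_output=True, text=True,
                         timeout=timeout + 5, check=False).stdout
    return parse_dig_txt(out)


def dns_state(records: Iterable[dict], name: str, tokens: Set[str],
              answers: Dict[str, Set[str]]) -> str:
    """Combine both checks into the status the skill may report.

    `answers` maps each authoritative NS to the TXT values it returned
    (from query_txt, or injected for offline testing). Every expected token
    must be present in the API listing AND on every authoritative server;
    for apex + wildcard that is two tokens under the same FQDN.
    """
    recs = list(records)
    api_ok = all(listed_in_api(recs, name, "TXT", t) for t in tokens)
    ns_ok = bool(answers) and all(tokens <= seen for seen in answers.values())
    if api_ok and ns_ok:
        return "completed"
    pending = [label for ok, label in ((api_ok, "ListRecords"),
                                       (ns_ok, "authoritative NS")) if not ok]
    return "request accepted (pending: %s)" % ", ".join(pending)


def check_live(records: Iterable[dict], zone: str, name: str, tokens: Set[str]) -> str:
    """End-to-end: discover the NS set, query each one, then classify."""
    answers = {ns: query_txt(ns, name) for ns in authoritative_servers(zone)}
    return dns_state(records, name, tokens, answers)
```

A CreateRecord success on its own never reaches "completed" here: the status only flips once the record is visible in the listing and on every server the zone delegates to, which is exactly when Let's Encrypt's validators will see it.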

Troubleshooting Quick Reference

  1. InvalidRecordNameSuffix

    • Domain suffix does not belong to the current ESA site (common typo).
  2. No TXT record found at _acme-challenge...

    • TXT not yet visible on every authoritative NS; wait and retry, or raise --dns-timeout above its 600-second default.
  3. Permission / signature errors after setting AccessKey IP whitelist

    • Check current public egress IP: curl -s ifconfig.me
    • Whitelist the actual egress NAT IP (not LAN IP)
    • If behind proxy/gateway, whitelist the proxy egress IP
    • Wait briefly after whitelist update before retrying

Security Guidelines

Before each execution, remind the user:

  1. Use a RAM sub-account with minimal permissions. Do NOT use the primary account long-term AK.
  2. Prefer STS temporary credentials to reduce leak risk.
  3. Enable AccessKey IP whitelist, allowing only the actual egress NAT IP.
Safe-usage advice
This skill is functionally coherent for automating ACME DNS-01 with Alibaba ESA, but take these precautions before installing:
  1. Confirm the registry metadata against the code: you only need one pair of AK/SK environment variables (the code accepts either ALIYUN_* or ALIBABACLOUD_*), but the metadata lists both pairs; don't expose extra secrets unnecessarily.
  2. Prefer giving the script a RAM sub-account with minimal permissions or short-lived STS credentials instead of a primary long-lived AK/SK.
  3. If you run scripts/install_cron.sh, be aware it will write credentials to a root-owned env file and create a cron job that uses them; rotate keys if they are exposed, or use STS.
  4. Inspect and test the included esa_acme_issue.py and install_cron.sh locally before running them as root; verify the path to acme.sh and limit PATH to trusted locations.
  5. If you will pass credentials via a chat/TUI, avoid doing so in plaintext; prefer setting env vars on the host or using temporary STS tokens.
If you want, provide the exact metadata 'required env' that your platform will supply and I can confirm the minimum envs the script actually needs.
Functional analysis
Type: OpenClaw Skill Name: acme-ssl-automation-for-alibaba-cloud-esa-dns Version: 0.1.4 The skill bundle provides a legitimate utility for automating SSL certificate issuance and renewal using Alibaba Cloud ESA DNS and acme.sh. The Python script (esa_acme_issue.py) and shell script (install_cron.sh) implement the stated functionality using standard APIs and system commands, including security-conscious features like secret redaction in logs and restricted file permissions (600/700) for credential storage. No evidence of data exfiltration, unauthorized persistence, or malicious prompt injection was found; the instructions even include explicit security reminders for the user regarding least-privilege access.
Capability assessment
Purpose & Capability
Name/description, required binaries (python3, dig, acme.sh), and code all align with 'issue/renew certificates against Alibaba Cloud ESA using acme.sh'. The scripts call ESA APIs, create DNS TXT records, run acme.sh, and optionally install into Nginx as described.
Instruction Scope
SKILL.md and the included scripts instruct the agent/user to run the provided Python script and an installer script that can create root-owned env files, a wrapper under /usr/local/sbin, and a cron job. The instructions explicitly allow the agent to accept credentials provided in chat/TUI and pass them to the script—this is coherent with the purpose but broad (it instructs the agent to capture and forward credentials supplied in conversation). All runtime actions (dig, acme.sh invocation, ESA API calls, writing env/wrapper files, reloading nginx) stay within the stated scope.
Install Mechanism
This is an instruction-only skill with no remote download install step. All code is included in the bundle; there is no URL-based installer or archive extraction. The highest-risk install action is the helper script (install_cron.sh) which, when run, writes files to /root/.config, /usr/local/sbin, and registers a cron job—expected for a renewal cron installer.
Credentials
The credentials requested are appropriate for ESA operations (AccessKeyId / AccessKeySecret and optional STS token). However, the registry metadata lists both ALIYUN_AK/ALIYUN_SK and ALIBABACLOUD_ACCESS_KEY_ID/ALIBABACLOUD_ACCESS_KEY_SECRET as required env vars, while the code accepts either alias — the metadata's 'required env vars' is therefore misleading (it suggests all four must be present). The install script stores long-lived AK/SK in a root-owned env file as the default automation method; this is functional but elevates risk if those keys are long-lived. The skill does provide and promote STS/least-privilege guidance, which mitigates but does not eliminate the proportionality concern.
Persistence & Privilege
The skill does not set always:true. The optional installer requires root and creates persistent artifacts (env file with credentials, wrapper script, cron job, log file). That persistence is expected for an automated renewal workflow but is privileged (root-owned scheduled task that runs with stored credentials). The skill does not appear to modify other skills or global agent configuration.
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install acme-ssl-automation-for-alibaba-cloud-esa-dns
  3. After installation, call the skill by name or trigger it with /acme-ssl-automation-for-alibaba-cloud-esa-dns
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version history
v0.1.4
acme-ssl-automation-for-alibaba-cloud-esa-dns v0.1.4
  • Added support for automatic installation of certificate renewal cron jobs via the `install_cron.sh` script.
  • Introduced region hint options for ESA discovery (optional region parameter).
  • Added English and Chinese language support for script output.
  • Included detailed examples and recommendations for using the new cron installation workflow.
  • Provided wrapper/cron automation with safer credential storage and logging practices.
v0.1.2
  • Added support for additional environment variable names (`ALIBABACLOUD_ACCESS_KEY_ID`, `ALIBABACLOUD_ACCESS_KEY_SECRET`, etc.) for credential input, in addition to the existing Aliyun names.
  • Credentials entered directly as id/secret/token are now accepted as Alibaba Cloud AK/SK/token without requiring mention of the platform brand, with automatic ESA region/site detection.
  • Updated dependencies: `acme.sh` must be available on `PATH`; falls back to the user directory if present.
  • Metadata updated to reflect all accepted credential env vars and required binaries.
  • Added Python bytecode and test cache files to version control.
v0.1.1
Docs, CLI, and tests updated to make Nginx certificate installation opt-in and to require manual Python dependency installation.
  • README / README_zh: clarify the acme.sh prerequisite, remove the recommendation to pipe remote install scripts, state that certificate installation to Nginx is disabled by default and show explicit install examples; add a warning about running --install-cert on a controlled Linux host.
  • SKILL.md: mirror the doc changes, add homepage and metadata fields for OpenClaw, mark install-to-Nginx as opt-in and note permission requirements.
  • scripts/esa_acme_issue.py: ensure_python_deps no longer attempts to auto-install; it now prints an error instructing manual pip install and exits. Removed the auto-install-deps CLI flags and changed the --install-cert default to False (opt-in). Updated main() to call ensure_python_deps() accordingly.
  • tests: add ArgParse tests asserting install_cert is False by default and True when --install-cert is provided; update the flow test to include --install-cert where needed.
These changes improve security and explicitness by avoiding implicit dependency installation and making certificate installation an explicit opt-in action.
v0.1.0
ACME SSL automation for Alibaba Cloud ESA DNS
Overview
  • A utility for automated HTTPS certificate issuance using acme.sh and Alibaba Cloud ESA DNS.
  • It supports ACME DNS-01 verification by dynamically creating TXT records through the ESA API, enabling fully automated SSL certificate issuance, deployment, and renewal for servers such as Nginx and Apache.
Why This Project Exists
  • Many AI-generated scripts and online examples mistakenly use the traditional Alibaba Cloud DNS service when configuring ACME DNS validation.
  • However, Alibaba Cloud ESA uses a different DNS system, and using the wrong API often causes ACME validation failures.
  • This project ensures that SSL certificates are issued using the correct ESA DNS workflow, preventing common automation errors.
Metadata
Slug: acme-ssl-automation-for-alibaba-cloud-esa-dns
Version: 0.1.4
License: MIT-0
Total installs: 1
Current installs: 1
Version count: 4
FAQ

What is ACME SSL automation for Alibaba Cloud ESA DNS?

Automatically issue/renew HTTPS certificates using Alibaba Cloud ESA DNS + acme.sh (including wildcard *.example.com + example.com), with optional installati... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 370 cumulative downloads to date.

How do I install ACME SSL automation for Alibaba Cloud ESA DNS?

Run the command /install acme-ssl-automation-for-alibaba-cloud-esa-dns in the OpenClaw or Claude Code chat box to install it in one step. Installing the skill needs no extra configuration; running it still requires acme.sh on the host and Alibaba Cloud credentials, as described under Prerequisites.

Is ACME SSL automation for Alibaba Cloud ESA DNS free?

Yes. ACME SSL automation for Alibaba Cloud ESA DNS is free under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does ACME SSL automation for Alibaba Cloud ESA DNS support?

The registry lists linux as the platform. SKILL.md states that the scripts target Linux hosts only: Windows and macOS are untested and Docker/containerized environments are not supported.

Who developed ACME SSL automation for Alibaba Cloud ESA DNS?

Developed and maintained by dogeow (@dogeow); the current version is v0.1.4.
