Changes have been made to the certificate policies based on the latest proposals made by the CA/Browser Forum (CA/B). Due to these changes, the success rate of applying for a free SSL certificate in the Alibaba Cloud Dynamic Route for CDN (DCDN) console is greatly reduced. If you want to use free SSL certificates, we recommend that you apply for and deploy certificates in the SSL Certificates Service console.

Intended users

This notice is intended for users who use or are about to apply for free SSL certificates.

Details

Valued Alibaba Cloud users,

SSL Certificates Service product update: Notice on policy changes for domain name ownership verification.

Based on the latest proposals made by CA/B, SSL Certificates Service will adjust the file-based verification method for verifying domain name ownership.

Effective date: September 21, 2021.

Changes:
  • You can no longer upload a verification file to verify the ownership of a wildcard domain name, such as *.aliyundoc.com or *.developer.aliyundoc.com.

    If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record. For more information, see Add a DNS record to prove the ownership of a domain name.

  • You can still upload a verification file to verify the ownership of a specific domain name. A specific domain name can be a top-level domain name such as aliyundoc.com or a lower-level domain name such as example.aliyundoc.com. This verification method requires that each specific domain name uses a separate verification file.

    If you want to upload a verification file to verify the ownership of a top-level domain name such as aliyundoc.com and its lower-level domain names such as example.aliyundoc.com, you must upload separate verification files for them. For more information, see Upload a verification file to prove the ownership of a domain name.
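The following Python is an added illustration, not Alibaba Cloud code or the SSL Certificates Service API: it models the two rules listed above (wildcard names accept only DNS validation; a verification file counts only for the exact FQDN it is served at) and reports what each requested name still needs. The domain names and the sets of already-added files and records are constructed sample data, and where the DNS record itself must be placed is left out of the model.

```python
"""Added example, not Alibaba Cloud code: model the adjusted domain validation rules
described in this notice and report what each requested name still needs.
  * a wildcard name (*.aliyundoc.com) can be validated only by a DNS record;
  * a specific name can be validated by a DNS record or a verification file, but the
    file is per-FQDN: a file for aliyundoc.com does not cover example.aliyundoc.com.
Names and the "already validated" sets are constructed sample data; the model records
only whether a DNS record was added for a name, not where that record lives."""

DNS, FILE = "dns", "file"

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so aliyundoc.com and Aliyundoc.COM. compare equal."""
    return name.strip().lower().rstrip(".")

def is_wildcard(name: str) -> bool:
    return normalize(name).startswith("*.")

def allowed_methods(name: str) -> frozenset:
    """Validation methods the adjusted policy permits for one name."""
    return frozenset({DNS}) if is_wildcard(name) else frozenset({DNS, FILE})

def validation_status(requested, files_for, dns_for):
    """Return {name: (satisfied, reason)}. files_for: names serving a verification file
    at exactly that FQDN; dns_for: names whose DNS validation record has been added."""
    files = {normalize(n) for n in files_for}
    dns = {normalize(n) for n in dns_for}
    status = {}
    for raw in requested:
        name = normalize(raw)
        if name in dns:
            status[name] = (True, "validated by DNS record")
        elif FILE in allowed_methods(name) and name in files:
            status[name] = (True, "validated by verification file")
        elif is_wildcard(name):
            hint = " (a file for %s does not help)" % name[2:] if name[2:] in files else ""
            status[name] = (False, "wildcard: add a DNS record" + hint)
        else:
            # A file uploaded for a parent name is not inherited by its lower-level names.
            parents = [f for f in files if name.endswith("." + f)]
            hint = " (file for %s does not cover this name)" % max(parents, key=len) if parents else ""
            status[name] = (False, "add a DNS record or upload a file for exactly this name" + hint)
    return status

def names_needing_action(requested, files_for, dns_for):
    """Names that would still fail validation, with the reason, in request order."""
    return [(n, r) for n, (ok, r) in validation_status(requested, files_for, dns_for).items() if not ok]

if __name__ == "__main__":
    req = ["*.aliyundoc.com", "aliyundoc.com", "example.aliyundoc.com", "www.aliyundoc.com"]
    for name, reason in names_needing_action(req, {"aliyundoc.com", "www.aliyundoc.com"}, set()):
        print(name, "->", reason)
```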

References: Domain validation policy changes in 2021

We apologize for any inconvenience this may cause. If you have questions, submit a ticket to contact us.

Changes

| Domain name type | Impact |
| --- | --- |
| Top-level domain names, such as example.com | No impact. |
| Specific domain names that start with www, such as www.example.com | No impact. |
| Domain names that do not start with www, such as example.aliyundoc.com | Applications for free SSL certificates may fail. |
Note: DCDN allows you to apply for free SSL certificates only for specific domain names. After you upload a verification file to verify the ownership of a domain name and pass the verification, the verification file is stored on DCDN edge nodes. The certificate authority (CA) then accesses the verification file on the nodes and reviews your application. Based on the latest policy, for domain names that do not start with www, both the top-level domain name such as aliyundoc.com and its lower-level domain names such as example.aliyundoc.com and demo.aliyundoc.com must pass ownership verification before free SSL certificates can be issued. For this type of domain name, the DCDN console does not allow you to use verification files to verify the ownership of top-level domain names. As a result, domain names that do not start with www cannot pass ownership verification, and you cannot apply for free SSL certificates for them in the DCDN console.
Note: The feature that allows you to apply for free SSL certificates in the DCDN console will be phased out and migrated to SSL Certificates Service. Alibaba Cloud will notify you of the phase-out time. We recommend that you apply for free SSL certificates in the SSL Certificates Service console and then deploy the certificates to DCDN.

Solutions

You have an existing free SSL certificate that has been deployed to DCDN

DCDN automatically applies for a new certificate before the current one expires, and deploys the certificate to the domain name. Due to the latest certificate policy changes made by CA/B, the success rate of automatically applying for free SSL certificates is greatly reduced. If you have acquired a free SSL certificate through DCDN, we recommend that you apply for a new certificate in the SSL Certificates Service console and deploy the new certificate to your website before the current certificate expires.

If you use SSL Certificates Service to apply for free SSL certificates, you can add a DNS record or upload a verification file to verify the ownership of domain names. The success rate is higher than that of using DCDN to apply for free SSL certificates.

  1. Log on to the DCDN console.
  2. In the left-side navigation pane, choose Tools > Certificate Center.
  3. In the Certificate Source column, check that the certificate is a free SSL certificate.
  4. We recommend that you use SSL Certificates Service to apply for a new free certificate for the domain name before September 21, 2021.
    Notice

    You must prove the ownership of a domain name when you apply for a free certificate for the domain name. Take note of the following rules:

    • You can no longer upload a verification file to verify the ownership of a wildcard domain name, such as *.aliyundoc.com or *.developer.aliyundoc.com. If you use SSL Certificates Service to apply for a certificate that protects a wildcard domain name, you can verify the ownership of the wildcard domain name only by adding a DNS record.
    • You can still upload a verification file to verify the ownership of a specific domain name. A specific domain name can be a top-level domain name such as aliyundoc.com or a subdomain name such as example.aliyundoc.com. This verification method requires that each specific domain name uses a separate verification file. If you want to upload a verification file to verify the ownership of a top-level domain name such as aliyundoc.com and its lower-level domain names such as example.aliyundoc.com, you must upload separate verification files for them.
    • For more information, see Prove the ownership of a domain name.
  5. Deploy the free SSL certificate to the domain name. For more information, see Configure an SSL certificate.

Apply for a free SSL certificate

We recommend that you use SSL Certificates Service to apply for free SSL certificates. For more information, see Apply for a certificate.

If you must use DCDN to apply for free SSL certificates, take note of the changes made to the certificate policies. We recommend that you do not use DCDN to apply for free certificates.

| Before | After |
| --- | --- |
| The accelerated domain name must be mapped to the CNAME that is assigned by DCDN. | No change. |
| No Certification Authority Authorization (CAA) record is configured for the domain name, or the CAA record must allow Digicert.com and digicert.com to issue certificates. Wildcard domain names are not supported. | No change. |
| A free SSL certificate can protect only one specific domain name. | No change. |
| You must authorize Alibaba Cloud to apply for free certificates on your behalf. | No change. |
| The SSL Labs security rating of the accelerated domain name must be A. | No change. |
| A free SSL certificate is valid for one year. If the certificate is not automatically renewed seven days before it expires, you must manually renew it before it expires. | No change. |
| If you want to apply for a free certificate for a domain name that starts with www, you must also resolve the top-level domain name to DCDN. Note: For example, both www.aliyun.com and aliyun.com must be resolved to DCDN and mapped to the CNAMEs assigned by DCDN. This requirement is optional for other subdomain names. | Domain names that start with www: no change. Other domain names: you cannot apply for a free certificate in the DCDN console for domain names that do not start with www. |