Add a CNAME record to your site's authoritative DNS. This lets you delegate the Domain Control Validation (DCV) check required for free certificate applications to ESA. ESA then automatically issues and renews your free certificates.
What is DCV
Domain Control Validation (DCV) is a process where a certification authority (CA) requires an applicant to prove control over a domain name before issuing a certificate for it.
Use cases
For sites that are accessed through a CNAME record, if the domain name does not resolve to ESA, the ESA console generates DCV information for HTTP verification by default when you request a Let's Encrypt certificate. If you cannot deploy the HTTP verification file to the target domain, you can configure a delegated DCV record in advance to avoid the need for HTTP verification.
Because DigiCert certificates support only DNS verification, you must configure delegated DCV for sites that are accessed through a CNAME record. This ensures that DigiCert certificates are issued and renewed correctly.
Configure delegated DCV
1. In the ESA console, choose Websites. In the Website column, click the target site.
2. In the navigation pane on the left, choose .
3. In the Delegated DCV area, view and copy the CNAME information.
Note: Instructions for replacing hostname:
If the delegated domain is a wildcard domain, such as *.example.com, hostname is example.com.
If the delegated domain is not a wildcard domain, such as esa.example.com, hostname is esa.example.com.
4. Go to your DNS provider and add a CNAME record. The following procedure uses Alibaba Cloud DNS as an example.
Log on to the Alibaba Cloud DNS console. In the navigation pane on the left, click Public Zone. On the Public Zone page, find the domain name and click Settings.
On the Settings page, click Add Record. Set Record Type to CNAME. Paste the content that you copied in Step 3 into the Hostname and Record Value fields. Click OK.

| Domain name type | Example domain name | Host record for your DNS provider | Record value |
| --- | --- | --- | --- |
| Root domain | example.com | _dnsauth | example.com.SiteID.dcv.aliyun-esa.com |
| Subdomain | www.example.com | _dnsauth.www | www.example.com.SiteID.dcv.aliyun-esa.com |
| Wildcard domain name | *.example.com | _dnsauth | example.com.SiteID.dcv.aliyun-esa.com |
| Multi-level subdomain | api.test.example.com | _dnsauth.api.test | api.test.example.com.SiteID.dcv.aliyun-esa.com |
For sites that are accessed through a CNAME record, do not delete the delegated DCV record from your DNS provider after you apply for a wildcard certificate. If you delete the record, future certificate renewals will fail.
Verification
If your certificate includes multiple domain names, you must configure a CNAME record for each one. After the configuration is complete, you can use the following commands to verify that the CNAME records have taken effect.
Verify a DigiCert certificate
# [DigiCert certificate]
dig _dnsauth.<hostname> CNAME # Replace <hostname> with your domain name, for example: dig _dnsauth.example.com CNAME
Execution result:
QUESTION SECTION (request): _dnsauth.a.example.com.
ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.
If the response in the ANSWER SECTION matches the record value that you configured, the configuration is successful.
The record may take a few minutes to take effect. If the command fails, try again.

Verify a Let's Encrypt certificate
# [Let's Encrypt certificate]
dig _acme-challenge.<hostname> CNAME # Replace <hostname> with your domain name, for example: dig _acme-challenge.example.com CNAME
Result:
QUESTION SECTION (request): _acme-challenge.a.example.com.
ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.
If the response in the ANSWER SECTION matches the record value that you configured, the configuration is successful.
The change may take a few minutes to take effect. If the process fails, please retry.
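The two dig checks above, extended to every domain name on a certificate and to an exact comparison against the expected record value, as an added example that is not part of the original page or ESA's own tooling. The function names and the script name check_dcv.sh are illustrative, and the site ID is whatever the ESA console shows for your site.

```shell
#!/bin/sh
# Added example: site ID and domains passed in are the caller's own values.

# Note's rule: a wildcard "*.example.com" delegates under "example.com".
dcv_hostname() {
    case "$1" in
        '*.'*) h=${1#??} ;;
        *)     h=$1 ;;
    esac
    printf '%s\n' "$h" | tr 'A-Z' 'a-z'
}

# Name to query: _dnsauth (DigiCert) or _acme-challenge (Let's Encrypt).
dcv_query_name() {      # $1 = domain, $2 = digicert|letsencrypt
    case "$2" in
        digicert)    p=_dnsauth ;;
        letsencrypt) p=_acme-challenge ;;
        *) echo "unknown CA: $2" >&2; return 2 ;;
    esac
    printf '%s.%s\n' "$p" "$(dcv_hostname "$1")"
}

# Record value from the table: <hostname>.<SiteID>.dcv.aliyun-esa.com
dcv_expected_target() { # $1 = domain, $2 = site ID
    printf '%s.%s.dcv.aliyun-esa.com\n' "$(dcv_hostname "$1")" "$2"
}

# True only if the CNAME answer is exactly the expected ESA target.
dcv_matches() {         # $1 = domain, $2 = site ID, $3 = dig +short answer
    want=$(dcv_expected_target "$1" "$2")
    got=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    got=${got%.}        # dig prints a trailing root dot
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Live check of each domain; non-zero exit if any record is missing or wrong.
dcv_check_live() {      # $1 = site ID, $2 = CA, remaining args = domains
    site=$1; ca=$2; shift 2; rc=0
    for d in "$@"; do
        q=$(dcv_query_name "$d" "$ca") || return 2
        ans=$(dig +short "$q" CNAME | head -n 1)
        if dcv_matches "$d" "$site" "$ans"; then echo "OK   $q"
        else echo "FAIL $q -> ${ans:-no CNAME}"; rc=1; fi
    done
    return $rc
}

# Usage: sh check_dcv.sh <SiteID> digicert example.com '*.example.com'
if [ "$#" -ge 3 ]; then dcv_check_live "$@"; fi
```

A FAIL line for a name that does return a CNAME means validation for that name is delegated to a target other than your ESA site, which is worth investigating before the next renewal.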
