Automatically deploy wildcard SSL certificate to Alibaba Cloud CDN

Official Introduction

Deploy Certificate to Aliyun

Automatically deploy wildcard SSL certificates to Alibaba Cloud CDN every two months.

✨ Features

  • 🔄 Automatically renew Let’s Encrypt wildcard domain certificates
  • ☁️ Automatically deploy to Alibaba Cloud CDN
  • ⏰ Runs automatically once every two months
  • 📧 Email notification when certificate is about to expire
  • 🔒 Secure sensitive information using GitHub Secrets

🚀 How to Use

Step 1: Fork the Repository

  1. Open the project’s GitHub page
  2. Click the “Fork” button at the top right corner
  3. This will create a full copy under your GitHub account

Step 2: Configure Alibaba Cloud Access Key (AK/SK)

To allow the GitHub script to access your Alibaba Cloud account, you need to provide an AccessKey with appropriate permissions.

  1. Log in to the Alibaba Cloud Console and go to the Resource Access Management (RAM) page
  2. Create a dedicated user for this project (recommended for security best practices)
  3. Assign the following policies to the user:
    • AliyunDNSFullAccess (Manage DNS resolution, used for automatic domain ownership verification)
    • AliyunCDNFullAccess (Manage CDN, used to upload and deploy certificates)
    • AliyunYundunCertFullAccess (Manage SSL Certificates Service)
  4. Create an AccessKey (AK/SK) for this user and securely save it

Step 3: Set Secrets in Your GitHub Repository

  1. Go to the page of your forked repository
  2. Click the “Settings” tab at the top
  3. In the left sidebar, navigate to “Secrets and variables” → “Actions”
  4. Click “New repository secret” and add the following secrets one by one:

| Secret Name | Description | Example Value |
| --- | --- | --- |
| ALIYUN_ACCESS_KEY_ID | Alibaba Cloud AccessKey ID | LTAI5txxxxxxxxxxxxx |
| ALIYUN_ACCESS_KEY_SECRET | Alibaba Cloud AccessKey Secret | h6J9Zxxxxxxxxxxxxxxxxxxxx |
| DOMAINS | Main domains; separate multiple entries with ASCII (half-width) commas | example.com,test.org |
| ALIYUN_CDN_DOMAINS | CDN domains, listed in the same order as DOMAINS; separate multiple entries with ASCII (half-width) commas | cdn.example.com,img.test.org |
| EMAIL | Email address to receive notifications | your-email@example.com |

Step 4: Trigger Workflow Execution

  1. In your forked repository, click the “Code” tab
  2. Find any file (e.g., README.md) and click the edit button (pencil icon)
  3. Make a trivial change, such as adding a space or newline at the end
  4. Enter a commit message (e.g., Trigger first run) and click “Commit changes”

Step 5: Check Execution Results

  1. After committing, click the “Actions” tab at the top of the repository
  2. View the workflow run status and detailed logs
  3. If all configurations are correct, the workflow will show a green checkmark (✅), indicating success
  4. Log in to the Alibaba Cloud CDN Console to verify that the certificate has been updated

⚠️ Important Notes

  • Security: Alibaba Cloud AK/SK credentials are highly sensitive. Always configure them via Secrets, never hardcode them in files
  • Domain Mapping: The order of domains in DOMAINS and ALIYUN_CDN_DOMAINS must exactly match; otherwise, certificates may be deployed to incorrect CDN domains
  • Delimiter: Separate multiple domains with ASCII (half-width) commas only, without spaces or other characters
  • First Run: It is recommended to manually trigger the workflow once to ensure everything is configured correctly
  • Costs: Let’s Encrypt certificates are free, but associated Alibaba Cloud services (CDN, DNS, etc.) may incur standard usage fees
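
The Domain Mapping and Delimiter rules above can be checked before the workflow touches Alibaba Cloud. The following is an added example, not part of this project's code: a Python preflight that reads the same `DOMAINS` and `ALIYUN_CDN_DOMAINS` values from the environment. The function names are hypothetical, and it assumes each certificate covers the main domain and `*.<main domain>` (one label deep).

```python
import os
import sys

def split_list(name, raw):
    """Split one secret on ASCII commas; return (items, errors)."""
    errors = []
    if "\uff0c" in raw:
        errors.append(f"{name}: contains a full-width comma; use ',' only")
    if any(ch.isspace() for ch in raw):
        errors.append(f"{name}: contains whitespace")
    items = raw.split(",")
    if any(item == "" for item in items):
        errors.append(f"{name}: empty entry (leading, trailing or doubled comma)")
    return [item.lower() for item in items], errors

def covered_by_wildcard(cdn_domain, domain):
    """True if cdn_domain is `domain` itself or exactly one label below it.

    Assumption: the certificate for `domain` covers `domain` and `*.domain`.
    """
    if cdn_domain == domain:
        return True
    suffix = "." + domain
    if not cdn_domain.endswith(suffix):
        return False
    label = cdn_domain[: -len(suffix)]
    return label != "" and "." not in label

def check_mapping(domains_raw, cdn_raw):
    """Return a list of problems; an empty list means the pairing is consistent."""
    domains, errors = split_list("DOMAINS", domains_raw)
    cdns, cdn_errors = split_list("ALIYUN_CDN_DOMAINS", cdn_raw)
    errors += cdn_errors
    if len(domains) != len(cdns):
        errors.append(f"count mismatch: {len(domains)} DOMAINS vs {len(cdns)} ALIYUN_CDN_DOMAINS")
    # Pair by position, exactly as the deployment does, so a swapped order is caught.
    for position, (domain, cdn) in enumerate(zip(domains, cdns), start=1):
        if domain and cdn and not covered_by_wildcard(cdn, domain):
            errors.append(f"position {position}: {cdn} is not covered by a certificate for {domain}")
    return errors

if __name__ == "__main__":
    problems = check_mapping(os.environ.get("DOMAINS", ""), os.environ.get("ALIYUN_CDN_DOMAINS", ""))
    for problem in problems:
        print(f"::error::{problem}")  # GitHub Actions error annotation
    sys.exit(1 if problems else 0)
```

Run as an early workflow step with the two secrets exported as environment variables, a non-zero exit stops the job before any certificate is uploaded.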

🔧 Support

If you encounter issues, please:

  1. Check error messages in the GitHub Actions logs
  2. Ensure all secrets are correctly set
  3. Confirm the RAM user has the required permissions

That’s it! You’ve completed all setup steps. From now on, GitHub will automatically renew and deploy your certificates approximately every 60 days — a one-time setup for long-term convenience.