Delegated DCV


Add a CNAME record to your site's authoritative DNS to delegate the DCV check for free certificate applications to ESA. ESA automatically issues and renews free certificates.

What is DCV

Domain Control Validation (DCV) is the process by which a certification authority (CA) verifies that an applicant controls a domain before issuing a certificate.

Use cases

  • For CNAME-accessed sites whose domain does not resolve to ESA, the ESA console defaults to HTTP verification for Let's Encrypt certificates. If you cannot deploy the HTTP verification file, configure delegated DCV to bypass HTTP verification.

  • DigiCert certificates support only DNS verification. For CNAME-accessed sites, configure delegated DCV to ensure correct certificate issuance and renewal.

Configure delegated DCV

  1. In the ESA console, choose Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose SSL/TLS > Edge Certificates.

  3. In the Delegated DCV section, copy the CNAME record information.


    Note

    Replace hostname in the copied record as follows:

    • If the delegated domain is a wildcard domain, such as *.example.com, hostname is example.com.

    • If the delegated domain is not a wildcard domain, such as esa.example.com, hostname is esa.example.com.

  4. Add a CNAME record at your DNS provider. This example uses Alibaba Cloud DNS. Log on to the Alibaba Cloud DNS console. In the navigation pane on the left, click Public Zone. On the Public Zone page, find the domain name and click Settings.


  5. On the Settings page, click Add Record. Set Record Type to CNAME. Paste the values from Step 3 into the Hostname and Record Value fields, then click OK. The table below shows the host record and record value for each type of delegated domain.

    Domain name type     | Example domain name  | Host record for your DNS provider | Record value
    Root domain          | example.com          | _dnsauth                          | example.com.SiteID.dcv.aliyun-esa.com
    Subdomain            | www.example.com      | _dnsauth.www                      | www.example.com.SiteID.dcv.aliyun-esa.com
    Wildcard domain name | *.example.com        | _dnsauth                          | example.com.SiteID.dcv.aliyun-esa.com
    Multi-level subdomain| api.test.example.com | _dnsauth.api.test                 | api.test.example.com.SiteID.dcv.aliyun-esa.com

Important

For CNAME-accessed sites, do not delete the delegated DCV record after applying for a wildcard certificate. Deleting this record causes certificate renewal failures.

Verification

If your certificate covers multiple domains, configure a CNAME record for each. Run the following commands to verify that the records have taken effect.

Verify a DigiCert certificate

# [DigiCert certificate]
dig _dnsauth.<hostname> CNAME # Replace <hostname> with your domain name, for example: dig _dnsauth.example.com CNAME

Output:

QUESTION SECTION (request): _dnsauth.a.example.com.

ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.

If the ANSWER SECTION response matches your configured record value, the delegation is successful.

Note

The record may take a few minutes to take effect. If the command fails, try again.


Verify a Let's Encrypt certificate

# [Let's Encrypt certificate]
dig _acme-challenge.<hostname> CNAME  # Replace <hostname> with your domain name, for example: dig _acme-challenge.example.com CNAME

Output:

QUESTION SECTION (request): _acme-challenge.a.example.com.

ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.

If the ANSWER SECTION response matches your configured record value, the delegation is successful.

Note

The record may take a few minutes to take effect. If the command fails, try again.
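Added example, not code from the ESA documentation: a small Python script that derives the host record and record value for a delegated domain using the rules in the table above, then checks through an injectable resolver that each `_dnsauth` (DigiCert) and `_acme-challenge` (Let's Encrypt) CNAME answers with the expected target. The zone name, the `SiteID` placeholder and the in-memory fake zone are constructed assumptions; `dig_cname` wraps the same dig query the page uses for a live check.

```python
# Added example (not ESA's own code): derive and verify delegated-DCV CNAME records.
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

DCV_SUFFIX = "dcv.aliyun-esa.com"             # target zone used in the ESA table
DCV_LABELS = ("_dnsauth", "_acme-challenge")  # DigiCert / Let's Encrypt checks


def _hostname(delegated_domain: str) -> str:
    """Page rule: a wildcard such as *.example.com delegates example.com itself."""
    d = delegated_domain.strip().rstrip(".").lower()
    return d[2:] if d.startswith("*.") else d


def expected_records(delegated_domain: str, site_id: str, zone: str) -> List[Tuple[str, str, str]]:
    """Return (fqdn to query, host record for the DNS provider, record value) per label."""
    host, zone = _hostname(delegated_domain), zone.strip().rstrip(".").lower()
    if host != zone and not host.endswith("." + zone):
        raise ValueError(f"{host} is not inside zone {zone}")
    rel = "" if host == zone else "." + host[: -len(zone) - 1]   # e.g. ".api.test"
    value = f"{host}.{site_id}.{DCV_SUFFIX}"                     # SiteID is a placeholder
    return [(f"{label}.{host}", f"{label}{rel}", value) for label in DCV_LABELS]


def _norm(name: Optional[str]) -> Optional[str]:
    """Canonicalise a DNS name: strip the trailing dot and ignore case."""
    return None if name is None else name.strip().rstrip(".").lower()


def check_delegation(delegated_domain: str, site_id: str, zone: str,
                     resolve: Callable[[str], Optional[str]]) -> Dict[str, bool]:
    """Map each DCV FQDN to True when its CNAME answer equals the expected value."""
    return {fqdn: _norm(resolve(fqdn)) == _norm(value)
            for fqdn, _, value in expected_records(delegated_domain, site_id, zone)}


def dig_cname(fqdn: str) -> Optional[str]:
    """Live resolver using the same dig query as the page; None when there is no answer."""
    out = subprocess.run(["dig", "+short", fqdn, "CNAME"],
                         capture_output=True, text=True, check=False).stdout.split()
    return out[0] if out else None


if __name__ == "__main__":
    # Constructed fake zone: only the DigiCert record has been added so far.
    fake_zone = {"_dnsauth.www.example.com": "www.example.com.SiteID.dcv.aliyun-esa.com."}
    print(check_delegation("www.example.com", "SiteID", "example.com", fake_zone.get))
    # → {'_dnsauth.www.example.com': True, '_acme-challenge.www.example.com': False}
```

Pass `dig_cname` as the resolver to run the same check against live DNS once the records have propagated.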
