Add a CNAME record to your site's authoritative DNS to delegate the DCV check for free certificate applications to ESA. ESA automatically issues and renews free certificates.
What is DCV
Domain Control Validation (DCV) is the process by which a certification authority (CA) verifies that an applicant controls a domain before issuing a certificate.
Use cases
For CNAME-accessed sites whose domain does not resolve to ESA, the ESA console defaults to HTTP verification for Let's Encrypt certificates. If you cannot deploy the HTTP verification file, configure delegated DCV to bypass HTTP verification.
DigiCert certificates support only DNS verification. For CNAME-accessed sites, configure delegated DCV to ensure correct certificate issuance and renewal.
Configure delegated DCV
In the ESA console, choose Websites. In the Website column, click the target site.
In the navigation pane on the left, choose .
In the Delegated DCV section, copy the CNAME record information.
NoteInstructions for replacing
hostname:If the delegated domain is a wildcard domain, such as
*.example.com,hostnameisexample.com.If the delegated domain is not a wildcard domain, such as
esa.example.com,hostnameisesa.example.com.
Add a CNAME record at your DNS provider. This example uses Alibaba Cloud DNS. Log on to the Alibaba Cloud DNS console. In the navigation pane on the left, click Public Zone. On the Public Zone page, find the domain name and click Settings.

On the Settings page, click Add Record. Set Record Type to CNAME. Paste the values from Step 3 into the Hostname and Record Value fields. Click OK.

Domain name type
Example domain name
Host record for your DNS provider
Record value
Root domain
example.com_dnsauthexample.com.SiteID.dcv.aliyun-esa.comSubdomain
www.example.com_dnsauth.wwwwww.example.com.SiteID.dcv.aliyun-esa.comWildcard domain name
*.example.com_dnsauthexample.com.SiteID.dcv.aliyun-esa.comMulti-level subdomain
api.test.example.com_dnsauth.api.testapi.test.example.com.SiteID.dcv.aliyun-esa.com
For CNAME-accessed sites, do not delete the delegated DCV record after applying for a wildcard certificate. Deleting this record causes certificate renewal failures.
After you add or modify the delegated DCV CNAME record at your DNS provider, go to the ESA console to manually apply for a free certificate. The system does not automatically trigger verification after DNS changes.
Keep the following in mind:
After the certificate is successfully issued, do not delete the DCV record from your DNS provider. Deleting it causes future auto-renewal failures.
If certificate application fails or keeps timing out: verify that DNS propagation has taken effect (typically up to 10 minutes); confirm the host record format is correct (
_acme-challengefor Let's Encrypt,_dnsauthfor DigiCert); delete any conflicting old validation records and retry.
Multi-level subdomains: When applying for a certificate for a multi-level subdomain (such as hw.drive.example.com), set the host record to only the prefix (for example, _dnsauth.hw.drive). Do not include the full domain name in the host record—this causes validation to fail. Note that wildcard certificates (such as *.example.com) do not cover third-level or deeper subdomains. Apply for a separate certificate and configure a corresponding DCV record for each multi-level subdomain.
Verification
If your certificate covers multiple domains, configure a CNAME record for each. Run the following commands to verify that the records have taken effect.
If certificate application fails, the certificate status is abnormal, or the certificate shows as untrusted, use the dig commands in this section to verify that DNS resolution is correctly configured. For Let's Encrypt certificates, some scenarios may also require verifying the _acme-challenge record. DNS propagation typically takes a few minutes to 10 minutes. If verification fails, wait and retry, or check your DNS configuration for errors.
Verify a DigiCert certificate
# [DigiCert certificate]
dig _dnsauth.<hostname> CNAME # Replace <hostname> with your domain name, for example: dig _dnsauth.example.com CNAMEOutput:
QUESTION SECTION (request): _dnsauth.a.example.com.
ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.
If the ANSWER SECTION response matches your configured record value, the delegation is successful.
The record may take a few minutes to take effect. If the command fails, try again.

Verify a Let's Encrypt certificate
# [Let's Encrypt certificate]
dig _acme-challenge.<hostname> CNAME # Replace <hostname> with your domain name, for example: dig _acme-challenge.example.com CNAMEOutput:
QUESTION SECTION (request): _acme-challenge.a.example.com.
ANSWER SECTION (response): a.example.com.******728815680.dcv.aliyun-esa.com.
If the ANSWER SECTION response matches your configured record value, the delegation is successful.
The record may take a few minutes to take effect. If the command fails, try again.

FAQ
How long are ESA free certificates valid? How does auto-renewal work?
ESA free certificates are valid for 3 months. The system automatically attempts renewal 30 days before the certificate expires.
If you receive a renewal failure notification or find that your certificate has expired, you do not need to delete the original certificate. Go to the ESA console and navigate to the Edge Certificates page to re-apply. The system supports multiple coexisting certificates and the update process does not interrupt service. New certificates typically take effect within 5–10 minutes.
The ESA console shows my certificate status as "Pending Configuration" even though I have uploaded a certificate. What should I do?
This status typically means domain traffic is not routing through ESA nodes. To resolve this:
Pause the A record for your domain at your DNS provider.
Ensure only the CNAME record pointing to ESA remains, and set the routing line to Default.
After traffic begins routing through ESA nodes, the certificate status will return to normal.
Can I download the free SSL certificate issued by ESA to deploy on my origin server?
No. Free DV certificates issued through the ESA console are for use on ESA edge nodes only and cannot be downloaded. To deploy a certificate on your origin server, go to the Alibaba Cloud Certificate Management Service console to apply for a downloadable free certificate or commercial certificate.