acme.sh wildcard cert and domain

Author: akka9 | Source: published 2018-12-05 21:52 | Read 0 times
# The DNS provider for domain.com has no ACME DNS API support; the provider for dpdomain.cn does (e.g. DNSPod)

# Configure these CNAME records in the domain.com zone
_acme-challenge         CNAME _acme-challenge.dpdomain.cn    # for *.domain.com
_acme-challenge.api   CNAME _acme-challenge.dpdomain.cn    # for *.api.domain.com
_acme-challenge.sub   CNAME _acme-challenge.dpdomain.cn    # for *.sub.domain.com

crontab -l
#25 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
25 0 13,26 * * bash /root/acme.sh/acme.sh --upgrade
25 0 14,28 * * bash /root/start_acme.sh  > /dev/null
# /root/start_acme.sh
export DP_Id="idddddddddddd"
export DP_Key="keyyyyyy"

# Quote the wildcard names so the shell cannot glob-expand them against files in the working directory
/root/.acme.sh/acme.sh --issue --dns dns_dp \
     -d domain.com --challenge-alias dpdomain.cn \
     -d '*.mirr.domain.com' --challenge-alias dpdomain.cn \
     -d '*.sub.domain.com' --challenge-alias dpdomain.cn \
     -d '*.dev.domain.com' --challenge-alias dpdomain.cn \
     -d '*.test.domain.com' --challenge-alias dpdomain.cn \
     -d '*.api.domain.com' --challenge-alias dpdomain.cn \
     -d '*.rd.domain.com' --challenge-alias dpdomain.cn \
     -d '*.domain.com' --challenge-alias dpdomain.cn \
     --keylength ec-256 --debug --log

mkdir -p /app/acme
\cp -f /root/.acme.sh/domain.com_ecc/domain.com.key /app/acme/ecc.key
\cp -f /root/.acme.sh/domain.com_ecc/fullchain.cer /app/acme/ecc.crt

## rsync the certificate to the remote hosts

# monit: watch the certificate file's timestamp and reload nginx when it changes

check file nginx_crt with path /app/acme/ecc.crt
    start program = "/bin/systemctl start nginx" with timeout 60 seconds
    stop program  = "/bin/systemctl stop nginx"
    if changed timestamp then exec "/bin/systemctl reload nginx"
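
Added example (not part of the original post): in DNS alias mode every name passed with -d needs its own _acme-challenge CNAME pointing at the alias zone, and a wildcard shares that record with its base name. The script below derives the required records from the -d list and reports the ones absent from a record listing; the helper names and the listing format are assumptions, and the sample input is the three CNAME lines shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names and the record
# listing format are assumptions made for illustration.

# challenge_owner NAME: the DNS name where dns-01 validation looks.
# "*.api.domain.com" and "api.domain.com" share _acme-challenge.api.domain.com.
challenge_owner() {
    printf '_acme-challenge.%s\n' "${1#\*.}" | tr 'A-Z' 'a-z'
}

# required_cnames ALIAS NAME...: one "owner CNAME target" line per distinct owner.
required_cnames() {
    alias_zone=$1; shift
    for name in "$@"; do
        printf '%s CNAME _acme-challenge.%s\n' "$(challenge_owner "$name")" "$alias_zone"
    done | sort -u
}

# qualify_records ZONE: read zone-relative "owner CNAME target" lines on
# stdin (the layout used in the post) and print them fully qualified.
qualify_records() {
    awk -v z="$1" '$2 == "CNAME" { print tolower($1 "." z), $2, tolower($3) }'
}

# missing_cnames ZONE ALIAS RECORDS NAME...: required records absent from RECORDS.
missing_cnames() {
    zone=$1 alias_zone=$2 records=$3; shift 3
    have=$(printf '%s\n' "$records" | qualify_records "$zone")
    required_cnames "$alias_zone" "$@" | while read -r line; do
        printf '%s\n' "$have" | grep -qxF "$line" || printf '%s\n' "$line"
    done
}

# Sample input: the three CNAME lines shown in the post.
SAMPLE_RECORDS='_acme-challenge       CNAME _acme-challenge.dpdomain.cn
_acme-challenge.api   CNAME _acme-challenge.dpdomain.cn
_acme-challenge.sub   CNAME _acme-challenge.dpdomain.cn'

# The names passed with -d in the post's acme.sh command.
check_sample() {
    missing_cnames domain.com dpdomain.cn "$SAMPLE_RECORDS" \
        domain.com '*.mirr.domain.com' '*.sub.domain.com' '*.dev.domain.com' \
        '*.test.domain.com' '*.api.domain.com' '*.rd.domain.com' '*.domain.com'
}

check_sample   # prints the records for dev, mirr, rd and test
```

For the post's -d list it prints the records for dev, mirr, rd and test, which the three lines shown do not cover; whether they exist in the real zone is not stated on the page.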

Article link: https://www.haomeiwen.com/subject/hyrgcqtx.html