diff --git a/README.md b/README.md
index 6a90e54..9844d54 100644
--- a/README.md
+++ b/README.md
@@ -237,6 +237,13 @@ acme_sh_default_issue_renew_hook: ""
 # instead of being created and set for renewal. This will not uninstall acme.sh.
 acme_sh_default_remove: False
 
+# acme.sh dns alias document https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
+# If your DNS provider doesn't support API access,
+# or if you're concerned about security problems from giving the DNS API access to your main domain,
+# then you can use DNS alias mode.
+acme_sh_default_domain_alias: ""
+acme_sh_default_challenge_aliass: ""
+
 # This list contains a list of domains, along with key / value pairs to
 # configure each set of domains individually.
 #
@@ -278,6 +285,8 @@ acme_sh_domains:
 # extra_issue_renew_hook: ""
 # # Optionally remove and disable the certificate.
 # remove: True
+# # Optionally domain dns alias.
+# challenge_alias: alias-2-example.com
 ```
 
 ## Example usage
@@ -313,6 +322,9 @@ acme_sh_default_dns_provider_api_keys:
 "CF_Key": "THE_API_SECRET_TOKEN_FROM_THE_CLOUDFLARE_DASHBOARD"
 "CF_Email: "you@example.com"
 
+# An example alias domain for DNS alias mode, document https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
+acme_sh_default_challenge_aliass: "alias-example.com"
+
 # Reloading nginx inside of a Docker container that is named "nginx".
 # If you are running nginx in a Docker container then you'll also need to volume
 # mount in your certificates, but I'm sure you knew that already!
@@ -345,6 +357,20 @@ acme_sh_domains:
 
 # ------------------------------------------------------------------------------
 
+# ------------------------------------------------------------------------------
+
+# 1 certificate file for all of the domains.
+# use dns and dns alias
+acme_sh_domains:
+ - domains: ["example.com", "www.example.com"]
+ challenge_alias: alias-example.com
+
+# Produces this on your server:
+# /etc/ssl/ansible/example.com.key (the private key)
+# /etc/ssl/ansible/example.com.pem (the full chain certificate)
+
+# ------------------------------------------------------------------------------
+
 # 2 certificate files using the same example but the admin certificate will get
 # removed and disabled.
 acme_sh_domains:
diff --git a/defaults/main.yml b/defaults/main.yml
index 7b31db6..484d73f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -43,4 +43,7 @@ acme_sh_default_issue_renew_hook: ""
 
 acme_sh_default_remove: False
 
+acme_sh_default_challenge_alias: ""
+acme_sh_default_domain_alias: ""
+
 acme_sh_domains: []
diff --git a/tasks/main.yml b/tasks/main.yml
index e262adb..3294dde 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -139,6 +139,8 @@
 ./acme.sh --issue -d {{ item.domains | join(" -d ") }}
 --dns {{ item.dns_provider | default(acme_sh_default_dns_provider) }}
 --dnssleep {{ item.dns_sleep | default(acme_sh_default_dns_sleep) }}
+ {{ "--domain-alias" if item.domain_alias | default(acme_sh_default_domain_alias|default("")) else ""}}
+ {{ "--challenge-alias " + '"' + item.challenge_alias | default(acme_sh_default_challenge_aliass) + '"' if item.challenge_alias | default(acme_sh_default_challenge_aliass|default("")) else "" }}
 {{ "--force" if item.force_issue | default(acme_sh_default_force_issue) else "" }}
 {{ "--staging" if item.staging | default(acme_sh_default_staging) else "" }}
 {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
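Review bot: The first added line in the tasks/main.yml hunk emits `--domain-alias` without its value, so whenever `item.domain_alias` (or the default) is set the rendered command reads `--domain-alias --challenge-alias "..."` and acme.sh will most likely take the next token as the alias domain instead of the configured one. Build the argument the way the `--challenge-alias` line does: `{{ '--domain-alias "' + item.domain_alias | default(acme_sh_default_domain_alias) + '"' if item.domain_alias | default(acme_sh_default_domain_alias|default("")) else "" }}`. The `--challenge-alias` line reads `acme_sh_default_challenge_aliass` (double s), while the defaults/main.yml hunk defines `acme_sh_default_challenge_alias` and the README hunks document the misspelled name, so the shipped default is never read and a user who sets the defaults-file name gets no alias at all; use one spelling (the defaults name) in all three files. Both alias values are spliced into the command line as-is, so the Ansible `quote` filter would be safer than hand-placed double quotes, which a value containing a quote or space can break out of. The enclosing task starts outside the hunk.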