diff --git a/CHANGELOG.md b/CHANGELOG.md index 71aa525..b222577 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,11 +8,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), ### v3.9.x - [Unreleased] +### v3.9.9 - 2019-09-24 + #### Added - [STACK] UFW now available as a stack with flag `--ufw` - [SECURE] `wo stack secure --ssh` to harden ssh security - [SECURE] `wo stack secure --sshport` to change ssh port +- [SITE] check domain DNS records before issuing a new certificate without DNS API +- [STACK] Acme challenge with DNS Alias mode [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode) #### Changed @@ -26,10 +30,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), #### Fixed -- `wo stack purge --all` failure if mysql isn't installed -- Fix EEv3 files cleanup -- Incorrect variable usage in `wo secure --port` -- Fix backup_ee function in install script +- [STACK] `wo stack purge --all` failure if mysql isn't installed +- [INSTALL] Fix EEv3 files cleanup +- [SECURE] Incorrect variable usage in `wo secure --port` +- [INSTALL] Fix backup_ee function in install script ### v3.9.8.12 - 2019-09-20 diff --git a/setup.py b/setup.py index 09aa70a..cf655c2 100644 --- a/setup.py +++ b/setup.py @@ -25,7 +25,7 @@ if not os.path.exists('/var/lib/wo/'): os.makedirs('/var/lib/wo/') setup(name='wo', - version='3.9.8.12', + version='3.9.9', description=long_description, long_description=long_description, classifiers=[], diff --git a/wo/cli/plugins/site.py b/wo/cli/plugins/site.py index d62f2fb..af17533 100644 --- a/wo/cli/plugins/site.py +++ b/wo/cli/plugins/site.py 
@@ -372,6 +372,9 @@ class WOSiteCreateController(CementBaseController): dict(help="choose dns provider api for letsencrypt", action='store' or 'store_const', const='dns_cf', nargs='?')), + (['--dnsalias'], + dict(help="set domain used for acme dns alias validation", + action='store', nargs='?')), (['--hsts'], dict(help="enable HSTS for site secured with letsencrypt", action='store_true')), @@ -730,13 +733,18 @@ class WOSiteCreateController(CementBaseController): letsencrypt = True if data['letsencrypt'] is True: Log.debug(self, "Going to issue Let's Encrypt certificate") - acmedata = dict(acme_domains, dns=False, acme_dns='dns_cf') + acmedata = dict(acme_domains, dns=False, acme_dns='dns_cf', + dnsalias=False, acme_alias='') if pargs.dns: Log.debug(self, "DNS validation enabled") acmedata['dns'] = True if not pargs.dns == 'dns_cf': Log.debug(self, "DNS API : {0}".format(pargs.dns)) acmedata['acme_dns'] = pargs.dns + if pargs.dnsalias: + Log.debug(self, "DNS Alias enabled") + acmedata['dnsalias'] = True + acmedata['acme_alias'] = pargs.dnsalias # detect subdomain and set subdomain variable if pargs.letsencrypt == "subdomain": @@ -793,7 +801,6 @@ class WOSiteCreateController(CementBaseController): "Aborting SSL certificate issuance") Log.debug(self, "Setup Cert with acme.sh for {0}" .format(wo_domain)) - Log.info(self, "Certificate type: Subdomain") if WOAcme.setupletsencrypt( self, acme_domains, acmedata): WOAcme.deploycert(self, wo_domain) @@ -1171,7 +1178,8 @@ class WOSiteUpdateController(CementBaseController): if pargs.letsencrypt: acme_domains = [] - acmedata = dict(acme_domains, dns=False, acme_dns='dns_cf') + acmedata = dict(acme_domains, dns=False, acme_dns='dns_cf', + dnsalias=False, acme_alias='') (wo_domain_type, wo_root_domain) = WODomain.getdomainlevel(self, wo_domain) 
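Review bot: The new `--dnsalias` option is declared with `action='store', nargs='?'` and no `const`, so a bare `--dnsalias` parses to `None` and the later `if pargs.dnsalias:` test skips it without any message. The option is meaningless without a domain, so dropping `nargs='?'` would make the parser reject the bare flag rather than quietly issuing without alias mode. The help text could also say that the option only takes effect together with `--dns`, which is how `wo/core/acme.py` in this commit appears to use it. The argument list continues outside the hunk.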
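Review bot: `pargs.dnsalias` is copied into `acmedata['acme_alias']` exactly as typed, in the `@@ -730` hunk and again in the `@@ -1398` hunk of the update controller, and it later becomes part of the acme.sh argument string. A hostname check before the assignment would stop malformed values early, for example `if not re.fullmatch(r'[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?', pargs.dnsalias): Log.error(self, "invalid --dnsalias domain")` (this needs `import re` if the module does not already have it). A short comment would also help the next reader: `# the alias zone can answer ACME DNS challenges for this site, so it must be operator-controlled`. The enclosing method starts and ends outside the hunk.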
@@ -1398,6 +1406,10 @@ class WOSiteUpdateController(CementBaseController): if not pargs.dns == 'dns_cf': Log.debug(self, "DNS API : {0}".format(pargs.dns)) acmedata['acme_dns'] = pargs.dns + if pargs.dnsalias: + Log.debug(self, "DNS Alias enabled") + acmedata['dnsalias'] = True + acmedata['acme_alias'] = pargs.dnsalias # Set list of domains to secure if acme_subdomain is True: Log.info(self, "Certificate type : subdomain") diff --git a/wo/core/acme.py b/wo/core/acme.py index d9e68f1..d640eed 100644 --- a/wo/core/acme.py +++ b/wo/core/acme.py @@ -23,6 +23,9 @@ class WOAcme: if acmedata['dns'] is True: acme_mode = "--dns {0}".format(wo_acme_dns) validation_mode = "DNS mode with {0}".format(wo_acme_dns) + if acmedata['dnsalias'] is True: + acme_mode = acme_mode + \ + " --challenge-alias {0}".format(acmedata['acme_alias']) else: acme_mode = "-w /var/www/html" validation_mode = "Webroot challenge" diff --git a/wo/core/variables.py b/wo/core/variables.py index 9ad512b..af40727 100644 --- a/wo/core/variables.py +++ b/wo/core/variables.py @@ -11,7 +11,7 @@ class WOVariables(): """Intialization of core variables""" # WordOps version - wo_version = "3.9.8.12" + wo_version = "3.9.9" # WordOps packages versions wo_wp_cli = "2.3.0" wo_adminer = "4.7.2"
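Review bot: In the `wo/core/acme.py` hunk, `acmedata['acme_alias']` is formatted straight into the `acme_mode` string after `--challenge-alias`, so a value containing whitespace, a leading `-` or shell metacharacters would alter the acme.sh command line if that string is later handed to a shell or split on spaces (the code that runs it is outside the hunk). If a shell is involved, quote the value, `" --challenge-alias {0}".format(shlex.quote(acmedata['acme_alias']))` with `import shlex`; building the command as an argument list would be more robust still. The added `if` also appears to sit inside the `acmedata['dns'] is True` branch, so `--dnsalias` without `--dns` falls through to the webroot challenge with no message; a `Log.debug` or warning there would make that visible.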