
Microservices Engine:Configure HTTPS certificates

Last Updated:Dec 04, 2025

After you configure HTTPS certificates, services deployed behind Microservices Engine (MSE) Ingress gateways can use Transport Layer Security (TLS) or Secure Sockets Layer (SSL) encryption. This is a key measure for protecting data in modern web applications and API services. The certificate lets the gateway encrypt traffic between clients and servers, so that unauthorized third parties cannot read or tamper with sensitive information, and it protects against man-in-the-middle attacks.

Prerequisites

  • Services are exposed using an MSE Ingress gateway. For more information, see Access Container Service and Container Compute Service through MSE Ingress.

  • A trusted digital certificate is available. You can obtain a trusted digital certificate using one of the following methods:

    • Purchase a certificate in the Certificate Management Service console. For more information, see Purchase a certificate.

    • Purchase a certificate from another certificate authority (CA).

    • Generate a self-signed certificate on your on-premises machine.

Configuration methods

MSE Ingress gateways allow you to configure an HTTPS certificate using a Kubernetes Secret or in the MSE console.

Supported scenarios

  • Kubernetes Secret:

    • Certificates are managed based on annotation configurations.

    • Certificates are automatically managed by using CI/CD pipelines or the cert-manager tool.

  • MSE console:

    • Certificates are managed in the Alibaba Cloud Certificate Management Service console.

    • Certificates are used for multiple cloud products, such as WAF and SLB.

    • Multiple certificates are deployed or replaced at the same time.

Priority

  • Kubernetes Secret: Low

  • MSE console: High

Cross-namespace support

  • Kubernetes Secret: Not supported.

  • MSE console: Supported.

Certificate update

  • Kubernetes Secret: Replace the content of the Kubernetes Secret.

  • MSE console: Replace the certificate in the MSE console, or deploy a new certificate to replace the existing one in the Alibaba Cloud Certificate Management Service console.

Deploy a backend service

  1. Log on to the ACK console. In the navigation pane on the left, choose Clusters.

  2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Workloads > Deployments.

  3. On the Deployments page, click Create from YAML. Use the following YAML template to deploy a Deployment named httpbin and a Service named httpbin.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: httpbin
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: httpbin
      template:
        metadata:
          labels:
            app: httpbin
            version: v1
        spec:
          containers:
            - image: registry.cn-hangzhou.aliyuncs.com/mse-ingress/go-httpbin
              args:
                - "--version=v1"
              imagePullPolicy: Always
              name: httpbin
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      namespace: default
    spec:
      ports:
        - port: 8080
          protocol: TCP
      selector:
        app: httpbin

Configure an HTTPS certificate

K8s Secret method

You can configure an HTTPS certificate for a domain name using the native Ingress semantics to reference a Kubernetes Secret.

  1. Prepare a domain name certificate. In this example, a self-signed certificate is prepared.

    Note

    In production, replace the sample key and certificate with your real key and certificate. You can download the key and certificate for your domain name from the Alibaba Cloud Certificate Management Service console.

    1. Run the following command to generate a certificate file named tls.crt and a private key file named tls.key:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"

    2. Create a Secret to store the TLS certificate.

      1. Log on to the ACK console. In the navigation pane on the left, choose Clusters.

      2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Configurations > Secrets.

      3. Click Create. In the Create panel, set Name to tls-test, select Type as TLS Certificate, copy the created tls.crt and tls.key to the corresponding input boxes, and then click OK.


  2. Create an MSE Ingress rule and configure an HTTPS certificate for the domain name foo.bar.com.

    1. In the left-side navigation pane, choose Network > Ingresses.

    2. On the Ingresses page, click Create Ingress. In the Create Ingress dialog box, configure the Ingress.

      Parameter

      Description

      Example

      Gateway Type

      Select MSE Ingress. For information about the differences among the three types of gateways, see Comparison among Nginx Ingress, ALB Ingress, and MSE Ingress.

      MSE Ingress

      Name

      Enter a name for the route that you want to create.

      test

      Ingress Class

      Select the related resource class.

      mse

      Rules

      Click + Add Rule to add multiple routing rules.

      • Domain Name: Enter a custom domain name.

      • Mappings: Configure the following parameters:

        • Path: Specify the URL path for accessing the service.

        • Rule:

          • Prefix (Prefix-based Match): matches the prefix of the requested URL path.

          • Exact (Exact Match): exactly matches the requested URL path.

          • ImplementationSpecific (Default Value): the matching rule is determined by the logic implemented by the Ingress controller.

          For more information, see Advanced usage of ALB Ingress.

        • Service: Select the target service, which is a Service in Kubernetes.

        • Port: Select the port that you want to expose for the service.

      • You can configure multiple paths for a domain name. Click + Add Path to add a path.

      • Domain Name: foo.bar.com

      • Mappings:

        • Path: /

        • Rule: Prefix (Prefix-based Match)

        • Service: httpbin

        • Port: 8080

      TLS Settings

      You can enable TLS termination for the Ingress.

      • Domain Name: Enter a custom domain name.

      • Secret: Select a Secret based on your needs.

        Note

        If you leave this parameter empty, automatic certificate discovery is used.

        To create a Secret, perform the following steps:

        1. Click Create on the right side of Secret.

        2. In the Create Secret dialog box, customize the Name, Cert, and Key of the Secret, and then click OK.

        3. Select the created Secret from the Secret drop-down list.

      Click + Add to add multiple TLS configurations.

      • Domain Name: demo.alb.ingress.top

      • Secret: tls-test

    3. Keep the other settings at their default values. After you complete the configuration, click OK in the lower-left corner of the Create Ingress page.

  3. Test HTTPS traffic. Run the following command to test the traffic. Replace x.x.x.x with the actual IP address of your gateway. You can view the gateway IP address on the Ingresses page.

    Note

    Because this example uses a self-signed certificate and the domain name is not registered with a DNS provider, --resolve maps the domain name to the gateway IP address manually and -k disables certificate verification.

    curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"

    Expected output:

    * Connected to foo.bar.com (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=foo.bar.com; O=foo.bar.com
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=foo.bar.com; O=foo.bar.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: foo.bar.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 07:49:39 GMT
    < content-length: 53
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 3
    < req-arrive-time: 1705477779046
    < resp-start-time: 1705477779049
    < x-envoy-upstream-service-time: 2
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx
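The K8s Secret procedure above, as an added shell example that is not part of the MSE documentation: it generates the self-signed pair for foo.bar.com (adding a subjectAltName, which the page's command omits and which browsers require), checks that tls.key really matches tls.crt before the Secret is created, and writes the Ingress manifest equivalent to the console settings. It assumes openssl 1.1.1 or later is installed; the Ingress name test, the Secret tls-test and the httpbin:8080 backend are taken from the page.

```shell
#!/bin/sh
# Added example, not from the MSE documentation. Requires openssl >= 1.1.1.
set -eu
DOMAIN="foo.bar.com"
SECRET_NAME="tls-test"   # Secret name used in the page's procedure

# Generate tls.key/tls.crt as the page does, plus a subjectAltName:
# browsers ignore the CN and match the host against the SAN only.
gen_selfsigned() {
  openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key \
    -out tls.crt -subj "/CN=${DOMAIN}/O=${DOMAIN}" \
    -addext "subjectAltName=DNS:${DOMAIN}" 2>/dev/null
}

# Succeed only if the public key in tls.crt is derived from tls.key;
# a mismatched pair is the usual reason a TLS Secret fails to serve.
key_matches_cert() {
  c=$(openssl x509 -in tls.crt -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in tls.key -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Write the Ingress equivalent to the console settings: class mse, prefix /
# to httpbin:8080, TLS for the domain terminated with the tls-test Secret.
write_ingress_manifest() {
  cat > ingress.yaml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  namespace: default
spec:
  ingressClassName: mse
  tls:
    - hosts: ["${DOMAIN}"]
      secretName: ${SECRET_NAME}
  rules:
    - host: ${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: { name: httpbin, port: { number: 8080 } }
EOF
}

gen_selfsigned
key_matches_cert || { echo "tls.key does not match tls.crt" >&2; exit 1; }
write_ingress_manifest
```

Create the Secret with `kubectl create secret tls tls-test --cert=tls.crt --key=tls.key` and apply ingress.yaml. Because the certificate is at hand, `curl --cacert tls.crt --resolve "foo.bar.com:443:x.x.x.x" https://foo.bar.com/version` then verifies that the gateway really serves it, instead of disabling verification with -k.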

Configure an HTTPS certificate in the MSE console

You can configure a certificate for the domain name in the MSE console. This way, you do not need to reference a Kubernetes Secret on the Ingress. You only need to configure routing rules.

Important

For the same domain name, a certificate configured in the MSE console takes precedence over one referenced through a Kubernetes Secret in the Ingress. If both are configured, the gateway serves the certificate from the MSE console.

  1. Prepare a domain name certificate. In this example, a self-signed certificate is prepared.

    Note

    In production, replace the sample key and certificate with your real key and certificate. You can download the key and certificate for your domain name from the Alibaba Cloud Certificate Management Service console.

    1. Run the following command to generate a certificate file named tls.crt and a private key file named tls.key:

      openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=foo.bar.com/O=foo.bar.com"

    2. Upload the self-signed certificate to the Alibaba Cloud Certificate Management Service console. For more information, see Upload and share SSL certificates. If your certificate is already managed by the Alibaba Cloud Certificate Management Service console, proceed to the next step.

  2. Create a domain name and configure a certificate.

    1. Log on to the MSE console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. On the Gateways page, click the ID of the gateway.

    3. In the left-side navigation pane, click Routes. Then, click the Domain tab.

    4. Click Add Domain Name. Set Domain to foo.bar.com, set Protocol to HTTPS, and select the corresponding certificate.


  3. Create an MSE Ingress rule.

    1. Log on to the ACK console. In the navigation pane on the left, choose Clusters.

    2. On the Clusters page, click the name of the target cluster. In the navigation pane on the left, choose Network > Ingresses.

    3. On the Ingresses page, click Create Ingress.

    4. In the Create Ingress dialog box, set Gateway Type to MSE Ingress, and configure the Name, Annotations, and other information for the backend. Then, click OK.

      Set Ingress Class to mse, set the routing to Prefix (Prefix-based Match), set the path to /, and forward requests to the httpbin service.

      Note

      You do not need to configure a TLS certificate.

  4. Test HTTPS traffic. Run the following command to test the traffic. Replace x.x.x.x with the actual IP address of your gateway. You can view the gateway IP address on the Ingresses page.

    Note

    Because this example uses a self-signed certificate and the domain name is not registered with a DNS provider, --resolve maps the domain name to the gateway IP address manually and -k disables certificate verification.

    curl -v -k https://foo.bar.com/version --resolve "foo.bar.com:443:x.x.x.x"

    Expected output:

    * Connected to foo.bar.com (X.X.X.X) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=foo.bar.com; O=foo.bar.com
    *  start date: Jan 17 06:47:23 2024 GMT
    *  expire date: Jan 16 06:47:23 2025 GMT
    *  issuer: CN=foo.bar.com; O=foo.bar.com
    *  SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /version HTTP/1.1
    > Host: foo.bar.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < date: Wed, 17 Jan 2024 08:16:27 GMT
    < content-length: 46
    < content-type: text/plain; charset=utf-8
    < req-cost-time: 5
    < req-arrive-time: 1705479387567
    < resp-start-time: 1705479387573
    < x-envoy-upstream-service-time: 4
    < server: istio-envoy
    <
    version: v1
    hostname: httpbin-xxxxxx