If a domain name is bound to your simple application server, you can configure HTTPS access to the domain name. This way, you can convert the data transmission protocol from HTTP to HTTPS at a low cost, and perform authentication and encrypted data transmission of websites. This prevents data tampering and information leakage during data transmission. This topic describes how to install an SSL certificate on a simple application server and enable HTTPS access to the server. In this topic, a WordPress 5.8 simple application server is used.
Prerequisites
A simple application server is created. For more information, see Build a WordPress blog.
A domain name is purchased. For more information about how to purchase a domain name from Alibaba Cloud, see Register a generic domain name.
If your simple application server is located in a Chinese mainland region, you must obtain an Internet content provider (ICP) filing for the domain name that is bound to your simple application server. For more information, see What is an ICP filing?
The domain name is bound to the simple application server and resolved. For more information, see Bind and resolve a domain name.
Background information
After you apply for and purchase a certificate and deploy the certificate to your web server by using Alibaba Cloud Certificate Management Service, the web service transfers data over HTTPS. If HTTPS is used, an encrypted channel over SSL is activated to transmit data from a client browser to the web server. This enables unidirectional encrypted transmission and prevents data in transmission from being tampered with or intercepted. HTTPS transmission is an essential feature of mobile apps, mini programs, programs, and controls to be published in App Stores or application ecosystems. HTTPS transmission provides the following benefits for websites:
Security compliance: HTTPS transmission allows websites to meet the requirements of App Stores or application ecosystems.
Encrypted transmission of network data: HTTPS transmission encrypts data communication between users and websites. This prevents transmitted data from being intercepted, tampered with, or eavesdropped on, and ensures the security of transmitted data.
High website security: HTTPS transmission prevents phishing events. When a user visits the website, the browser prompts that the website is secure and trusted. This can improve the credibility, access traffic, and search ranking of the website.
Step 1: Purchase an SSL certificate
Purchase a certificate
Visit the Buy Now page of the Certificate Management Service console.
Select specifications for the certificate that you want to purchase based on your business requirements.
Parameter
Description
Example
Certificate Type
Specify the type of the domain name to which you want to bind the certificate. Valid values:
Single Domain: If you select this value, you can bind the certificate to a single domain name. For example, if you bind the certificate to aliyundoc.com, the certificate is automatically applied to www.aliyundoc.com free of charge.
Wildcard Domain: If you have multiple servers that use wildcard subdomains at the same level, you need to purchase and install only one certificate. You do not need to purchase and install a certificate for each subdomain.
The following list describes the matching rules of a wildcard domain name:
Only subdomains at the same level can be matched. Subdomains at different levels cannot be matched. For example, if you bind the certificate to *.aliyundoc.com, subdomains such as demo.aliyundoc.com and learn.aliyundoc.com are matched. Subdomains such as guide.demo.aliyundoc.com and developer.demo.aliyundoc.com are not matched.
If the parent domain name of a wildcard domain name is a first-level domain name, the certificate bound to the wildcard domain name is automatically applied to the parent domain name free of charge. For example, if you apply for a certificate bound to *.aliyundoc.com, the certificate is automatically applied to aliyundoc.com free of charge. If you apply for a certificate bound to *.demo.aliyundoc.com, the certificate is not applied to the demo.aliyundoc.com or aliyundoc.com domain name free of charge.
You can apply for a certificate bound to one wildcard domain name. You cannot apply for a certificate bound to multiple wildcard domain names. If you want to bind multiple wildcard domain names to a certificate, you can combine multiple certificates of the same brand and type to generate a multi-domain wildcard certificate. For more information, see Combine certificates.
Multiple Domains: If you select this value, you can bind multiple single domain names to the certificate. You can bind up to five single domain names to a certificate.
Single Domain
Brand
Select a certificate brand. The certificate brand is the certificate authority (CA) that issues the certificate to you.
For more information about certificate brands, see Select an SSL certificate.
Digicert
Certificate Specifications
Select a specification for the certificate.
For more information about certificate specifications, see Select an SSL certificate.
DV SSL
Domain Names
This parameter is required only if you set the Certificate Type parameter to Multiple Domains. Specify the number of domain names to which you want to bind the certificate.
1
Quantity
Specify the number of certificates that you want to purchase. The default value is 1 and cannot be changed. If you want to purchase multiple certificates, configure the Service Duration parameter. For example, if you set the Service Duration parameter to 2 Years, two certificates are provided. Each certificate has a validity period of one year.
1
Service Duration
Select the validity period of the certificate service. Valid values:
1 Year: You can use the certificate service for one year. The service provides a certificate whose validity period is one year. The default validity period of a certificate is one year. After a certificate expires, you must place a new order to purchase a new certificate.
2 Years: You can use the certificate service for two years. The certificate service provides two certificates and a hosting quota of 1. Each certificate has a validity period of one year.
For more information about the certificate hosting feature, see Overview.
3 Years: You can use the certificate service for three years. The certificate service provides three certificates and a hosting quota of 2. Each certificate has a validity period of one year.
1 Year
Click Buy Now and complete the payment.
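The single-domain and wildcard coverage rules from the Certificate Type description above, written as a shell check that you can run over your hostnames before you choose a certificate type. This is an added example, not part of the original topic: cert_covers and uncovered are hypothetical names, a first-level domain name is assumed to be a name with exactly two labels (which does not hold for suffixes such as co.uk), and the www rule is assumed to apply to any single bound name.

```shell
#!/bin/sh
# Added example: coverage rules for Single Domain and Wildcard Domain
# certificates as described in this topic. Function names are hypothetical.

# cert_covers BOUND HOST: return 0 if a certificate bound to BOUND covers HOST.
cert_covers() {
    bound=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$bound" in
        \*.*)
            parent=${bound#\*.}
            if [ "$host" = "$parent" ]; then
                # The parent is covered only if it is a first-level domain
                # name (assumption: exactly two labels).
                case "$parent" in
                    *.*.*) return 1 ;;
                    *.*)   return 0 ;;
                    *)     return 1 ;;
                esac
            fi
            case "$host" in
                *".$parent") label=${host%".$parent"} ;;
                *)           return 1 ;;
            esac
            # Exactly one non-empty label may stand in for the asterisk.
            case "$label" in
                ""|*.*) return 1 ;;
                *)      return 0 ;;
            esac ;;
        *)
            # Single domain: the bound name itself and its www. name.
            [ "$host" = "$bound" ] || [ "$host" = "www.$bound" ] ;;
    esac
}

# uncovered BOUND HOST...: print each HOST that the certificate does not cover.
uncovered() {
    b=$1; shift
    for h in "$@"; do
        cert_covers "$b" "$h" || echo "$h"
    done
}
```

For example, `uncovered '*.aliyundoc.com' demo.aliyundoc.com guide.demo.aliyundoc.com aliyundoc.com` prints only guide.demo.aliyundoc.com, which needs its own certificate.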
Submit a certificate application
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the Official Certificate tab of the SSL Certificates page, find the certificate for which you want to apply and click Apply for Certificate in the Actions column.
In the Apply for Certificate panel, configure parameters based on your business requirements, select the Quick Issue check box, and then click Submit.
Parameter
Description or example
Certificate Type
Single Domain
Certificate Specifications
digicert DV
Domain Name
Enter the domain name of the Node.js simple application server to which you want to bind the certificate. Example: aliyundoc.com.
Validity Period (Years)
1
Quick Issue
Domain Verification Method
If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Certificate Management Service automatically identifies the domain name when you apply for a certificate. Automatic DNS Verification is automatically selected and cannot be changed. Wait for the certificate to be issued.
If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods to verify the ownership of the domain name:
Manual DNS Verification: You must manually add a TXT record for your domain name in the system of your DNS service provider to complete the verification.
File Verification: You must manually download a dedicated verification file from the Certificate Management Service console and upload the file to the required verification directory of your web server.
Contact
In the Contact drop-down list, click Create Contact to create a contact for the certificate application. You can also select an existing contact.
Make sure that your contact information is accurate and valid.
Location
Select the city or region of the certificate applicant.
Encryption Algorithm
Specify the encryption algorithm of the certificate. The default value is RSA and cannot be changed. The Rivest-Shamir-Adleman (RSA) algorithm is a widely used asymmetric algorithm that provides high compatibility.
CSR Generation
Specify the method to generate a Certificate Signing Request (CSR) file. A CSR file is the request file that contains server and company information of the certificate applicant. When you apply for a certificate, you must prepare a CSR file for the CA to review.
If you select Automatic, Certificate Management Service uses the encryption algorithm that you configured to generate a CSR file.
If the Domain Verification Method parameter is set to Automatic DNS Verification, the system completes DNS verification, and you only need to wait for the certificate to be issued. If the Domain Verification Method parameter is set to Manual DNS Verification or File Verification, you must manually verify the ownership of the domain name based on the Verify Information parameter. For more information and common errors, see Verify the ownership of a domain name.
After you submit the application, wait approximately 30 minutes for the CA to review your application and issue the certificate. After the certificate is issued, the status of the certificate changes to Issued.
Step 2: Configure the SSL certificate
After the certificate is issued, the status of the certificate changes to Issued. You must download and configure the certificate. For more information about certificate deployment and installation, see Installation overview.
Download the SSL certificate.
In the left-side navigation pane, choose .
On the Deployment to Cloud Servers page, click Create Task and perform the following steps:
In the Configure Basic Information step, specify a task name and click Next.
In the Select Certificate step, select a certificate type and the SSL certificate that you want to associate with the simple application server, and then click Next.
In the Select Resource step, select the simple application server and resources to which you want to deploy the certificate and click Next.
The system automatically identifies and pulls all simple application servers that have web applications deployed in the current Alibaba Cloud account. If the corresponding resources are still not displayed after you synchronize cloud resources, check whether web applications such as NGINX and Apache are deployed on the simple application server.
If a certificate has been deployed to a simple application server before, the system displays the name of the deployed certificate.
In the Deployment Configuration step, configure parameters to deploy the certificate to the simple application server and click OK. The following table describes the parameters.
Important: If no configuration path for the certificate exists on the simple application server, the system automatically creates a configuration path for the certificate. The path configured in the Certificate Management Service console must be consistent with the path to the certificate-related file configured in the web application of the simple application server.
Option
Description
Example
Certificate Path
The absolute path to the certificate on the simple application server.
/data/cert/certpublic.crt
Private Key Path
The absolute path to the private key file of the certificate on the simple application server.
/data/cert/cert.key
Certificate Chain Path
The absolute path to the certificate chain file on the simple application server.
/data/cert/certchain.crt
Reload Command
After the certificate is deployed, you must restart the web application on the simple application server or reload the application configuration file for the certificate to take effect. Therefore, you must configure a restart or reload command for the web application.
Important: A service startup failure may occur when you execute the restart or reload command. If a service startup failure occurs, go to the corresponding simple application server to troubleshoot the issue.
None
In the message that appears, click OK.
Configure the SSL certificate.
Connect to the simple application server. For more information, see Connect to a Linux server.
Run the following command to modify the vhost.conf file:
Note: In this example, Apache is installed on a WordPress 5.8 server. The configuration file path and name vary based on the environment. Use the path and name that apply to your environment.
sudo vim /etc/httpd/conf.d/vhost.conf
Press the I key to enter Insert mode.
Add the following code to the configuration file:
Before you add the sample code, modify the following parameters in the code:
ServerName: the domain name of the simple application server. Example: example.com.
DocumentRoot: the root path to the application. Example: /data/wwwroot/wordpress.
Directory: the path to the application. Example: /data/wwwroot/wordpress.
SSLCertificateFile: the path to the public key file. Example: /data/cert/certpublic.crt.
SSLCertificateKeyFile: the path to the private key file. Example: /data/cert/cert.key.
SSLCertificateChainFile: the path to the certificate chain file. Example: /data/cert/certchain.crt.
Important: To ensure that your website can be accessed over HTTPS, you must correctly specify the paths of the certificate files.
The following sample code provides an example of the content of the modified configuration file:
#-----HTTPS/SSL template start------------
<VirtualHost *:443>
    # Bind a domain name to the server.
    ServerName example.com
    DocumentRoot "/data/wwwroot/wordpress"
    #ErrorLog "logs/example.com-error_log"
    #CustomLog "logs/example.com-access_log" common
    <Directory "/data/wwwroot/wordpress">
        Options Indexes FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    # Configure an SSL certificate. Make sure that the paths in the configuration file are the same as the paths where the certificate files are deployed.
    SSLCertificateFile /data/cert/certpublic.crt
    SSLCertificateKeyFile /data/cert/cert.key
    SSLCertificateChainFile /data/cert/certchain.crt
</VirtualHost>
#-----HTTPS template end------------
#--------------HTTPS/SSL end-----
(Conditionally required) If you want to enable automatic redirection from HTTP requests to HTTPS requests, add the following code to the <VirtualHost *:80> code block:
#----------HTTP for WordPress Start--------
<VirtualHost *:80>
    ServerName example.com
    #ServerAlias example.com
    DocumentRoot "/data/wwwroot/wordpress"
    ErrorLog "logs/wordpress-error_log"
    CustomLog "logs/wordpress-access_log" common
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    <Directory "/data/wwwroot/wordpress">
        Options Indexes FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
#----------HTTP for WordPress End--------
Press Esc, enter :wq!, and then press Enter to save the file and exit the edit mode.
Run the following command to restart the httpd service:
sudo systemctl restart httpd
Run the following command to restart the database:
sudo service mysqld restart
Step 3: Check whether the SSL certificate is installed
Specify the HTTPS domain name on WordPress.
Log on to WordPress.
For information about how to obtain the URL and the username and password of the WordPress administrator account, see Step 2: Configure the application.
In the left-side navigation pane, choose .
In the WordPress Address (URL) and Site Address (URL) fields, enter the domain name that is bound and resolved. In this topic, https://example.com is used.
Click Save Changes.
Note: After you modify the WordPress Address (URL) and Site Address (URL) fields, the administrator logon address changes to https://example.com/wp-login.php. Remember to change example.com to your actual domain name.
Use a browser to access https://<Domain name of the simple application server>.
If a lock icon appears in the address bar of the browser, the SSL certificate is installed.
If you cannot access the website over HTTPS, you can use the following methods to troubleshoot the issue:
Check whether port 443 is enabled and not blocked on the simple application server on which you install the SSL certificate. For more information about how to allow port 443, see Manage the firewall of a simple application server.
Check whether an ICP filing is obtained for the domain name. If the domain name is resolved to a website that is hosted on a server in the Chinese mainland, make sure that an ICP filing is obtained for the domain name. For more information, see What is an ICP filing?
Check whether the certificate file paths are correctly specified. Make sure that the paths in the configuration file are the same as the paths that are used to upload the certificate files. For more information, see Configure the SSL certificate.
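The path check from the last troubleshooting item, together with the requirement in Step 2 that the deployed paths match the paths in the web application configuration, as a script that you can run before you restart httpd. This is an added example, not part of the original topic: vhost_value and check_vhost_tls are hypothetical names, the private key permission check is an addition that the topic does not describe, and paths that contain spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the original page. The directive names are the ones
# in the sample vhost.conf; the function names are hypothetical.
# Usage: . ./check_vhost_tls.sh && check_vhost_tls /etc/httpd/conf.d/vhost.conf

# vhost_value DIRECTIVE CONF: first uncommented value, quotes stripped.
vhost_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# check_vhost_tls CONF: print one line per finding; return 0 only if clean.
check_vhost_tls() {
    conf=$1
    bad=0
    [ -r "$conf" ] || { echo "FAIL unreadable config: $conf"; return 1; }
    [ "$(vhost_value SSLEngine "$conf" | tr 'A-Z' 'a-z')" = "on" ] ||
        { echo "FAIL SSLEngine is not on"; bad=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        p=$(vhost_value "$d" "$conf")
        # A swapped certificate and key path is caught by the PEM header.
        case "$d" in
            *KeyFile) marker='PRIVATE KEY-----' ;;
            *)        marker='-----BEGIN CERTIFICATE-----' ;;
        esac
        case "$p" in
            "") echo "FAIL $d is not set"; bad=1; continue ;;
            /*) ;;
            *)  echo "FAIL $d is not an absolute path: $p"; bad=1; continue ;;
        esac
        if [ ! -r "$p" ]; then
            echo "FAIL $d: missing or unreadable file $p"; bad=1
        elif ! grep -q -- "$marker" "$p"; then
            echo "FAIL $d: $p is not the expected PEM type"; bad=1
        else
            echo "OK   $d $p"
        fi
    done
    # The private key should not be accessible to group or others.
    key=$(vhost_value SSLCertificateKeyFile "$conf")
    if [ -f "$key" ] && [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL private key mode is too open: $key"; bad=1
    fi
    return "$bad"
}
```

Run it with the same privileges that you use to edit vhost.conf, because the private key is normally readable only by its owner.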
References
Different types of servers support different formats of SSL certificates. You can install an SSL certificate based on the server type. For more information, see Installation overview.