Simple Application Server:Install an SSL certificate in a WordPress runtime

Step 1: Purchase an SSL certificate

Purchase a certificate

1. Visit the Buy Now page of the Certificate Management Service console.

2. Select specifications for the certificate that you want to purchase based on your business requirements.

   Parameter	Description	Example
   Certificate Type	Specify the type of the domain name to which you want to bind the certificate. Valid values: Single Domain: If you select this value, you can bind the certificate to a single domain name. For example: if you bind the certificate to aliyundoc.com, the certificate is automatically applied to www.aliyundoc.com free of charge. Wildcard Domain: If you have multiple servers that use wildcard subdomains at the same level, you must purchase and install only one certificate. You do not need to purchase and install a certificate for each subdomain. The following list describes the matching rules of a wildcard domain name: Only subdomains at the same level can be matched. Subdomains at different levels cannot be matched. For example, if you bind the certificate to *.aliyundoc.com, subdomains such as demo.aliyundoc.com and learn.aliyundoc.com are matched. Subdomains such as guide.demo.aliyundoc.com and developer.demo.aliyundoc.com are not matched. If the parent domain name of a wildcard domain name is a first-level domain name, the certificate bound to the wildcard domain name is automatically applied to the parent domain name free of charge. For example, if you apply for a certificate bound to *.aliyundoc.com, the certificate is automatically applied to aliyundoc.com free of charge. If you apply for a certificate bound to *.demo.aliyundoc.com, the certificate is not applied to demo.aliyundoc.com or aliyundoc.com domain name free of charge. You can apply for a certificate bound to one wildcard domain name. You cannot apply for a certificate bound to multiple wildcard domain names. If you want to bind a certificate to multiple wildcard domain names, you can combine multiple certificates of the same brand and type to generate a multi-domain wildcard certificate. For more information, see Combine certificates. Multiple Domains: If you select this value, you can bind the certificate to multiple single domain names. You can bind a certificate to up to five single domain names.	Single Domain
   Brand	Select a certificate brand. The certificate brand is the certificate authority (CA) that issues the certificate to you. For more information about certificate brands, see Select an SSL certificate.	Digicert
   Certificate Specifications	Select a specification for the certificate. For more information about certificate specifications, see Select an SSL certificate.	DV SSL
   Domain Names	This parameter is required only if you set the Certificate Type parameter to Multiple Domains. Specify the number of domain names to which you want to bind the certificate.	1
   Quantity	Specify the number of certificates that you want to purchase. The default value is 1 and cannot be changed. If you want to purchase multiple certificates, configure the Service Duration parameter. For example, if you set the Service Duration parameter to 2 Years, two certificates are provided. Each certificate has a validity period of one year.	1
   Service Duration	Select the validity period of the certificate service. Valid values: 1 Year: You can use the certificate service for one year. The service provides a certificate whose validity period is one year. The default validity period of a certificate is one year. After a certificate expires, you must place a new order to purchase a new certificate. 2 Years: You can use the certificate service for two years. The certificate service provides two certificates and a hosting quota of 1. Each certificate has a validity period of one year. For more information about the certificate hosting feature, see Overview. 3 Years: You can use the certificate service for three years. The certificate service provides three certificates and a hosting quota of 2. Each certificate has a validity period of one year.	1 Year

3. Click Buy Now and complete the payment.

Submit a certificate application

1. Log on to the Certificate Management Service console.

2. In the left-side navigation pane, click SSL Certificates.

3. On the Manage Certificates tab of the SSL Certificates page, find the certificate for which you want to apply and click Apply for Certificate in the Actions column.

4. In the Apply for Certificate panel, configure parameters based on your business requirements, select the Quick Issue check box, and then click Submit.

   Parameter		Description or example
   Certificate Type		Single Domain
   Certificate Specifications		digicert DV
   Domain Name		Enter the domain name of the Node.js simple application server to which you want to bind the certificate. Example: aliyundoc.com.
   Validity Period (Years)		1
   Quick Issue	Domain Verification Method	If Alibaba Cloud DNS is activated within the Alibaba Cloud account of the certificate applicant, Certificate Management Service automatically identifies the domain name when you apply for a certificate. Automatic DNS Verification is automatically selected and cannot be changed. Wait for the certificate to be issued. If Alibaba Cloud DNS is not activated within the Alibaba Cloud account of the certificate applicant, you can use one of the following methods to verify the ownership of the domain name: Manual DNS Verification: You must manually add a TXT record for your domain name in the system of your DNS service provider to complete the verification. File Verification: You must manually download a dedicated verification file from the Certificate Management Service console and upload the file to the required verification directory of your web server.
   	Contact	In the Contact drop-down list, click Create Contact to create a contact for the certificate application. You can also select an existing contact. Make sure that your contact information is accurate and valid.
   	Location	Select the city or region of the certificate applicant.
   	Encryption Algorithm	Specify the encryption algorithm of the certificate. The default value is RSA and cannot be changed. The Rivest-Shamir-Adleman (RSA) algorithm is a widely used asymmetric algorithm that provides high compatibility.
   	CSR Generation	Specify the method to generate a Certificate Signing Request (CSR) file. A CSR file is the request file that contains server and company information of the certificate applicant. When you apply for a certificate, you must prepare a CSR file for the CA to review. If you select Automatic, Certificate Management Service uses the encryption algorithm that you configured to generate a CSR file.

5. If the Domain Verification Method parameter is set to Automatic DNS Verification, the system completes DNS verification, and you only need to wait for the certificate to be issued. If the Domain Verification Method parameter is set to Manual DNS Verification or File Verification, you must manually verify the ownership of the domain name based on the Verify Information parameter. For more information and common errors, see Verify the ownership of a domain name.

   After you submit the application, wait approximately 30 minutes for the CA to review your application and issue the certificate. After the certificate is issued, the status of the certificate changes to Issued.

Step 2: Configure the SSL certificate

After the certificate is issued, the status of the certificate changes to Issued. You must download and configure the certificate. For more information about certificate deployment and installation, see Installation overview.

1. Download the SSL certificate.

   1. In the left-side navigation pane, choose Deployment and Resource Management > Deployment to Cloud Servers.

   2. In the Deployment to Cloud Servers page, click Create Task, and follow the steps below to deploy the SSL certificate.

      1. In the Select Certificate step, select the desired SSL certificate and click Next.

         In each deployment task, you can upload only one SSL certificate to the corresponding server. If you want to deploy multiple SSL certificates, you must create multiple deployment tasks.

         Parameter	Description
         Task Name	The name of the custom deployment task.
         Certificate Type	The type of the certificate. In this example, Paid Certificate is selected.

      2. In the Select Resource step, select the simple application server and resources that you want to use and click Next.

         

         • The system automatically identifies and pulls all simple application servers that have web applications deployed under the current Alibaba Cloud account. If the corresponding resources are not found, click Synchronize Cloud Resources in the upper-right corner of the resource list. If the corresponding resources are still not displayed after you synchronize cloud resources, check whether web applications such as NGINX and Apache are deployed on the simple application server.

         • If a certificate has been deployed to a simple application server before, the system displays the name of the deployed certificate.

      3. In the Task Deployment step, configure the parameters described in the following table and click OK.

         Important

         If no configuration path for the certificate exists on the simple application server, the system automatically creates a configuration path for the certificate.

         Parameter	Description	Example
         Certificate Path	The absolute path to the certificate on the simple application server.	/data/cert/certpublic.crt
         Private Key Path	The absolute path to the private key file of the certificate on the simple application server.	/data/cert/cert.key
         Certificate Chain Path	The absolute path to the certificate chain file on the simple application server.	/data/cert/certchain.crt
         Reload Command	After the certificate is deployed, you must restart the web application on the simple application server or reload the application configuration file for the certificate to take effect. Therefore, you must configure a restart or reload command for the web application. Important A service startup failure may occur when you execute the restart or reload command. If a service startup failure occurs, go to the corresponding simple application server to troubleshoot the issue.	None

      4. In the message that appears, click OK.

2. Configure the SSL certificate.

   1. Connect to the simple application server. For more information, see Connect to a Linux server.

   2. Run the following command to modify the vhost.conf file:

      Note

      In this example, Apache is installed on a WordPress 5.8 server. The configuration file path and name vary based on environments. Your actual environment shall prevail.

      sudo vim /etc/httpd/conf.d/vhost.conf

   3. Press the I key to enter Insert mode.

   4. Add the following code to the configuration file:

      Before you add the sample code, modify the following parameters in the code:

      • ServerName: the domain name of the simple application server. Example: example.com.

      • DocumentRoot: the root path to the application. Example: /data/wwwroot/wordpress.

      • Directory: the path to the application. Example: /data/wwwroot/wordpress.

      • SSLCertificateFile: the path to the public key file. Example: /data/cert/certpublic.crt.

      • SSLCertificateKeyFile: the path to the private key file. Example: /data/cert/cert.key.

      • SSLCertificateChainFile: the path to the certificate chain file. Example: /data/cert/certchain.crt.

      Important

      To ensure that your website can be accessed over HTTPS, you must correctly specify the paths of the certificate files.

      The following sample code provides an example of the content of the modified configuration file:

      #-----HTTPS/SSL template start------------
      <VirtualHost *:443>
      # Bind a domain name to the server.
      ServerName  example.com
      DocumentRoot "/data/wwwroot/wordpress"
      #ErrorLog "logs/example.com-error_log"
      #CustomLog "logs/example.com-access_log" common
      <Directory "/data/wwwroot/wordpress">
      Options Indexes FollowSymlinks
      AllowOverride All
      Require all granted
      </Directory>
      SSLEngine on
      # Configure an SSL certificate. Make sure that the paths in the configuration file are the same as the paths where the certificate files are deployed. 
      SSLCertificateFile  /data/cert/certpublic.crt
      SSLCertificateKeyFile  /data/cert/cert.key
      SSLCertificateChainFile  /data/cert/certchain.crt
      </VirtualHost>
      #-----HTTPS template end------------
      #--------------HTTPS/SSL end-----

   5. (Conditionally required) If you want to enable automatic redirection from HTTP requests to HTTPS requests, add the following code to the <VirtualHost *:80> code block:

      #----------HTTP for WordPress Start--------
      <VirtualHost *:80>
          ServerName example.com
          #ServerAlias example.com
          DocumentRoot "/data/wwwroot/wordpress"
          ErrorLog "logs/wordpress-error_log"
          CustomLog "logs/wordpress-access_log" common
          RewriteEngine on
          RewriteCond %{SERVER_PORT} !^443$
          RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
          <Directory "/data/wwwroot/wordpress">
              Options Indexes FollowSymlinks
              AllowOverride All
              Require all granted
          </Directory>
      </VirtualHost>
      
      #----------HTTP for WordPress End--------

   6. Press Esc, enter :wq!, and then press Enter to save the file and exit the edit mode.

   7. Run the following command to restart the httpd service:

      sudo systemctl restart httpd

   8. Run the following command to restart the database:

      sudo service mysqld restart

Step 3: Check whether the SSL certificate is installed

1. Specify the HTTPS domain name on WordPress.

   1. Log on to WordPress.

      For information about how to obtain the URL and the username and password of the WordPress administrator account, see Step 2: Configure the application.

   2. In the left-side navigation pane, choose Settings > General.

   3. In the WordPress Address (URL) and Site Address (URL) fields, enter the domain name that is bound and resolved. In this topic, https://example.com is used.

   4. Click Save Changes.

      Note

      After you modify the WordPress Address (URL) and Site Address (URL) fields, the administrator logon address changes to https://example.com/wp-login.php. Remember to change example.com to your actual domain name.

2. Use a browser to access https://<Domain name of the simple application server>.

   • If a lock icon appears in the address bar of the browser, the SSL certificate is installed.

   • If you cannot access the website over HTTPS, you can use the following methods to troubleshoot the issue:

     • Check whether port 443 is enabled and not blocked on the simple application server on which you install the SSL certificate. For more information about how to allow port 443, see Manage the firewall of a simple application server.

     • Check whether an ICP filing is obtained for the domain name. If the domain name is resolved to a website that is hosted on a server in the Chinese mainland, make sure that an ICP filing is obtained for the domain name. For more information, see What is an ICP filing?

     • Check whether the certificate file paths are correctly specified. Make sure that the paths in the configuration file are the same as the paths that are used to upload the certificate files. For more information, see Configure the SSL certificate.

References

Different types of servers support different formats of SSL certificates. You can install an SSL certificate based on the server type. For more information, see Installation overview.