ApsaraDB for ClickHouse: Enable HTTPS

Last Updated: Mar 28, 2026

ApsaraDB for ClickHouse supports HTTPS connections to encrypt data in transit. This topic describes how to enable HTTPS for clusters that require it.

HTTPS is automatically enabled for clusters of version 20.8 or later created after December 1, 2021. If your cluster was created after that date, no action is required—skip to Connect to an ApsaraDB for ClickHouse cluster over HTTPS.

Limitations

Only ApsaraDB for ClickHouse clusters of version 20.8 or later support HTTPS.

Before you begin

Before enabling HTTPS, review the following:

| Consideration | Details |
| --- | --- |
| Supported SSL/TLS versions | ApsaraDB for ClickHouse supports SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. |
| Cluster restart | The cluster restarts after you enable HTTPS. Plan for approximately 1 minute of downtime. |
| Performance impact | HTTPS increases network latency and CPU utilization compared to unencrypted connections. |
| When to use HTTPS | Enable HTTPS when connecting over the Internet and your workload requires encryption. For VPC connections, the network is already isolated and HTTPS is typically not required. |
| Protocol compatibility | After HTTPS is enabled, other protocols remain available. |
| CA certificate | Both the public endpoint and VPC endpoint use the same CA certificate. Downloading it is free. The certificate is valid until December 25, 2031. |
| HTTPS port | 8443 |

Enable HTTPS

Prerequisites

Before you begin, make sure that:

  • Your cluster runs version 20.8 or later

  • Your cluster was created before December 1, 2021 (clusters created after that date already have HTTPS enabled)

Procedure

  1. Log on to the ApsaraDB for ClickHouse console.

  2. On the Clusters page, click the Clusters of Community-compatible Edition tab, find your cluster, and click its ID.

  3. On the Cluster Information page, click Enable HTTPS Protocol.

  4. In the Note dialog, click OK. The cluster state changes to Restarting. Wait approximately 1 minute for the state to change to Running. HTTPS is enabled when the cluster returns to the Running state.

  5. Click Download CA Certificate to download the SSL CA certificate package. The downloaded file is ClickHouse-CA-Chain.pem. Use this file to import CA certificates to other systems or applications.
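Because the cluster also accepts SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, the protocol floor has to be set on the client. The following Python sketch is an added example, not Alibaba Cloud's code: it trusts only the downloaded ClickHouse-CA-Chain.pem, refuses anything below TLS 1.2, and sends a query to port 8443. The X-ClickHouse-User and X-ClickHouse-Key headers come from the ClickHouse HTTP interface; the environment variable names are hypothetical.

```python
import os
import ssl
import urllib.request

HTTPS_PORT = 8443                      # HTTPS port stated on this page
CA_FILE = "ClickHouse-CA-Chain.pem"    # file name from step 5 of the procedure


def make_tls_context(ca_file=None):
    """Client context that trusts only ca_file and refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no SSL 3.0 / TLS 1.0 / TLS 1.1
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)   # raises OSError if the file is missing
    return ctx   # with no CA loaded, every handshake fails closed


def ca_expiry(ctx):
    """Return (subject, notAfter) for each loaded CA, to track the bundle's expiry."""
    return [(ca.get("subject"), ca.get("notAfter")) for ca in ctx.get_ca_certs()]


def build_request(host, user, password, sql):
    """POST the query; credentials travel in headers, not in the URL."""
    return urllib.request.Request(
        f"https://{host}:{HTTPS_PORT}/",
        data=sql.encode("utf-8"),
        headers={"X-ClickHouse-User": user, "X-ClickHouse-Key": password},
        method="POST",
    )


def run_query(host, user, password, sql, ca_file=CA_FILE, timeout=10):
    """Run one query over HTTPS, verifying the server against ca_file only."""
    ctx = make_tls_context(ca_file)
    req = build_request(host, user, password, sql)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # CH_HOST, CH_USER and CH_PASSWORD are hypothetical environment variable names.
    print(run_query(os.environ["CH_HOST"], os.environ["CH_USER"],
                    os.environ["CH_PASSWORD"], "SELECT version()"))
```

A handshake failure from this client means the endpoint presented a certificate outside the downloaded chain or negotiated a protocol below TLS 1.2; investigate either case rather than relaxing verification.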

What's next

After enabling HTTPS, connect to your cluster over HTTPS using port 8443: