To encrypt traffic between clients and an Application Load Balancer (ALB) listener, associate an SSL/TLS certificate with the HTTPS listener. ALB Ingress supports three methods for certificate configuration: automatic certificate discovery, Kubernetes Secrets, and AlbConfig-level certificate binding.
Choose a method
| Method | Certificate storage | Certificate discovery | Cross-namespace use | Certificate renewal |
|---|---|---|---|---|
| Automatic discovery | Certificate Management Service | By domain name bound to the certificate | Yes | Upload a new certificate or renew the existing one in Certificate Management Service, then update the Ingress |
| Kubernetes Secret | Kubernetes Secret | By Secret name | No — limited to the Secret's namespace | Update the Secret |
| AlbConfig binding | Certificate Management Service | By certificate ID | — | — |
Use automatic discovery when your certificates are purchased or uploaded to Certificate Management Service and you want zero-touch binding based on domain names.
Use Kubernetes Secrets when you manage certificates inside the cluster, for example with cert-manager.
Use AlbConfig binding when you need explicit control over which certificate is bound to a specific listener, or when a listener is shared across multiple Ingresses.
An ALB instance supports a maximum of 25 certificates. The count includes all certificates associated with all listeners of the instance, including certificates attached through Ingresses. For details, see Methods to calculate ALB quotas.
Compatibility when methods are combined
| Combination | Behavior |
|---|---|
| Automatic discovery + Secret, same domain | The Secret certificate takes precedence |
| Automatic discovery + Secret, different domains | Each certificate is used for its respective domain |
| Automatic discovery + AlbConfig, same listener | Only the AlbConfig certificate is used |
| Secret + AlbConfig, same listener | Both certificates are used |
Prerequisites
Before you begin, ensure that you have:
- A trusted certificate obtained in one of the following ways:
  - Purchased from Certificate Management Service
  - Purchased from another certificate authority (CA)
  - (Optional) A self-signed certificate generated for testing. See Step 2: Generate a self-signed certificate (optional).
Overview
By default, an AlbConfig has an HTTP listener on port 80. You must add an HTTPS listener and configure a certificate. Without a certificate, the HTTPS listener becomes unavailable and the ALB Ingress controller fails.
Step 1: Add an HTTPS listener to the AlbConfig
1. Edit the AlbConfig:

   ```shell
   kubectl edit albconfig <albconfig-name>
   ```

2. Add a listener entry for port 443:

   ```yaml
   apiVersion: alibabacloud.com/v1
   kind: AlbConfig
   metadata:
     name: alb
   spec:
     config:
       addressAllocatedMode: Fixed
       addressType: Internet
       zoneMappings:
         - vSwitchId: vsw-bp19sXXXXXXX176iv
         - vSwitchId: vsw-bp1boXXXXXXXu74xz
     listeners:
       - port: 80
         protocol: HTTP
       - port: 443 # Adds the HTTPS listener; a certificate is required for this listener
         protocol: HTTPS
   ```
Step 2: Generate a self-signed certificate (optional)
Skip this step if you already have a certificate from Certificate Management Service or a CA.
Run the following OpenSSL commands to generate a self-signed certificate:

```shell
openssl genrsa -out albtop-key.pem 4096
openssl req -subj "/CN=demo.alb.ingress.top" -sha256 -new -key albtop-key.pem -out albtop.csr
echo subjectAltName = DNS:demo.alb.ingress.top > extfile.cnf
openssl x509 -req -days 3650 -sha256 -in albtop.csr -signkey albtop-key.pem -out albtop-cert.pem -extfile extfile.cnf
```

Expected output:

```text
Certificate request self-signature ok
subject=CN=demo.alb.ingress.top
```
Replace demo.alb.ingress.top with your domain name.
Self-signed certificates are not trusted by browsers or clients. Use them for testing only — not in production.
Step 3: Create sample resources
In addition to the AlbConfig, you need a Deployment, Service, IngressClass, and Ingress for the ALB Ingress to function.
1. Create a file named https-quickstart.yaml with the following content:

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: IngressClass
   metadata:
     name: https-ingressclass
   spec:
     controller: ingress.k8s.alibabacloud/alb
     parameters:
       apiGroup: alibabacloud.com
       kind: AlbConfig
       name: alb # Must match the name of your AlbConfig
   ---
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: https-ingress
   spec:
     ingressClassName: https-ingressclass
     rules:
       - host: demo.alb.ingress.top # Replace with your domain name
         http:
           paths:
             - backend:
                 service:
                   name: https-svc
                   port:
                     number: 443
               path: /
               pathType: Prefix
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: https-deploy
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: https-deploy
     template:
       metadata:
         labels:
           app: https-deploy
       spec:
         containers:
           - image: registry.cn-hangzhou.aliyuncs.com/acs-sample/old-nginx:latest
             imagePullPolicy: IfNotPresent
             name: https-deploy
             ports:
               - containerPort: 80
                 protocol: TCP
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: https-svc
   spec:
     ports:
       - name: port1
         port: 443
         protocol: TCP
         targetPort: 80
     selector:
       app: https-deploy
     sessionAffinity: None
     type: ClusterIP
   ```

2. If the AlbConfig has both HTTP and HTTPS listeners, add the listen-ports annotation to the Ingress:

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: https-ingress
     annotations:
       alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
   spec:
     # ...
   ```

3. Apply the resources:

   ```shell
   kubectl apply -f https-quickstart.yaml
   ```
Step 4: Configure certificates
Choose one of the following methods.
Method 1: Automatic certificate discovery
Use this method when the certificate is already in Certificate Management Service and you want the ALB Ingress controller to discover it automatically by matching the domain name.
1. Upload the certificate to Certificate Management Service. For details, see Upload an SSL certificate.

2. Edit the Ingress:

   ```shell
   kubectl edit ingress https-ingress
   ```

3. Add the tls field with the domain name bound to the certificate:

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: https-ingress
     namespace: default
   spec:
     ingressClassName: https-ingressclass # The IngressClass created in Step 3
     rules:
       - host: demo.alb.ingress.top
         http:
           # ...
     tls:
       - hosts:
           # Set the value to the domain name bound to the certificate.
           # It must be the same as the domain name in the "rules: host" field.
           - demo.alb.ingress.top
   ```
After this is configured, the ALB instance automatically creates an HTTPS:443 listener.
Method 2: Kubernetes Secret
Use this method when you manage certificates inside the cluster, for example with cert-manager.
1. Encode the certificate and key files in Base64. Encode the files directly so that the PEM line breaks are preserved (passing the file contents through an unquoted command substitution would replace the line breaks with spaces and corrupt the key):

   ```shell
   base64 < albtop-key.pem
   base64 < albtop-cert.pem
   ```

   Create a file named https-secret.yaml and replace the placeholder values with the Base64-encoded output:

   ```yaml
   apiVersion: v1
   kind: Secret
   metadata:
     name: https-secret
   type: kubernetes.io/tls
   data:
     tls.key: |
       <base64-encoded-albtop-key.pem>
     tls.crt: |
       <base64-encoded-albtop-cert.pem>
   ```

   Apply the Secret:

   ```shell
   kubectl apply -f https-secret.yaml
   ```

2. Edit the Ingress:

   ```shell
   kubectl edit ingress https-ingress
   ```

3. Add the tls field with the Secret name and domain name:

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     name: https-ingress
     namespace: default
   spec:
     ingressClassName: https-ingressclass # The IngressClass created in Step 3
     rules:
       - host: demo.alb.ingress.top
         http:
           # ...
     tls:
       - hosts:
           - demo.alb.ingress.top # Must match rules.host exactly
         secretName: https-secret # References the Secret that holds the certificate
   ```

After you configure the Secret, the certificate is automatically uploaded to Certificate Management Service under the name default-https-secret-******. The ALB instance automatically creates an HTTPS:443 listener.
Method 3: AlbConfig binding
Use this method when you need to bind a specific certificate to a listener by its certificate ID. When a certificate is bound at the listener level, the Ingress no longer uses automatic certificate discovery for that listener.
1. Upload the certificate to Certificate Management Service. For details, see Upload and share an SSL certificate.

2. Get the certificate ID:
   1. Log on to the Certificate Management Service console.
   2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.
   3. On the SSL Certificate Management page, click the Manage Uploaded Certificates tab.
   4. Find the certificate, click More in the Actions column, and view the CertIdentifier field in the Certificate Details panel.

3. Edit the AlbConfig to bind the certificate to the HTTPS listener:

   ```shell
   kubectl edit albconfig <albconfig-name>
   ```

   ```yaml
   apiVersion: alibabacloud.com/v1
   kind: AlbConfig
   metadata:
     name: alb
   spec:
     config:
       addressType: Intranet
       name: xiaosha-alb-test
     listeners:
       - port: 80
         protocol: HTTP
       - port: 443
         protocol: HTTPS
         certificates:
           - CertificateId: 756****-cn-hangzhou # The certificate ID from CertIdentifier
             IsDefault: true # Marks this as the default certificate for the listener
   ```

4. Edit the Ingress to add the listener port annotation:

   ```shell
   kubectl edit ingress https-ingress
   ```

   ```yaml
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     annotations:
       alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' # Add {"HTTP": 80} to also handle HTTP traffic
     name: https-ingress
   spec:
     ingressClassName: https-ingressclass
     rules:
       - host: demo.alb.ingress.top
         http:
           paths:
             - backend:
                 service:
                   name: https-svc
                   port:
                     number: 443
               path: /
               pathType: Prefix
   ```
After the AlbConfig is updated, the ALB instance automatically creates an HTTPS:443 listener.
Step 5: Verify the result
1. Get the Ingress address:

   ```shell
   kubectl get ingress
   ```

   Expected output:

   ```text
   NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
   https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
   ```

   Note the values in the HOSTS and ADDRESS columns.

2. Send an HTTPS request to the backend Service:

   ```shell
   curl -H "Host: demo.alb.ingress.top" -k https://alb-********.alb.aliyuncs.com
   ```

   Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values from the previous step. If the certificate is configured correctly, the command returns:

   ```text
   old
   ```
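The following Go program is an added example; it is not part of this page or of the ALB Ingress controller's code. It ties together Step 2, Method 2 and Step 5: it generates a self-signed certificate whose SAN is the demo domain, Base64-encodes the PEM files exactly as they go under data: in the Secret, decodes them again the way a controller would to confirm that the key matches the certificate and that the SAN covers every host in spec.tls, and finally performs the certificate verification that curl -k skips. The function names, the SecretData type and the use of an ECDSA P-256 key (instead of RSA 4096) are the example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// SecretData holds the two entries of a kubernetes.io/tls Secret, Base64-encoded as under "data:".
type SecretData struct {
	TLSCrt string // data["tls.crt"]
	TLSKey string // data["tls.key"]
}

// selfSigned mirrors the Step 2 OpenSSL commands (CN=host, subjectAltName = DNS:host, 3650 days).
// Assumption of this example: an ECDSA P-256 key instead of RSA 4096, to keep it fast.
func selfSigned(host string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // clients match on the SAN, not on the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// toSecretData encodes the complete PEM files, line breaks included, as "base64 < file" does.
func toSecretData(certPEM, keyPEM []byte) SecretData {
	return SecretData{
		TLSCrt: base64.StdEncoding.EncodeToString(certPEM),
		TLSKey: base64.StdEncoding.EncodeToString(keyPEM),
	}
}

// checkSecretForHosts decodes a Secret the way a controller would and checks what the HTTPS
// listener needs: intact PEM, a key matching the certificate, and a SAN covering spec.tls.hosts.
func checkSecretForHosts(s SecretData, hosts []string) (*x509.Certificate, error) {
	certPEM, errCrt := base64.StdEncoding.DecodeString(s.TLSCrt)
	keyPEM, errKey := base64.StdEncoding.DecodeString(s.TLSKey)
	if errCrt != nil || errKey != nil {
		return nil, fmt.Errorf("tls.crt or tls.key is not valid Base64")
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // fails on corrupt PEM or a key/cert mismatch
	if err != nil {
		return nil, fmt.Errorf("tls.crt and tls.key do not form a key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return nil, err
	}
	for _, h := range hosts {
		if err := leaf.VerifyHostname(h); err != nil {
			return nil, fmt.Errorf("host %q is not covered by the certificate: %w", h, err)
		}
	}
	return leaf, nil
}

// verifyAsClient performs the check that "curl -k" in Step 5 skips: chain verification against
// a trusted root (here the self-signed certificate itself, as with --cacert) for serverName.
func verifyAsClient(leaf *x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	const host = "demo.alb.ingress.top" // the demo domain used throughout the page
	certPEM, keyPEM, err := selfSigned(host)
	if err != nil {
		panic(err)
	}
	leaf, err := checkSecretForHosts(toSecretData(certPEM, keyPEM), []string{host})
	if err != nil {
		panic(err)
	}
	fmt.Println("verification for", host+":", verifyAsClient(leaf, host))
	fmt.Println("verification for other.example.com:", verifyAsClient(leaf, "other.example.com"))
}
```

Run with go run: the first verification succeeds and the second reports a hostname mismatch, because only the name in the SAN is accepted. Against the real ALB address from Step 5 the same verification is what you get by replacing -k with --cacert albtop-cert.pem and connecting through the domain name (curl --connect-to demo.alb.ingress.top:443:alb-********.alb.aliyuncs.com:443) so that the SNI and the certificate name both match.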
What's next
- To receive requests from clients that use the HTTP/3 protocol, see Use QUIC listeners to support HTTP/3 and improve network performance.
- To enable HTTPS mutual authentication on a listener, see Use HTTPS mutual authentication to enhance service security.