OSS provides domain names that support HTTPS by default. When you use a custom domain name to access OSS, configure an SSL certificate for that domain to enable HTTPS encrypted transmission. This protects your data and helps meet compliance requirements.
How it works
HTTPS uses the TLS/SSL protocol to encrypt data end to end and uses a certificate chain to verify the server's identity. This ensures confidentiality, integrity, and authentication during data transmission. To enable HTTPS for OSS, configure a valid SSL certificate for your domain name in the correct location. The method depends on your domain type:
Bucket domain name: The format is <bucket-name>.oss-<region-id>.aliyuncs.com. Alibaba Cloud manages the SSL certificates for these domains, so they support HTTPS natively and no extra configuration is needed. Just use the https:// prefix to access them.
Custom domain name: You must configure an SSL certificate for the domain.
Enable HTTPS access
The location where you configure the certificate depends on whether CDN acceleration is enabled.
CDN is not enabled: Traffic goes directly to OSS. Configure certificate hosting for the custom domain name in the OSS console.
CDN is enabled: Traffic passes through CDN points of presence (POPs) before going to OSS. Configure an HTTPS certificate for the CDN-accelerated domain name in the CDN console.
Use either of the following methods to check whether CDN acceleration is enabled for your custom domain name:
OSS console
Go to the Buckets page and click the target bucket.
In the navigation pane on the left, click .
The domain list shows all domains mapped to the bucket. If Alibaba Cloud CDN shows Configured, manage its HTTPS certificate in the CDN console.
CDN console
Go to the CDN Domain Name List page to view configured and active CDN-accelerated domain names and their origin bucket information.
Step 1: Configure the SSL certificate
Choose the configuration method based on your custom domain name's traffic path.
OSS custom domain name
This applies when your custom domain name uses CNAME to resolve to an OSS bucket domain name.
Before you begin, make sure that you have mapped a custom domain name to an OSS bucket. You must also have a valid SSL certificate that matches the domain name in SSL Certificates Service. You can obtain a certificate by purchasing a new certificate, applying for a free certificate, or uploading a third-party certificate.
Go to the Buckets page. Click the target bucket. In the navigation pane on the left, click .
In the Actions column for the target custom domain name, click Upload Certificate. From the Certificate Name drop-down list, select a certificate.
Click Upload to finish configuring certificate hosting.
CDN-accelerated domain name
This applies when your CDN-accelerated domain name fetches content from an OSS bucket.
Before you begin, make sure that you have configured CDN acceleration for an OSS bucket and are using the accelerated domain name as the endpoint. You must also have a valid SSL certificate that matches the domain name in SSL Certificates Service. You can obtain a certificate by purchasing a new certificate, applying for a free certificate, or uploading a third-party certificate. You can also enter the third-party certificate content and private key in the next steps.
Go to the CDN console. Click the target accelerated domain name. Click HTTPS. Next to SSL Certificate, click Modify.
Select HTTPS Secure Acceleration. Read the billing reminder and click OK.
Based on the Certificate Source drop-down list, select an SSL certificate or enter third-party certificate information.
SSL Certificates Service: From the Certificate Name drop-down list, select a certificate.
Custom Certificate (Certificate+Private Key): Enter the Certificate Name, Certificate (Public Key), and Private Key.
Click OK to complete the HTTPS certificate configuration.
If you cannot select the target certificate, go to the SSL Certificates Service console and confirm that the certificate meets the following conditions:
The certificate is issued and valid.
The certificate is valid for the domain name that you are configuring.
Step 2: Verify HTTPS access
After configuration, wait for it to take effect. CDN HTTPS configuration takes about one minute. Then verify HTTPS access in a browser:
OSS custom domain name
Go to the Buckets page and click the name of the target bucket.
Click the file name or View Details in the Actions column. Set Domain Name to Custom Domain. From the drop-down list, select the mapped custom domain name. Then click Copy Object URL.
CDN-accelerated domain name
Construct the access URL using the CDN-accelerated domain name, such as https://example.com/example.jpg, where example.com is your CDN-accelerated domain name.
Access the URL in a browser. Verify that the browser address bar displays a lock icon, which indicates that the connection is encrypted.
Force HTTPS access
In production, force all clients to use HTTPS. This prevents data interception or tampering during transmission. Choose the configuration method based on your domain type.
OSS custom domain name
Go to the Buckets page. Click the target bucket. In the navigation pane on the left, click . Select Add by Syntax to add the following bucket policy to deny all HTTP requests.
Replace <bucket-name> in the example with your actual bucket name. If you have existing policies, add this statement to them.
{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["oss:*"],
    "Principal": ["*"],
    "Resource": [
      "acs:oss:*:*:<bucket-name>",
      "acs:oss:*:*:<bucket-name>/*"
    ],
    "Condition": {
      "Bool": {
        "acs:SecureTransport": ["false"]
      }
    }
  }]
}
CDN-accelerated domain name
Force clients to use HTTPS using either of the following methods:
Configure a force redirect:
Go to the CDN console. Click the target accelerated domain name. Click HTTPS.
Next to HTTP/S Redirect, click Modify. Select HTTP → HTTPS. Click OK.
After configuration, CDN uses a 301 redirect to change HTTP requests from clients to CDN nodes into HTTPS requests. For more information, see Configure Protocol Redirection.
Enable HSTS:
Go to the CDN console. Click the target accelerated domain name. Click HTTPS.
Next to HSTS, click Modify. Turn on HSTS. Click OK.
After configuration, browsers automatically convert HTTP requests to HTTPS requests. For more information, see Configure HSTS.
Certificate lifecycle management
View certificate expiration time
OSS custom domain name
Go to the Buckets page. Click the target bucket. In the navigation pane on the left, click .
Click Certificate Details for the target domain name to view the expiration time.
CDN-accelerated domain name
Go to the CDN console. In the navigation pane on the left, click Certificate Center to view the certificate expiration time.
Update the certificate
The update procedure is the same as the initial configuration. Choose the path based on your domain type and update method.
Console
OSS custom domain name: Go to the Buckets page. In the section for the target bucket, click Upload Certificate and select the new certificate.
CDN-accelerated domain name: Go to the CDN console. In the HTTPS settings for the target accelerated domain name, select or upload the new certificate.
Command-line interface and API
OSS custom domain name: Use ossutil to bind a certificate to a custom domain name. For more information, see put-cname.
CDN-accelerated domain name: Set certificates for accelerated domain names using the Alibaba Cloud CLI. For more information, see CLI integration examples and Set certificates for accelerated domain names.
Automatic renewal
SSL certificates have a fixed validity period. An expired certificate causes service interruptions. Renew certificates 30 days before they expire.
Alibaba Cloud SSL certificates: Enable certificate hosting to renew certificates automatically and reduce manual intervention.
Third-party certificates: Establish a regular update process and assign responsibility to ensure timely renewal.
Disable HTTPS access
When you no longer need HTTPS encrypted access, disable it as follows:
OSS custom domain name
Go to the Buckets page. Click the target bucket. In the navigation pane on the left, click .
Click the delete icon next to Certificate Details for the target domain name. Click OK.
CDN-accelerated domain name
To avoid access interruptions, first restore the protocol redirection type to its default setting and disable the HSTS feature before disabling HTTPS.
Go to the CDN console. Click the target accelerated domain name. Click HTTPS. Next to SSL Certificate, click Modify.
Turn off HTTPS Secure Acceleration. Click OK.
Apply in production
Performance optimization
Modern browsers and CDNs widely support HTTP/2. Compared to HTTP/1.1, HTTP/2 offers advantages such as multiplexing and header compression. In your CDN configuration, enable HTTP/2 and Gzip compression to optimize transmission efficiency while maintaining security.
Risk mitigation
Backup certificate mechanism: Prepare a backup SSL certificate to handle primary certificate failure or CA issues. For critical business systems, use certificates from different CAs as backups. Switch quickly if the primary certificate fails.
HTTP fallback policy: When a severe, unresolvable certificate issue occurs, follow a standard emergency procedure to allow temporary HTTP access. Enhance monitoring to detect and fix issues quickly.
Billing
After you enable HTTPS in CDN, you are billed for the number of static HTTPS requests. For more information, see Static HTTPS Requests.
FAQ
After I configure an SSL certificate, why does my browser still show an 'insecure' or 'certificate error' message?
If a security warning persists after configuration, troubleshoot the issue as follows:
Check the configuration location: Confirm whether CDN acceleration is enabled for the access domain. If it is, configure the HTTPS certificate in the CDN console. Certificate hosting in the OSS console will not apply.
Clear the browser cache: Your browser may have cached the old certificate status. Try clearing your browser cache and accessing the site again.
Wait for the configuration to take effect: CDN HTTPS configuration or OSS certificate hosting takes time to deploy.
Check the certificate chain integrity: Certificate files issued by intermediate CAs contain multiple certificates. Concatenate the server certificate with the intermediate certificate to form a complete certificate chain before uploading. The Certificate Authority usually provides instructions for this concatenation. Review the relevant documentation carefully.
How do I handle certificate exceptions when accessing OSS over HTTPS?
Use the method that corresponds to the type of certificate exception:
Certificate not configured: The browser shows the error NET::ERR_SSL_PROTOCOL_ERROR. This may indicate that the certificate is missing or configured in the wrong location (for example, using certificate hosting in OSS when CDN acceleration is enabled). Reconfigure HTTPS using the steps in Enable HTTPS access.
Certificate expired: The browser shows the error NET::ERR_CERT_DATE_INVALID. Follow the steps in Update the certificate to reconfigure.
Certificate mismatch: The browser shows the error NET::ERR_CERT_COMMON_NAME_INVALID. The access domain is not included in the certificate's domains (for example, you access cdn.example.com but the certificate is bound to oss.example.com). Configure the correct certificate for the access domain.
Why can't I find my target certificate in the drop-down list when selecting a certificate?
Certificate and domain name mismatch: The system only lists certificates that match the domain you are currently configuring. For example, when configuring a certificate for oss.example.com, you cannot select a certificate issued to cdn.example.com.
Certificate is not under the current account: Upload the certificate on the SSL Certificate Management page.
Wildcard certificate level mismatch: A wildcard certificate only supports subdomains at the same level. For example, *.example.com can match www.example.com and oss.example.com, but not cdn.oss.example.com.
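The following Python script is an added example (not part of this page or of any Alibaba Cloud tool) that automates the checks this page asks for by hand: it verifies that the certificate served on a custom or CDN-accelerated domain actually covers that domain under the one-level wildcard rule above, and flags certificates that are expired or inside the 30-day renewal window. `fetch_cert` needs network access to the domain; `SAMPLE_CERT` is a constructed record in the layout that `ssl.SSLSocket.getpeercert()` returns, used so the checks can be exercised offline.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # renew 30 days before expiry, as the page recommends


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the access domain.
    A wildcard covers exactly one label: *.example.com matches
    oss.example.com but not cdn.oss.example.com or example.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return bool(left) and "." not in left


def check_cert(cert: dict, hostname: str, now: datetime) -> list:
    """Return the problems found; an empty list means the cert is usable
    for hostname. `cert` uses the dict layout of getpeercert()."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"mismatch: {hostname} not covered by {names}")
    # notAfter is in the "Jun 15 12:00:00 2025 GMT" form the ssl module emits
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        problems.append(f"expired: {-days_left} days ago")
    elif days_left < RENEW_BEFORE_DAYS:
        problems.append(f"renew soon: {days_left} days left")
    return problems


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Live check: complete a verified TLS handshake (chain and hostname are
    validated like a browser would) and return the leaf certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}
```

For a live domain, run `check_cert(fetch_cert("oss.example.com"), "oss.example.com", datetime.now(timezone.utc))`; a TLS handshake failure from `fetch_cert` points at the same causes as the FAQ above (wrong configuration location, incomplete chain, or mismatched domain).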
When I configure an HTTPS certificate in CDN, a message indicates that the certificate format is incorrect. How do I convert the format?
CDN HTTPS configuration only supports certificates in PEM format. If the certificate is not in PEM format, see Certificate Formats. Follow the instructions in the document to convert the format before uploading.