Install an SSL certificate on WordPress - Simple Application Server

Once you have connected a domain name to your Simple Application Server, you can enable HTTPS access. This cost-effective upgrade from HTTP to HTTPS provides website authentication and encrypted data transmission, preventing data tampering and data leaks. This topic demonstrates how to install an SSL certificate and enable HTTPS access on a Simple Application Server running WordPress 5.8.

Note

If you created your Simple Application Server with the WordPress 6.7.1 application image, you can enable HTTPS in one click from the console. For details, see one-click HTTPS setup.

Background

After using Certificate Management Service to purchase, apply for, and deploy a certificate to your web server, your web service will transmit data over HTTPS. The HTTPS protocol establishes an SSL-encrypted channel between a client browser and the web server to prevent data from being leaked or tampered with in transit. Publishing mobile apps, mini programs, and other applications in an app store or application ecosystem requires encrypted transmission over HTTPS. Securing your website with HTTPS provides the following benefits:

Security and compliance: Ensures compliance with app store and application ecosystem requirements.
Encrypted transmission of network data: Encrypts communications between users and your website to prevent hijacking, tampering, and eavesdropping.
Improved trust and security: Reduces the risk of phishing events. When users visit your site, their browser shows that the site is secure and trusted. This improves your website's credibility, traffic, and search ranking.

Prerequisites

You have created a Simple Application Server. For instructions, see Quickly build a website using a WordPress application image.
You have purchased a domain name. To purchase a domain name from Alibaba Cloud, see Register a generic domain name.
If your Simple Application Server is deployed in the chinese mainland, ensure the domain name has an Internet content provider (ICP) filing. For more information, see What is an ICP filing?.
You have bound the domain name to the Simple Application Server and resolved it. For instructions, see Register and resolve a domain name.

Step 1: Purchase an SSL certificate

Purchase a certificate

Go to the Buy Now page.

Select the certificate specifications that meet your business requirements.

Parameter	Description	Example
Certificate type	Select a certificate type: Single Domain: The SSL certificate is used to bind a single domain name. Wildcard Domain: A wildcard domain certificate secures multiple subdomains at the same level, which saves you from purchasing and installing a separate certificate for each one. The matching rules for wildcard domains are as follows: It can only match subdomains at the same level, not across levels. For example, a certificate for .aliyundoc.com matches subdomains like demo.aliyundoc.com and learn.aliyundoc.com, but not guide.demo.aliyundoc.com or developer.demo.aliyundoc.com. You can only apply for a certificate for a single wildcard domain. Applying for a certificate for multiple wildcard domains is not supported. If you need one certificate to cover multiple wildcard domains, you can merge multiple certificates of the same brand and type to generate a multi-wildcard certificate. For instructions, see Merge certificate applications. Multiple Domains: The SSL certificate is used to bind multiple single domain names simultaneously, with a maximum of 5 single domain names supported. Note* After you purchase a certificate, if it meets the requirements described in Purchase a commercial certificate, Alibaba Cloud provides the corresponding domain name for free.	Single Domain
Brand	Select the certificate brand (the certificate authority (CA) that issues the certificate). For more information about different certificate brands, see SSL certificate selection guide.	Digicert
Certificate specifications	Select the certificate type you need. For more information about different certificate types, see SSL certificate selection guide.	DV SSL
Domain names	This parameter is required only if you select Multiple Domains. Select the number of single domain names to be bound to the SSL certificate.	1
Quantity	The number of SSL certificates to purchase. The default is 1, and this cannot be increased. To purchase multiple SSL certificates, you can select a longer Service Duration. For example, selecting a Service Duration of 2 Years means you are purchasing two certificates, each with a 1-year validity period.	1
Service duration	Select the duration of the SSL certificate service. Options: 1 Year: Purchase a 1-year SSL certificate service. The certificate validity is 1 year by default. After the certificate expires, you need to manually place a new order to purchase another SSL certificate. 2 Years: Purchase a 2-year SSL certificate service, which includes two certificates each with a 1-year validity period and one hosting service instance. For more information about the hosting service, see What is the hosting service? 3 Years: Purchase a 3-year SSL certificate service, which includes three certificates each with a 1-year validity period and two hosting service instances.	1 Year

Click Buy Now and complete the payment.

Submit a certificate application

Log in to the Certificate Management Service console.
In the navigation pane on the left, choose Certificate Management > SSL Certificate Management.
On the Commercial Certificate tab, find the target certificate and click Apply for Certificate in the Actions column.

In the Apply for Certificate panel, complete the configuration, select Quick Issue, and click Submit.

Parameter		Description and example
Certificate Type		Single Domain
Certificate Specifications		Digicert DV
Domain Name		The domain name that the certificate will secure, which is the domain name of the simple application server. For example, aliyundoc.com.
Validity Period (Years)		1
Quick issue	Domain verification method	If your domain's DNS is hosted on the same Alibaba Cloud account, Certificate Management Service automatically selects Automatic DNS Verification by default. This option cannot be changed. After you submit the application, the system automatically performs DNS verification, and you just need to wait for the certificate to be issued. If your domain's DNS is hosted on a different account or with another provider, you can choose one of the following methods to verify domain ownership: Manual DNS Verification: You need to manually add a TXT record at your DNS provider to verify domain ownership. File Verification: You need to manually download a dedicated verification file from the Certificate Management Service console and upload it to the specified verification directory on your web server.
	Contact	Select an existing contact or click Create Contact to add a new one. Ensure that your contact information is accurate and valid.
	Location	Select your city or region.
	Encryption algorithm	The encryption algorithm for the SSL certificate. The default is RSA and cannot be changed. The RSA algorithm is a widely used asymmetric encryption algorithm known for its high compatibility.
	CSR generation	A Certificate Signing Request (CSR) file contains server and company information and must be submitted to the CA for review. Select Automatic. This allows Certificate Management Service to automatically generate a CSR file using the encryption algorithm specified in the Encryption Algorithm field.

If the Domain Verification Method is Automatic DNS Verification, the system automatically completes the DNS verification, and you only need to wait for the certificate to be issued. If the Domain Verification Method is set to Manual DNS Verification or File Verification, you need to follow the instructions in Verification Information to complete domain ownership verification. For more information and common errors, see Domain ownership verification.
After you submit the SSL certificate application, the CA typically completes the review and issues the certificate in about 30 minutes. Once the SSL certificate is issued, its Status will change to Issued.

Step 2: Configure the SSL certificate

After the certificate is issued, its status changes to Issued. You must deploy the SSL certificate to your server and then configure it. For more information about deploying and installing certificates, see Deploy an SSL certificate.

Upload and deploy the SSL certificate.

In the , choose Deployment and Resource Management > Deployment to Cloud Servers.

On the Deployment to Cloud Servers page, click Create Task.

In the Basic Configuration step, enter a custom task name and click Next.
In the Select Certificate step, select the certificate type and the SSL certificate for your cloud server, and then click Next.
In the Select Resource step, select the target cloud server and resources, and then click Next.
- The system automatically detects and retrieves all eligible cloud server instances under your Alibaba Cloud account. An eligible instance is a server where a web application is deployed. If the target resource is not displayed, verify that a web application, such as Nginx or Apache, is deployed on the cloud server.
- If a certificate was previously deployed to an instance, the system displays the name of the deployed certificate.

In the Deployment Configuration step, configure the following parameters to deploy the certificate to the cloud server, and then click OK.

Important

If the specified certificate configuration directory does not exist on the server, the system automatically creates it. The path you specify in the console must match the certificate path configured in your web application.

Parameter	Description	Example
Certificate Path	The absolute path to the certificate file on the cloud server.	/data/cert/certpublic.crt
Private Key Path	The absolute path to the private key file on the cloud server.	/data/cert/cert.key
Certificate Chain Path	The absolute path to the certificate chain file on the cloud server.	/data/cert/certchain.crt
Reload Command	Specifies a command to restart the web application or reload its configuration file. This command runs after deployment to apply the new certificate. Important If the service fails to start after this command runs, connect to your cloud server to troubleshoot the issue.	Not required.

In the message that appears, click OK.

Configure the SSL certificate.
1. Connect to the simple application server. For more information, see Connect to a Linux server.
2. Run the following command to modify the vhost.conf configuration file.
  
  Note
  In this example, Apache is installed by default in the WordPress environment. The path and name of the configuration file may vary depending on your environment. Use the actual path and name for your setup.
```
sudo vim /etc/httpd/conf.d/vhost.conf
```
3. Press the i key to enter Insert mode.
4. Add the following code to the configuration file.
  Before you use the sample code, replace the following placeholder values:
  - ServerName: The domain name. Example: example.com.
  - DocumentRoot: The application directory. Example: /data/wwwroot/wordpress.
  - Directory: The application directory. Example: /data/wwwroot/wordpress.
  - SSLCertificateFile: The path to the certificate public key file. Example: /data/cert/certpublic.crt.
  - SSLCertificateKeyFile: The path to the private key file. Example: /data/cert/cert.key.
  - SSLCertificateChainFile: The path to the certificate chain file. Example: /data/cert/certchain.crt.
  Important
  Ensure the certificate file paths are correct. Otherwise, you cannot access your website over HTTPS.
  
  Below is an example of the modified configuration file:
```
<VirtualHost *:443>
# Configure the domain name that is bound to the server.
ServerName  example.com
DocumentRoot "/data/wwwroot/wordpress"
#ErrorLog "logs/example.com-error_log"
#CustomLog "logs/example.com-access_log" common
<Directory "/data/wwwroot/wordpress">
Options Indexes FollowSymlinks
AllowOverride All
Require all granted
</Directory>
SSLEngine on
# Configure an SSL certificate. Make sure that the paths are the same as the paths that you specified when you deployed the certificate.
SSLCertificateFile  /data/cert/certpublic.crt
SSLCertificateKeyFile  /data/cert/cert.key
SSLCertificateChainFile  /data/cert/certchain.crt
</VirtualHost>
```
5. Optional: To automatically redirect HTTP requests to HTTPS, add the following configuration to the <VirtualHost *:80> block.
```
#----------HTTP for WordPress Start--------
<VirtualHost *:80>
    ServerName example.com
    #ServerAlias example.com
    DocumentRoot "/data/wwwroot/wordpress"
    ErrorLog "logs/wordpress-error_log"
    CustomLog "logs/wordpress-access_log" common
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    <Directory "/data/wwwroot/wordpress">
        Options Indexes FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

#----------HTTP for WordPress End--------
```
6. To save your changes and exit Insert mode, press the Esc key, enter :wq!, and then press the Enter key.
7. Run the following command to restart the service.
```
sudo systemctl restart httpd
```
8. Run the following command to restart the database.
```
sudo service mysqld restart
```

Step 3: Verify SSL certificate

Configure the HTTPS domain name in the WordPress admin dashboard.
1. Log in to your WordPress admin dashboard.
  
  To find the URL, username, and password for your admin dashboard, see Quickly build a website using a WordPress application image.
2. In the left-side navigation pane, choose Settings > General.
3. In the WordPress Address (URL) and Site Address (URL) fields, enter your site's full HTTPS address (for example, https://example.com).
4. Click Save Changes.
  
  Note
  After you modify the WordPress Address (URL) and Site Address (URL), your admin login URL changes to https://example.com/wp-login.php. Replace example.com with your domain name.
In a web browser, go to https://<your domain name>.
- If a lock icon appears in the browser's address bar, the SSL certificate is installed successfully.
- If you cannot access your website over HTTPS, check the following:
  - Ensure that port 443 is open on the Simple Application Server and not blocked by other tools. To open port 443, see Manage firewalls.
  - Verify that the domain name has an ICP filing. If your domain name is resolved to a website hosted on a server in the Chinese mainland, you must obtain an ICP filing. For more information, see What is an ICP filing?
  - Verify that the certificate path is configured correctly. Ensure the upload path matches the configured path. For more information, see Configure the SSL certificate.

Simple Application Server:Install an SSL certificate on WordPress (Linux)