
Certificate Management Service:Install SSL certificates on cloud servers (ECS or Simple Application Server)

Last Updated:Dec 05, 2025

Manually managing SSL certificates for cloud servers is complex and error-prone and requires repetitive renewal steps. To address these challenges, Certificate Management Service offers an automated deployment feature. You can deploy certificates to specified trusted ECS instances with a single click. You can also automatically update certificates on ECS and Simple Application Server instances where certificates are already configured. This improves deployment efficiency and reduces configuration risks.

Choose a deployment method

Select a method based on your server type and deployment scenario.

In the following comparison, Method 1 is one-click deployment (for first-time deployment) and Method 2 is manual deployment (for updating certificates).

  • Core mechanism

    • Method 1: Fully automated. Nginx accesses the private key in the hardware trusted module through a PKCS#11 interface, so the private key never leaves the instance, which ensures high security.

    • Method 2: Semi-automated. Uploads the certificate file to a specified path on the server to overwrite the old file.

  • Supported servers

    • Method 1: Only specific trusted Elastic Compute Service (ECS) instances (7th/8th generation x86 architecture). Simple Application Server is not supported.

    • Method 2: All ECS and Simple Application Server instances.

  • Supported operating systems

    • Method 1: Alibaba Cloud Linux 3.x and Ubuntu 22.04 UEFI images.

    • Method 2: All major Linux and Windows Server distributions.

  • Supported web servers

    • Method 1: Only specific versions of Nginx installed from yum or apt sources.

    • Method 2: All web servers, such as Nginx, Apache, and Tomcat.

  • SSL certificate requirements

    • Method 1: Single-domain SSL certificates that use the RSA algorithm.

    • Method 2: All types of SSL certificates.

  • Scenarios

    • Method 1: First-time deployment on eligible trusted ECS instances to enable fully automated renewals.

    • Method 2: Updating an existing certificate on an ECS or Simple Application Server instance.

Note

If the preceding solutions do not meet your requirements, see SSL Certificate Deployment Solution Selection to choose a different deployment solution.

Method 1: One-click deployment (for first-time deployment to a trusted ECS instance)

This method integrates with the security module of trusted ECS instances to provide fully automated and highly secure deployment of certificates and private keys. If you purchase a multi-year certificate, the system automatically renews and deploys the updated certificate.

Scope

  • Instance types and specifications: 7th and 8th generation x86-based trusted ECS instances. For more information, see Create a trusted instance. Simple Application Server is not supported.

  • Operating system: Alibaba Cloud Linux 3.x, Ubuntu 22.04 UEFI images.

  • Web server: Specific versions of Nginx installed from yum or apt sources.

    • Alibaba Cloud Linux 3.x image: Nginx installed using yum, with a version from 1.18.0-2.1.al8 to 1.20.1-1.0.5.al8 (exclusive).

    • Ubuntu 22.04 UEFI image: Nginx installed using apt.

  • Certificate type and status: Single-domain SSL certificates that use the RSA algorithm. The certificate status must be Issued.

  • Server permissions: You need a root account or an account with sudo privileges.

  • Domain name resolution: The domain's DNS record is configured and resolves to the server's public IP address.

Step 1: Check that the Cloud Assistant status is Normal

Ensure that Cloud Assistant is correctly installed on the ECS instance. Otherwise, the one-click deployment feature in the console is unavailable.

  1. Go to ECS console - ECS Cloud Assistant.

  2. Select the resource group and region where the target resource is located.

  3. On the ECS Instances tab, locate the target ECS server and check its status in the Cloud Assistant Status column.

    Note

    If Cloud Assistant is not installed or its status is abnormal, see Check Cloud Assistant status and troubleshoot abnormal statuses.

Step 2: Configure the Nginx web application server on the ECS instance

For a first-time deployment, you must modify the Nginx configuration file to allow it to call the private key from the trusted module through the PKCS#11 interface. This step is not required for subsequent updates.

Alibaba Cloud Linux 3.x images

Note

This topic uses Nginx 1.20.1 as an example. /etc/nginx/ is the default installation directory for Nginx installed using yum. If you have changed this directory, adjust the paths accordingly.

  1. Check the Nginx version.

    Currently, only Nginx versions from 1.18.0-2.1.al8 to 1.20.1-1.0.5.al8 (exclusive) are supported.

    Important

    If Nginx is already installed on your ECS instance, check its version before using the one-click deployment feature. If the version is not supported, you must downgrade it to a supported version or reinstall it.

  2. Open the /etc/nginx/nginx.conf configuration file and add ssl_engine pkcs11; after pid /run/nginx.pid; to specify the use of the PKCS#11 encryption library. The following code block shows the location and a complete example:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Specify the use of the PKCS#11 encryption library
    ssl_engine pkcs11;
  3. Open the /etc/nginx/nginx.conf configuration file, uncomment the Settings for a TLS enabled server section, and add include "/etc/acm/ssl/nginx-acm.conf"; to reference the SSL key configuration.

    • Content to add:

      include "/etc/acm/ssl/nginx-acm.conf";
    • Location and complete example:

      server {
          listen       443 ssl http2;
          listen       [::]:443 ssl http2;

          # Specify the hostname or Common Name (CN)
          server_name  example.com;
          root         /usr/share/nginx/html;

          ssl_session_cache shared:SSL:1m;
          ssl_session_timeout  10m;
          ssl_prefer_server_ciphers on;

          # Reference the SSL key configuration
          include "/etc/acm/ssl/nginx-acm.conf";

          # Load configuration files for the default server block.
          include /etc/nginx/default.d/*.conf;

          error_page 404 /404.html;
          location = /40x.html {
          }

          error_page 500 502 503 504 /50x.html;
          location = /50x.html {
          }
      }
  4. Open the /usr/lib/systemd/system/nginx.service file and add P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock and OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf to configure communication with the SSL key service.

    1. Content to add:

      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
    2. Location and complete example:

      [Unit]
      Description=A high performance web server and a reverse proxy server
      Documentation=man:nginx(8)
      After=network.target nss-lookup.target
      
      [Service]
      Type=forking
      PIDFile=/run/nginx.pid
      ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
      ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
      ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
      ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
      TimeoutStopSec=5
      KillMode=mixed
      
      # Configure communication with the SSL key service
      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
      
      [Install]
      WantedBy=multi-user.target
      Note

      If you do not know the path to the Nginx systemd service configuration file, run sudo find / -name "nginx.service" to find it.

  5. Run the following command to reload the Nginx systemd service configuration.

    systemctl daemon-reload

Ubuntu 22.04 image

Note

This topic uses Nginx 1.18.0 as an example. /etc/nginx/ is the default installation directory for Nginx installed using apt. If you have changed this directory or installed Nginx using a different method, adjust the paths accordingly.

  1. Open the /etc/nginx/nginx.conf configuration file and add ssl_engine pkcs11; after pid /run/nginx.pid; to specify the use of the PKCS#11 encryption library. The following code block shows the location and a complete example:

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    
    # Specify the use of the PKCS#11 encryption library
    ssl_engine pkcs11;
    
    include /etc/nginx/modules-enabled/*.conf;
  2. Open the /etc/nginx/sites-enabled/default file, add a new server block for port 443, and add include "/etc/acm/ssl/nginx-acm.conf"; inside it.

    1. Content to add:

      include "/etc/acm/ssl/nginx-acm.conf";
    2. Location and complete example:

      server {
          # The ssl parameter on listen enables TLS; the deprecated ssl on; directive is not needed
          listen 443 ssl;

          # Specify the hostname or Common Name (CN)
          server_name example.com;
          root /var/www/html;
          index index.html index.htm;
          access_log /var/log/nginx/access_6equj5.log;
          error_log /var/log/nginx/error_6equj5.log;

          # Reference the SSL key configuration
          include "/etc/acm/ssl/nginx-acm.conf";

          location / {
              try_files $uri $uri/ =404;
          }
      }
  3. Open the /usr/lib/systemd/system/nginx.service file and add P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock and OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf to configure communication with the SSL key service.

    Note

    If you do not know the path to the Nginx systemd service configuration file, run sudo find / -name "nginx.service" to find it.

    1. Content to add:

      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
    2. Location and complete example:

      [Unit]
      Description=A high performance web server and a reverse proxy server
      Documentation=man:nginx(8)
      After=network.target nss-lookup.target
      
      [Service]
      Type=forking
      PIDFile=/run/nginx.pid
      ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
      ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
      ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
      ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
      TimeoutStopSec=5
      KillMode=mixed
      
      # Configure communication with the SSL key service
      Environment="P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock"
      Environment="OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf"
      
      [Install]
      WantedBy=multi-user.target
  4. Run the following command to reload the Nginx systemd service configuration.

    systemctl daemon-reload
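As an added pre-flight check for Step 2 on both the Alibaba Cloud Linux 3.x and Ubuntu 22.04 images (example code written for this page, not Alibaba Cloud's own tooling), the following Python script parses nginx.conf (plus the sites-enabled file on Ubuntu) and nginx.service and reports any required setting that is missing or sits in the wrong context, for instance ssl_engine inside http {} or the ACM include outside a TLS server block. It assumes the file paths from the procedure above, that no '#' appears inside a quoted config value, and a hypothetical script name acm_preflight.py.

```python
# Required settings from the procedure above, with quotes normalized away (constructed example).
ENGINE = "ssl_engine pkcs11"
ACM_INCLUDE = "include /etc/acm/ssl/nginx-acm.conf"
REQUIRED_ENV = (
    "Environment=P11_KIT_SERVER_ADDRESS=unix:path=/etc/acm/ssl/acm-p11-kit.sock",
    "Environment=OPENSSL_CONF=/etc/acm/ssl/openssl-acm.cnf",
)

def directives(text, file_index=0):
    """Tokenize an nginx config into (context, directive) pairs. context is a tuple of
    (block_name, block_id) for the enclosing blocks, so () means the main context."""
    out, stack, buf, next_id = [], [], "", 0
    for line in text.splitlines():
        for ch in line.split("#", 1)[0] + "\n":  # drop comments; assumes no '#' in values
            if ch not in "{};":
                buf += ch
                continue
            if ch == "{":  # a block opens; its name is the first word before the brace
                stack.append((buf.split()[0] if buf.split() else "", (file_index, next_id)))
                next_id += 1
            elif ch == "}" and stack:
                stack.pop()
            elif ch == ";":  # a directive ends; normalize quotes and whitespace
                d = " ".join(buf.replace('"', "").replace("'", "").split())
                if d:
                    out.append((tuple(stack), d))
            buf = ""
    return out

def check_nginx(conf_texts):
    """Problems in nginx.conf (first text) plus any site file it includes; [] means OK."""
    found = []
    all_d = [d for i, t in enumerate(conf_texts) for d in directives(t, i)]
    engine = [ctx for ctx, d in all_d if d == ENGINE]
    if not engine:
        found.append("ssl_engine pkcs11; is missing from nginx.conf")
    elif any(engine):  # a non-empty context means it sits inside some block
        found.append("ssl_engine pkcs11; must be in the main context, outside http {}")
    includes = [ctx for ctx, d in all_d if d == ACM_INCLUDE]
    if not includes:
        found.append('include "/etc/acm/ssl/nginx-acm.conf"; is missing')
    for ctx in includes:
        if not ctx or ctx[-1][0] != "server":
            found.append("the ACM include must sit directly inside a server {} block")
        elif not any(c and c[-1][1] == ctx[-1][1] and d.startswith("listen")
                     and "ssl" in d.split() for c, d in all_d):
            found.append("the server block holding the ACM include has no 'listen ... ssl'")
    return found

def check_unit(unit_text):
    """Check the [Service] section of nginx.service for both Environment= lines."""
    service, section = [], None
    for line in (raw.strip() for raw in unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line and not line.startswith(("#", ";")):
            service.append(line.replace('"', ""))
    return [f"[Service] is missing {env}" for env in REQUIRED_ENV if env not in service]

if __name__ == "__main__":  # usage: python3 acm_preflight.py [nginx.conf [site file ...]]
    import sys
    confs = [open(p).read() for p in (sys.argv[1:] or ["/etc/nginx/nginx.conf"])]
    found = check_nginx(confs) + check_unit(open("/usr/lib/systemd/system/nginx.service").read())
    print("\n".join(found) or "nginx matches the one-click deployment prerequisites")
    raise SystemExit(1 if found else 0)
```

On Ubuntu, pass both files: python3 acm_preflight.py /etc/nginx/nginx.conf /etc/nginx/sites-enabled/default; an exit status of 1 means something still needs fixing before Step 3.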

Step 3: Deploy the certificate from the Certificate Management Service console

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Deployment and Resource Management > Deployment To Cloud Servers.

  3. On the Deployment to Cloud Servers page, click Create Task and follow these steps to deploy the SSL certificate.

    1. On the Configure Basic Information page, enter a custom task name and click Next.

    2. On the Select Certificate page, select the certificate type and the SSL certificate associated with the cloud server, and then click Next.

      Each deployment task can deploy only one certificate. To deploy multiple certificates, you must create multiple deployment tasks.

    3. On the Select Resource page, select an ECS instance that supports one-click deployment and click Next.


      • The system automatically detects and retrieves all eligible ECS instances under your Alibaba Cloud account. If no resources are displayed, click Synchronize Cloud Resources in the Total Resources area in the upper-left corner. The synchronization time varies based on the number of your cloud resources.

      • If there are many instances in the list, you can select Quick Deployment/Manual Deployment from the All Types drop-down list to quickly filter the list for supported instances.

  4. On the Quick Deployment tab, confirm that the deployment environment requirements are met. If they are, select Confirm that the preceding operations are complete and click Continue to Deploy.

  5. In the dialog box that appears, click OK.

    Warning

    Restarting the web application server will affect your business. We recommend that you perform the deployment during off-peak hours.


    • Reference command to manually restart Nginx:

      systemctl restart nginx.service
    • After restarting, you can use the curl command to test the Nginx SSL connection. The command format is curl -v https://<your_domain_name>.

Step 4: Check the deployment task status

On the Deployment to Cloud Servers page, find the task that you created. If the Task Status is Deployed, the certificate has been successfully deployed to the cloud server.


Step 5: Verify that the SSL certificate is effective

A successful deployment task does not guarantee that the certificate is working correctly. You must verify its status by accessing your domain name.

  1. Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.


    Starting from Chrome version 117, the lock icon in the address bar has been replaced with a new icon (the tune icon). Click this icon to view the connection security information.

Method 2: Manual deployment (updating an existing certificate)

This method is used to update a certificate on a cloud server (ECS or Simple Application Server) that already has a certificate configured. It simplifies the renewal and replacement process by overwriting the old certificate files. This method is not intended for first-time deployments.

Scope

  • Server type: This method applies only to Alibaba Cloud servers, such as Simple Application Server and Elastic Compute Service (ECS).

  • Web server: Supports only web servers, such as Nginx and Apache, that directly reference certificate files in PEM or CRT format. IIS is not supported.

  • Server permissions: You need a root account or an account with sudo privileges.

Step 1: Deploy the SSL certificate

  1. Log on to the Certificate Management Service console.

  2. In the navigation pane on the left, choose Deployment and Resource Management > Deployment to Cloud Servers.

  3. On the Deployment to Cloud Servers page, click Create Task.

    1. On the Configure Basic Information page, enter a Task Name and click Next.

    2. On the Select Certificate page, select a Certificate Type, select the Associated Certificates, and then click Next.

      • Certificates issued by the Private CA service are synchronized to the Manage Uploaded Certificates tab.

    3. On the Select Resource page, select a cloud server type, select the target instance, and then click Next. When you open this page for the first time, the system automatically detects and retrieves all eligible cloud server instances under your Alibaba Cloud account that have a web application deployed.

      Note

      If no resources are displayed, you can click Synchronize Cloud Resources in the Total Resources area to manually synchronize them. The time required for synchronization varies depending on the number of cloud product resources.


    4. On the Deployment Configuration page, configure the parameters as described in the following table and click OK.

      Important

      The Certificate Path and Private Key Path must match the paths configured in your web application. Otherwise, the certificate will not take effect.

      The following figure shows the certificate file configuration path for Nginx on a cloud server. The path is for reference only.


      • Certificate Path: The absolute path where the certificate file is stored on the cloud server. Examples (for reference only; use your actual deployment path):

        • Linux: /ssl/cert.pem

        • Windows: c:\ssl\cert.pem

      • Private Key Path: The absolute path where the private key file of the certificate is stored on the cloud server. Examples:

        • Linux: /ssl/cert.key

        • Windows: c:\ssl\cert.key

      • Certificate Chain Path: The absolute path where the certificate chain file is stored on the cloud server. If a certificate chain file is configured in the web application, enter its path here. Examples:

        • Linux: /ssl/cert.cer

        • Windows: c:\ssl\cert.cer

      • Reload Command: If you configure a command here, it is executed after the certificate is deployed to restart the web application on the cloud server or reload its configuration file so that the certificate takes effect. If the web application fails to restart, log on to the cloud server and restart it there. Examples:

        • Reload the Nginx configuration file: sudo nginx -s reload

        • Restart the Apache service: sudo systemctl restart httpd

    5. In the dialog box that appears, click OK.

      • If you do not configure a restart command, the following message appears. Click OK. You must then log on to the cloud server and manually restart the web application service for the certificate to take effect.


      • If you configure a restart command, the following message appears. Confirm the risks and click OK. After the deployment task is complete, the restart command is executed to restart the web application service, and the certificate takes effect immediately.


Step 2: Check the deployment task status

On the Deployment to Cloud Servers page, find the task that you created. If the Task Status is Deployed, the certificate has been successfully updated on the cloud server.


Step 3: Verify that the SSL certificate is effective

  1. Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain.

  2. If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.


    Starting from Chrome version 117, the lock icon in the address bar has been replaced with a new icon (the tune icon). Click this icon to view the connection security information.

Note

If the issue persists, see FAQ for troubleshooting.

Quotas and limits

  • Deployment fees:

    • Deployment of official certificates is free of charge and does not consume deployment quotas.

    • Deploying a certificate that you upload consumes a deployment quota. You must purchase a deployment quota package at a cost of CNY 30 per deployment. If a deployment fails, the deployment quota is returned.

  • Quota limits:

    Each deployment task can deploy only one certificate to one cloud server instance. To deploy certificates to multiple instances, you must create multiple tasks.

Going live

  • Service interruption risk: Both deployment methods may require restarting the web service (such as Nginx or Apache), which will cause a brief service interruption. We strongly recommend that you perform deployment operations during off-peak hours.

  • Graceful reload: For web servers that support graceful reloads (such as Nginx), we recommend using nginx -s reload or systemctl reload nginx in the Reload Command of Method 2 instead of restart. This minimizes the impact on existing connections.

  • Monitoring and alerting: After you deploy a certificate, we recommend that you enable the domain name monitoring feature for the domain name. Alibaba Cloud automatically detects the certificate validity period and sends reminders before the certificate expires to help you renew it in a timely manner and prevent service interruptions. For more information, see Purchase and enable public domain name monitoring.

FAQ

The certificate does not take effect or HTTPS is inaccessible after installation or update

Common reasons are as follows:

  • Port 443 is not open in the server's security group or firewall.

  • The Bound Domains field of the certificate does not include the domain name that you are trying to access.

  • The Task Status of the deployment task is abnormal. Go to the task details page, click View Failure Cause, update the configurations as prompted, and then retry.

What do I do if I get the error "the cloud Assistant not install or run" during deployment?


Cause: Cloud Assistant is not installed on the ECS instance, or its status is abnormal.