This topic describes how to install an SSL certificate on a Python Flask server, including downloading and uploading a certificate file, configuring related parameters on the Python Flask server, and verifying the installation result. The parameters include those related to the certificate file and certificate key. After the certificate is installed, you can access a Flask application over HTTPS.
This topic provides an example on how to install a certificate on a Flask 2.0.3 server that runs Python 3.6 and a Linux operating system. The installation process may vary based on the version of the operating system or web server.
The installation method in this topic applies only to the development environment. In the actual production environment, if your Flask website uses a reverse proxy server such as NGINX to provide external services, install the certificate on the NGINX server. For more information, see Install SSL certificates on NGINX or Tengine servers.
If you have questions, contact your account manager.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is correctly resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. To use the tool, log on to the Certificate Management Service console, and choose Common Certificate Tools > Verify DNS Settings in the left-side navigation pane. For more information, see Verify the DNS record of your domain name.
Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.
If you use a third-party cloud server or an on-premises server, make sure that port 443 is enabled for a firewall or security group to allow TCP access.
If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?
Step 1: Download the certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage, click More in the Actions column. On the page that appears, click the Download tab.
Find Other in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter
File extracted from the certificate package
Automatic
Certificate file in the PEM format: Flask supports PEM files. A certificate file in the PEM format is a Base64-encoded text file that contains a complete certificate chain. The file is named in the
Certificate ID_Domain name bound to the certificateformat after decompression.Private key file in the KEY format: By default, the private key file is named in the Domain name bound to the certificate format.
Manual
If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.
If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate for the Flask website
Run the following commands to create a directory to store the certificate in the
/directory of the Linux server:mkdir /ssl # Create a directory named ssl.Upload the certificate file and private key file to the following directory of the Linux server:
/ssl.NoteYou can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.
Open the Flask application file and configure the certificate based on the following sample code.
The following sample code shows how to install a certificate on a Flask application. You can copy the code to a new file, specify the certificate path, and save the new file as test.py for testing.
# Import the Flash web framework. from flask import Flask app = Flask(__name__) @app.route("/") def main(): return "<p>Hello, World!</p>" # Configure the certificate. # Specify the default HTTPS port 443. # Specify port 443 and the absolute path to the certificate. Replace /ssl/cert.pem with the absolute path to the certificate file. Replace /ssl/cert.key with the absolute path to the private key file. context = (r'/ssl/cert.pem', r'/ssl/cert.key') app.run(host="0.0.0.0", port=443, ssl_context=context)
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.If a lock icon appears in the address bar, the certificate is installed.
