How to use the HTTPS protocol to support applets

Step 1: Download the SSL certificate

  1. Log in to the digital certificate management service console.
  2. On the left navigation bar, click SSL Certificates.
  3. On the SSL certificate page, locate the target certificate, and in the Action column, click Download.
  4. In the Action column where the server type is Nginx, click Download.

  5. Unzip the downloaded SSL certificate compression package.

    Depending on the CSR generation method you selected when submitting the certificate application, the files obtained after decompression differ, as shown below.

    CSR generation method: The system generates or selects an existing CSR
    Files included in the certificate zip package:

    • Certificate file (PEM format): By default, it is named in the form <certificate ID>_<domain name bound to the certificate>. The certificate file in PEM format is a text file encoded with Base64.

    • Private key file (TXT format): the password of the certificate file, named after the domain name bound to the certificate by default.

    CSR generation method: Fill in manually
    Files included in the certificate zip package: Only the certificate file (in PEM format) is included, and you need to manually create the certificate private key file. For details, see Creating a Private Key.

    Note

    According to actual needs, you can convert the certificate file in PEM format to other formats. For details on how to convert the certificate format, see Certificate Format Conversion.

Step 2: Install the certificate on the Nginx server

The operations for installing certificates on Nginx stand-alone servers and Nginx virtual hosts are different. Please choose the corresponding installation steps according to your actual environment.

Install certificates on Nginx standalone server

  1. Execute the following command to create a directory for storing certificates under the Nginx conf directory.

    #Enter the Nginx default configuration directory. This is the default directory when Nginx is compiled and installed manually.
    #If you changed the installation directory or installed Nginx another way, adjust the path to match your setup.
    cd /usr/local/nginx/conf
    #Create a certificate directory named cert.
    mkdir cert
  2. Upload the certificate file and private key file to the certificate directory (/usr/local/nginx/conf/cert) of the Nginx server.

  3. Edit the Nginx configuration file nginx.conf to modify certificate-related configurations.

    1. Execute the following command to open the configuration file.

      vim /usr/local/nginx/conf/nginx.conf
      Important

      nginx.conf is saved in the /usr/local/nginx/conf directory by default. If you have changed the location of nginx.conf, run nginx -t to view the path of the Nginx configuration file and replace /usr/local/nginx/conf/nginx.conf with it.

    2. Press the i key to enter edit mode.

    3. Locate the server attribute configuration in nginx.conf.

    4. Delete the comment symbol # at the beginning of the line, and modify it according to the following content.

      server {
          #HTTPS default access port 443.
          #If the default access port of HTTPS is not configured here, it may cause Nginx to fail to start.
          listen 443 ssl;

          #Fill in the domain name bound to the certificate
          server_name <yourdomain>;

          #Fill in the certificate file name
          ssl_certificate cert/<cert-file-name>.pem;
          #Fill in the certificate private key file name
          ssl_certificate_key cert/<cert-file-name>.key;

          ssl_session_cache shared:SSL:1m;
          ssl_session_timeout 5m;

          #Default cipher suite
          ssl_ciphers HIGH:!aNULL:!MD5;

          #Customize the TLS protocol versions and the cipher suite (the following is a configuration example; evaluate whether you need to configure it yourself).
          #The higher the version of the TLS protocol, the higher the security of HTTPS communication, but higher versions are less compatible with older browsers.
          #TLS 1.0 and TLS 1.1 are formally deprecated (RFC 8996); list TLSv1.1 only if you still have to serve clients that cannot use TLS 1.2 or later.
          #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
          #ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

          #Indicates that the server-side cipher suite is preferred. Enabled by default
          ssl_prefer_server_ciphers on;

          location / {
              root html;
              index index.html index.htm;
          }
      }
    5. Optional: Set HTTP requests to automatically redirect to HTTPS.

      If you want all HTTP visits to automatically redirect to HTTPS pages, you can add a rewrite statement under the HTTP site that needs to be redirected.

      Important

      The following code snippet needs to be placed after the server {} code snippet in the nginx.conf file. That is, once HTTP requests are set to redirect automatically to HTTPS, there will be two server {} code snippets in the nginx.conf file.

      server {
          listen 80;
          #Fill in the domain name bound to the certificate
          server_name <yourdomain>;
          #Redirect all HTTP requests to HTTPS through the rewrite command.
          rewrite ^(.*)$ https://$host$1;
          location / {
              index index.html index.htm;
          }
      }

      The configuration effect is shown in the figure below:

    6. After the modification is complete, press the Esc key, enter :wq and press the Enter key to save the modified configuration file and exit the editing mode.

  4. Run the following command to restart the Nginx service.

    cd /usr/local/nginx/sbin #Enter the executable directory of the Nginx service.
    ./nginx -s reload #Reload the configuration file.
    Note

    • Error the "ssl" parameter requires ngx_http_ssl_module: You need to recompile Nginx and add the --with-http_ssl_module configuration option when compiling and installing.

    • Error "/cert/3970497_demo.aliyundoc.com.pem":BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/cert/3970497_demo.aliyundoc.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file): You need to remove the leading / from the relative path of the certificate. For example, strip the leading / from /cert/cert-file-name.pem and use the correct relative path cert/cert-file-name.pem.
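
The checks below can be run on the uploaded certificate and private key from Step 2 before reloading Nginx. This is an added example, not part of the original article: the function names and return codes are hypothetical, and the sample pair it can generate is constructed test data.

```shell
#!/bin/sh
# Added example: checks to run on the Step 2 files before "./nginx -s reload".
# Function names and return codes are hypothetical, not from the article.

# SHA-256 of the public key inside a certificate ("cert") or private key ("key").
# For a PEM bundle, openssl x509 reads only the first (server) certificate.
pubkey_hash() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY -> 0 ok, 1 missing, 2 key too open, 3 unparsable,
#                        4 key/cert mismatch, 5 expires within 7 days
check_pair() {
    cert=$1 key=$2
    { [ -r "$cert" ] && [ -r "$key" ]; } || { echo "file not readable" >&2; return 1; }
    # Group/other permission bits of the key file must all be clear (e.g. mode 600).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key is accessible to group/other; chmod 600 it" >&2; return 2
    fi
    ch=$(pubkey_hash cert "$cert") || { echo "cannot parse certificate" >&2; return 3; }
    kh=$(pubkey_hash key "$key") || { echo "cannot parse private key" >&2; return 3; }
    [ "$ch" = "$kh" ] || { echo "private key does not match certificate" >&2; return 4; }
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null ||
        { echo "certificate expires within 7 days" >&2; return 5; }
    return 0
}

# Constructed sample input: a throwaway self-signed pair PREFIX.pem / PREFIX.key.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days "${2:-30}" -keyout "$1.key" -out "$1.pem" 2>/dev/null
    chmod 600 "$1.key"
}

# Usage: sh check_pair.sh cert/<cert-file-name>.pem cert/<cert-file-name>.key
if [ "$#" -eq 2 ]; then check_pair "$1" "$2" && echo "OK: safe to reload"; fi
```

A mismatched key or a missing file is reported here with a specific return code instead of surfacing as an Nginx start-up error after the reload.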

Install certificates on Nginx virtual hosts

To install certificates on different virtual hosts, you need to perform different steps. If you are using Alibaba Cloud's cloud virtual host, for details, see Enabling HTTPS encrypted access . If you are using a virtual host of another brand, please refer to the operation guide of the corresponding virtual host to install the certificate.

Step 3: Verify that the SSL certificate is successfully installed

After the certificate is installed, you can verify whether the certificate is successfully installed by accessing the bound domain name of the certificate.

https://yourdomain #Need to replace yourdomain with the domain name bound to the certificate.

If a small lock symbol appears in the address bar of the webpage, it means that the certificate has been installed successfully.

Related documents

After the SSL certificate is deployed, it does not take effect or accessing the website shows that it is insecure

Origin blog.csdn.net/Roinli/article/details/131614068