
How to install free HTTPS for domains accelerated by Alicloud GA

We can use certbot and dns-multi to auto-renew HTTPS certificates.
September 24, 2025 by 上海懒慧科技有限公司, Chaofeng Wang


Core Concept: The Relationship Between GA and Certificates


First, it's essential to understand a core principle: Global Accelerator (GA) does not directly store or manage SSL certificates.
As a network acceleration layer, GA's HTTPS listener functionality relies on backend services, such as a Server Load Balancer (SLB) or your own origin servers, to handle the SSL/TLS encryption and decryption.

Therefore, the process of configuring HTTPS for GA is effectively the process of configuring an HTTPS certificate on the SLB instance associated with your GA backend. The GA instance receives encrypted traffic via its HTTPS listener and then forwards this traffic to the backend SLB listener, which is already configured with the certificate.

Below are two mainstream and professionally recommended methods to achieve this.


Scenario 1: Using Alibaba Cloud's Free SSL Certificates Service (Recommended)


This is the most convenient and highly integrated method. The Alibaba Cloud SSL Certificates Service provides free DV (Domain Validated) single-domain certificates issued by DigiCert or TrustAsia. The primary advantage of this approach is its seamless integration with other Alibaba Cloud products (like SLB) and its support for automatic renewal, which significantly simplifies operational maintenance.

UPDATE: There are no more free DV certificates for now. Head to Scenario 2.


Step 1: Purchase and Validate the Free Certificate


  1. Log in to the Alibaba Cloud Console: Navigate to the SSL Certificates Service console.

  2. Purchase a Certificate: On the overview page, click "Purchase Certificate". On the purchase page, select "DV Single Domain," choose "DigiCert" or "TrustAsia" as the brand, and then select the "Free" edition. Click "Buy Now" and complete the payment process (the cost is $0.00).

    • Professional Tip: Although it's free, this purchase process is necessary to generate a certificate order in the system.

  3. Complete the Certificate Application:

    • Return to the SSL Certificates Service console, find the "Pending Application" order you just created, and click "Apply".

    • Enter the domain you wish to secure with HTTPS, for example, secure.yourdomain.com.

    • Select a Domain Validation Method. "Automatic DNS Validation" is recommended. If your domain is managed by Alibaba Cloud DNS, the system will automatically add a TXT record to verify your domain ownership. Otherwise, you will need to manually add the specified TXT record at your DNS provider.

    • After submitting, wait for the Certificate Authority (CA) to complete the review. Automatic validation is typically very fast, taking only a few minutes.


  4. Download and Deploy: Once the review is complete, the certificate status will change to "Issued". You do not need to manually download the files at this stage.


Step 2: Deploy the Certificate to Server Load Balancer (SLB)


  1. Create or Select an SLB Instance:

    • Navigate to the Server Load Balancer (SLB) console.

    • You must have an SLB instance with a configured backend server group that is already serving traffic correctly over HTTP. This is the foundation for setting up HTTPS.

  2. Create an HTTPS Listener:

    • On the management page for your target SLB instance, select the "Listeners" tab and click "Add Listener".

    • Listener Protocol: Select HTTPS.

    • Listener Port: Use the standard port 443.

    • SSL Certificate: Select "Select Certificate from SSL Certificates Service," and then choose the free certificate you just applied for from the dropdown list.

    • Backend Servers: Select your pre-configured server group.

    • Complete the remaining configurations (e.g., scheduling algorithm, health checks), then click "Next" and confirm.


Step 3: Configure Global Accelerator (GA)


  1. Create a GA Instance:

    • Go to the Global Accelerator (GA) console, purchase, and create a GA instance. Choose a specification that suits your business needs.

  2. Add a Listener:

    • On the GA instance management page, select the "Listeners" tab and click "Add Listener".

    • Protocol: Select HTTPS.

    • Port: Enter the port clients will use to connect, typically 443.

    • Client Affinity: Choose whether to preserve the source IP based on your application's requirements.

  3. Configure an Endpoint Group:

    • Configure an endpoint group for the listener, selecting the region where your backend service is located (e.g., China East 1 - Hangzhou).

    • Backend Service Type: Choose Alibaba Cloud SLB Instance.

    • Backend Service: Select the SLB instance on which you configured the HTTPS listener in Step 2.

    • Finalize the configuration.


Step 4: DNS Configuration


  1. Obtain the CNAME: After the GA instance is successfully created, the system will assign a CNAME address. You can find this on the instance details page.

  2. Modify DNS Records: Go to your domain provider's DNS management panel. Change the DNS record for your service domain (e.g., secure.yourdomain.com) from an A or existing CNAME record to a CNAME record, pointing it to the CNAME address assigned by your GA instance.

At this point, the configuration is complete. The traffic flow will be as follows:

Client -> DNS resolves to GA IP -> GA Accelerated Network -> Backend SLB (HTTPS Decryption) -> Backend ECS Servers


Scenario 2: Using a Third-Party Free Certificate (e.g., Let's Encrypt)


If your domain is not hosted with Alibaba Cloud or if you have other specific requirements, you can use a third-party free certificate provider like Let's Encrypt. The main difference with this method is that the certificate application and renewal processes must be handled manually or via scripts.

Main Steps

  1. Generate the Certificate:

    • On your own server or local machine, use certbot or another ACME client to generate a certificate for your domain.

    • Best Practice: The DNS-01 challenge method is highly recommended, as it does not require opening any ports on your server and is more suitable for services behind a load balancer. You may use a RAM role to authorize your ECS instance to automatically apply for HTTPS certificates every 90 days.

    • Example command using certbot: certbot certonly --manual --preferred-challenges dns -d secure.yourdomain.com

    • Follow the prompts to add the specified TXT record to your DNS to complete the validation. Upon success, you will receive the certificate file (fullchain.pem) and the private key file (privkey.pem).

  2. Upload the Certificate to Alibaba Cloud:

    • Return to the Alibaba Cloud SSL Certificates Service console.

    • Select the "Upload Certificate" feature.

    • Paste the contents of your certificate (fullchain.pem) and your private key (privkey.pem) into the respective fields, give the certificate a name, and upload it.

  3. Subsequent Steps:

    • The following steps are identical to Step 2 and Step 3 in Scenario 1. When creating the HTTPS listener on your SLB, simply select the certificate that you manually uploaded.

Notes and Best Practices for Scenario 2

  • Certificate Renewal: Let's Encrypt certificates are valid for 90 days. You must set up a scheduled task (e.g., a Cron Job) to periodically run the certbot renew command. After a successful renewal, you will need to use Alibaba Cloud APIs to upload the new certificate and update the SLB listener. This adds operational complexity.

  • Automation Scripts: To streamline the renewal and upload process, you can write automation scripts. These scripts would call Certbot for renewal and then use the Alibaba Cloud CLI or SDK to upload the new certificate and update the SLB listener configuration.
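One way to script the renewal hand-off described in these notes, as an added example that is not part of the original article: a certbot deploy hook that refuses to upload a mismatched key pair, uploads the renewed certificate with the Alibaba Cloud CLI, and repoints the SLB HTTPS listener. The region, the SLB instance ID placeholder and the certificate naming scheme are assumptions, and the `aliyun` CLI is assumed to be installed and already authenticated (for example through the ECS RAM role mentioned above).

```shell
#!/bin/sh
# Added example: certbot deploy hook that pushes a renewed certificate to SLB.
# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
REGION="${REGION:-cn-hangzhou}"             # assumed region
LB_ID="${LB_ID:-lb-EXAMPLE-PLACEHOLDER}"    # placeholder SLB instance ID
LISTENER_PORT="${LISTENER_PORT:-443}"

# Succeeds only when privkey.pem belongs to the leaf certificate in fullchain.pem.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Pull ServerCertificateId out of the CLI's JSON reply without needing jq.
extract_cert_id() {
    sed -n 's/.*"ServerCertificateId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Upload the renewed pair, then point the HTTPS listener at the new certificate.
# Note: the CLI takes the key as an argument, so it is briefly visible in the
# host's process list; run this only on a host with restricted shell access.
deploy_cert() {
    lineage="$1"
    key_matches_cert "$lineage" || { echo "key/cert mismatch, not uploading" >&2; return 2; }
    name="le-$(basename "$lineage")-$(date +%Y%m%d%H%M%S)"   # assumed naming scheme
    reply=$(aliyun slb UploadServerCertificate --RegionId "$REGION" \
        --ServerCertificateName "$name" \
        --ServerCertificate "$(cat "$lineage/fullchain.pem")" \
        --PrivateKey "$(cat "$lineage/privkey.pem")") || return 3
    cert_id=$(printf '%s\n' "$reply" | extract_cert_id)
    [ -n "$cert_id" ] || { echo "no ServerCertificateId in reply" >&2; return 4; }
    aliyun slb SetLoadBalancerHTTPSListenerAttribute --RegionId "$REGION" \
        --LoadBalancerId "$LB_ID" --ListenerPort "$LISTENER_PORT" \
        --ServerCertificateId "$cert_id" >/dev/null || return 5
    echo "$cert_id"
}

# Run only when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
fi
```

Register it with `certbot renew --deploy-hook` pointing at this file, so it runs only after a certificate has actually been renewed. The RAM role behind the CLI needs no more than the two SLB actions the script calls.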

Summary and Professional Recommendation

| Feature | Scenario 1 (Alibaba Cloud Free Cert) | Scenario 2 (Let's Encrypt) |
| --- | --- | --- |
| Integration Level | High, seamless with the Alibaba Cloud ecosystem | Low, requires manual upload or API calls |
| Automatic Renewal | Fully automatic (when enabled) | Requires custom scripts and scheduled tasks |
| Operational Complexity | Low | Higher |
| Certificate Type | DV Single Domain | DV Single/Wildcard Domain |
| Recommended Scenario | The vast majority of cases, especially for users whose domains and DNS are on Alibaba Cloud | Users with strong automation capabilities, a need for wildcard certificates, or specific compliance requirements |

For almost all users, Scenario 1 is strongly recommended. It fully manages the certificate lifecycle within Alibaba Cloud, allowing you to focus on your core business and avoiding service interruptions due to expired certificates.


I hope this comprehensive guide assists you in a successful configuration. Please feel free to ask if you encounter any specific issues during the process.
