This topic describes how to configure an SSL certificate for WordPress on a Linux system. It covers how to download and upload certificate files and how to verify the installation.
Prerequisites
You have purchased and applied for a certificate in Certificate Management Service, and its Status is Issued. To purchase and apply for a certificate, see Purchase a commercial certificate and Apply for a certificate.
The domain name is correctly resolved to the server and has an ICP filing from the Ministry of Industry and Information Technology (MIIT). This is required for servers in the Chinese mainland.
You have administrative permissions for the server, such as a root account or an account with sudo privileges.
Procedure
Step 1: Download the SSL certificate and private key file
Go to the SSL Certificate Management page, find the certificate that you want to deploy, and confirm the following information:
Certificate Status: The status must be Issued. If the status is Pending Expiration or Expired, you must renew the SSL certificate.
Bound Domains: This setting must match all the domain names that you want to protect. Otherwise, a security warning appears when an unmatched domain name is accessed over HTTPS. To add or modify domain names, see Append and replace domain names.
In the Actions column for the target certificate, click More to go to the certificate details page. Then, on the Download tab, download the certificate for the Nginx Server Type.
Unzip the downloaded certificate package:
If the package contains a certificate file (.pem) and a private key file (.key), save both files. You will need them for deployment.
If the package contains only a certificate file (.pem) and not a private key file (.key), you must deploy the certificate with the private key file that you saved locally.
Note: If you used a tool such as OpenSSL or Keytool to generate a Certificate Signing Request (CSR) file when applying for a certificate, the private key file was saved only on your local machine. The downloaded certificate package does not include the private key. If the private key is lost, the certificate is unusable. You must purchase a commercial certificate again and generate a new CSR and private key.
Step 2: Install SSL certificate on WordPress
Log on to the Linux server.
Alibaba Cloud server
The following steps use Alibaba Cloud Elastic Compute Service (ECS) as an example. For other types of servers, see the corresponding product documentation.
Log on to the ECS console. In the upper-left corner, select the region where the target ECS instance is located.
In the left navigation pane, select . On the Instances page, find the target ECS instance and click Connect in the Actions column.
In the dialog box that appears, select Workbench and click Sign in now.
Select Terminal as the connection method, enter the required authentication information, and follow the on-screen prompts to log on to the server terminal. For more information, see Log on to an ECS instance using Workbench.
Note: If a prompt to add security group rules appears, click Add Now.
Servers from other cloud providers
Use the remote connection feature provided by the cloud provider to log on to the server terminal.
Non-cloud servers (such as physical servers or IDC-hosted servers)
Use an SSH tool to log on to the server terminal from your local computer.
Some of the following commands vary based on the operating system. Choose the commands that apply to your server's operating system.
RHEL/CentOS series: Includes Alibaba Cloud Linux, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Anolis OS, and their derivatives.
Debian/Ubuntu series: Includes Debian, Ubuntu, and their derivatives.
Open port 443 in the security group and firewall.
Run the following command in the server terminal to check whether port 443 is open:
RHEL/CentOS
# Install nc if it is missing.
command -v nc > /dev/null 2>&1 || sudo yum install -y nc
# Replace <your_server_public_ip> with the public IP address of your server.
# If nothing is listening on port 443 yet, start a temporary listener so the test has something to connect to; it exits after one connection.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 &
sleep 1; nc -w 3 -vz <your_server_public_ip> 443
If the output is Ncat: Connected to <your_server_public_ip>:443, port 443 is open. Otherwise, open port 443 in the security group and firewall.
Debian/Ubuntu
# Install nc if it is missing.
command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
# Replace <your_server_public_ip> with the public IP address of your server.
# If nothing is listening on port 443 yet, start a temporary listener so the test has something to connect to; it exits after one connection.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 &
sleep 1; nc -w 3 -vz <your_server_public_ip> 443
If the output is Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is open. Otherwise, open port 443 in the security group and firewall.
Open port 443 in your security group configuration.
Important: If your server is deployed on a cloud platform, make sure that its security group allows inbound traffic on TCP port 443. Otherwise, the service will be inaccessible. The following steps use Alibaba Cloud ECS as an example. For other cloud platforms, refer to their official documentation.
Go to the Elastic Compute Service (ECS) instances page and click the target instance name to go to the instance details page. For more information, see Add a security group rule to add a rule in the Security Group Details section with Action set to Allow, Protocol to Custom TCP, Destination (Current Instance) to HTTPS (443), and Source to 0.0.0.0/0 (anywhere).
Open port 443 in your firewall.
Run the following command to identify the active firewall service on your system:
if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
  echo "firewalld"
elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
  echo "ufw"
elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
  echo "nftables"
elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
  echo "iptables"
elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
  echo "iptables"
else
  echo "none"
fi
If the output is none, no further action is required. Otherwise, run the command that corresponds to the output (firewalld, ufw, nftables, or iptables) to open port 443:
firewalld
sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload
ufw
sudo ufw allow 443/tcp
nftables
sudo nft add table inet filter 2>/dev/null
sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null
iptables
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
If the INPUT chain already ends with a REJECT or DROP rule, a rule appended with -A is never reached; in that case insert it at the top with -I INPUT instead of -A INPUT.
To make sure that the iptables rules persist after a system reboot, run the following commands:
RHEL/CentOS
sudo yum install -y iptables-services
sudo service iptables save
Debian/Ubuntu
sudo apt-get install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null
Upload the SSL certificate and private key files to the target directory on the server.
Important: This example uses ssl.pem (certificate file) and ssl.key (private key file) and uploads them to the /etc/ssl/cert directory on the server. If this directory does not exist, run sudo mkdir -p /etc/ssl/cert to create it.
Alibaba Cloud server
The following steps use an Alibaba Cloud ECS instance as an example. For other types of servers, refer to the corresponding product documentation.
In the Workbench page you opened earlier, select File > Open New File Tree from the top menu bar.
In the file tree on the left, right-click the target storage directory (/etc/ssl/cert), select Upload File, and upload the certificate file ssl.pem.
Repeat the previous step: right-click the target directory (/etc/ssl/cert), select Upload File, and upload the private key file ssl.key.
After the upload is complete, the path to the certificate file is /etc/ssl/cert/ssl.pem, and the path to the private key file is /etc/ssl/cert/ssl.key.
Other cloud servers
Use the file upload feature provided by your cloud provider to upload the certificate and private key files to the target directory (/etc/ssl/cert) on the server.
Non-cloud servers
Use an SSH tool on your local machine to upload the certificate and private key files. In the following examples, <username> is your username on the server, and <server_ip> is the server's public IP address. The destination directory must be writable by <username>; if it is not (for example, /etc/ssl/cert is owned by root), upload the files to your home directory first and move them into place with sudo.
Windows
Use the built-in Command Prompt (cmd) or PowerShell to upload files with the scp command. This example assumes the certificate and private key files are in the local C:\ directory.
# Upload the local certificate file to the server. Replace C:\ssl.pem and /etc/ssl/cert with the actual source file and destination directory.
scp C:\ssl.pem <username>@<server_ip>:/etc/ssl/cert
# Upload the local private key file to the server. Replace C:\ssl.key and /etc/ssl/cert with the actual source file and destination directory.
scp C:\ssl.key <username>@<server_ip>:/etc/ssl/cert
If the scp command is not available on your system, you can use the free and open-source PuTTY client and its accompanying pscp.exe tool to upload files from the command line. You can also use the graphical WinSCP client to upload files.
Linux/macOS
Use the built-in terminal to upload files with the scp command. This example assumes the certificate and private key files are in the local /tmp directory.
# Upload the local certificate file to the server. Replace /tmp/ssl.pem and /etc/ssl/cert with the actual source file and destination directory.
scp /tmp/ssl.pem <username>@<server_ip>:/etc/ssl/cert
# Upload the local private key file to the server. Replace /tmp/ssl.key and /etc/ssl/cert with the actual source file and destination directory.
scp /tmp/ssl.key <username>@<server_ip>:/etc/ssl/cert
Run the following command to modify the certificate paths in the Nginx configuration file for WordPress, wordpress.conf. The paths must match the location where you uploaded the certificate and private key files.
Note: The WordPress environment in this example has Nginx installed by default. The configuration file path and name may be different in your environment. Adjust them to match your actual configuration.
# \s\+ (one or more whitespace characters) after the directive name keeps the first expression from also matching ssl_certificate_key, which a \s* pattern would do.
sudo sed -i 's|ssl_certificate\s\+[^;]*;|ssl_certificate /etc/ssl/cert/ssl.pem;|; s|ssl_certificate_key\s\+[^;]*;|ssl_certificate_key /etc/ssl/cert/ssl.key;|' /usr/local/nginx/conf/vhost/wordpress.conf
Parameters:
/etc/ssl/cert/ssl.pem: Replace this with the absolute path to your certificate file on the server.
/etc/ssl/cert/ssl.key: Replace this with the absolute path to your private key file on the server.
/usr/local/nginx/conf/vhost/wordpress.conf: Replace this with the absolute path to your WordPress configuration file.
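A pre-flight check for this step, added here as an example and not part of the guide: it confirms that ssl.pem and ssl.key belong together, restricts the key's permissions, rewrites the two directives with a pattern that cannot touch ssl_certificate_key, and validates the result with nginx -t before reloading. The paths /etc/ssl/cert/ssl.pem, /etc/ssl/cert/ssl.key and /usr/local/nginx/conf/vhost/wordpress.conf are the guide's defaults; the function names and the sample server block are constructed for the example, and openssl must be installed on the server.

```shell
#!/bin/sh
# Added example, not from the original guide. Defaults use the guide's paths;
# the function names and SAMPLE_CONF below are constructed for illustration.

# Return 0 when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. the two files belong together.
# Returns 2 when either file cannot be parsed.
check_cert_pair() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Show subject, validity window and SAN list, to confirm that the certificate's
# Bound Domains cover every host name that will be served over HTTPS.
show_cert_info() {
    openssl x509 -noout -subject -dates -ext subjectAltName -in "$1"
}

# Only root needs the private key: the Nginx master process reads it as root
# before the workers drop privileges. (Run with sudo on a live server.)
secure_key_perms() {
    chmod 600 "$1" && chown root:root "$1"
}

# Rewrite the ssl_certificate and ssl_certificate_key directives in CONF ($1)
# to PEM ($2) and KEY ($3). "[[:space:]]\{1,\}" demands at least one space
# after the directive name, so the first expression cannot also match
# "ssl_certificate_key" (a "\s*" pattern would, leaving two ssl_certificate
# lines and no key). Paths must not contain "|", the sed delimiter used here.
set_cert_paths() {
    sed -i \
        -e "s|ssl_certificate[[:space:]]\{1,\}[^;]*;|ssl_certificate $2;|" \
        -e "s|ssl_certificate_key[[:space:]]\{1,\}[^;]*;|ssl_certificate_key $3;|" \
        "$1"
}

# Full sequence for a live server (run with sudo). nginx -t validates the
# rewritten file before the reload, so a bad path cannot take the site down.
deploy_cert() {
    conf="${1:-/usr/local/nginx/conf/vhost/wordpress.conf}"
    pem="${2:-/etc/ssl/cert/ssl.pem}"
    key="${3:-/etc/ssl/cert/ssl.key}"
    check_cert_pair "$pem" "$key" || { echo "$pem and $key do not match" >&2; return 1; }
    show_cert_info "$pem"
    secure_key_perms "$key"
    set_cert_paths "$conf" "$pem" "$key"
    nginx -t && systemctl reload nginx
}

# Constructed sample server block, so the rewrite can be tried on a copy
# instead of the live wordpress.conf.
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /old/path/cert.pem;
    ssl_certificate_key /old/path/cert.key;
}'

demo_rewrite() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$tmp"
    set_cert_paths "$tmp" /etc/ssl/cert/ssl.pem /etc/ssl/cert/ssl.key
    grep 'ssl_certificate' "$tmp"
    rm -f "$tmp"
}
demo_rewrite
```

On a live server, source the file and run deploy_cert with no arguments to use the guide's paths, or pass the configuration file, certificate and key paths explicitly. A mismatched pair or a failing nginx -t stops the sequence before anything is reloaded.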
Run the following commands to validate the configuration and reload the Nginx service. Reload only if nginx -t reports that the syntax is ok and the test is successful:
sudo nginx -t
sudo systemctl reload nginx
Run the following command to restart the database:
sudo service mysqld restart
Step 3: Verify certificate installation
Access your domain over HTTPS in a web browser. For example, https://yourdomain. Replace yourdomain with your actual domain.
If a lock icon appears in the browser's address bar, the certificate is deployed successfully. If you encounter access errors or the lock icon does not appear, clear your browser cache or try again in incognito (privacy) mode.
Starting from version 117, the lock icon in the Chrome address bar has been replaced with a new icon. Click this icon to view the lock information.
If you still encounter issues, see FAQ for troubleshooting.
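To see what a browser sees, here is an added check built on openssl s_client (example code, not from the guide): it fetches the certificate the server actually presents for the host name with SNI set, reports OpenSSL's chain verification result, confirms the name is covered by the SAN list, and warns when expiry is less than 30 days away. yourdomain follows the guide; the function names are constructed, and openssl must be installed on the machine running the check.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are constructed.

# Fetch the TLS handshake transcript for DOMAIN on port 443 with SNI set,
# the way a browser requests it (the address DNS resolves to is what is tested).
fetch_tls_report() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Extract the numeric "Verify return code" from an s_client transcript on stdin.
# 0 = chain validates; 10 = certificate expired; 18 = self-signed leaf;
# 21 = the server is not sending its intermediate certificate.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print only the first PEM block (the leaf certificate) from the transcript.
leaf_from_report() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | sed '/-----END CERTIFICATE-----/q'
}

# Return 0 when DOMAIN ($1) is covered by the SAN list of the certificate in
# PEM ($2), the same host-name check a browser performs.
name_matches() {
    openssl x509 -noout -checkhost "$1" -in "$2" 2>/dev/null | grep -q 'does match'
}

# Return 0 when the certificate in PEM ($1) is still valid DAYS ($2) from now.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Put it together: the three things that decide whether a browser shows a lock.
check_https_endpoint() {
    domain="$1"
    report=$(fetch_tls_report "$domain")
    [ -n "$report" ] || { echo "no TLS handshake on $domain:443 (port closed or Nginx not reloaded?)"; return 1; }
    leaf=$(mktemp)
    printf '%s\n' "$report" | leaf_from_report > "$leaf"
    code=$(printf '%s\n' "$report" | verify_code)
    echo "chain verify code: ${code:-unknown}"
    if name_matches "$domain" "$leaf"; then echo "name $domain matches SAN"; else echo "name $domain NOT in SAN (check Bound Domains)"; fi
    if valid_for_days "$leaf" 30; then echo "valid for at least 30 days"; else echo "expires within 30 days (renew)"; fi
    rm -f "$leaf"
    [ "$code" = "0" ]
}

# Usage: check_https_endpoint yourdomain
```

A verify code of 21 with a working lock on one browser but not another is the classic symptom of a chain file that lacks the intermediate certificate; code 0 plus a SAN match is what the lock icon in Step 3 corresponds to.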
What to do next (Optional)
Enable domain name monitoring
After the certificate is deployed, we recommend that you enable the domain name monitoring feature. The system automatically detects the certificate validity period and sends reminders before the certificate expires. This helps you renew the certificate in time and avoid service interruptions. For more information, see Purchase and enable public domain name monitoring.
FAQ
Why is my certificate not working or HTTPS inaccessible after installation or update?
Common reasons include:
The domain name has not completed ICP filing. See How to check DNS records and ICP filing information.
Port 443 is not open in the server's security group or firewall. See Open port 443 in the security group and firewall.
The certificate's Bound Domains do not include the domain name being accessed. See How to check if a certificate matches the domain names.
The Nginx service was not reloaded after modifying the Nginx configuration file. See Reload the Nginx service.
The certificate files were not replaced correctly, or the Nginx configuration does not specify the correct certificate paths. Ensure that the Nginx configuration file and the certificate files are current and correct.
Missing certificate on other services: If your domain uses services such as a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must also be installed on those services. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services to complete the setup.
Incomplete deployment on multiple servers: If your domain's DNS resolves to multiple servers, the certificate must be installed on all of them.
For further troubleshooting, see Resolve certificate deployment issues based on browser error messages and SSL certificate deployment troubleshooting guide.
Update or replace an SSL certificate
First, back up the original certificate files (.pem and .key) on your server. Then, log on to the SSL Certificates Service console, download the new certificate files (.pem and .key), and upload them to the server, overwriting the old files. Ensure the file paths and names are the same. Finally, reload the Nginx service to apply the new certificate.
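For the replacement procedure above, here is an added script (not from the guide) that performs the backup, overwrite, test and reload in one step and restores the backups if Nginx rejects the new files. Live paths default to the guide's /etc/ssl/cert/ssl.pem and /etc/ssl/cert/ssl.key; the helper names and the validate/reload wrappers are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original guide. Defaults follow the guide's paths;
# function names are constructed. Run with sudo on the server.

# Thin wrappers so the rotation logic can be exercised without a live Nginx.
validate_nginx() { nginx -t; }
reload_nginx()   { systemctl reload nginx; }

# Copy FILE to FILE.<UTC timestamp>.bak, preserving mode and owner, and print
# the backup path so the caller can restore it later.
backup_file() {
    bak="$1.$(date -u +%Y%m%dT%H%M%SZ).bak"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Install NEW_PEM ($1) and NEW_KEY ($2) over the live files ($3, $4), keeping
# the same names and paths so wordpress.conf needs no change. If validation
# fails, put the old files back and return 1; the running Nginx keeps serving
# the old certificate either way because it is only reloaded on success.
rotate_cert() {
    new_pem="$1"; new_key="$2"
    live_pem="${3:-/etc/ssl/cert/ssl.pem}"; live_key="${4:-/etc/ssl/cert/ssl.key}"
    pem_bak=$(backup_file "$live_pem") || return 1
    key_bak=$(backup_file "$live_key") || return 1
    cp "$new_pem" "$live_pem" && cp "$new_key" "$live_key" && chmod 600 "$live_key" || return 1
    if validate_nginx; then
        reload_nginx
    else
        echo "nginx -t rejected the new files; restoring $pem_bak and $key_bak" >&2
        cp -p "$pem_bak" "$live_pem" && cp -p "$key_bak" "$live_key"
        return 1
    fi
}

# Usage on a live server, with the newly downloaded files in /tmp:
#   rotate_cert /tmp/ssl.pem /tmp/ssl.key
```

The backups keep the previous certificate available for a manual rollback later; delete them once the new certificate has been confirmed in the browser, since each .bak of the key is another copy of private material on disk.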