Deploy HTTPS Across App and AIRec

A developer enables HTTPS for their entire platform by deploying SSL certificates to general cloud infrastructure (ECS, SLB, CDN) via CAS while also configuring HTTPS specifically for their AIRec recommendation service, ensuring end-to-end encrypted traffic across both the main application and personalized recommendation endpoints.

Products involved

Scenario

Use this workflow when you need to unify TLS encryption across your core application infrastructure and AIRec recommendation endpoints. By centralizing certificate lifecycle in CAS and mapping certificates to AIRec, you ensure consistent HTTPS termination at the edge (SLB/CDN) and secure, encrypted API calls to personalized recommendation services.

Integration steps

  1. Provision Certificate in CAS: Upload or issue your SSL certificate via the CAS console. Ensure the certificate chain and private key are in PEM format.
  2. Deploy to Edge Infrastructure: Attach the certificate to your SLB or CDN using the CAS deployment API:

     ```bash
     aliyun cas DeployCertificateToCloudResource \
       --CertificateId "cert-8a9b2c" \
       --CloudServiceType "SLB" \
       --CloudServiceInstanceId "lb-xyz789" \
       --RegionId "cn-hangzhou"
     ```

  3. Prepare AIRec Mapping File: Download the certificate_info.xlsx template from the AIRec console. Populate the domain, certificate_id, and cert_type columns with your CAS certificate details.
  4. Bind Certificate to AIRec: Upload the mapping file and certificate artifacts to your AIRec instance:

     ```bash
     curl -X POST "https://airec.cn-hangzhou.aliyuncs.com/v2/openapi/instances/{InstanceId}/certificates/bind" \
       -H "Authorization: Bearer <TOKEN>" \
       -F "mapping_file=@certificate_info.xlsx" \
       -F "[email protected]" \
       -F "key=@private_key.pem"
     ```

  5. Validate Domain Ownership: AIRec triggers DNS CNAME or HTTP file validation. Monitor progress via GET /v2/openapi/instances/{InstanceId}/certificates/status.
  6. Enforce HTTPS on AIRec: Once validation returns SUCCESS, enable HTTPS enforcement in the AIRec instance settings. Update your recommendation client base URL to https://<custom-domain>.
  7. Verify End-to-End Encryption: Test both the main app and AIRec endpoints:

     ```bash
     # </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
     openssl s_client -connect <airec-domain>:443 -servername <airec-domain> </dev/null | grep "Verify return code"
     ```
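The grep in the verification step prints the verify line but exits 0 whatever code that line carries, and s_client does not compare the certificate against the hostname unless asked to. The script below is an added example, not part of the original page: it fails on any code other than 0 for each host given on the command line (the reader's own app and AIRec domains), and its sample outputs are constructed.

```bash
#!/bin/sh
# Added example, not from the original page. Hostnames come from the command
# line; the sample s_client excerpts below are constructed for illustration.

# Constructed excerpt: trusted TLS 1.3 handshake. The verify line repeats
# once per session ticket, so only the first occurrence is read.
SAMPLE_OK='Verification: OK
Verify return code: 0 (ok)
---
Post-Handshake New Session Ticket arrived:
    Verify return code: 0 (ok)'
# Constructed excerpt: certificate does not cover the requested name.
SAMPLE_MISMATCH='    Verify return code: 62 (Hostname mismatch)'

# Print the numeric code from the first "Verify return code" line on stdin.
# Prints nothing when the line is absent (handshake never completed).
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed only when stdin reports code 0; a missing line counts as failure.
output_is_trusted() {
  code=$(verify_code)
  [ "$code" = "0" ]
}

# Handshake with one host. -verify_hostname makes OpenSSL check the name in
# the certificate; -verify_return_error aborts on any verification error.
check_endpoint() {
  host=$1
  if openssl s_client -connect "$host:443" -servername "$host" \
       -verify_hostname "$host" -verify_return_error \
       </dev/null 2>/dev/null | output_is_trusted; then
    echo "OK   $host"
  else
    echo "FAIL $host"
    return 1
  fi
}

# Usage: sh check_tls.sh <app-domain> <airec-domain>
if [ "$#" -gt 0 ]; then
  status=0
  for h in "$@"; do
    check_endpoint "$h" || status=1
  done
  exit "$status"
fi
```

The non-zero exit status lets a deployment pipeline stop before the recommendation client is switched to the new base URL.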

Architecture

CAS acts as the centralized certificate orchestrator for general cloud resources, handling TLS termination at SLB/CDN/ECS. AIRec consumes the certificate via certificate_info.xlsx mapping to secure its recommendation API endpoints. Client traffic hits the CAS-managed edge first, routes to your application server, and forwards personalized queries to AIRec over a dedicated HTTPS channel. Both layers operate independently but share the same certificate trust chain.

Prerequisites

Common pitfalls

Typical questions