How to Configure SSL on Aliyun DNS for an AWS Application Load Balancer for $0

In just 3 steps, go from an insecure http zero to an https hero using Aliyun and AWS.

(Skippable) Preface

Web development in China isn’t always (or ever) very straightforward. If you’ve had the pleasure of navigating cloud service providers from behind the Great Firewall, you might be familiar with many platforms all promising a massive suite of services suspiciously reminiscent of their AWS counterparts, but not necessarily the same. Something which might be fairly straightforward on AWS, might be a horrifically different experience on the biggest cloud provider in China: Aliyun.

This article is a humble attempt at making one such simple and necessary service a little bit better for my fellow China-dwelling developers. While it’s intended for those using an AWS Application Load Balancer, you can take a similar approach to uploading an Aliyun-generated SSL certificate to any server configuration you can upload a certification to.

Step 1: Order a Certificate

Let’s first get a certificate by navigating to the aliyun console under the “SSL Certificates” tab in the sidebar.

We’ll choose the free option because we’re broke.

This page was auto-translated and might appear different on your own browser. It’s kinda wonky, but you can get to the free configuration by cycling through the options in either Symantec or GeoTrust providers. Back to the “SSL Certificates” tab, complete the application process.

Step 2: Verify the Certificate in Our DNS

Copy the TXT record information from the SSL Certificates page.

Go to the “Alibaba Cloud DNS” tab and fill in the _dnsauth record with the information from the certificate.

Verify. This step might take over 10 minutes to succeed, so we can come back after we deploy our certificate. (Be patient, young one).

Step 3: Deploy to our ALB

Download the certificate and unzip the .key and .pem files.

If you aren’t using an ALB, you can still use these files to deploy to your current server configuration Now’s the time to finally head over to AWS. Go to the EC2 console and select the “Load Balancers” side tab. Then look for the “Listeners” tab and select “View/edit certificates”.

Name the certificate after your domain and copy/paste from the .key and .pem files.

This should be good enough, but to ensure that the right certificate is being served by your ALB, set the default certificate to the one you’ve just uploaded.

Bing Bam Boom Rinse and Repeat about once a year.

Note: Once your certificate has been issued, you can safely delete your _dnsauth TXT records from Aliyun.


Hopefully this article will help someone on their windy path to security on Chinese IAAS providers. Of course, feel free to reach out to me if you have any questions or suggest future topics for web development in China.

Last Updated: 10/5/2019, 9:11:16 AM

Get the News