How to Secure Your WeChat Mini‑Program with Free SSL and TLS 1.2 on Nginx

This guide walks you through obtaining a free SSL certificate, configuring Nginx for HTTPS, and upgrading to TLS 1.2 on a CentOS server, ensuring your WeChat mini‑program can securely communicate with the backend, including detailed command‑line steps and essential software dependencies.

Java High-Performance Architecture
Main content: 1. SSL free certificate application steps 2. Nginx HTTPS configuration 3. TLS 1.2 upgrade process

WeChat mini‑programs require https requests, so the web server must support https, which first requires an SSL certificate.

The mini‑program also requires the TLS protocol version to be at least 1.2; if the configured TLS version is lower, an upgrade is needed.

Server‑side environment configuration steps:

1) Apply for an SSL certificate.
2) Configure the web server (e.g., Nginx) to support https.
3) Upgrade to TLS 1.2.

SSL Certificate Application

https requires an SSL certificate, which can cost several thousand yuan per year; for small teams or hobbyists, a free certificate is preferable.

You can also use cloud services such as WildDog or LeanCloud, which support https and simplify the process.

Free certificate: Alibaba Cloud's Symantec free DV SSL.

Application process: go to wanwang.aliyun.com, log in to the console, click Security → Certificate Service, then the Buy Certificate button, select Free DV SSL, and complete the purchase flow.

The order amount is 0 yuan; after completing the flow, return to the Certificate Service page to see the certificate in the list.

First perform the "Complete" step, filling in your domain and basic information.

After completion, the link changes to "Progress"; click it and follow the prompts, typically using file verification by uploading a file to your server.

Once verification succeeds, the SSL certificate can be downloaded in about ten minutes.

Nginx HTTPS Configuration

Upload the certificate to an Nginx directory, e.g.: /usr/local/nginx/cert

Edit conf/nginx.conf and add an HTTPS server block with SSL settings:

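# HTTPS server
server {
    listen 443 ssl;
    # Set this to the domain the certificate was issued for.
    server_name localhost;
    ...
    # Redundant with "listen 443 ssl"; the "ssl" directive is obsolete since nginx 1.15.0.
    ssl on;
    # Certificate and private key downloaded from the certificate service.
    ssl_certificate /usr/local/nginx/cert/213994146300992.pem;
    ssl_certificate_key /usr/local/nginx/cert/213994146300992.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are still enabled here alongside TLSv1.2.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Use the server's cipher preference order rather than the client's.
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
    ...
}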

Reload the configuration and access your domain via https to verify proper operation.
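
The server block above enables TLSv1 and TLSv1.1 alongside TLSv1.2. The following added example (not part of the original article) is a small shell check that reads an Nginx config on stdin and flags any ssl_protocols directive that enables a protocol older than TLS 1.2; the function name and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ssl_protocols directives that enable anything older than
# TLS 1.2. Reads an Nginx config on stdin; only handles directives that start
# their own line. Exit status 0 means every directive is TLS 1.2+ only.
audit_ssl_protocols() {
    awk '
        { sub(/#.*/, "") }                      # strip comments (re-splits fields)
        $1 == "ssl_protocols" {
            found = 1; legacy = ""; modern = 0
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)        # drop the trailing semicolon
                if (p == "TLSv1.2" || p == "TLSv1.3") modern = 1
                else if (p != "") legacy = (legacy == "" ? p : legacy "," p)
            }
            if (legacy != "")  { printf "%d: legacy %s\n", NR, legacy; bad = 1 }
            else if (!modern)  { printf "%d: no TLSv1.2+\n", NR; bad = 1 }
            else               { printf "%d: ok\n", NR }
        }
        END {
            if (!found) { print "0: no ssl_protocols directive"; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the protocol line as configured in the article.
article_conf='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # as in the article
}'

# Constructed sample: the same block restricted to TLS 1.2.
hardened_conf='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;                 # TLS 1.0 and 1.1 disabled
}'

printf '%s\n' "$article_conf"  | audit_ssl_protocols || echo "article config: legacy protocols enabled"
printf '%s\n' "$hardened_conf" | audit_ssl_protocols && echo "hardened config: TLS 1.2 only"
```

To check a deployed file, run `audit_ssl_protocols < /usr/local/nginx/conf/nginx.conf`.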

Upgrade to TLS 1.2

Check TLS Version

Visit the https URL; the lock icon in the address bar shows the TLS version.

If the version is below 1.2, an upgrade is required.

The following steps assume a CentOS Linux environment.

1) Check OpenSSL Version

openssl version -a

If the version is 1.0.2 or older, upgrade is needed.

2) Upgrade OpenSSL

Download the new version from the official site: https://www.openssl.org/source/

Example download location: /usr/local

cd /usr/local
tar zxvf openssl-1.0.2j.tar.gz
cd openssl-1.0.2j
./config --prefix=/usr/local/openssl
make && make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >>/etc/ld.so.conf
ldconfig -v

3) Verify OpenSSL Upgrade

openssl version -a

4) Recompile Nginx

After upgrading OpenSSL, Nginx must be recompiled to link against the new library.

The following shows a basic installation; adjust as needed for your requirements.

Required Software

openssl (already installed above)

pcre

Download PCRE: http://www.pcre.org/

Example download location: /usr/local

cd /usr/local
tar -zxv -f pcre-8.39.tar.gz
cd pcre-8.39
./configure --prefix=/usr/local/pcre/
make && make install

zlib

Download Zlib: http://www.zlib.net/

Example download location: /usr/local

cd /usr/local
tar -zxv -f zlib-1.2.10.tar.gz
cd zlib-1.2.10
./configure --prefix=/usr/local/zlib/
make && make install

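Compile Nginx

In the command below, replace 用户 (user) and 组 (group) with the account and group that the Nginx worker processes should run as.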

tar -zxvf nginx-1.10.2.tar.gz
cd nginx-1.10.2
./configure \
--user=用户 \
--group=组 \
--prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-openssl=/usr/local/openssl-1.0.2j \
--with-pcre=/usr/local/pcre-8.39 \
--with-zlib=/usr/local/zlib-1.2.10 \
--with-http_stub_status_module \
--with-threads

make && make install

After compilation, modify the configuration file to add the SSL information, then start Nginx and verify the TLS version via an https URL.

Summary

After completing these steps, the WeChat mini‑program can communicate with the backend securely.
