Help Center/ CloudTable Service/ User Guide/ Using ClickHouse/ Connecting to a ClickHouse Cluster/ Using HTTPS to Connect to a ClickHouse Secure Cluster
Updated on 2025-08-12 GMT+08:00
View PDF
Share

Using HTTPS to Connect to a ClickHouse Secure Cluster

HTTPS is a secure version of HTTP. It protects data transmission by adding an SSL/TLS encryption layer between HTTP and TCP. You can connect to a ClickHouse cluster using HTTPS.

Constraints

  • Disabling HTTPS will pose risks to enterprise services.
  • The HTTPS option is enabled during cluster creation and cannot be disabled later.
  • If the HTTPS option is not enabled during cluster creation, it cannot be enabled later.
  • The cluster restarts after the secure channels are enabled on the cluster details page.
  • The secure and non-secure channels cannot be disabled after being enabled concurrently.

Enabling the Secure Channel

  1. Log in to the CloudTable console.
  2. Select a region in the upper left corner.
  3. On the Cluster Management page, click Buy Cluster in the upper right corner. The Buy Cluster page is displayed.
  4. Check whether Security Channel is toggled on (default).

    Additionally, you can toggle Enable Secure and Non-secure Channels on the cluster details page post-creation. This enables both secure and non-secure channels.
    Figure 1 Secure channel

  5. Set the parameters and click Next.
  6. Confirm the cluster information and click Submit. After the cluster is created, go to its details page to view its security channel status.

Downloading the Security Certificate and Connecting to a ClickHouse Secure Cluster

  1. After a ClickHouse secure cluster is created, click the cluster name and click Details.
  2. On the cluster details page and click Download certificates on the right of Channel Status in the cluster information area.
  3. Use the SSH login tool to remotely log in to the Linux ECS through the EIP.

    For details, see Logging In to a Linux ECS Using an SSH Password in the Elastic Cloud Server User Guide.

  4. Customize the certificate path by updating the certificate storage path in the following configuration file. Save the file to the root directory.

    • <caConfig>/etc/ssl/certificate.crt</caConfig> indicates the path where certificates are stored.
    • The certificate can be downloaded only once per minute.
    <config>
    <secure>true</secure>
    <openSSL>
      <client>
        <caConfig>/etc/ssl/certificate.crt</caConfig>
      </client>
    </openSSL>
</config>

  5. Connect to the ClickHouse secure cluster.

    Run the curl command to connect to the cluster. 
    echo 'select 1' | curl -H 'X-ClickHouse-User: user' -H 'X-ClickHouse-Key: password' --cacert /clickhouse/client/client/bin/certificate.crt 'https://host:port/?' --data-binary @-
    Table 1 Parameter description

    Parameter

    Description

    select 1

    Executed SQL statement

    user

    Username for connecting to the cluster

    password

    Password created during cluster creation

    /clickhouse/client/client/bin/certificate.crt

    Path for storing the certificate

    host, port

    host indicates the private IP address, and port indicates the HTTPS port.