Getting started with Certificate Manager
By following this guide, you will add your first Let's Encrypt certificate to Certificate Manager and use it to set up HTTPS access to a static website hosted in Yandex Object Storage.
Getting started
To get started with Certificate Manager, you need:
-
Folder in Yandex Cloud. If there is no folder yet, create one:
-
In the management console
, select the appropriate cloud from the list on the left. -
At the top right, click Create folder.
-
Enter the folder name. The naming requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
-
(Optional) Enter a description of the folder.
-
Select Create a default network. This will create a network with subnets in each availability zone. Within this network, a default security group will be created, inside which all network traffic is allowed.
-
Click Create.
-
-
Third-level (or higher) domain that the Let's Encrypt certificate is issued for.
Note
To pass the domain rights check, you must have the management access to the domain.
-
Public bucket in Object Storage with exactly the same name as the domain. If you do not have a bucket yet, create one:
Management console- In the management console
, select the folder you want to create a bucket in. - Select Object Storage.
- Click Create bucket.
- Enter exactly the same name for the bucket as the domain name.
- Select the
Public
access type. - Select the default storage class.
- Click Create bucket to complete the operation.
- In the management console
-
Set up hosting in your bucket:
Management console- In the management console
, select Object Storage. - In the Buckets tab, click the bucket with the same name as the domain.
- In the left-hand panel, select Settings.
- Open the Website tab.
- Select
Hosting
and specify the website's homepage. - Click Save to complete the operation.
- In the management console
-
Set up an alias for the bucket through your DNS provider or on your own DNS server.
For instance, for the
www.example.com
domain, add the following record:www.example.com CNAME www.example.com.website.yandexcloud.net
-
Install and configure the AWS CLI by following this guide.
Create a request for a Let's Encrypt certificate
- Go to the management console
. - Select Certificate Manager.
- Click Add certificate.
- In the menu that opens, select Let's Encrypt certificate.
- In the window that opens, enter a name for the certificate.
- (Optional) Add a description for the certificate.
- In the Domains field, specify the domains you want to issue the certificate for.
- Select the rights check type for the
HTTP
domain. - Click Create.
Passing the domain rights check
Creating a check file
- In the management console
, select Certificate Manager. - Select a certificate with the
Validating
status in the list and click it. - Under Check rights for domains:
- Copy the URL from the Link for hosting file field:
- The
http://example.com/.well-known/acme-challenge/
part of the link is the file path. - The second part,
rG1Mm1bJ...
, is the file name you should use.
- The
- Copy the Contents field to the file.
- Copy the URL from the Link for hosting file field:
Uploading the file and performing the check
- In the management console
, select Object Storage. - In the Buckets tab, click the bucket with the same name as the domain.
- At the top right, click Create folder and create a directory named
.well-known
. - Under
.well-known
, create theacme-challenge
directory. - In
acme-challenge
, click Upload. - In the window that opens, select the file with a record and click Open.
- Click Upload.
- Wait until the certificate status switches to
Issued
. - Go to
acme-challenge
. - Click
to the right of the file and select Delete. - Confirm the deletion.
-
Upload your file to the bucket so that it resides in the
.well-known/acme-challenge
subdirectory:aws --endpoint-url=https://storage.yandexcloud.net \ s3 cp <file_name> s3://<bucket_name>/.well-known/acme-challenge/<file_name>
-
Wait until the certificate status switches to
Issued
. -
Delete the file you created from the bucket:
aws --endpoint-url=https://storage.yandexcloud.net \ s3 rm s3://<bucket_name>/.well-known/acme-challenge/<file_name>
Warning
To renew a certificate, you have to perform certain actions. Keep track of the lifecycle of your certificates to renew them on time. For more information, see Renew a certificate.
Set up static website access over HTTPS
- Log in to the management console
. - Select Object Storage.
- In the Buckets tab, click the bucket with the same name as the domain.
- In the left-hand panel, select Security.
- Go to the HTTPS tab.
- Click Configure at the top right.
- In the Source field, select
Certificate Manager
. - In the Certificate field, select the certificate from the list that opens.
- Click Save.