Contact UsGet started

Getting started with Certificate Manager

Written by
Updated at October 31, 2024

By following this guide, you will add your first Let's Encrypt certificate to Certificate Manager and use it to set up HTTPS access to a static website hosted in Yandex Object Storage.

Getting started

To get started with Certificate Manager, you need:

  1. Folder in Yandex Cloud. If there is no folder yet, create one:

    1. In the management console, select the appropriate cloud in the list on the left.

    2. At the top right, click Create folder.

    3. Enter the folder name. The naming requirements are as follows:

      • The name must be from 3 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter and the last character cannot be a hyphen.

    4. (Optional) Enter a description of the folder.

    5. Select Create a default network. This will create a network with subnets in each availability zone. Within this network, a default security group will be created, inside which all network traffic is allowed.

    6. Click Create.

  2. Third-level (or higher) domain that the Let's Encrypt certificate is issued for.

    Note

    To pass the domain rights check, you must have the management access to the domain.

  3. Public bucket in Object Storage with exactly the same name as the domain. If you do not have a bucket yet, create one:

    1. In the management console, select the folder you want to create a bucket in.
    2. Select Object Storage.
    3. Click Create bucket.
    4. Enter exactly the same name for the bucket as the domain name.
    5. Select the Public access type.
    6. Select the default storage class.
    7. Click Create bucket to complete the operation.

  4. Set up hosting in your bucket:

    1. In the management console, select Object Storage.
    2. In the Buckets tab, click the bucket with the same name as the domain.
    3. In the left-hand panel, select Settings.
    4. Open the Website tab.
    5. Select Hosting and specify the website's homepage.
    6. Click Save to complete the operation.

  5. Set up an alias for the bucket through your DNS provider or on your own DNS server.

    For instance, for the www.example.com domain, add the following record:

    www.example.com CNAME www.example.com.website.yandexcloud.net

  6. Install and configure the AWS CLI by following this guide.

Create a request for a Let's Encrypt certificate

  1. Go to the management console.
  2. Select Certificate Manager.
  3. Click Add certificate.
  4. In the menu that opens, select Let's Encrypt certificate.
  5. In the window that opens, enter a name for the certificate.
  6. (Optional) Add a description for the certificate.
  7. In the Domains field, specify the domains you want to issue the certificate for.
  8. Select the rights check type for the HTTP domain.
  9. Click Create.

Passing the domain rights check

Creating a check file

  1. In the management console, select Certificate Manager.
  2. Select a certificate with the Validating status in the list and click it.
  3. Under Check rights for domains:
    1. Copy the URL from the Link for hosting file field:
      • The http://example.com/.well-known/acme-challenge/ part of the link is the file path.
      • The second part, rG1Mm1bJ..., is the file name you should use.
    2. Copy the Contents field to the file.

Uploading the file and performing the check

  1. In the management console, select Object Storage.
  2. In the Buckets tab, click the bucket with the same name as the domain.
  3. At the top right, click Create folder and create a directory named .well-known.
  4. Under .well-known, create the acme-challenge directory.
  5. In acme-challenge, click Upload.
  6. In the window that opens, select the file with a record and click Open.
  7. Click Upload.
  8. Wait until the certificate status switches to Issued.
  9. Go to acme-challenge.
  10. Click to the right of the file and select Delete.
  11. Confirm the deletion.

  1. Upload your file to the bucket so that it resides in the .well-known/acme-challenge subdirectory:

    aws --endpoint-url=https://storage.yandexcloud.net \
  s3 cp <file_name> s3://<bucket_name>/.well-known/acme-challenge/<file_name>

  2. Wait until the certificate status switches to Issued.

  3. Delete the file you created from the bucket:

    aws --endpoint-url=https://storage.yandexcloud.net \
   s3 rm s3://<bucket_name>/.well-known/acme-challenge/<file_name>

Warning

To renew a certificate, you have to perform certain actions. Keep track of the lifecycle of your certificates to renew them on time. For more information, see Renew a certificate.

Set up static website access over HTTPS

  1. Log in to the management console.
  2. Select Object Storage.
  3. In the Buckets tab, click the bucket with the same name as the domain.
  4. In the left-hand panel, select Security.
  5. Go to the HTTPS tab.
  6. Click Configure at the top right.
  7. In the Source field, select Certificate Manager.
  8. In the Certificate field, select the certificate from the list that opens.
  9. Click Save.

See also

Next
All guides