Checking rights for a domain
To get and renew a Let's Encrypt certificate, check the rights for each domain specified in the certificate. You can use two types of checks in Certificate Manager: HTTP and DNS. When you create a certificate, you can choose any type of check. Checking rights for domains may take a long time.
Note
You only need to check domain rights for Let's Encrypt certificates. Certificate Manager does not check domain rights for imported user certificates.
Certificate Manager waits for each domain from the certificate to pass the check (all checks have the Valid status). After that, Let's Encrypt will issue a certificate. Then the certificate changes its status to Issued and you can use it in services integrated with Certificate Manager.
If the check is not passed within one week, the certificate status becomes Invalid (if you are obtaining the certificate) or Renewal_failed (if you are renewing the certificate). To obtain a certificate after that, request another certificate from Let's Encrypt.
Certificate challenge statuses
Certificate checks can have the following statuses:
Pending: Waiting to complete. Certificate Manager determines whether the check is complete.Validating: Pending approval from Let's Encrypt.Valid: Complete.Invalid: The rights check for a specific domain failed or the one-week period allocated for the procedure expired.Renewal_failed: The rights check performed when renewing a certificate failed or the one-week period allocated for the procedure expired.Issued: Certificate issued.
HTTP
Note
You cannot use the HTTP check type for Wildcard certificates.
To check the rights for the example.com domain:
-
In the management console, select the folder where you added the certificate.
-
In the list of services, select Certificate Manager and click the name of the certificate you need.
-
Prepare a file that will allow the Let's Encrypt certificate authority (CA) to verify your ownership of the domain specified in the certificate:
-
Use your hosting control panel to create a file on the server with the name and path matching the value of the Link for hosting file field under HTTP record. For example:
/.well-known/acme-challenge/: File path.di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1B********: File name.
-
Insert into the file you created the value of the Contents field from HTTP record. For example:
di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1BLW0QUDbE._TYLpfPMbwHQZ1aEmsdpidY5bPUnVyDvqSO********
As a result, a file named
http://example.com/.well-known/acme-challenge/di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1B********containing the textdi2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1BLW0QUDbE._TYLpfPMbwHQZ1aEmsdpidY5bPUnVyDvqSO********should appear on your web server. -
-
Wait for the Let's Encrypt CA to issue a certificate and its status to change to
Issued. -
Delete the file created for certificate verification from your web server.
DNS
If you do not have access to the web server or you need to get a Wildcard certificate with masks for subdomains in *.example.com format, use the DNS check type.
To pass the check, you need to add a special DNS record of one of the following two types: TXT or CNAME.
Alert
Add only one record. If you add both records, the caching servers will come into conflict.
When using a TXT record, you will have to pass the check every 60 days as part of the automatic certificate renewal.
Using a CNAME record enables you to undergo a check only once. To do this, you need to delegate to Certificate Manager the right to respond in the domain's DNS zone used for the check. This will pass the check.
Adding a CNAME record
To automatically check the rights for the example.com domain:
-
In the management console, select the folder where you added the certificate.
-
In the list of services, select Certificate Manager.
-
In the certificate list, select the certificate to check.
-
Further steps to follow will depend on whether your domain is managed by Yandex Cloud DNS or a third-party DNS provider.
Yandex Cloud DNSThird-party DNS providerUnder Check rights for domains, in the section with the
CNAMErecord type, click Create record in the Cloud DNS field. In the window that opens:- If the current folder contains an appropriate DNS zone, it will be automatically inserted into the Zone field. If there is no appropriate DNS zone, click Create zone and set its parameters to create a new zone.
- Click Create.
-
Under Check rights for domains, in the section with the
CNAMErecord type, check out the record value for the domain in the Value field. -
Add a
CNAMErecord to your DNS provider or to your own DNS server to delegate management privileges to the DNS zone used for the check:_acme-challenge.example.com CNAME <value>The
<value>string is created using the template:<certificate_ID>.cm.yandexcloud.net.For a successful DNS domain rights check based on a
CNAMErecord, make sure the_acme-challengesubdomain of the domain name you are checking has no resource records created, exceptCNAME. For example, for the_acme-challenge.example.com.domain name there should only be a CNAME record and no TXT record.
Note
Checking rights for domains may take from a few hours to a few days.
Adding a TXT record
To check the rights for the example.com domain:
-
In the management console, select the folder where you added the certificate.
-
In the list of services, select Certificate Manager.
-
In the certificate list, select the certificate to check.
-
Further steps to follow will depend on whether your domain is managed by Yandex Cloud DNS or a third-party DNS provider.
Yandex Cloud DNSThird-party DNS providerUnder Check rights for domains, in the section with the
TXTrecord type, click Create record in the Cloud DNS field. In the window that opens:- If the current folder contains an appropriate DNS zone, it will be automatically inserted into the Zone field. If there is no appropriate DNS zone, click Create zone and set its parameters to create a new zone.
- Click Create.
-
Under Check rights for domains, in the section with the
TXTrecord type, check out the record value for the domain in the Value field. -
Add a
TXTrecord to your DNS provider or to your own DNS server:_acme-challenge.example.com. IN TXT <value>
Note
Checking rights for domains may take from a few hours to a few days.
-
After the certificate status changes to
Issued, delete theTXTrecord you added from the DNS server.
Validating rights automatically
In some cases, the domain rights check requires no user input.
CNAME record applicable to a zone
A check is performed automatically if the following conditions are met:
-
The certificate status is
Renewing: it is being renewed. -
A DNS record is configured for each certificate domain:
_acme-challenge.example.com CNAME <certificate_ID>.cm.yandexcloud.net.
Redirecting a static website Object Storage
A check is performed automatically if the following conditions are met:
- The certificate status is
Renewing: it is being renewed. - The certificate is used in the HTTPS configuration of a static website in Object Storage.
- For each certificate domain, the following is configured:
- The certificate is not a Wildcard certificate: it does not contain masks for subdomains.
Redirecting to a validation server on a web server
A check is performed automatically if the following conditions are met:
- The certificate status is
Renewing: it is being renewed. - The certificate is not a Wildcard certificate: it does not contain masks for subdomains.
- For each certificate domain in the web server, a redirect is configured from
to
http://<domain>/.well-known/acme-challenge/*This endpoint is only available over IPv6.https://validation.certificate-manager.api.cloud.yandex.net/<certificate_ID>/*
Example of setting up a redirect in the nginx configuration:
server {
location ~ ^/.well-known/acme-challenge/([a-zA-Z0-9-_]+)$ {
return 301 https://validation.certificate-manager.api.cloud.yandex.net/<certificate_ID>/$1;
}
}