Certificate from Let's Encrypt
You can use Certificate Manager to create Let's Encrypt certificates. Request a certificate and pass the domain rights check. After that, Certificate Manager will manage your certificate by working with Let's Encrypt on your behalf.
Let's Encrypt provides Domain Validation TLS certificates with a 90-day validity period. If you need Organization Validation or Extended Validation certificates, use a third-party certificate authority to get the certificate, and then upload it to Certificate Manager. For more information, see User certificate.
You can use a certificate created with Certificate Manager in the specified Yandex Cloud services only.
Get a certificate
- Specify the list of domains you need to issue a certificate for.
- Select the type of domain rights check: HTTP or DNS. When the request is created, the certificate status becomes Validating.
- To issue the certificate, pass the rights check for the domains you specified in the previous step. Depending on the selected type of check, put the file on the web server or add a TXT or CNAME resource record with the appropriate value in the DNS service. To learn more about the types of checks and ways to pass them, see Checking rights for a domain.

  For a successful DNS domain rights check based on a CNAME record, make sure the _acme-challenge subdomain of the domain name you are checking has no resource records other than the CNAME. For example, for the _acme-challenge.example.com. domain name there should be only a CNAME record and no TXT record. A CNAME cannot coexist with other records at the same name, so a stale TXT record left over from an earlier check will make the CNAME-based check fail.
- When the domain rights are checked, the certificate is issued and its status becomes Issued. You can use the certificate in services that are integrated with Certificate Manager.

Warning

If you fail to pass the domain rights check within a week, the certificate isn't issued and its status becomes Invalid.
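A pre-flight check for the CNAME variant of the DNS check, added here as an example and not part of the Certificate Manager documentation: it reads the answer section that `dig +noall +answer` prints and passes only if the `_acme-challenge` name itself carries a CNAME and no other record type (TXT records at the CNAME target are fine and are ignored). The function names, the example domains and the DNS answers used below are constructed for illustration.

```shell
#!/bin/sh
# Check a dig answer section for NAME: pass only if NAME has a CNAME and no other
# record types. Records whose owner is a different name (e.g. the TXT at the CNAME
# target) are ignored. stdin: output of `dig +noall +answer` in the usual
# "owner ttl class type rdata..." layout. Exit status 0 = ok, 1 = problem found.
check_challenge_records() {
  name=$1
  # dig prints fully qualified owner names with a trailing dot; normalise ours.
  case $name in *.) ;; *) name="$name." ;; esac
  awk -v owner="$name" '
    $1 == owner && $3 == "IN" && $4 == "CNAME" { cname++ }
    $1 == owner && $3 == "IN" && $4 != "CNAME" { other[$4]++ }
    END {
      if (cname == 0) { print "no CNAME record at " owner; exit 1 }
      for (t in other) { print "extra " t " record at " owner " (remove it)"; bad = 1 }
      if (bad) exit 1
      print "ok: only a CNAME record at " owner
    }'
}

# Live variant (needs network and dig): query both record types for the
# _acme-challenge name under DOMAIN and feed the answers to the check above.
# The CNAME query answers with the CNAME; the TXT query answers with the CNAME
# plus the TXT records at the target, so a TXT owned by the challenge name itself
# only shows up when it is really configured there.
check_challenge_live() {
  name="_acme-challenge.$1"
  {
    dig +noall +answer "$name" CNAME
    dig +noall +answer "$name" TXT
  } | check_challenge_records "$name"
}

# Constructed sample answers (not real DNS data) showing the two outcomes.
GOOD_ANSWER='_acme-challenge.example.com. 300 IN CNAME acme.example.net.
acme.example.net. 60 IN TXT "validation-token"'
STALE_ANSWER='_acme-challenge.example.com. 300 IN CNAME acme.example.net.
_acme-challenge.example.com. 300 IN TXT "token-from-an-earlier-check"'
```

Run `check_challenge_live example.com` before creating the certificate request; if it reports an extra record at the challenge name, delete that record and wait for the old TTL to pass before starting the check.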
Renew a certificate
Warning
To renew a certificate, follow the steps below. Keep track of the lifecycle of your certificates to renew them on time.
- Certificate Manager initiates the certificate renewal procedure 30 days before it expires. After the renewal starts, the certificate status changes to Renewing.
- Check the rights for the domains. Depending on the type of check you selected, update the file on the web server or update the TXT record in the DNS service to the new value. For more information, see Checking rights for a domain.

  Note

  If the certificate is used for a static website in Object Storage and doesn't contain masked domains, the rights can be checked automatically. For more information, see Checking rights automatically.
- After you check the rights for the domains, the certificate is renewed and its status becomes Issued. All the resources that use the certificate will get its new version.

The certificate isn't renewed if the domain rights check fails for at least one domain. The certificate status changes to Renewal_failed. However, the certificate stays valid until it expires. Some time after the failed renewal, a new attempt is made to update the certificate.

To avoid issues accessing resources that use a certificate with the Renewal_failed status:
- Before the certificate expires, issue and add a new Let's Encrypt certificate.
- Check the rights for the domains.
- Use the new certificate in your resources.
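One way to keep track of the certificate lifecycle, added here as an example rather than taken from the page: it reads the `notAfter=` line that `openssl x509 -noout -enddate` prints for the certificate a host actually serves, converts it to a Unix timestamp without depending on GNU `date`, and reports whether the certificate is inside the 30-day renewal window, so a Renewal_failed status is caught while there is still time to issue a replacement. The function names and the sample dates are constructed; the 30-day threshold is the one stated above.

```shell
#!/bin/sh
# Convert an openssl "notAfter=Mon DD HH:MM:SS YYYY GMT" line to a Unix timestamp.
# Done in awk (days-from-civil algorithm) so it works with any POSIX date/awk.
# Assumes years >= 1970, which holds for any certificate you can still be serving.
notafter_to_epoch() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    {
      sub(/^notAfter=/, "")          # fields become: Mon DD HH:MM:SS YYYY GMT
      mo = mon[$1]; d = $2; split($3, t, ":"); y = $4
      yy = y; if (mo <= 2) yy--      # shift the year so the leap day ends it
      era = int(yy / 400)
      yoe = yy - era * 400
      mp = (mo + 9) % 12             # March = 0 ... February = 11
      doy = int((153 * mp + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      days = era * 146097 + doe - 719468   # 719468 = days from 0000-03-01 to 1970-01-01
      print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Whole days until expiry for a notAfter line. $2 is the reference time as a Unix
# timestamp (defaults to now); negative means already expired.
days_until_expiry() {
  exp=$(notafter_to_epoch "$1")
  now=${2:-$(date +%s)}
  echo $(( (exp - now) / 86400 ))
}

# Classify: "expired", "renew" (inside the 30-day window in which Certificate Manager
# starts renewal; check the status is Renewing or Issued, not Renewal_failed) or "ok".
renewal_state() {
  days=$(days_until_expiry "$1" "${2:-}")
  if [ "$days" -lt 0 ]; then echo expired
  elif [ "$days" -le 30 ]; then echo renew
  else echo ok
  fi
}

# Fetch the leaf certificate a host serves and print its notAfter line
# (needs network and openssl). Use it as: renewal_state "$(served_not_after example.com)"
served_not_after() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate
}
```

Run it from cron against every hostname that uses the certificate: a "renew" result with a Renewal_failed status in Certificate Manager means the domain check for at least one domain needs fixing now, and an "expired" result means the resources are already serving an invalid certificate and the new one must be attached.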