Certificate from Let's Encrypt

You can use Certificate Manager to create Let's Encrypt certificates. Request a certificate and pass the domain rights check. After that, Certificate Manager will manage your certificate by working with Let's Encrypt on your behalf.

Let's Encrypt provides Domain Validation TLS certificates with a 90-day validity period. If you need Organization Validation or Extended Validation certificates, use a third-party certificate authority to get the certificate, and then upload it to Certificate Manager. For more information, see User certificate.

You can use a certificate created with Certificate Manager in the specified Yandex Cloud services only.

Get a certificateGet a certificate

1. Specify the list of domains you need to issue a certificate for.

2. Select the type of domain rights check: HTTP or DNS.

   When the request is created, the certificate status becomes Validating.

3. To issue a certificate, check the rights for the domains you specified in the previous step.

   Depending on the selected type of check, put the file on the web server or add a TXT or CNAME resource record with the appropriate value in the DNS service. To learn more about the types of checks and ways to pass them, see Checking rights for a domain.

   For a successful DNS domain rights check based on a CNAME record, make sure the _acme-challenge subdomain of the domain name you are checking has no resource records created, except CNAME. For example, for the _acme-challenge.example.com. domain name there should only be a CNAME record and no TXT record.

4. When the domain rights are checked, the certificate is issued and its status becomes Issued. You can use the certificate in services that are integrated with Certificate Manager.

Renew a certificateRenew a certificate

1. Certificate Manager initiates the certificate renewal procedure 30 days before it expires.

   After the renewal starts, the certificate status changes to Renewing.

2. Check the rights for the domains.

   Depending on the type of check you selected, update the file on the web server or update the TXT record in the DNS service to the new value. For more information, see Check rights for domain.

   Note

   If the certificate is used for a static website in Object Storage and doesn't contain masked domains,
   the rights can be checked automatically. For more information, see Checking rights automatically.

3. After you check the rights for the domains, the certificate renews and its status becomes Issued. All the resources that use the certificate will get its new version.

The certificate isn't renewed if the domain rights check fails for at least one domain. The certificate status changes to Renewal_failed. However, the certificate stays valid until it expires.
Some time after the failed renewal, a new attempt is made to update the certificate.

To avoid issues accessing resources that use the certificate with the Renewal_failed status:

1. Before the certificate expires, issue and add a new Let's Encrypt certificate.
2. Check the rights for the domains.
3. Use the new certificate in your resources.

See alsoSee also

• Check rights for domain
• Services integrated with Certificate Manager