Adding a Let's Encrypt® certificate
You can use a certificate from Certificate Manager in the specified Yandex Cloud services only.
Adding a new certificate
Management console
- In the management console, select the folder to add a certificate to.
- From the list of services, select Certificate Manager.
- Click Add certificate.
- In the menu that opens, select Let's Encrypt certificate.
- In the window that opens, enter a name for your certificate in the Name field.
- (Optional) In the Description field, enter a description for the certificate.
- In the Domains field, list the domains to issue a certificate for. Domain names may contain a mask, e.g., *.example.com. If so, select DNS as the type of domain rights check. For more information, see Check rights for domain.
- Select the type of domain rights check: DNS or HTTP.
- Click Create.
CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- View a description of the command:
  yc certificate-manager certificate request --help
- Run this command:
  yc certificate-manager certificate request \
    --name mymanagedcert \
    --domains example.com
  Where:
  --name: Certificate name
  --domains: Certificate domains
  Result:
  id: fpq6gvvm6piu********
  folder_id: b1g7gvsi89m3********
  created_at: "2020-09-15T08:49:11.533771Z"
  ...
  - example.com
  status: VALIDATING
  updated_at: "2020-09-15T08:49:11.533771Z"
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the Terraform configuration file, define the parameters of the resource you want to create:
  resource "yandex_cm_certificate" "le-certificate" {
    name    = "<certificate_name>"
    domains = ["<domain>"]
    managed {
      challenge_type = "<check_type>"
    }
  }
  Where:
  domains: List of domains you need to create a certificate for.
  challenge_type: Type of domain rights check the domain owner should pass. The possible values are:
    DNS_CNAME: Create a DNS record in CNAME format with the specified value. This method is recommended for automatic certificate renewal.
    DNS_TXT: Create a DNS record in TXT format with the specified value.
    HTTP: Place the specified value at the specified URL.
  For more information about the yandex_cm_certificate resource properties, see the Terraform provider documentation.
- Create the resources:
  - In the terminal, change to the folder where you edited the configuration file.
  - Make sure the configuration file is correct using the command:
    terraform validate
    If the configuration is correct, the following message is returned:
    Success! The configuration is valid.
  - Run the command:
    terraform plan
    The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
  - Apply the configuration changes:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
- A certificate will then be created in the specified folder. You can check the new certificate and its settings using the management console or this CLI command:
  yc certificate-manager certificate get <certificate_name>
API
To add a certificate, use the requestNew REST API method for the Certificate resource or the CertificateService/RequestNew gRPC API call.
A new certificate with the Validating status will appear in the certificate list. This status means that a request for a Let's Encrypt® certificate has been created. You need to get your domain rights confirmed for the request to be processed.
Note
For a successful DNS domain rights check based on a CNAME record, make sure the _acme-challenge subdomain of the domain name you are checking has no resource records other than the CNAME. For example, for the _acme-challenge.example.com. domain name, there should be only a CNAME record and no TXT record.
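The record-set condition from this note, turned into a pre-flight check. This is an added shell example and not part of the Yandex Cloud documentation or tooling; the check_acme_challenge function, the dig-style sample answers and the CNAME target validation-target.example.net are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud documentation): verify that
# _acme-challenge.<domain> carries exactly one CNAME record and nothing else,
# e.g. no leftover TXT record from an earlier DNS_TXT check, before starting a
# DNS_CNAME domain rights check.
#
# Usage: check_acme_challenge DOMAIN RECORDS
#   DOMAIN  - the domain being validated, e.g. example.com
#   RECORDS - answer lines in "dig +noall +answer" format:
#             <owner name> <ttl> IN <type> <rdata>
# Returns 0 (and prints OK) when the record set is clean, 1 otherwise.
check_acme_challenge() {
  domain=$1
  records=$2
  owner="_acme-challenge.${domain}."

  # Count records at the challenge label by type: in dig's answer format
  # field 1 is the owner name and field 4 the record type.
  cname_count=$(printf '%s\n' "$records" |
    awk -v n="$owner" '$1 == n && $4 == "CNAME" { c++ } END { print c + 0 }')
  other_count=$(printf '%s\n' "$records" |
    awk -v n="$owner" '$1 == n && $4 != "CNAME" { c++ } END { print c + 0 }')

  if [ "$cname_count" -eq 1 ] && [ "$other_count" -eq 0 ]; then
    echo "OK: $owner has a single CNAME record and no other records"
    return 0
  fi
  echo "FAIL: $owner has $cname_count CNAME and $other_count other record(s);" \
       "remove everything except the CNAME before the DNS_CNAME check" >&2
  return 1
}

# Constructed sample answers; the CNAME target is a placeholder, not a real
# validation host.
GOOD_ANSWER='_acme-challenge.example.com. 60 IN CNAME validation-target.example.net.
example.com. 300 IN A 203.0.113.10'

# Constructed failure case: a stale TXT record from a previous DNS_TXT check
# still coexists with the CNAME.
BAD_ANSWER='_acme-challenge.example.com. 60 IN CNAME validation-target.example.net.
_acme-challenge.example.com. 60 IN TXT "stale-token-from-old-check"'

# Demo on the constructed answers; live dig output is passed the same way.
check_acme_challenge example.com "$GOOD_ANSWER" || true
check_acme_challenge example.com "$BAD_ANSWER"  || true
```

Against a live zone, feed the function the output of separate CNAME and TXT queries, for example check_acme_challenge example.com "$(dig +noall +answer _acme-challenge.example.com CNAME; dig +noall +answer _acme-challenge.example.com TXT)"; querying the two types separately avoids resolvers that refuse ANY queries, and a TXT answer that belongs to the CNAME target rather than to _acme-challenge itself is ignored because its owner name differs.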
Viewing certificate issue status
You can view the certificate issue status and possible issue errors in the management console:
- Select Certificate Manager.
- Select the certificate from the list.
  The certificate's current issue stage will be shown next to the Validation field.
- To view the stage description and outcome, click Show logs.
For more information about certificate issue stages, see Let's Encrypt certificate.