Adding a Let's Encrypt® certificate
You can use a certificate from Certificate Manager in the specified Yandex Cloud services only.
To add a new Let's Encrypt® certificate:
-
In the management console
, select the folder to add a certificate to. -
In the list of services, select Certificate Manager.
-
Click Add certificate.
-
In the menu that opens, select Let's Encrypt certificate.
-
In the window that opens, enter a name for your certificate in the Name field.
-
(Optional) In the Description field, enter a description for the certificate.
-
In the Domains field, list the domains to issue a certificate for.
Domain names may contain a mask, e.g.,
*.example.com
. If so, selectDNS
as the type of domain rights check. For more information, see Check rights for domain. -
Select the type of check for domain rights:
DNS
orHTTP
. -
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the command:
yc certificate-manager certificate request --help
-
Run this command:
yc certificate-manager certificate request \ --name mymanagedcert \ --domains example.com
Where:
--name
: Certificate name--domains
: Certificate domains
Result:
id: fpq6gvvm6piu******** folder_id: b1g7gvsi89m3******** created_at: "2020-09-15T08:49:11.533771Z" ... - example.com status: VALIDATING updated_at: "2020-09-15T08:49:11.533771Z"
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the Terraform configuration file, describe the parameters of the resource to create:
resource "yandex_cm_certificate" "le-certificate" { name = "<certificate_name>" domains = ["<domain>"] managed { challenge_type = "<type_of_check>" } }
Where:
domains
: List of domains to create a certificate for.challenge_type
: Type of domain rights check the domain owner should pass. The possible values include:DNS_CNAME
: Create a DNS record in CNAME format with the specified value. This method is recommended for automatic certificate renewal.DNS_TXT
: Create a DNS record in TXT format with the specified value.HTTP
: Place the specified value in the specified URL.
For more information about the
yandex_cm_certificate
resource parameters, see the Terraform provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
A certificate will then be created in the specified folder. You can check the new certificate and its configuration using the management console
yc certificate-manager certificate get <certificate_name>
To add a certificate, use the requestNew REST API method for the Certificate resource or the CertificateService/RequestNew gRPC API call.
The new certificate will appear in the certificate list with the Validating
status. This status means that a Let's Encrypt® certificate was requested and you need to pass a domain rights check for it to be successfully processed.
Note
For a successful DNS domain rights check based on a CNAME
record, make sure the _acme-challenge
subdomain of the domain name you are checking has no resource records created, except CNAME
. For example, for the _acme-challenge.example.com.
domain name there should only be a CNAME record and no TXT record.