Check rights for domain
To get and renew a Let's Encrypt® certificate, check the rights for each domain specified in the certificate. You can use two types of checks in Certificate Manager: HTTP and DNS. When you create a certificate, you can choose any type of check. Checking rights for domains may take a long time.
Note
You only need to check rights for domains for Let's Encrypt certificates. Certificate Manager doesn't check domain rights for imported user certificates.
Certificate Manager waits for challenges to complete for each domain in a certificate (all checks have the Valid status). After that, Let's Encrypt issues the certificate. Then the certificate changes its status to Issued and you can use it in services integrated with Certificate Manager.
If the check is not passed within one week, the certificate status becomes Invalid (if you are obtaining the certificate) or Renewal_failed (if you are renewing the certificate). To obtain a certificate after that, request another certificate from Let's Encrypt.
Certificate challenge statuses
Certificate checks can have the following statuses:
- Pending: The check is waiting to be completed. Certificate Manager determines whether the check is complete.
- Processing: The check is awaiting approval from Let's Encrypt.
- Valid: The check is complete.
- Invalid: The rights check for a specific domain failed or the one-week period allocated for the check expired.
HTTP
Note
You can't use the HTTP check type for Wildcard certificates.
To check the rights for the example.com domain:
- Create a file with the name and contents specified under Check rights for domains on the certificate details page:
  - Copy the link from the Link for hosting file field.
  - The part of the link like http://example.com/.well-known/acme-challenge/ is the path to host your file at.
  - The second part of the link, rG1Mm1bJ..., is the file name that you should use.
- Put the file on the web server to make it available at the path: http://<domain name>/.well-known/acme-challenge/<file name>
- After the certificate status changes to Issued, delete the file hosted on the web server.
DNS
If you don't have access to the web server or you need to get a Wildcard certificate with masks for subdomains like *.example.com, use DNS as the challenge type.
To pass the check, you need to add a special DNS record of one of the following two types: TXT or CNAME.
When using a TXT record, you will have to pass the check every 60 days as part of the automatic certificate renewal.
Using a CNAME record means you pass the check only once. To do this, delegate to Certificate Manager the right to respond for the name used for the check in the domain's DNS zone; Certificate Manager then passes the check on your behalf.
Note
Please note that you only need one of the above records. Adding both records can result in caching server conflicts.
Adding a CNAME record
To check the rights for the example.com domain automatically:
- In the management console, select the folder where the certificate was created.
- In the list of services, select Certificate Manager.
- In the certificate list, select the certificate that is involved in the check.
- Under Check rights for domains, look at the value for the domain in the Value field.
- Have your DNS provider or your own DNS server host a CNAME record to delegate management privileges to the DNS zone used for the check:
  _acme-challenge.example.com CNAME <Value>
The <Value> string is created using the following template: <Certificate ID>.cm.yandexcloud.net.
Adding a TXT record
To check the rights for the example.com domain:
- In the management console, select the folder where the certificate was created.
- In the list of services, select Certificate Manager.
- In the certificate list, select the certificate that is involved in the check.
- Under Check rights for domains, look at the value for the domain in the Value field.
- With your DNS provider or on your own DNS server, host a TXT record:
  _acme-challenge.example.com. IN TXT <Value>
- After the certificate status changes to Issued, delete the TXT record you added from the DNS server.
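Before waiting up to a week for an Invalid status, it is worth checking the _acme-challenge records for the mistakes this section warns about (both record types on one name, a CNAME target that does not follow the template, a missing trailing dot). The following pre-flight check is an added example, not Yandex Cloud's code; the zone lines and the certificate ID are constructed placeholders.

```python
# Target template from the page: <Certificate ID>.cm.yandexcloud.net. (note the trailing dot)
CM_CNAME_SUFFIX = ".cm.yandexcloud.net."
CERT_ID = "cert-id-placeholder"  # placeholder; use the real certificate ID

# Constructed zone-file lines (not from a real zone): one correct CNAME delegation,
# one owner that wrongly carries both TXT and CNAME, one CNAME missing its trailing dot.
SAMPLE_ZONE = """
_acme-challenge.example.com.      300 IN CNAME cert-id-placeholder.cm.yandexcloud.net.
_acme-challenge.shop.example.com.     IN TXT   "constructed-txt-value"
_acme-challenge.shop.example.com.     IN CNAME cert-id-placeholder.cm.yandexcloud.net.
_acme-challenge.bad.example.com.      IN CNAME cert-id-placeholder.cm.yandexcloud.net
"""

def parse_challenge_records(zone_text):
    """Collect {owner: [(type, rdata), ...]} for _acme-challenge owners only."""
    records = {}
    for line in zone_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].startswith("_acme-challenge."):
            continue
        if tokens[1].isdigit():          # optional TTL field
            del tokens[1]
        owner, _cls, rtype = tokens[:3]
        records.setdefault(owner, []).append((rtype.upper(), " ".join(tokens[3:])))
    return records

def check_domain(domain, records, cert_id=CERT_ID):
    """Return a list of problems for one domain; an empty list means it looks right."""
    rrs = records.get(f"_acme-challenge.{domain}.", [])
    types = {rtype for rtype, _ in rrs}
    problems = []
    if not rrs:
        problems.append("no _acme-challenge record")
    # A CNAME owner may not carry other records (RFC 1034); this is the
    # conflict the note about adding both records warns about.
    if "CNAME" in types and len(types) > 1:
        problems.append("CNAME and TXT both present; keep only one")
    for rtype, rdata in rrs:
        if rtype == "CNAME" and rdata != f"{cert_id}{CM_CNAME_SUFFIX}":
            problems.append(f"CNAME target {rdata!r} does not match template")
    return problems

if __name__ == "__main__":
    recs = parse_challenge_records(SAMPLE_ZONE)
    for d in ("example.com", "shop.example.com", "bad.example.com", "missing.example.com"):
        print(d, check_domain(d, recs) or "OK")
```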
Validating rights automatically
In some cases, domain rights checks require no interaction from the user.
CNAME record applicable to a zone
A check is performed automatically if the following conditions are met:
- The certificate status is Renewing: it is being renewed.
- A DNS record is configured for each certificate domain:
  _acme-challenge.example.com CNAME <certificate ID>.cm.yandexcloud.net.
Redirecting a static Object Storage site
A check is performed automatically if the following conditions are met:
- The certificate status is Renewing: it is being renewed.
- The certificate is used in the HTTPS configuration of a static website in Object Storage.
- For each certificate domain, the following is configured:
- The certificate is not a Wildcard certificate: it doesn't contain masks for subdomains.
Redirecting to a validation server on a web server
A check is performed automatically if the following conditions are met:
- The certificate status is Renewing: it is being renewed.
- The certificate is not a Wildcard certificate: it doesn't contain masks for subdomains.
- For each certificate domain in the web server, a redirect is configured from http://<Domain>/.well-known/acme-challenge/* to https://validation.certificate-manager.api.cloud.yandex.net/<Certificate ID>/*
Example of setting up a redirect in the nginx configuration:
server {
    # Forward every ACME challenge request to the Certificate Manager validation server,
    # keeping the challenge token ($1) in the redirect target.
    location ~ ^/.well-known/acme-challenge/([a-zA-Z0-9-_]+)$ {
        return 301 https://validation.certificate-manager.api.cloud.yandex.net/<certificate ID>/$1;
    }
}
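To confirm that a deployed redirect really meets the conditions above (https, the validation host, and the certificate ID plus the untouched token in the path), the following checker evaluates captured responses. It is an added example, not Yandex Cloud's code; the certificate ID and the responses below are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

VALIDATION_HOST = "validation.certificate-manager.api.cloud.yandex.net"
CERT_ID = "cert-id-placeholder"  # placeholder; use the real certificate ID
# Same token pattern as the nginx location above.
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/([a-zA-Z0-9_-]+)$")

def check_redirect(request_path, status, location, cert_id=CERT_ID):
    """Return None if the redirect is correct, otherwise a short reason."""
    m = TOKEN_RE.match(request_path)
    if not m:
        return "request path is not an ACME challenge path"
    token = m.group(1)
    if status not in (301, 302, 307, 308):
        return f"expected a redirect status, got {status}"
    if not location:
        return "redirect without Location header"
    u = urlsplit(location)
    if u.scheme != "https":
        return "redirect must use https"
    if u.netloc != VALIDATION_HOST:
        return f"redirect host {u.netloc!r} is not the validation server"
    if u.path != f"/{cert_id}/{token}":
        return f"redirect path {u.path!r} does not preserve certificate ID and token"
    return None

# Constructed responses (request path, status, Location), as you would see with curl -I.
SAMPLES = [
    ("/.well-known/acme-challenge/rG1Mm1bJtoken", 301,
     f"https://{VALIDATION_HOST}/{CERT_ID}/rG1Mm1bJtoken"),            # correct
    ("/.well-known/acme-challenge/rG1Mm1bJtoken", 301,
     f"http://{VALIDATION_HOST}/{CERT_ID}/rG1Mm1bJtoken"),             # plain http
    ("/.well-known/acme-challenge/rG1Mm1bJtoken", 200, None),          # served locally, no redirect
    ("/.well-known/acme-challenge/rG1Mm1bJtoken", 301,
     f"https://{VALIDATION_HOST}/{CERT_ID}/"),                         # token dropped
]

def run_samples():
    """Evaluate every constructed sample; None means the redirect is correct."""
    return [check_redirect(path, status, loc) for path, status, loc in SAMPLES]

if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[2], "->", verdict or "OK")
```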