Getting started with Certificate Manager

By following these instructions, you'll create your first Let's Encrypt^® certificate and use it to set up HTTPS access to your static website hosted in Yandex Object Storage.

Before you start

To get started with Certificate Manager, you need:

1. A folder in Yandex Cloud. If you don't have a folder, create one:

   1. Click Create folder on the cloud page.

   2. Enter the folder name. Naming requirements:

      • The length can be from 3 to 63 characters.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter. The last character can't be a hyphen.

   3. (Optional) Enter a description of the folder.

   4. Select the Create a default network option. A network is created with subnets in each availability zone. A default security group, where all network traffic is allowed inside, will also be created in this network.

   5. Click Create.

2. A third level (or higher) domain that the Let's Encrypt^® certificate is issued for.

   Note

   To pass the domain rights check, you must have control of the domain.

3. A public bucket in Object Storage with exactly the same name as the domain. If that bucket doesn't exist, create it:

   Management console

   1. In the management console, select the folder where you want to create a bucket.
   2. Select Object Storage.
   3. Click Create bucket.
   4. Enter exactly the same name for the bucket as the domain name.
   5. Selected the type of access Public.
   6. Select the default storage class.
   7. Click Create bucket to complete the operation.

4. Set up hosting in the bucket:

   Management console

   1. In the management console, select Object Storage.
   2. In the Buckets tab, click the bucket with the same name as the domain.
   3. In the left pane, select Website.
   4. Select Hosting and enter your website home page.
   5. Click Save to complete the operation.

5. Configure the alias for your bucket at your provider's DNS or on your own DNS server.

   For instance, for the www.example.com domain, add the following record:

   www.example.com CNAME www.example.com.website.yandexcloud.net
   

6. Install and configure the AWS CLI by following our instructions.

Create a request for a Let's Encrypt certificate

Passing the domain rights check

1. Create a file for the check:

   1. Go to the management console.
   2. Select Certificate Manager.
   3. Select a certificate with the Validating status in the list and click it.
   4. Under Check rights for domains:
      1. Copy the link from the Link for hosting file field:
         • The part of the link that looks like http://example.com/.well-known/acme-challenge/ is the path to host the file at.
         • The second part of the link, rG1Mm1bJ..., is the file name that you should use.
      2. Copy the contents of the file from the Contents field.

2. Upload the created file to the bucket so that it's hosted in the directory .well-known/acme-challenge:

   AWS CLI

   aws --endpoint-url=https://storage.yandexcloud.net \ 
      s3 cp <file name> s3://<bucket name>/.well-known/acme-challenge/<file name>
   

3. Wait until the certificate status changes to Issued.

4. Delete the file you created from the bucket:

   AWS CLI

   aws --endpoint-url=https://storage.yandexcloud.net \ 
      s3 rm s3://<bucket name>/.well-known/acme-challenge/<file name>
   

Set up static website access over HTTPS

See also

• Let's Encrypt^® certificate
• Check rights for domain
• Set up HTTPS in a bucket