Getting started with Certificate Manager
By following these instructions, you'll create your first Let's Encrypt® certificate and use it to set up HTTPS access to your static website hosted in Yandex Object Storage.
Before you start
To get started with Certificate Manager, you need:
-
A folder in Yandex.Cloud. If you don't have a folder, create one:
-
Click Create folder in the Home page of the management console.
-
Enter the folder name.
- Length — from 3 to 63 characters.
- The name may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter. The last character can't be a hyphen.
-
Select Create a default network. A network is created with subnets in each availability zone.
-
Click Create.
-
-
A third level (or higher) domain that the Let's Encrypt® certificate is issued for.
Note
To pass the domain rights check, you must have control of the domain.
-
A public bucket in Object Storage with exactly the same name as the domain. If that bucket doesn't exist, create it:
Management console- In the management console, select the folder where you want to create a bucket.
- Select Object Storage.
- Click Create bucket.
- Enter exactly the same name for the bucket as the domain name.
- Selected the type of access Public.
- Select the default storage class.
- Click Create bucket to complete the operation.
-
Set up hosting in the bucket:
Management console- In the management console, select Object Storage.
- In the Buckets tab, click the bucket with the same name as the domain.
- In the left pane, select Website.
- Select Hosting and enter your website home page.
- Click Save to complete the operation.
-
Configure the alias for your bucket at your provider's DNS or on your own DNS server.
For instance, for the
www.example.comdomain, add the following record:www.example.com CNAME www.example.com.website.yandexcloud.net -
Install and configure the AWS CLI by following our instructions.
Create a request for a Let's Encrypt certificate
- Go to the management console.
- Select Certificate Manager.
- Click Add certificate.
- In the menu that opens, select Let's Encrypt certificate.
- In the window that opens, enter a name for the certificate.
- (Optional) Add a description for the certificate.
- In the Domains field, specify the domains you want to issue the certificate for.
- For the Check type of the domain rights check, select:
HTTP. - Click Create.
Passing the domain rights check
-
Create a file for the check:
- Go to the management console.
- Select Certificate Manager.
- Select a certificate with the
Validatingstatus in the list and click it. - Under Check rights for domains:
- Copy the link from the Link for hosting file field:
- The part of the link that looks like
http://example.ru/.well-known/acme-challenge/is the path to host the file at. - The second part of the link,
rG1Mm1bJ..., is the file name that you should use.
- The part of the link that looks like
- Copy the contents of the file from the Contents field.
- Copy the link from the Link for hosting file field:
-
Upload the created file to the bucket so that it's hosted in the directory
.well-known/acme-challenge:AWS CLIaws --endpoint-url=https://storage.yandexcloud.net \ s3 cp <file name> s3://<bucket name>/.well-known/acme-challenge/<file name> -
Wait until the certificate status changes to
Issued. -
Delete the file you created from the bucket:
AWS CLIaws --endpoint-url=https://storage.yandexcloud.net \ s3 rm s3://<bucket name>/.well-known/acme-challenge/<file name>
Warning
To renew a certificate, you have to perform certain actions. Keep track of the lifecycle of your certificates to renew them on time. For more information, see Renew a certificate.
Set up static website access over HTTPS
- Log in to the management console.
- Select Object Storage.
- In the Buckets tab, click the bucket with the same name as the domain.
- Go to the HTTPS tab.
- In the panel that opens on the right, click Configure.
- Under Source, select Certificate Manager.
- In the Certificate field, select the certificate from the list that opens.
- Click Save.