[Yandex Cloud documentation](../../index.md) > [Yandex Certificate Manager](../index.md) > [Concepts](index.md) > Domain rights check

# Domain ownership verification

To get and renew a Let's Encrypt certificate, verify ownership for each domain specified in the certificate. In Certificate Manager, there are two types of checks available: `HTTP` and `DNS`. When you create a certificate, you can choose any type of check. Domain ownership verification may take a while.

{% note info %}

You only need to verify domain ownership for Let's Encrypt certificates. Certificate Manager does not check domain ownership for imported user certificates.

{% endnote %}

Certificate Manager waits for each domain from the certificate to pass the check (all checks have the `Valid` status). After that, Let's Encrypt will issue a certificate. Then the certificate changes its status to `Issued` and you can use it in services integrated with Certificate Manager.

If you fail to pass the check within one week, the certificate status will become `Invalid` (if you are obtaining the certificate) or `Renewal_failed` (if you are renewing the certificate). To obtain a certificate after that, request another certificate from Let's Encrypt.

## Certificate challenge statuses {#status}

Certificate checks can have the following statuses:
* `Pending`: Awaiting completion. Certificate Manager determines whether the check is complete.
* `Validating`: Pending approval from Let's Encrypt.
* `Valid`: Complete.
* `Invalid`: Checking the rights for a specific domain failed or the one-week period allocated for the procedure expired.
* `Renewal_failed`: Checking the rights upon certificate renewal failed or the one-week period allocated for the procedure expired.
* `Issued`: Certificate is issued.

## HTTP {#http}

{% note info %}

You cannot use the `HTTP` check type for [Wildcard certificates](https://en.wikipedia.org/wiki/Wildcard_certificate).

{% endnote %}

To check the rights for the `example.com` domain:

1. In the [management console](https://console.yandex.cloud), select the folder you added the certificate to.
1. Navigate to **Certificate Manager** and click the certificate name.
1. Prepare a file that will allow the Let's Encrypt certificate authority (CA) to verify your ownership of the domain specified in the certificate:

    1. Use your hosting control panel to create a file on the server with the name and path matching the **Link for hosting file** field value under **Check rights for domains**. For example:

        * `/.well-known/acme-challenge/`: Path to the file.
        * `di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1B********`: File name.

    1. Add the **Contents** field value from the **Check rights for domains** section into the file you created. For example:

        > di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1BLW0QUDbE._TYLpfPMbwHQZ1aEmsdpidY5bPUnVyDvqSO********

    As a result, on your web server, you should have a file named `http://example.com/.well-known/acme-challenge/di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1B********` with this text inside it: `di2o3VRsbS6H_eUntKnW3Xcefw_1DOSpZ1BLW0QUDbE._TYLpfPMbwHQZ1aEmsdpidY5bPUnVyDvqSO********`.

1. Wait for the Let's Encrypt CA to issue a certificate and its status to change to `Issued`.
1. Delete the file created for certificate verification from your web server.

## DNS {#dns}

If you do not have access to the web server or you need to get a [Wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate) with masks for subdomains in `*.example.com` format, use the `DNS` check type.

To pass the check, you need to add a special DNS record of one of the following two types: `TXT` or `CNAME`.

{% note alert %}

Add only one record. If you add both records, the caching servers will come into conflict.

{% endnote %}

When using a TXT record, you will have to pass the check every 60 days as part of the automatic certificate renewal.

Using a CNAME record enables you to undergo a check only once. To do this, you need to delegate to Certificate Manager the right to respond in the domain's DNS zone used for the check. This will pass the check.

### Adding a CNAME record {#cname}

To automatically check the rights for the `example.com` domain:
1. In the [management console](https://console.yandex.cloud), select the folder you added the certificate to.
1. Navigate to **Certificate Manager**.
1. In the certificate list, select the certificate to check.
1. Further steps to follow will depend on whether your domain is managed by Yandex Cloud DNS or a third-party DNS provider.

    {% list tabs group=instructions %}
    
    - Yandex Cloud DNS {#dns}
    
      Under **Check rights for domains**, in the `CNAME` record section, click **Create record**. In the window that opens:
    
      1. If the current folder contains an appropriate DNS zone, it will be automatically inserted into the **Zone** field. If there is no such DNS zone, click **Create zone** and set its parameters to [create](../../dns/operations/zone-create-public.md) a new zone.
      1. Click **Create**.
    
    - Third-party DNS provider {#third-party-dns-server}
    
      1. Under **Check rights for domains**, in the `CNAME` record section, check the record value for the domain in the **Value** field.
      1. Add a `CNAME` record to your DNS provider or to your own DNS server to delegate management privileges to the DNS zone used for the check:
    
          ```
          _acme-challenge.example.com CNAME <value>
          ```
          The `<value>` string is formatted as follows: `<certificate_ID>.cm.yandexcloud.net.`
    
    {% endlist %}
    
    {% note info %}
    
    For a successful DNS domain rights check based on a `CNAME` record, make sure the `_acme-challenge` subdomain of the domain name you are checking has no other [resource records](../../dns/concepts/resource-record.md) except `CNAME`. For example, for the `_acme-challenge.example.com.` domain name, there should only be a CNAME record and no TXT record.
    
    {% endnote %}

    {% note info %}
    
    A domain rights check may take from a few hours to a few days.
    
    {% endnote %}


### Adding a TXT record {#txt}

To check rights for the `example.com` domain, follow these steps:
1. In the [management console](https://console.yandex.cloud), select the folder you added the certificate to.
1. Navigate to **Certificate Manager**.
1. In the certificate list, select the certificate to check.
1. Further steps to follow will depend on whether your domain is managed by Yandex Cloud DNS or a third-party DNS provider.

    {% list tabs group=instructions %}

    - Yandex Cloud DNS {#dns}

      Under **Check rights for domains**, in the `TXT` record type section, click **Create record** in the **Cloud DNS** field. In the window that opens:

      1. If the current folder contains an appropriate DNS zone, it will be automatically inserted into the **Zone** field. If there is no such DNS zone, click **Create zone** and set its parameters to [create](../../dns/operations/zone-create-public.md) a new zone.
      1. Click **Create**.

    - Third-party DNS provider {#third-party-dns-server}

      1. Under **Check rights for domains**, in the `TXT` record type section, check out the record value for the domain in the **Value** field.
      1. Add a `TXT` record to your DNS provider or to your own DNS server:

          ```
          _acme-challenge.example.com. IN TXT <value>
          ```

    {% endlist %}

    {% note info %}
    
    A domain rights check may take from a few hours to a few days.
    
    {% endnote %}

1. After the certificate status changes to `Issued`, delete the `TXT` record you added from the DNS server.

## Validating rights automatically {#auto}

In some cases, the domain rights check requires no user input.

### CNAME record applicable to a zone {#auto-cname}

A check is performed automatically if the following conditions are met:
* The certificate’s status is `Renewing`, which means it is being [renewed](managed-certificate.md#renew).
* There is a DNS record configured for each certificate domain:

    ```
    _acme-challenge.example.com CNAME <certificate_ID>.cm.yandexcloud.net.
    ```

### Redirecting a static Object Storage website {#auto-s3}

A check is performed automatically if the following conditions are met:
* The certificate’s status is `Renewing`, which means it is being [renewed](managed-certificate.md#renew).
* The certificate is used in the [HTTPS configuration](../../storage/operations/hosting/certificate.md#cert-manager) of a static website in [Object Storage](../../tutorials/web/static/index.md).
* For each certificate domain, the following is configured:
    * An [alias](../../storage/operations/hosting/own-domain.md) for the static website bucket where the certificate is used.
    * Or a [redirect](../../storage/operations/hosting/multiple-domains/index.md) to the domain with the alias for the bucket.
* The certificate is not a [Wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate): it does not contain masks for subdomains.

### Redirecting to a validation server on a web server {#auto-vs}

A check is performed automatically if the following conditions are met:
* The certificate’s status is `Renewing`, which means it is being [renewed](managed-certificate.md#renew).
* The certificate is not a [Wildcard certificate](https://en.wikipedia.org/wiki/Wildcard_certificate): it does not contain masks for subdomains.
* For each certificate domain in the web server, a redirect is configured from
    ```
    http://<domain>/.well-known/acme-challenge/*
    ```
    with
    ```
    https://validation.certificate-manager.api.cloud.yandex.net/<certificate_ID>/*
    ```
    This endpoint is only available over IPv6.

Example of setting up a redirect in the nginx configuration:
```
server {
  location ~ ^/.well-known/acme-challenge/([a-zA-Z0-9-_]+)$ {
    return 301 https://validation.certificate-manager.api.cloud.yandex.net/<certificate_ID>/$1;
  }
}
```

#### Useful links {#see-also}

* [Let's Encrypt documentation: Types of challenges](https://letsencrypt.org/docs/challenge-types/)