Checking domain rights

To check rights for domains:

Management console

CLI

Terraform

API

In the management console, select the folder the certificate was added to.
In the list of services, select Certificate Manager.
Select the certificate to check from the list and click it.
In the window that opens, the details you need to pass the domain rights check can be found under Check rights for domains. For more information, see Checking rights for domain.
When the domain rights check is passed, the domain check status under Check rights for domain changes to Valid.
After the rights check status for all your domains changes to Valid, the certificate is issued and its status becomes Issued.

If you don't have the Nebius Israel command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View a description of the command:

yc certificate-manager certificate get --help

Run the following command:

yc certificate-manager certificate get \
  --id fpq6gvvm6piu******** \
  --full

Where:

--id: Certificate ID.
--full: Show a list of active checks for domain rights.

Result:

id: fpq6gvvm6piu********
folder_id: b1g7gvsi89m3********
created_at: "2020-09-15T08:49:11.533771Z"
name: mymanagedcert
type: MANAGED
domains:
- example.com
status: VALIDATING
updated_at: "2020-09-15T08:49:11.533771Z"
challenges:
- domain: example.com
  type: HTTP
  created_at: "2020-09-15T08:49:11.533771Z"
  updated_at: "2020-09-15T08:51:44.991065Z"
  status: PENDING
  message: Create a file in your web server's base directory.
  http_challenge:
    url: http://example.com/.well-known/acme-challenge/3LiH-nrTC7GdMbRgVqttEvdTODeNeaD0TtXteWgtAH8
    content: 3LiH-nrTC7GdMbRgVqttEvdTODeNeaD0TtXteWgtAH8.ZHCju15sJiKBwT8G5FTl7UtfmJWp1gKNYYPLcVtVL44

The information required for passing the rights check for a domain can be found under http_challenge. For more information, see Checking rights for domain.

When the rights check for a domain is passed, the domain check status changes to Valid:

yc certificate-manager certificate get --id fpq6gvvm6piu******** --full
...
domains:
- example.com
status: VALID
...

After the rights check status for all your domains changes to Valid, the certificate is issued and its status becomes Issued:
```
yc certificate-manager certificate get --id fpq6gvvm6piu******** --full
...
domains:
- example.com
status: ISSUED
...
```

If you do not have Terraform yet, install it and configure the Nebius Israel provider.

For more information about Terraform, see the documentation.

With Terraform, you can create a DNS record required to pass a check for domain rights. To do this:

In the Terraform configuration file, describe the parameters of the resources you want to create:
```
resource "yandex_cm_certificate" "le-certificate" {
  name    = "<certificate_name>"
  domains = ["<domain>"]

  managed {
  challenge_type = "DNS_CNAME"
  }
}

resource "yandex_dns_recordset" "validation-record" {
  zone_id = "<zone_ID>"
  name    = yandex_cm_certificate.le-certificate.challenges[0].dns_name
  type    = yandex_cm_certificate.le-certificate.challenges[0].dns_type
  data    = [yandex_cm_certificate.le-certificate.challenges[0].dns_value]
  ttl     = <record_lifetime_in_seconds>
}

data "yandex_cm_certificate" "example" {
  depends_on      = [yandex_dns_recordset.validation-record]
  certificate_id  = yandex_cm_certificate.le-certificate.id
  wait_validation = true
}

# Use data.yandex_cm_certificate.example.id to get validated certificate

output "cert-id" {
  description = "Certificate ID"
  value       = data.yandex_cm_certificate.example.id
}
```
Where:
- The yandex_cm_certificate resource parameters are as follows:
  - domains: Domain to create a certificate for.
  - challenge_type: Domain owner verification method. Possible values:
    - DNS_CNAME: Create a DNS record in CNAME format with the specified value. Method recommended for automatic certificate renewal.
    - DNS_TXT: Create a DNS record in TXT format with the specified value.
- The yandex_dns_recordset resource parameters are as follows:
  - zone_id: ID of the DNS zone where the record for owner verification will be located.
  - name: Record name.
  - type: DNS record type.
  - data: Record value.
  - ttl: Record time to live (TTL) in seconds before updating the record value.
- The yandex_dns_recordset data source parameters are as follows:
  - depends_on: Indicates dependence on another Terraform resource.
  - certificate_id: Certificate ID.
  - wait_validation: Certificate validation wait flag. If true, the operation will not be completed while the certificate status is VALIDATING. The default value is false.
For more information about the resource parameters, see the Terraform provider documentation.
Create resources:
1. In the terminal, change to the folder where you edited the configuration file.
2. Make sure the configuration file is correct using the command:
```
terraform validate
```
  If the configuration is correct, the following message is returned:
```
Success! The configuration is valid.
```
3. Run the command:
```
terraform plan
```
  The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
4. Apply the configuration changes:
```
terraform apply
```
5. Confirm the changes: type yes in the terminal and press Enter.

This will create a certificate and DNS record in the specified folder. You can check if the certificate is there and properly configured either from the management console or using this CLI command:

yc certificate-manager certificate get <certificate_name> --full

To get the information required to pass the rights check for a domain, use the get REST API method for the Certificate resource or the CertificateService/Get gRPC API call with the view=FULL flag.