Let’s Encrypt® Certificates

Last update: May 30 2026

If you issue a Let’s Encrypt® certificate in the Certificate Manager, DNS-01 validation will occur automatically. The domain’s DNS records are stored in the Selectel infrastructure, so the service independently creates a TXT record to issue the certificate. The service will monitor the certificate expiration date and automatically renew it 30 days before it expires. If you issue the certificate yourself, you must confirm domain ownership and pass validation, and then renew the certificate every 60 days.

The certificate is only valid in the project in which it was issued.

To issue a certificate, the domain must have an IP address in an A record.

Issue a Let’s Encrypt® certificate

You can issue a Let’s Encrypt® certificate that will be valid:

• only for the primary domain or for the primary domain and all its subdomains (Wildcard certificate);
• only for a subdomain. The certificate will not be valid for the primary domain.

warning

After a Let’s Encrypt® certificate is issued, your site, service, or application will not automatically open over HTTPS — you need to download the certificate and install it on your web server.

For primary domain and subdomains

1. Create a zone for the domain in DNS hosting.

2. Delegate the domain.

3. In the Control panel, on the top menu, click Products and select Certificate Manager.

4. In the Certificates section, click Add certificate.

5. Select Certificates from Let’s Encrypt®.

6. Enter a name for the certificate.

7. Select the domain you delegated to DNS hosting in step 2.

8. Optional: to add a subdomain to the certificate for the primary domain, click Add additional domain.

   Enter the subdomain name. To issue a Wildcard certificate, enter a subdomain in the format *.example.com

9. Click Issue certificate.

Only for a subdomain

1. Create a zone for the subdomain in DNS hosting.
2. Delegate the subdomain.
3. In the Control panel, on the top menu, click Products and select Certificate Manager.
4. In the Certificates section, click Add certificate.
5. Select Certificates from Let’s Encrypt®.
6. Enter a name for the certificate.
7. Select the subdomain you delegated to DNS hosting in step 2.
8. Click Issue certificate.

Download a Let’s Encrypt® certificate

1. In the Control panel, on the top menu, click Products and select Certificate Manager.
2. In the Certificates section, open the certificate page.
3. In the Certificate files block, select the certificate, intermediate certificate chain, root certificate, and private key.
4. Click Download.

View the status of a Let’s Encrypt® certificate

1. In the Control panel, on the top menu, click Products and select Certificate Manager.

2. In the Certificates section, view the status in the certificate row → the Status column.

   ACTIVE	The certificate is valid and ready for use
   CREATING	The certificate is being issued
   RENEWING	30 days remain until certificate expiration, automatic renewal is in progress
   INVALID	The certificate is invalid for one of the following reasons: invalid signature; broken certificate chain of trust (the root certificate could not be verified or the intermediate certificate has expired); the certificate signature cannot be verified; DNS-01 validation failed
   ERROR	An error occurred during certificate issuance. Ensure your domain registrar has NS records configured that point to Selectel servers: a.ns.selectel.ru, b.ns.selectel.ru, c.ns.selectel.ru, d.ns.selectel.ru. If the problem persists, create a ticket