Certificate Manager: renewal with domain validation fails to renew, expecting CAA records

0

I received the "Action Required: Your certificate renewal" email indicating that automatic renewal had failed to issue a new/updated certificate. The email suggested we fix the issue with CAA records [1]. Looking at the existing certificate, it currently uses a CNAME record for domain validation and the certificate status and domain info all look good, with green "Success" badges everywhere except for under the Renewal Status item where it reads "Pending validation."

We had tried to add the CAA records; however, the domain (it is a subdomain, "blog.domain.com") did not accept the record, citing that the primary domain already has a record of that type.

Now I'm not sure what to do. Shouldn't the existing CNAME record be sufficient for renewing the certificate? Is there some way to use a wildcard certificate on the primary domain (and offer zero records for this troublesome subdomain)? Is there something else I am missing?

--

  1. https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html
1 Answer
0

Thanks for the detailed description.

You might find this article https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ helpful as it explains how ACM checks CAA records following a CNAME record.

To move forward, either

  • Include Amazon CA in the CAA records in the domain domain.com and clear up all CAA records in the sub-domain blog.domain.com
  • or include Amazon CA in the sub-domain (should be possible, not sure why it's returning an error)
  • or remove all CAA records

If the issue persists, please feel free to provide additional information for further discussions. Thank you.

AWS
weidi
Answered 1 year ago
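
The options in the answer above can be checked offline with a small model of the CAA lookup. This is an added example, not part of the original thread or AWS code. It assumes the RFC 8659 lookup (first non-empty CAA RRset found while climbing from the name toward the root, with a CNAME at a name followed as a resolver would) and the four CAA values listed in the ACM documentation for Amazon CAs; the zone contents, `ca.example`, `cdn.example` and all function names are constructed for illustration.

```python
# Added example: offline model of the RFC 8659 CAA lookup for the cases in the answer.
# Zone contents, ca.example and cdn.example are constructed; helper names are hypothetical.
AMAZON_CA_DOMAINS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

def caa_at(zone, name, max_hops=8):
    """CAA RRset at `name`, following a CNAME chain the way a resolver would."""
    for _ in range(max_hops):
        rec = zone.get(name, {})
        if "CNAME" not in rec:
            return rec.get("CAA", [])
        name = rec["CNAME"].rstrip(".").lower()
    return []

def relevant_caa(zone, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_at(zone, name)
        if rrset:
            return name, rrset
    return None, []

def amazon_may_issue(zone, fqdn):
    """True if CAA permits an Amazon CA to issue for fqdn (critical-flag handling omitted)."""
    _, rrset = relevant_caa(zone, fqdn)
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    props = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not props:
        return True  # no CAA found, or no property restricting this request
    return any(v.split(";")[0].strip().lower() in AMAZON_CA_DOMAINS for v in props)

OTHER = (0, "issue", "ca.example")   # constructed: some other CA
AMAZON = (0, "issue", "amazon.com")
ZONES = {
    "parent_excludes_amazon": {"domain.com": {"CAA": [OTHER]}},
    "parent_includes_amazon": {"domain.com": {"CAA": [OTHER, AMAZON]}},
    "subdomain_overrides": {"domain.com": {"CAA": [AMAZON]}, "blog.domain.com": {"CAA": [OTHER]}},
    "cname_target_has_caa": {"domain.com": {"CAA": [AMAZON]},
                             "blog.domain.com": {"CNAME": "edge.cdn.example."},
                             "edge.cdn.example": {"CAA": [OTHER]}},
    "no_caa_anywhere": {},
}

if __name__ == "__main__":
    for label, zone in ZONES.items():
        print(label, relevant_caa(zone, "blog.domain.com")[0], amazon_may_issue(zone, "blog.domain.com"))
```

The `subdomain_overrides` and `cname_target_has_caa` cases show why a CAA RRset reachable at `blog.domain.com` itself must either list an Amazon CA or be cleared: once one is found there, the parent's records are never consulted.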
