For DNS-validated certificates, ACM tries to automatically renew the certificate 60 days before it expires. To confirm that a domain is validated, expand the certificate's details in the ACM console, or use the describe-certificate command in the AWS Command Line Interface (AWS CLI). If ACM can't automatically validate one or more domain names in the certificate, then the renewal status is "Pending validation."
This can happen because:
Not all the domains listed in the ACM certificate are validated.
The automatic validation failed.
The managed renewal process is asynchronous.
The original certificate expired.
Note: For email-validated certificates, ACM begins sending renewal notices 45 days before expiration. These notices require action by the domain owner.
Use the following instructions to troubleshoot the ACM renewal status "Pending validation."
Not all the domains listed in the ACM certificate are validated
If you validate domains manually, then each domain included in the ACM certificate must be validated.
If you use email validation, then a set of validation emails is sent for each domain. You must complete the steps included in these emails to validate the domains. For more information, see Email validation.
If the update is delayed, then the domain's validation status in the ACM console is Success and the certificate's renewal status is Pending validation.
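The check described above, as an added example that is not part of the original page: a Python script that reads the JSON returned by describe-certificate and reports which domains are still unvalidated, or whether every domain shows success while the renewal status has not yet updated. The sample JSON, ARN, domain names and the script name triage.py are constructed for illustration; the field names follow the ACM DescribeCertificate response.

```python
import json
import sys

# Constructed sample of `aws acm describe-certificate` output (not real data).
# Only the fields read below are included; ARN and domains are placeholders.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
  "Status": "ISSUED",
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "SUCCESS"},
      {"DomainName": "www.example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION"}]}}}
""")


def triage(doc):
    """Relate describe-certificate output to the causes listed on this page."""
    renewal = doc["Certificate"].get("RenewalSummary")
    if renewal is None:  # ACM has not started a managed renewal
        return {"renewal_status": None, "blocking": [],
                "finding": "no managed renewal in progress"}
    status = renewal["RenewalStatus"]
    # Every domain on the certificate must be validated; collect those that are not.
    blocking = [(d["DomainName"], d.get("ValidationMethod"), d.get("ValidationStatus"))
                for d in renewal.get("DomainValidationOptions", [])
                if d.get("ValidationStatus") != "SUCCESS"]
    if status != "PENDING_VALIDATION":
        finding = "renewal status is " + status
    elif blocking:
        finding = "not all domains are validated"
    else:
        # Domains show success but the renewal status has not caught up yet.
        finding = "all domains validated; renewal status update is delayed"
    return {"renewal_status": status, "blocking": blocking, "finding": finding}


if __name__ == "__main__":
    # aws acm describe-certificate --certificate-arn <arn> | python3 triage.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    result = triage(json.loads(raw) if raw.strip() else SAMPLE)
    print(result["renewal_status"], "-", result["finding"])
    for name, method, state in result["blocking"]:
        print(f"  {name}: {method} validation is {state}")
```

Run without piped input, the script evaluates the constructed sample and reports www.example.com as the domain holding the renewal in Pending validation.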
The original certificate expired
If the original email-validated ACM certificate expires, then the certificate status changes from Issued to Pending validation. You must validate the domain within 72 hours, or the renewal status changes from Pending validation to Failed. If the renewal fails, you must request another public certificate for the domains.