Why am I not receiving validation emails when using ACM to issue or renew a certificate?
Why didn't I receive the validation email to issue or renew AWS Certificate Manager (ACM) certificates?
ACM sends the validation emails to the five common system addresses as long as an MX record exists for the domain. For a list of the default email addresses, see MX record.
ACM also sends a domain validation email to the email addresses associated with the domain registrant, technical contact, and administrative contact fields in the WHOIS listing. For more information, see validate domain ownership with email.
Some domain registrars don't populate the contact information in WHOIS ("Who is") data. Your ACM certificate issue or renewal can be affected if:
Your domain registrar doesn't include contact email addresses in WHOIS data.
You use custom email addresses in WHOIS for certificate validation.
The WHOIS lookup for email validation is performed on the apex domain and searches for email addresses in the domain registrant, technical contact, and administrative contact fields. Verify your listed email addresses using a WHOIS query. For additional information, see Enabling or disabling privacy protection for contact information for a domain. If your domain has privacy protection enabled, you might not receive a reply, or you might receive a response similar to the following:
Name: Data Protected Data Protected
Organization: Data Protected
Mailing Address: 123 Data Protected, Toronto ON M6K 3M1 CA
ACM isn't compatible with CAPTCHA. If the registrar's WHOIS service is protected by a CAPTCHA, ACM might not be able to retrieve the contact email addresses from it.
AWS doesn't control WHOIS data and can't prevent WHOIS server throttling. For more information, see WHOIS throttling.
Two options are available depending on your preference and the effort required for maintaining or switching.
You can't convert an ACM certificate's validation method from email to DNS or from DNS to email. To switch validation methods, request a new ACM certificate to replace the previous one.
To switch to DNS validation, recreate the ACM certificate, and then select DNS for validation. DNS validation has several advantages over email validation, especially if Amazon Route 53 is the DNS provider for your domain.
DNS validation requires that you create one CNAME record per domain name, and that record is used only for requesting ACM certificates. Email validation sends up to eight email messages per domain name.
You can request additional ACM certificates for your fully qualified domain name (FQDN) for as long as the DNS record remains in place.
ACM automatically renews certificates that you validated using DNS. ACM renews each certificate before expiration if the certificate and DNS record are both in use.
ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.
Automation using the DNS validation process is less complex than using the email validation process.
You can switch to DNS validation at no additional cost.
Services integrated with AWS Certificate Manager that use the previous ACM certificate must be updated to use the new certificate. This is because each new ACM certificate is assigned a new Amazon Resource Name (ARN); you can't keep the previous ARN when you request a new certificate. Only renewed ACM certificates retain the same ARN.
You can list the resources that are using an ACM certificate, and the Region of each resource from its ARN, by running the AWS CLI command describe-certificate similar to the following:
$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:12345678911:certificate/123456-1234-1234-1234-123456789 --output text | grep INUSEBY
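The same describe-certificate output also tells you where ACM tried to deliver the validation email, which is the check the WHOIS discussion above calls for. The following script is an added example, not part of the original article or of the AWS CLI: it parses a constructed describe-certificate JSON response (placeholder ARNs and example.com domains), separates the five system mailboxes from WHOIS contact addresses, flags email-validated domains for which ACM found no WHOIS contacts, prints the CNAME record needed for DNS-validated domains, and extracts the Region of each in-use resource from its ARN.

```python
import json

# Constructed sample of `aws acm describe-certificate --output json` (placeholder ARNs,
# not real resources): one domain validated by email, one by DNS.
SAMPLE = json.loads("""{"Certificate": {
 "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT-ID",
 "Status": "PENDING_VALIDATION",
 "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/EXAMPLE"],
 "DomainValidationOptions": [
  {"DomainName": "example.com", "ValidationMethod": "EMAIL", "ValidationStatus": "PENDING_VALIDATION",
   "ValidationEmails": ["admin@example.com", "administrator@example.com", "hostmaster@example.com",
                        "postmaster@example.com", "webmaster@example.com"]},
  {"DomainName": "www.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Name": "_abc123.www.example.com.", "Type": "CNAME",
                      "Value": "_def456.acm-validations.aws."}}]}}""")

# The five common system mailboxes ACM tries whenever the domain has an MX record.
SYSTEM_MAILBOXES = {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}


def in_use_regions(cert):
    """Regions of the resources using the certificate, read from the ARN (arn:partition:service:region:...)."""
    return sorted({arn.split(":")[3] for arn in cert.get("InUseBy", [])})


def check_domain(opt):
    """Describe what one DomainValidationOptions entry needs before ACM can validate it."""
    finding = {"domain": opt["DomainName"], "method": opt["ValidationMethod"],
               "status": opt["ValidationStatus"]}
    if opt["ValidationMethod"] == "EMAIL":
        emails = opt.get("ValidationEmails", [])
        # Any address that is not a system mailbox must have come from the WHOIS contact fields.
        whois = [e for e in emails if e.split("@")[0].lower() not in SYSTEM_MAILBOXES]
        finding["system_mailboxes"] = len(emails) - len(whois)
        finding["whois_contacts"] = whois
        # Only system mailboxes listed means ACM found no WHOIS contacts (privacy protection,
        # empty registrar data, CAPTCHA or throttling); the mail is then seen only if one of
        # those mailboxes is actually monitored.
        finding["action"] = ("none" if whois else
                             "confirm a system mailbox is monitored, or request a new certificate with DNS validation")
    else:
        rr = opt["ResourceRecord"]
        finding["cname"] = f"{rr['Name']} {rr['Type']} {rr['Value']}"
        finding["action"] = "none" if opt["ValidationStatus"] == "SUCCESS" else "create the CNAME record above"
    return finding


def report(cert):
    """Full summary: Regions of in-use resources plus one finding per domain."""
    return {"regions": in_use_regions(cert),
            "domains": [check_domain(o) for o in cert["DomainValidationOptions"]]}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE["Certificate"]), indent=2))
```

To run it against a real certificate, replace SAMPLE with the parsed output of `aws acm describe-certificate --certificate-arn <arn> --output json`.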