Why did my publicly trusted ACM certificate fail managed renewal?

My AWS Certificate Manager (ACM) certificate failed managed renewal, and I want to resolve this issue.

Short description

Managed renewal for publicly trusted ACM certificates can fail for the following reasons:

  • The ACM certificate isn't in use or associated with any of the services that are integrated with ACM.
  • A DNS validated certificate's CNAME record is missing or not configured correctly.
  • The Certificate Authority Authorization (CAA) record check failed.

For DNS-validated certificate renewals, ACM checks that certain criteria are met 60 days before the certificate expires.

For email-validated certificate renewals, ACM begins to send renewal notices 45 days before the certificate expires. The notices include actions that you must take to renew your certificate.

Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.

Resolution

DNS and email validated certificates

Check whether the ACM certificate is in use and that it's associated with one of the services that are integrated with ACM.

DNS validated certificates

Update your DNS configuration to include the CNAME records that ACM provides. At renewal time, ACM looks up that CNAME record in the public DNS for every domain name that's included in the certificate, so the record must still exist and still point at the value ACM gave you.
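The check that ACM performs can be reproduced locally before the 60-day window opens. The following Python is an added example, not code from this article or from AWS: it compares the `ResourceRecord` entries that `aws acm describe-certificate` returns under `Certificate.DomainValidationOptions` (the field names are the real API shape; the record names and values below are constructed placeholders, not real ACM tokens) against a constructed snapshot of what public DNS currently answers, and reports which domains would fail renewal and why.

```python
"""Compare the CNAME records ACM expects for DNS validation with live DNS answers.

Constructed sample data throughout: the validation options mirror the
DescribeCertificate API shape, but the names/values are placeholders.
"""

# Constructed sample of Certificate.DomainValidationOptions for one certificate.
ACM_VALIDATION_OPTIONS = [
    {
        "DomainName": "example.com",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
            "Name": "_1a2b3c.example.com.",
            "Type": "CNAME",
            "Value": "_4d5e6f.acm-validations.aws.",
        },
    },
    {
        "DomainName": "www.example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
            "Name": "_7g8h9i.www.example.com.",
            "Type": "CNAME",
            "Value": "_0j1k2l.acm-validations.aws.",
        },
    },
    {
        "DomainName": "api.example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {
            "Name": "_3m4n5o.api.example.com.",
            "Type": "CNAME",
            "Value": "_6p7q8r.acm-validations.aws.",
        },
    },
]

# Constructed snapshot of what public DNS answers for each owner name, as a
# list of (record type, rdata). A missing key models "no such record".
DNS_ANSWERS = {
    "_1a2b3c.example.com.": [("CNAME", "_4d5e6f.acm-validations.aws.")],
    # Typical misconfiguration: the DNS provider appended the zone name to the
    # target because the value was entered without its trailing dot.
    "_7g8h9i.www.example.com.": [("CNAME", "_0j1k2l.acm-validations.aws.example.com.")],
    # The api.example.com record was never created at all.
}


def normalize(name):
    """Make DNS names comparable: lower-case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def check_validation_records(options, answers):
    """Return {domain: 'ok' | 'missing' | 'wrong-type' | 'wrong-value'}."""
    answers = {normalize(owner): rrset for owner, rrset in answers.items()}
    results = {}
    for opt in options:
        expected = opt["ResourceRecord"]
        rrset = answers.get(normalize(expected["Name"]))
        if not rrset:
            results[opt["DomainName"]] = "missing"
            continue
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            # A TXT or A record at the owner name does not satisfy ACM.
            results[opt["DomainName"]] = "wrong-type"
        elif normalize(cnames[0]) != normalize(expected["Value"]):
            results[opt["DomainName"]] = "wrong-value"
        else:
            results[opt["DomainName"]] = "ok"
    return results


if __name__ == "__main__":
    for domain, verdict in check_validation_records(ACM_VALIDATION_OPTIONS, DNS_ANSWERS).items():
        print(f"{domain:20s} {verdict}")
```

In practice you would fill `DNS_ANSWERS` from a resolver (for example `dig CNAME _1a2b3c.example.com +short`) and `ACM_VALIDATION_OPTIONS` from the `describe-certificate` output; any domain that is not `ok` is one ACM will not be able to renew.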

After ACM renews the certificate, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically deployed to the integrated AWS resources that use them, so no reconfiguration is needed on those resources.

For more information, see Why didn't the CNAME record resolve for my ACM issued certificate and the DNS validation status is still "Pending validation"?

Email validated certificates

For email-validated certificates, ACM sends the renewal notice to the WHOIS mailbox addresses and the five common administrator addresses for each domain listed in your certificate, and a recipient must approve the request for each domain. After all listed domains are validated, ACM issues a renewed certificate with the same ARN.

For more information, see How does the ACM managed renewal process work with email-validated certificates?

The CAA record check failed

If you configured a CAA record for your domain and received the "Failed" error, then see How do I resolve CAA "Failed" error when an ACM certificate is issued or renewed?
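To see why a CAA record blocks renewal, it helps to evaluate the record the way a CA does. The following Python is an added example, not code from this article or from AWS: it walks from the requested name toward the root until it finds a CAA record set (the lookup order from RFC 8659), then checks whether that set permits issuance by any of the CA identifiers that ACM uses (`amazon.com`, `amazontrust.com`, `awstrust.com`, `amazonaws.com`). The zone data is constructed sample input; a wildcard name is checked against `issuewild` when one is present, otherwise against `issue`.

```python
"""Evaluate whether a domain's CAA policy permits ACM to issue or renew a certificate."""

# CA identifiers that ACM uses; a CAA 'issue'/'issuewild' value must name one of them.
ACM_CAA_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zone data: owner name -> list of (flags, tag, value).
CAA_RECORDS = {
    # Two CAs allowed; ACM is one of them, so every name under example.com inherits this.
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issue", "amazon.com")],
    # 'issue ";"' forbids every CA, including ACM.
    "locked.example.com.": [(0, "issue", ";")],
    # Non-wildcard names may use ACM, but wildcard certificates are reserved for another CA.
    "wild.example.com.": [(0, "issue", "amazon.com"), (0, "issuewild", "digicert.com")],
}


def normalize(name):
    """Make DNS names comparable: lower-case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def caa_record_set(name, records):
    """Return the first non-empty CAA set found climbing from name toward the root."""
    labels = normalize(name).rstrip(".").split(".")
    while labels:
        rrset = records.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels.pop(0)  # strip the leftmost label and try the parent
    return []


def caa_allows_acm(domain, records):
    """True if the effective CAA policy for domain permits issuance by ACM."""
    wildcard = domain.startswith("*.")
    rrset = caa_record_set(domain[2:] if wildcard else domain, records)
    if not rrset:
        return True  # no CAA record anywhere up the tree: any CA may issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    # The issuer domain is the part before any ';'-separated parameters.
    allowed = {v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag}
    return bool(allowed & ACM_CAA_ISSUERS)


if __name__ == "__main__":
    for name in ("www.example.com", "locked.example.com", "*.wild.example.com", "app.wild.example.com", "other.org"):
        print(f"{name:22s} ACM allowed: {caa_allows_acm(name, CAA_RECORDS)}")
```

To run this against live data, populate `CAA_RECORDS` from `dig CAA <name> +short` for the name and each of its parents; if the function returns `False` for a domain on the certificate, the CAA "Failed" error is expected until the record lists one of the ACM identifiers (or is removed).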

Related information

Troubleshooting managed certificate renewal

Check a certificate's renewal status

AWS OFFICIAL. Updated 5 months ago.