I used AWS Certificate Manager (ACM) to renew a certificate, and I want to resend the validation email. However, the option is unavailable, or I receive an error message.
Short description
To renew an ACM certificate, you can use either email-validated renewals or DNS-validated renewals.
Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.
If you use email to validate domain ownership, then ACM sends emails to the five common system addresses for the specified domains in the request. ACM also sends emails to the three contact addresses that are listed in the WHOIS database for the domains. If the certificate's renewal status is pending validation, then you can request a domain validation email for certificate renewal.
You can't resend the validation email in the following scenarios:
- The certificate renewal status isn't pending validation.
- The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
- You used DNS to validate the certificate's domain.
Resolution
Follow the troubleshooting steps for your use case.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
The certificate renewal status isn't pending validation
Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable, or you receive the following error:
"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."
If the certificate's renewal status is pending validation, then resend the validation email. If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a new public certificate.
The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation
If one of your domains is automatically validated and you try to resend validation emails for the same domains, then you receive the following error:
"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."
To confirm the domains that you must validate, run the describe-certificate command. Replace your_certificate_arn with your certificate's ARN:
aws acm describe-certificate --certificate-arn your_certificate_arn --query Certificate.RenewalSummary.DomainValidationOptions
Example output:
[
    {
        "DomainName": "example.com",
        "ValidationEmails": [
            "hostmaster@example.com",
            "postmaster@example.com",
            "admin@example.com",
            "webmaster@example.com",
            "administrator@example.com"
        ],
        "ValidationDomain": "example.com",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": null,
        "ValidationMethod": "EMAIL"
    },
    {
        "DomainName": "example.net",
        "ValidationEmails": [
            "hostmaster@example.net",
            "postmaster@example.net",
            "admin@example.net",
            "webmaster@example.net",
            "administrator@example.net"
        ],
        "ValidationDomain": "example.net",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": null,
        "ValidationMethod": "EMAIL"
    }
]
In the preceding example, the domain names example.com and example.net are included in the certificate. The validation status for example.com is SUCCESS because the validation is completed. The validation status for example.net is PENDING_VALIDATION because the domain validation didn't complete.
Use either the ACM console or the AWS CLI to resend the validation email.
Note: You can resend validation emails for only domains that have the renewal status as pending validation.
You used DNS to validate the domain
If you used DNS to validate domain ownership, then you don't receive a validation email. If you created a certificate with email validation, then you can't use DNS to validate the certificate. The option to resend the validation email is unavailable in the ACM console.
For more information, see Why didn't I receive the validation email to issue or renew ACM certificates?
Related information
Troubleshoot email validation problems