Why can't I resend the validation email from ACM to renew a certificate?

3 minute read
0

I used AWS Certificate Manager (ACM) to renew a certificate, and I want to resend the validation email. However, the option is unavailable, or I receive an error message.

Short description

If you use email to validate domain ownership, then ACM sends emails to the three contact addresses that are listed in WHOIS. ACM also sends emails to the five common system addresses for the domains that are specified in the certificate request. If the certificate's renewal status is pending validation, then you can request a domain validation email for certificate renewal.

You can't resend the validation email in the following situations:

  • The certificate renewal status isn't pending validation.
  • The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
  • You used DNS to validate the domain.

Resolution

The certificate renewal status isn't pending validation

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable, or you receive this error message:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

If the certificate's renewal status is pending validation, then resend the validation email. If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a public certificate.

The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation

If one of your domains is automatically validated and you try to resend validation emails for the same domains, then you receive this error:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

To confirm which domains you must validate, run the describe-certificate AWS CLI command. You can use the AWS CLI to specify the base validation domain for the email that isn't validated. For more information, see resend-validation-email.

Note: You can resend validation emails only for domains that have the renewal status as pending validation.

You used DNS to validate the domain

If you use DNS to validate domain ownership, the you can't send the validation email again. The option to resend the validation is unavailable in the ACM console.

If you used the AWS CLI, then you might receive this error message:

"An error occurred (InvalidStateException) when calling the ResendValidationEmail operation: Certificate arn:aws:acm:us-arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

Related information

Why am I not receiving validation emails when using ACM to issue or renew a certificate?

Troubleshoot email validation problems

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago