By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Why can't I resend the validation email from ACM to renew a certificate?

3 minute read
0

I used AWS Certificate Manager (ACM) to renew a certificate, and I want to resend the validation email. However, the option is unavailable, or I receive an error message.

Short description

To renew an ACM certificate, you can use either email-validated renewals or DNS-validated renewals.

Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.

If you use email to validate domain ownership, then ACM sends emails to the five common system addresses for the specified domains in the request. ACM also sends emails to the three contact addresses that are listed in the WHOIS database for the domains. If the certificate's renewal status is pending validation, then you can request a domain validation email for certificate renewal.

You can't resend the validation email in the following scenarios:

  • The certificate renewal status isn't pending validation.
  • The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
  • You used DNS to validate the certificate's domain.

Resolution

Follow the troubleshooting steps for your use case.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The certificate renewal status isn't pending validation

Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable, or you receive the following error:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

If the certificate's renewal status is pending validation, then resend the validation email. If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a new public certificate.

The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation

If one of your domains is automatically validated and you try to resend validation emails for the same domains, then you receive the following error:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

To confirm domains that you must validate, run the describe-certificate. Replace your-certificate-arn with your certificate's ARN:

aws acm describe-certificate --certificate-arn your_certificate_arn --query Certificate.RenewalSummary.DomainValidationOptions

Example output:

[
  {
    "DomainName": "example.com",
    "ValidationEmails": [
      "hostmaster@example.com",
      "postmaster@example.com",
      "admin@example.com",
      "webmaster@example.com",
      "administrator@example.com"
    ],
    "ValidationDomain": "example.com",
    "ValidationStatus": "SUCCESS",
    "ResourceRecord": null,
    "ValidationMethod": "EMAIL"
  },
  {
    "DomainName": "example.net",
    "ValidationEmails": [
      "hostmaster@example.net",
      "postmaster@example.net",
      "admin@example.net",
      "webmaster@example.net",
      "administrator@example.net"
    ],
    "ValidationDomain": "example.net",
    "ValidationStatus": "PENDING_VALIDATION",
    "ResourceRecord": null,
    "ValidationMethod": "EMAIL"
  }
]

In the preceding example, the domain names example.com and example.net are included in the certificate. The validation status for example.com is SUCCESS because the validation is completed. The validation status for example.net is PENDING VALIDATION because the domain validation didn't complete.

Use either the ACM console or the AWS CLI to resend the validation email.

Note: You can resend validation emails for only domains that have the renewal status as pending validation.

You used DNS to validate the domain

If you used DNS to validate domain ownership, then you don't receive a validation email. If you created a certificate with email validation, then you can't use DNS to validate the certificate. The option to resend the validation is unavailable in the ACM console.

For more information, see Why didn't I receive the validation email to issue or renew ACM certificates?

Related information

Troubleshoot email validation problems

AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago