Certificate renewal fails: DNS correctly set and email contains 0 domains to validate, but domain is waiting for auto-renewal

Question

Hello,
i've received the allerts that the certificate is going to expire in 10 days.
The status on the console says:

![Enter image description here](/media/postImages/original/IM10IZXcuCRCSM3fPdfJmhLQ)

**status: issued**

**Renewal status:Pending auto-renewal**

Below, where there are the domain listed there's

**Status & renewal status: Success**

In the email i've this, and the strange thing is the ***The following 0 domains require validation:***

> You have an SSL/TLS certificate from AWS Certificate Manager in your AWS account that expires on Feb 23, 2024 at 23:59:59 UTC. This certificate includes the primary domain  and a total of 2 domains.
AWS account ID: 
AWS Region name: eu-central-1
Certificate identifier 
AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed before Feb 23, 2024 at 23:59:59 UTC. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable.
.... cut .... 
**The following 0 domains require validation:**

**The DNS are correctly set**
The only thing is that the domains are accessible only to specific IP and not public to all world, can it that be a problem?
**What should I do? how can I check why it fails?
**

Accepted Answer

it seesm that i miss https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
once set, how can i renew it and see if it works?

Answer

I checked via the CLI and i've found this

**   "RenewalStatusReason": "CAA_ERROR"**

```
"RenewalSummary": {
            "RenewalStatus": "PENDING_AUTO_RENEWAL",
            "DomainValidationOptions": [
                {
                    "DomainName": "cxxxxo",
                    "ValidationDomain": "cuxxxno.io",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "_91aadc030b21xxxxxxo.",
                        "Type": "CNAME",
                        "Value": "_68beccdbb7cfxxxxxxws."
                    },
                    "ValidationMethod": "DNS"
                },
                {
                    "DomainName": "sxxxxxxxxxo",
                    "ValidationDomain": "scrixxxxxxo",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "_c16a9xxxxxxxo.",
                        "Type": "CNAME",
                        "Value": "_1bad219c6xxxxxxs."
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "RenewalStatusReason": "CAA_ERROR",
            "UpdatedAt": "2024-02-14T09:00:05.224000+01:00"
        },
```

Certificate renewal fails: DNS correctly set and email contains 0 domains to validate, but domain is waiting for auto-renewal

관련 콘텐츠