Certificate Manager: renewal with domain validation fails to renew, expecting CAA records

0

I received the "Action Required: Your certificate renewal" email indicating that automatic renewal had failed to issue a new/updated certificate. The email suggested we fix the issue with CAA records [1]. Looking at the existing certificate, it currently uses a CNAME record for domain validation and the certificate status and domain info all look good, with green "Success" badges everywhere except for under the Renewal Status item where it reads "Pending validation."

We had tried to add the CAA records, however the domain (it is a subdomain, "blog.domain.com") did not accept the record citing that the primary domain already has a record of that type.

Now I'm not sure what to do. Shouldn't the existing CNAME record be sufficient for renewing the certificate? Is there some way to use a wildcard certificate on the primary domain (and offer zero records for this troublesome subdomain)? Is there something else I am missing?

--

  1. https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html
1 Answer
0

Thanks for the detailed description.

You might find this article https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ helpful as it explains how ACM checks CAA record following CNAME record.

To move forward, either

  • Include Amazon CA in the CAA records in the domain domain.com and clear up all CAA records in the sub-domain blog.domain.com
  • or include Amazon CA in the sub-domain (should be possible, not sure why it's returning an error)
  • or remove all CAA records

If the issue persists, please feel free to provide additional information for further discussions. Thank you.

AWS
weidi
answered 2 years ago
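
The lookup that the three options in the answer rely on, as an added example (not part of the original answer and not AWS code): it applies the RFC 8659 rule, taking the first non-empty CAA set found while climbing from the name towards the root and following CNAMEs at each step, over constructed zone data. `ca.example` and `host.example.net` are made-up names, and ACM's own checker may differ in detail.

```python
# CAA issuer values that the ACM documentation lists for Amazon's CAs.
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

def caa_at(zone, name, max_hops=8):
    """CAA RRset at `name`, following CNAMEs the way a resolver would."""
    for _ in range(max_hops):
        rrs = zone.get(name, {})
        if "CNAME" not in rrs:
            return rrs.get("CAA", [])
        name = rrs["CNAME"][0].rstrip(".").lower()
    return []  # CNAME chain too long or looping: treat as no answer

def relevant_caa(zone, fqdn):
    """Climb from fqdn towards the root; the first non-empty CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_at(zone, name)
        if rrset:
            return name, rrset
    return None, []

def amazon_may_issue(zone, fqdn):
    """Return (allowed, name whose CAA set decided it) for a non-wildcard name."""
    where, rrset = relevant_caa(zone, fqdn)
    issuers = []
    for rr in rrset:
        _flags, tag, value = rr.split(None, 2)
        if tag.lower() == "issue":
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    # No "issue" property in the relevant set means issuance is unrestricted.
    return (not issuers or any(i in AMAZON_CAS for i in issuers)), where

# Constructed zones (assumptions, not data from the question).
OTHER = '0 issue "ca.example"'
AMZN = '0 issue "amazon.com"'
BLOCKED = {"domain.com": {"CAA": [OTHER]}}             # parent lists another CA only
FIX_PARENT = {"domain.com": {"CAA": [OTHER, AMZN]}}    # option 1 in the answer
FIX_SUB = {"domain.com": {"CAA": [OTHER]},             # option 2 in the answer
           "blog.domain.com": {"CAA": [AMZN]}}
VIA_CNAME = {"domain.com": {"CAA": [AMZN]},            # CNAME target's CAA applies
             "blog.domain.com": {"CNAME": ["host.example.net."]},
             "host.example.net": {"CAA": [OTHER]}}

if __name__ == "__main__":
    for label, zone in [("blocked", BLOCKED), ("fix parent", FIX_PARENT),
                        ("fix subdomain", FIX_SUB), ("via CNAME", VIA_CNAME),
                        ("no CAA anywhere", {})]:
        print(label, amazon_may_issue(zone, "blog.domain.com"))
```

The second element of each result names the record set that decided the outcome, which is the place to edit when renewal stays in "Pending validation".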
