ACM was unable to renew the certificate automatically using DNS validation


We are getting monthly emails from AWS telling us "AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed", etc., and telling us about the CNAME records it wants.

When I created the certificates, I used DNS validation with Route 53. Since then I thought "hmm, I should delete those ugly DNS entries", which I did. When we got the email above in May, I realised I'd screwed up so I put them back. I was not allowed to put them back by clicking a button (why not?), I had to do it manually in Route 53. So that was done.

Now in June we got the same email again, but the records it wants have been there for weeks. I tried to recreate them and Route 53 told me the record was already there. So now I don't know whether the email is telling me about a problem or not. Next month, when the certificate really does need to be renewed, I don't know whether it will work or not.

The certificate is:
Status: Issued
Renewal status: Pending validation
Type: Amazon Issued
Renewal eligibility: Eligible
In use?: Yes

It's the "pending validation" bit and the emails that worry me. Is there something I can do that will make Amazon say "yes that's all good I'm happy now"? Because then I know we will not lose our certificate in a month. Thank you.

asked 5 years ago, 234 views
2 Answers

I finally figured this out! It was a stupid mistake on my part but I'll describe it here in case someone else makes the same stupid mistake in future. So I went to ACM and it said I have to put in a CNAME record with value _complicatedstuff. So I copied from the page, went to Route 53, created a new record, pasted it in, copied the _complicatedstuff and pasted that in, and hit OK and it did it.

But Route 53 supplies the for me, so in fact I had created a record for, which is not what I needed at all. And of course because I was looking at the _argleblargle bit, I didn't notice.

So if you're tempted to do as I did, trim off the

answered 5 years ago
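The mistake described in the answer above (typing the full ACM-supplied name into a Route 53 console box that already appends the hosted-zone name, so the zone suffix ends up twice) is easy to catch mechanically. The script below is an added example and is not code from the original post or from AWS: it takes the `ResourceRecord` that `aws acm describe-certificate` returns under `DomainValidationOptions`, computes the relative name to type into the console, refuses a doubled suffix, audits the records already in the zone (the shape `aws route53 list-resource-record-sets` returns) for exactly that mistake, and emits the `ChangeBatch` for `aws route53 change-resource-record-sets`. The zone name, the `_3f2a9c0e1b…` and `_8d1e7b4c5a…` labels and the sample record sets are constructed placeholders, not real validation tokens.

```python
"""Build and audit the Route 53 CNAME that ACM DNS validation asks for.

Added example, not code from the original post or from AWS. All names
below are constructed placeholders; real values come from
`aws acm describe-certificate` and `aws route53 list-resource-record-sets`.
"""
import json

# Constructed sample hosted zone and ACM validation record (placeholders).
ZONE = "example.com"
ACM_RECORD = {  # shape of DomainValidationOptions[].ResourceRecord from ACM
    "Name": "_3f2a9c0e1b.example.com.",
    "Type": "CNAME",
    "Value": "_8d1e7b4c5a.acm-validations.aws.",
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so names compare cleanly."""
    return name.lower().rstrip(".")


def relative_name(fqdn: str, zone: str) -> str:
    """Return the label(s) to type into the Route 53 console 'Record name'
    box, which appends the hosted-zone name itself.  Raises if the zone
    suffix already appears twice (the mistake in the thread) or if the
    name is not inside the zone at all."""
    fqdn, zone = normalize(fqdn), normalize(zone)
    if fqdn.endswith(f".{zone}.{zone}"):
        raise ValueError(f"zone suffix appears twice in {fqdn!r}: trim one copy of {zone!r}")
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn!r} is not inside hosted zone {zone!r}")
    return fqdn[: -(len(zone) + 1)]


def audit_zone(record_sets: list, acm_record: dict, zone: str) -> str:
    """Compare the zone's existing CNAMEs with what ACM wants.
    `record_sets` is the ResourceRecordSets list from list-resource-record-sets.
    Returns 'ok', 'wrong-value', 'doubled-suffix' or 'missing'."""
    want_name = normalize(acm_record["Name"])
    want_value = normalize(acm_record["Value"])
    cnames = {normalize(r["Name"]): r for r in record_sets if r["Type"] == "CNAME"}
    if want_name in cnames:
        have = {normalize(v["Value"]) for v in cnames[want_name]["ResourceRecords"]}
        return "ok" if have == {want_value} else "wrong-value"
    if f"{want_name}.{normalize(zone)}" in cnames:
        return "doubled-suffix"  # _token.example.com.example.com was created
    return "missing"


def change_batch(acm_record: dict, zone: str) -> dict:
    """ChangeBatch for `aws route53 change-resource-record-sets` that
    UPSERTs exactly the CNAME ACM asked for (fully qualified, trailing dot)."""
    fqdn = normalize(acm_record["Name"])
    relative_name(fqdn, zone)  # validates the name; raises on a bad one
    return {
        "Comment": "ACM DNS validation CNAME",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn + ".",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{"Value": normalize(acm_record["Value"]) + "."}],
            },
        }],
    }


# Constructed record sets: what the zone looked like after the OP's first
# attempt (suffix doubled) and after the fix.
BAD_ZONE_RECORDS = [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "_3f2a9c0e1b.example.com.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "_8d1e7b4c5a.acm-validations.aws."}]},
]
GOOD_ZONE_RECORDS = [
    {"Name": "example.com.", "Type": "NS", "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "_3f2a9c0e1b.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "_8d1e7b4c5a.acm-validations.aws."}]},
]

if __name__ == "__main__":
    print("type this into the console:", relative_name(ACM_RECORD["Name"], ZONE))
    print("zone before fix:", audit_zone(BAD_ZONE_RECORDS, ACM_RECORD, ZONE))
    print("zone after fix: ", audit_zone(GOOD_ZONE_RECORDS, ACM_RECORD, ZONE))
    print(json.dumps(change_batch(ACM_RECORD, ZONE), indent=2))
```

Using the CLI instead of the console sidesteps the auto-appended suffix entirely, because `change-resource-record-sets` takes the fully qualified name. After the record is in place, `dig CNAME _token.example.com` from outside AWS should return the `acm-validations.aws` target, and the certificate's renewal status in ACM moves from "Pending validation" to "Success" once ACM re-checks it.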

Very useful, as this issue popped up for me with the same warning language near the end of 2020. On my ACM console the CNAME Name and Values are visible, but I didn't understand what the instruction meant by "copy the CNAME info into your DNS database" until I found this post.

My naive understanding now is that the "database" is what I stored in Route 53. Again, as the OP mentioned, in my ACM UI the "Create Record in Route 53" button is greyed out and non-clickable. I needed to copy those CNAME values manually into the corresponding Route 53 -> hosted zone entity. For some reason I only had "NS", "A", and "SOA" type records there, but no "CNAME".

Then I clicked the "create record" button in the Route 53 UI and copied the CNAME Name and Value (both starting with a _) over. After about an hour, I got an AWS email notifying me that the DNS validation had succeeded.

answered 3 years ago
