The issue you are facing with the Certificate Manager certificate being marked as "ineligible for renewal" even though it is actively being used in an App Runner custom domain is likely due to the following reasons:
- The CNAME records required for certificate validation were removed from the DNS server. App Runner uses these CNAME records to validate the domain ownership, and if they are removed, the certificate can no longer be automatically renewed.
- The original certificate has expired, and the renewal process has failed. The renewal status may show as "Pending validation" if ACM is unable to automatically validate the domain names in the certificate.

To troubleshoot and resolve this issue, you can try the following steps:
- Check the DNS records for the custom domain in your DNS server. Ensure that the CNAME records provided by App Runner for certificate validation are still present.
- Use the AWS CLI or the ACM console to check the renewal status of the certificate. You can use the describe-certificate command or the console to view the renewal status.
- If the renewal status is "Pending validation", you may need to manually validate the domain ownership by adding the required CNAME records to your DNS server.
- If the original certificate has expired, you may need to request a new certificate and update the custom domain configuration in App Runner.

To renew the custom domain certificate in App Runner, you can follow these steps:
- Retrieve the certificate validation CNAME records (the CLI subcommand is describe-custom-domains; it lists every custom domain on the service, so there is no --domain-name filter):
  aws apprunner describe-custom-domains --service-arn <your-app-runner-service-arn>
- Add the CNAME records to your DNS server.
- Wait for the DNS changes to propagate.
- Confirm the certificate validation is successful.
- Associate the updated custom domain with your App Runner service:
  aws apprunner associate-custom-domain --service-arn <your-app-runner-service-arn> --domain-name <your-custom-domain>
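The checks in the answer above (validation CNAMEs still present in DNS, renewal fields in describe-certificate) as one script. This is an added example, not code from the thread or from AWS. Field names follow the App Runner DescribeCustomDomains and ACM DescribeCertificate responses; the ARNs, domain names, record names and the "zone contents" dictionary are constructed for the demo, and the `--live` mode, `table_resolver` and `dig_resolver` are this example's own helpers. It classifies each validation record App Runner reports as present, missing, or pointing at the wrong target, which is the failure mode the answer describes.

```python
"""Cross-check App Runner's certificate validation CNAMEs against DNS and ACM.

Added example, not from the original thread. Field names follow the App Runner
DescribeCustomDomains and ACM DescribeCertificate responses; every ARN, domain
and record value below is constructed.
"""
import json
import subprocess
import sys
from typing import Callable, Dict, List, Optional

# Constructed `aws apprunner describe-custom-domains` output for one custom domain.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DNSTarget": "abc123def4.us-east-1.awsapprunner.com",
    "ServiceArn": "arn:aws:apprunner:us-east-1:111122223333:service/example-svc/0123456789abcdef",
    "CustomDomains": [{
        "DomainName": "app.example.com",
        "EnableWWWSubdomain": True,
        "Status": "active",
        "CertificateValidationRecords": [
            {"Name": "_1a2b3c.app.example.com.", "Type": "CNAME",
             "Value": "_4d5e6f.acm-validations.aws.", "Status": "SUCCESS"},
            {"Name": "_7a8b9c.www.app.example.com.", "Type": "CNAME",
             "Value": "_0d1e2f.acm-validations.aws.", "Status": "SUCCESS"},
        ],
    }],
})

# Constructed zone contents: the www validation CNAME has been deleted.
SAMPLE_DNS = {
    "_1a2b3c.app.example.com.": "_4d5e6f.acm-validations.aws.",
    "app.example.com.": "abc123def4.us-east-1.awsapprunner.com.",
}

# Constructed `aws acm describe-certificate` output showing the symptom in the thread.
SAMPLE_CERT_OUTPUT = json.dumps({"Certificate": {
    "DomainName": "app.example.com", "Status": "ISSUED", "InUseBy": [],
    "RenewalEligibility": "INELIGIBLE",
}})


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and with a trailing dot."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def expected_records(describe_output: str) -> List[Dict[str, str]]:
    """Flatten every validation CNAME App Runner reports, across all custom domains."""
    data = json.loads(describe_output)
    return [
        {"name": normalize(r["Name"]), "value": normalize(r["Value"]), "status": r["Status"]}
        for d in data.get("CustomDomains", [])
        for r in d.get("CertificateValidationRecords", [])
    ]


def check_records(describe_output: str,
                  resolve_cname: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Classify each validation CNAME as present, missing, or pointing at the wrong target."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatched": []}
    for rec in expected_records(describe_output):
        answer = resolve_cname(rec["name"])
        if answer is None:
            report["missing"].append(rec["name"])
        elif normalize(answer) != rec["value"]:
            report["mismatched"].append(rec["name"])
        else:
            report["ok"].append(rec["name"])
    return report


def certificate_summary(describe_cert_output: str) -> Dict[str, object]:
    """Pull the fields that matter for auto-renewal out of describe-certificate output."""
    cert = json.loads(describe_cert_output)["Certificate"]
    renewal = cert.get("RenewalSummary", {})  # absent until ACM has attempted a renewal
    return {
        "status": cert.get("Status"),
        "in_use": bool(cert.get("InUseBy")),
        "renewal_eligibility": cert.get("RenewalEligibility"),
        "renewal_status": renewal.get("RenewalStatus"),
    }


def table_resolver(table: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Offline resolver backed by a dict (demo helper, not an AWS API)."""
    return lambda name: table.get(normalize(name))


def dig_resolver(name: str) -> Optional[str]:
    """Live resolver: first CNAME answer from `dig +short`, or None if absent."""
    out = subprocess.run(["dig", "+short", "CNAME", name], capture_output=True,
                         text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    # `--live` reads real describe-custom-domains JSON from stdin and queries DNS.
    if "--live" in sys.argv:
        print(json.dumps(check_records(sys.stdin.read(), dig_resolver), indent=2))
    else:
        print(json.dumps(check_records(SAMPLE_DESCRIBE_OUTPUT, table_resolver(SAMPLE_DNS)), indent=2))
        print(json.dumps(certificate_summary(SAMPLE_CERT_OUTPUT), indent=2))
```

Run without arguments it uses the constructed data and reports the www record as missing. Against a real service, pipe the CLI output in: `aws apprunner describe-custom-domains --service-arn <arn> | python3 check_records.py --live`, and feed `aws acm describe-certificate --certificate-arn <arn>` to `certificate_summary` the same way. Any name in `missing` or `mismatched` is a record to re-create in the zone exactly as App Runner reports it.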

Thanks for the suggestions. All CNAMEs that were created for certificate validation and the App Runner custom domain are still present in Route 53 and have not been removed. The certificate status is Issued. Everything is working perfectly, except that "In Use" for the certificate is set to "No", which is incorrect.
The certificate has not expired, but I want it to automatically renew next year so I don't have to set a calendar reminder to manually do it myself. Automated renewal is one of the best features of Certificate Manager and has worked great for me for CloudFront distributions in the past, but appears to be broken for App Runner.