ACM certificate not validating

0

Had a single certificate that is stuck on "Pending auto-renewal". This is a cert that has renewed in the past and was originally requested in 2021. I have confirmed the NS records are correct and that the CNAME record exists and can be seen from multiple sites. This was checked multiple days ago and no DNS changes have been made.

The email notification also seems to be a bit weird, it states the certificate correctly but at the bottom, it says "The following 0 domains require validation:".

This is for a cert for a subdomain splog.slog.com in us-east-1 where we also have a wildcard *.splog.slog.com in eu-west-2 which is renewing correctly.

asked 5 months ago, 225 views
3 Answers
1

We have exactly the same problem.

Got a notice email from AWS regarding this.

Yet everything seems to be correct. Records are there, have never been removed.

We also manage infra as code using AWS CDK, so no chance anything was deleted.

I think this is a bug in AWS; I'd suggest AWS engineering really look into this.

m0ltar
answered 5 months ago
0
Accepted Answer

After having the certificate expire I finally hit the issue when trying to request another. There was no CAA record for this subdomain.

Following https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html, even with the record listed as Optional, allowed for requesting a new certificate.

The AWS UI is abysmal for not saying this was the issue and really needs to be fixed to stop these issues happening again.

answered 5 months ago
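A pre-flight check for the two conditions this thread turns on, the ACM validation CNAME and an effective CAA set that permits Amazon's CAs, written as an added example here and not code from AWS or from the posters. The zone data and the `_abc123`/`_def456` labels are constructed stand-ins for live DNS answers; the CA names are the four the linked AWS CAA page lists. It also shows the edge case from the accepted answer: a subdomain with no CAA record of its own inherits the parent's set, and adding an explicit record at the subdomain overrides it.

```python
"""Offline pre-flight check for ACM DNS validation: is the validation CNAME in
place, and does the effective CAA set (RFC 8659 tree climb) permit Amazon's CAs?"""
from typing import Dict, List, Optional, Tuple

# CA identifiers that the AWS CAA setup page (linked above) lists for ACM.
ACM_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}
Zone = Dict[str, Dict[str, List[str]]]

# Constructed sample data standing in for live DNS answers (not real records).
# splog.slog.com has no CAA record of its own, so it inherits the parent's set.
SAMPLE_ZONE: Zone = {
    "slog.com.": {"CAA": ['0 issue "letsencrypt.org"']},
    "_abc123.splog.slog.com.": {"CNAME": ["_def456.acm-validations.aws."]},
}

def lookup(zone: Zone, name: str, rtype: str) -> List[str]:
    return zone.get(name.lower(), {}).get(rtype, [])

def effective_caa(zone: Zone, fqdn: str) -> Tuple[Optional[str], List[str]]:
    """Climb from fqdn towards the root; the closest owner holding any CAA records
    decides (RFC 8659 section 3). (None, []) means no CAA anywhere: any CA may issue."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if recs := lookup(zone, owner, "CAA"):
            return owner, recs
    return None, []

def caa_permits(records: List[str], ca_set: set, wildcard: bool = False) -> bool:
    """issue entries must name a CA in ca_set; for wildcard names, issuewild entries
    take precedence when present. 'issue ";"' forbids everyone. Parameters after ';'
    are ignored. No issue/issuewild entries at all expresses no restriction."""
    parsed = [(r.split(" ", 2)[1].lower(), r.split(" ", 2)[2].strip('"')) for r in records]
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in parsed) else "issue"
    relevant = [v for t, v in parsed if t == tag]
    if not relevant:
        return True
    return bool({v.split(";")[0].strip() for v in relevant} & ca_set)

def preflight(zone: Zone, fqdn: str, label: str, wildcard: bool = False) -> dict:
    """label is the ACM-issued validation name such as _abc123 (placeholder here)."""
    name = fqdn.rstrip(".") + "."
    targets = lookup(zone, f"{label}.{name}", "CNAME")
    owner, recs = effective_caa(zone, name)
    return {"cname_ok": any(t.lower().endswith(".acm-validations.aws.") for t in targets),
            "caa_owner": owner, "caa_permits_acm": caa_permits(recs, ACM_CAS, wildcard)}

def with_acm_caa(zone: Zone, fqdn: str) -> Zone:
    """Copy of zone with the four ACM issue records added at fqdn, which overrides
    the parent's CAA set for that name and everything below it."""
    fixed = {k: dict(v) for k, v in zone.items()}
    fixed.setdefault(fqdn.rstrip(".") + ".", {})["CAA"] = [f'0 issue "{c}"' for c in sorted(ACM_CAS)]
    return fixed
```

Running `preflight(SAMPLE_ZONE, "splog.slog.com", "_abc123")` reports the CNAME present but CAA governed by `slog.com.` and not permitting ACM; `with_acm_caa` makes the same call pass.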
0

Hello,

From the description, I understand that you are facing issues with pending auto renewal status for requested ACM certificates.

Pending automatic renewal

  • ACM is attempting to automatically validate the domain names in the certificate.

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation. At 60 days prior to expiration, ACM checks for the renewal criteria:

  • The certificate is currently in use by an AWS service.

  • A valid DNS record for the apex domain exists.

  • The required CNAME token is present and accessible in the DNS record.

  • Each domain and subdomain that is named in the certificate is present in the DNS record.

If these criteria are met, ACM considers the domain names validated and renews the certificate.

Please make sure that all criteria are followed.

References:

[1] Troubleshooting Managed Certificate Renewal https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

[2] Renewal for Domains Validated by DNS https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html

[3] https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/

AWS
answered 5 months ago
  • All these criteria are correct and have not changed. This environment is configured via Terraform and the code base around these resources has not been modified since it was initially deployed back in 2021.
