After having the certificate expire I finally hit the issue when trying to request another. There was no CAA record for this subdomain.
Following https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html, even with it listed as Optional, allowed for requesting a new certificate.
The AWS UI is abysmal for not saying this was the issue and really needs to be fixed to stop these issues happening again.
We have exactly the same problem.
Got a notice email from AWS regarding this.
Yet everything seems to be correct. Records are there, have never been removed.
We also manage infra as code using AWS CDK, so no chance anything was deleted.
I think this is a bug in AWS. I'd suggest AWS engineering really look into this.
Hello,
From the description, I understand that you are facing issues with pending auto renewal status for requested ACM certificates.
Pending automatic renewal: ACM is attempting to automatically validate the domain names in the certificate.
Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation. At 60 days prior to expiration, ACM checks for the renewal criteria:
- The certificate is currently in use by an AWS service.
- A valid DNS record for the apex domain exists.
- The required CNAME token is present and accessible in the DNS record.
- Each domain and subdomain that is named in the certificate is present in the DNS record.
If these criteria are met, ACM considers the domain names validated and renews the certificate.
Please make sure that all criteria are met.
References:
[1] Troubleshooting Managed Certificate Renewal https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html
[2] Renewal for Domains Validated by DNS https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html
All these criteria are correct and have not changed. This environment is configured via Terraform and the code base around these has not been modified since they were initially deployed back in 2021.
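The CAA point from the first post and the per-name DNS criteria in the answer can be checked offline before a renewal window. The following is an added example, not code from any poster or from AWS: it evaluates CAA records the way RFC 8659 describes (climbing from each certificate name to its parents) and reports whether an Amazon CA is authorised. The zone data and the `example.com` names are constructed; in practice the map would be filled from `dig CAA` output or a resolver library.

```python
# Added example: offline CAA evaluation (RFC 8659) for names on an ACM certificate.
# CA domains that the ACM CAA documentation names for Amazon.
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data (hypothetical names): owner -> [(flags, tag, value)]
SAMPLE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "aws.example.com": [(0, "issue", "amazon.com"), (0, "issuewild", ";")],
}

def relevant_rrset(name, caa_by_owner):
    """Climb from the name toward the root; return the first CAA RRset found."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":          # a wildcard name is looked up at its parent
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if caa_by_owner.get(owner):
            return owner, caa_by_owner[owner]
    return None, []

def amazon_may_issue(name, caa_by_owner):
    """Return (allowed, reason) for one domain name on the certificate."""
    owner, rrset = relevant_rrset(name, caa_by_owner)
    if owner is None:
        return True, "no CAA RRset on the name or any parent"
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"critical unknown CAA property at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild (when present) takes precedence over issue.
    props = issuewild if (name.startswith("*.") and issuewild) else issue
    if not props:
        return True, f"CAA at {owner} does not restrict issuance"
    # The issuer domain is the part of the value before any ';' parameters.
    issuers = {v.split(";")[0].strip().lower() for v in props}
    if issuers & AMAZON_CAS:
        return True, f"CAA at {owner} authorises an Amazon CA"
    return False, f"CAA at {owner} authorises only {sorted(issuers)}"

if __name__ == "__main__":
    for n in ("api.example.com", "app.aws.example.com", "*.aws.example.com"):
        print(n, amazon_may_issue(n, SAMPLE_CAA))
```

In the sample data, `api.example.com` has no CAA record of its own but inherits the parent's record, which is the case that Terraform or CDK code for the subdomain alone will not reveal.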