By using AWS re:Post, you agree to the Terms of Use

ACM Cert Renewal Problem when GoDaddy is the Registrar

2

I recently received an email from AWS saying that my cert was about to expire and that since I had email validation turned on they had sent me a separate email with a link to verify renewal.

I never received the separate e-mail.

My domain is hosted on Route53 but GoDaddy is the registrar. I finally figured out that since ACM uses the email addresses in the whois records as the authoritative e-mail address for validating cert renewals, it doesn't work with certain godaddy domain configurations. At godaddy, I had their privacy features turned on. I finally figured out that godaddy has stopped putting valid email addresses into whois records and instead puts links to the godaddy web site in those whois fields. That means that any emails sent from ACM will never arrive or will silently fail to send.

I worked around the problem by briefly turning off domain privacy at godaddy, then having ACM resend the emails, then turning privacy back on. But as long as godaddy doesn't write valid email addresses in the whois records ACM email validation won't work for domains registered at godaddy that have privacy turned on.

This is actually a godaddy bug, but it bites anyone who is hosting their zone at route53 and using ACM certs. In the past, godaddy would write a valid email address in whois records (e.g. foo.com@domainsbyproxy.com) and forward emails sent to that address to the domain name owner. Not anymore.

I'm just posting this here for the benefit of anyone who has a domain registered at godaddy but is using ACM certs on AWS.

1 Answers
0

Asides from the email delivery issue you highlighted, Email-validated ACM certificates require manual intervention to get them renewed. This is why the AWS recommended validation method is DNS Validation [1].

With DNS Validation, you don't have to worry about emails being delivered or not. All you need do is insert a validation CNAME provided by ACM to your DNS database and the certificate will be validated and automatically renewed as long as it is in use [2] (i.e associated with one of the supported services) and all these other conditions stated here [3] are met.

[1] DNS validation https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

[2] Services integrated with AWS Certificate Manager https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

[3] Managed renewal for ACM certificates https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

answered 16 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions