ACM was unable to renew the certificate automatically using DNS validation

0

Status: Issued. Type: Amazon issued certificate. In use: Yes. Renewal eligibility: Eligible. Received email from Amazon that contained 'AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable.' Verified that all correct CNAME records are present in the DNS configuration for each of the four domains on the cert. If I select the certificate and select Actions, all options are greyed out except 'delete.' Anyone know how to resend a validation email or another method to force a re-check so the certificate will automatically renew?

asked 3 years ago · 1612 views
3 Answers
0

The certificate is going to expire soon. We cannot open a ticket since technical support is not included with the company's plan. Does anyone have any idea how to remediate this issue if the DNS entries are all correct?

answered 3 years ago
0

Having the exact same issue with Cloudflare as DNS provider.

Anyone have advice? I have all the CNAMEs in, set to DNS only, not proxied, and it still won't pick it up.

nslookup all looks up.

I noticed that Cloudflare strips my fqd.com from the DNS.

So it ends up as _dsadsadas.cdn instead of _dasdas.cdn.mydomain.com. in the record.

breal42
answered 3 years ago
0

I was able to open a ticket with Amazon support. The root cause of the issue was that we needed to add a CAA record in DNS. Details are below. I hope this helps others experiencing similar problems.

From support:
Please note that for DNS automatic renewal validation, the criteria below should be met:

  1. The certificate has to be in use.
  2. The CNAME record originally given by ACM to validate your domain must be present with your domain provider.

To deep dive further, I could see that the certificate is in use with two Elastic Load Balancers. Hence, condition (1) meets the criteria.
Again, I checked the CNAME records for every domain included in the certificate, and those are in place too. Hence, no issues so far.

Moving ahead, please note that when ACM renews the certificate, ACM's CAA record check climbs up the DNS hierarchy (until it reaches the apex domain) to see if it is allowed to issue the certificate.

I have verified the CAA records through your DNS hierarchy and found that you have the following CAA records configured for the parent domain:
a) dig CAA mycompany.com

$ dig CAA mycompany.com +short
0 issue "certificateauthoritythatisnotamazon1.com"
0 issue "certificateauthoritythatisnotamazon2.com"
0 issue "certificateauthoritythatisnotamazon3.com"

From the above command I could see that you have an 'issue' or 'renew' record only for the CAs mentioned above, which means that only those CAs can renew the certificate for your domain. We can see there is no Amazon CA configured for mycompany.com.
Due to this reason ACM was unable to renew for your domain.

RESOLUTION:

In order to get this certificate renewed successfully, please authorize the Amazon CA as well in your DNS settings.
To add Amazon as an authorized CA, the value field in the CAA record must contain one of the following domain names:
amazon.com
amazontrust.com
awstrust.com
amazonaws.com

The new CAA record can look like this, for example:

Domain          Record type  Flags  Tag    Value
mycompany.com.  CAA          0      issue  "amazon.com"

answered 3 years ago
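The CAA walk the support engineer describes, as an added example that is not part of the original thread and is not AWS's own code. It follows the RFC 8659 rule (use the CAA set of the closest name at or above the hostname; wildcards use issuewild when present; an unknown critical tag means refuse), which goes a little beyond the answer's "climbs up to the apex" summary. The zone data is constructed inline to mirror the dig output above; the hostname api.prod.mycompany.com is an assumed SAN, not one from the page. For a live check, replace ZONE with the records returned by dig CAA at each label.

```python
"""Walk a hostname's DNS hierarchy for CAA records (RFC 8659) and decide
whether Amazon's CA is authorized to issue. Zone data is constructed
inline; no network is used."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# CAA 'issue' / 'issuewild' values that authorize Amazon's CA (from the answer above).
AMAZON_CA_IDS: Set[str] = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# One CAA record: (flags, tag, value).
CAARecord = Tuple[int, str, str]
Zone = Dict[str, List[CAARecord]]

# Constructed zone data standing in for live DNS. Only the apex carries CAA
# records, which is the situation the support engineer found.
ZONE: Zone = {
    "mycompany.com.": [
        (0, "issue", "certificateauthoritythatisnotamazon1.com"),
        (0, "issue", "certificateauthoritythatisnotamazon2.com"),
        (0, "issue", "certificateauthoritythatisnotamazon3.com"),
    ],
}

CRITICAL = 128          # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def parent(name: str) -> Optional[str]:
    labels = fqdn(name).rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(name: str, zone: Zone) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: the CAA RRset of the closest name (self or ancestor)
    that has one; None if nothing up the tree carries CAA."""
    n: Optional[str] = fqdn(name)
    while n is not None:
        if zone.get(n):
            return zone[n]
        n = parent(n)
    return None


def issuer_domain(value: str) -> str:
    """'amazon.com; validationmethods=dns-01' -> 'amazon.com'; ';' alone -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_ids: Iterable[str], zone: Zone) -> bool:
    """True if the CAA policy in effect for `name` lets any CA in `ca_ids` issue."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name[2:] if wildcard else name, zone)
    if rrset is None:
        return True                      # no CAA anywhere: any CA may issue
    # An unknown tag marked critical means refuse, whatever else is present.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcards use 'issuewild' when present, otherwise fall back to 'issue'.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    allowed = {issuer_domain(v) for _, t, v in rrset if t == tag}
    return bool(allowed & {c.lower() for c in ca_ids})


def authorize_amazon(zone: Zone, apex: str) -> Zone:
    """Return a copy of `zone` with the CAA record the answer recommends added at the apex."""
    fixed = {k: list(v) for k, v in zone.items()}
    fixed.setdefault(fqdn(apex), []).append((0, "issue", "amazon.com"))
    return fixed


if __name__ == "__main__":
    host = "api.prod.mycompany.com"      # assumed SAN on the certificate, not from the page
    print(host, "before fix:", ca_may_issue(host, AMAZON_CA_IDS, ZONE))
    print(host, "after fix: ", ca_may_issue(host, AMAZON_CA_IDS, authorize_amazon(ZONE, "mycompany.com")))
```

Run as-is, the host is refused before the fix and allowed after one "0 issue amazon.com" record is added at the apex, which is the resolution the support engineer gave. Note that a record placed only on a subdomain (say prod.mycompany.com) would be the relevant set for names below it and would shadow the apex policy, so put the Amazon entry at whatever level actually carries your CAA records.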
