The certificate is going to expire soon. We cannot open a ticket since technical support is not included with the company's plan. Does anyone have any idea how to remediate this issue if the DNS entries are all correct?
Having the exact same issue with Cloudflare as DNS provider.
Anyone have advice? I have all the CNAMEs in, set to DNS only, not proxied, and it still won't pick it up.
nslookup all looks up.
I noticed that cloudflare strips my fqd.com from the dns.
so, it ends up as _dsadsadas.cdn instead of _dasdas.cdn.mydomain.com. in the record.
I was able to open a ticket with Amazon support. The root cause of the issue was that we needed to add a CAA record in DNS. Details are below. I hope this helps others experiencing similar problems.
Please note that for DNS automatic renewal validation, the criteria below should be met:
- The certificate has to be in use.
- The CNAME record originally given by ACM to validate your domain must be present with your domain provider.
To deep dive further, I could see that the certificate is in use with two Elastic Load Balancers. Hence, condition (1) meets the criteria.
Again, I checked the CNAME records for every domain included in the certificate, and those are in place too. Hence, no issues so far.
Moving ahead, please note that when ACM renews the certificate, ACM's CAA record check climbs up the DNS hierarchy (until it reaches the apex domain) to see if it is allowed to issue the certificate.
I have verified the CAA records through your DNS hierarchy and found that you have the following CAA records configured for the parent domain.
a) dig CAA mycompany.com
$ dig CAA yeti.com +short
0 issue "certificateauthoritythatisnotamazon1.com"
0 issue "certificateauthoritythatisnotamazon2.com"
0 issue "certificateauthoritythatisnotamazon3.com"
From the above command I could see that you have an 'issue' or 'renew' record for only the above mentioned CAs, which means that only those CAs can renew the certificate for your domain. We can see there is no Amazon CA configured for mycompany.com.
Due to this reason ACM was unable to renew for your domain.
In order to get this certificate renewed successfully, please authorize the Amazon CA as well in your DNS setting.
To add Amazon as an authorized CA, the value field in the CAA record must contain one of the following domain names:
The new CAA record can be like this, for example :
Domain           Record type   Flags   Tag     Value
mycompany.com.   CAA           0       issue   "amazon.com"
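To make the "climbs up the DNS hierarchy" behaviour concrete, here is an added example (my own code, not AWS's or anything from the support answer) that reproduces the CAA lookup a CA performs per RFC 8659 over a constructed zone map instead of live DNS. It walks from the requested name up to the TLD, stops at the first owner that has CAA records, and then checks whether a given CA domain appears in the relevant `issue` (or `issuewild`) set. The zone contents and the hostname `api.mycompany.com` are constructed assumptions that mirror the records shown above; `ZONE_AFTER` is the same apex with the extra `issue "amazon.com"` record the answer recommends.

```python
"""Reproduce a CA's CAA check (RFC 8659) over constructed zone data.

Shows why ACM could not renew: the relevant CAA RRset lives at the apex
mycompany.com., names only other CAs, and applies to every subdomain that
has no CAA records of its own.
"""

# Constructed sample zone data (assumption, not real DNS): owner name ->
# list of CAA records as (flags, tag, value). Owner names are fully qualified.
ZONE_BEFORE = {
    "mycompany.com.": [
        (0, "issue", "certificateauthoritythatisnotamazon1.com"),
        (0, "issue", "certificateauthoritythatisnotamazon2.com"),
        (0, "issue", "certificateauthoritythatisnotamazon3.com"),
    ],
}

# The same apex after adding the record from the support answer.
ZONE_AFTER = {
    "mycompany.com.": ZONE_BEFORE["mycompany.com."] + [(0, "issue", "amazon.com")],
}


def fqdn(name):
    """Normalise a name to its fully qualified (trailing-dot) form."""
    return name if name.endswith(".") else name + "."


def ancestors(name):
    """Yield the name itself, then each parent up to and including the TLD."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name, zone):
    """Return (owner, records) for the closest ancestor-or-self that has CAA
    records, or (None, []) when no CAA exists anywhere up the hierarchy."""
    for owner in ancestors(name):
        records = zone.get(owner, [])
        if records:
            return owner, records
    return None, []


def is_ca_authorized(name, ca_domain, zone):
    """True if ca_domain may issue for name under the relevant CAA RRset.

    Rules applied:
      - no CAA anywhere in the hierarchy -> any CA may issue
      - wildcard names use 'issuewild' when present, else fall back to 'issue'
      - no records with the relevant tag -> issuance permitted
      - otherwise the CA domain must match one record's value (parameters
        after ';' are ignored; a bare ';' authorizes nobody)
    """
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    owner, records = relevant_caa(lookup, zone)
    if owner is None:
        return True
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in records):
        tag = "issuewild"
    matching = [r for r in records if r[1] == tag]
    if not matching:
        return True
    allowed = {r[2].split(";")[0].strip().lower() for r in matching}
    return ca_domain.lower() in allowed


def explain(name, ca_domain, zone):
    """Human-readable verdict, handy when triaging a stuck renewal."""
    owner, records = relevant_caa(name, zone)
    verdict = "authorized" if is_ca_authorized(name, ca_domain, zone) else "NOT authorized"
    where = f"CAA found at {owner}: {records}" if owner else "no CAA records up the hierarchy"
    return f"{ca_domain} is {verdict} for {name} ({where})"


if __name__ == "__main__":
    print(explain("api.mycompany.com", "amazon.com", ZONE_BEFORE))
    print(explain("api.mycompany.com", "amazon.com", ZONE_AFTER))
```

Run it against your own zone by replacing the constructed dictionaries with the output of `dig CAA <name> +short` for each label up the hierarchy; the first owner that returns records is the one that decides, which is why a CAA set at the apex silently governs every validation CNAME below it.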