By using AWS re:Post, you agree to the Terms of Use

ACM domain validation: Renewal for internal or non public Load-Balancers


A customer is using ACM managed certificates and domain validation. Their load balancers are not publicly reachable (protected by security groups, but this probably applies also to internal load balancers), but for the renewal of the certificates a HTTPS is made from ACM to the domains in the certificate:

"ACM must be able to establish an HTTPS connection with each domain in the certificate."
The want to be able to automate the renewal process, e.g. they don't want to use email validation.

I wonder why the HTTPS request is necessary at all for DNS validation and renewal (this is in general not required with DNS validation by other certificate providers)

Do we have any workaround for this? E.g. allow a defined IP range from ACM in the security groups?

1 Answer
Accepted Answer

As specified in the launch blog post: and in the DNS Public Docs:

If the customer validates a certificate using DNS:

ACM automatically renews certificates that are deployed and in use with other AWS services as long as the CNAME record remains in your DNS configuration. To learn more about ACM DNS validation, see the ACM FAQs and the ACM documentation.

Establishing a TLS connection to the domain will not be necessary to automatically renew DNS-Validated Certificates as long as the CNAMEs used to initially validate the domain(s) are still reachable via public DNS.

Hope that helps!

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions