Impossibile to renew SSL with dns validation


Hello, I have one SSL certificate that is about to expire. ACM is unable to renew it because it says that there is some error in the cname records. I have checked my dns and changes the cname records with the ones listed in the console. How can I say to acm to try to renew the certificate?

asked 8 months ago39 views
2 Answers


For a DNS-validated certificate to be renewed, two conditions have to be met:

  1. The certificate is associated with one of the ACM-integrated services.
  2. The CNAME record of the certificate is resolvable.

It is important to note that there is a 1:1 relationship between domain names and CNAME records. In other words, if your certificate has three domains in its scope there would be three CNAME records. For the certificate to be renewed, all CNAME records need to be resolvable, something that you can verify with the following command:

dig -t CNAME <CNAME name> +short

If a single CNAME record does not return any output then renewal will fail since all domain names need to be validated, something which can be done only if ACM can query the CNAME records associated with those domain names.

You can see which domains have been validated by calling the DescribeCertificate API against the affected certificate.

I hope this helps but let us know if you have any more questions.

profile picture
answered 7 months ago

I need more clarity more like step by step way of resolving this issue, please.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions