- Newest
- Most votes
- Most comments
Hello,
For a DNS-validated certificate to be renewed, two conditions have to be met:
- The certificate is associated with one of the ACM-integrated services.
- The CNAME record of the certificate is resolvable.
It is important to note that there is a 1:1 relationship between domain names and CNAME records. In other words, if your certificate has three domains in its scope there would be three CNAME records. For the certificate to be renewed, all CNAME records need to be resolvable, something that you can verify with the following command:
dig -t CNAME <CNAME name> +short
If a single CNAME record does not return any output then renewal will fail since all domain names need to be validated, something which can be done only if ACM can query the CNAME records associated with those domain names.
You can see which domains have been validated by calling the DescribeCertificate API against the affected certificate.
I hope this helps but let us know if you have any more questions.
I need more clarity more like step by step way of resolving this issue, please.
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated 2 years ago