For a DNS-validated certificate to be renewed, two conditions have to be met:
- The certificate is associated with one of the ACM-integrated services.
- The CNAME record of the certificate is resolvable.
It is important to note that there is a 1:1 relationship between domain names and CNAME records. In other words, if your certificate has three domains in its scope, there would be three CNAME records. For the certificate to be renewed, all CNAME records need to be resolvable, something that you can verify with the following command:
dig -t CNAME <CNAME name> +short
If a single CNAME record does not return any output, then renewal will fail, since all domain names need to be validated, something which can be done only if ACM can query the CNAME records associated with those domain names.
You can see which domains have been validated by calling the DescribeCertificate API against the affected certificate.
I hope this helps but let us know if you have any more questions.
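As an added example (not part of the answer above and not an AWS tool), the following script automates the two checks the answer describes: it reads the JSON from `aws acm describe-certificate`, runs the `dig -t CNAME ... +short` check for every domain's validation record, and reports which domains would block renewal. The embedded response is a constructed sample with placeholder names; only the field names (`DomainValidationOptions`, `ResourceRecord`, `ValidationStatus`) are the real ACM API fields.

```python
import json
import subprocess
import sys
from typing import Callable, Dict, List

# Constructed sample of a DescribeCertificate response: three domains in scope,
# so three validation CNAMEs. Names and targets are placeholders, not real records.
SAMPLE_DESCRIBE = {"Certificate": {"DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME", "Value": "_xyz.acm-validations.aws."}},
    {"DomainName": "www.example.com", "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_def.www.example.com.", "Type": "CNAME", "Value": "_uvw.acm-validations.aws."}},
    {"DomainName": "api.example.com", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_ghi.api.example.com.", "Type": "CNAME", "Value": "_rst.acm-validations.aws."}},
]}}


def dig_cname(name: str) -> List[str]:
    """Run the same check as the answer: dig -t CNAME <name> +short, one target per line."""
    proc = subprocess.run(["dig", "-t", "CNAME", name, "+short"],
                          capture_output=True, text=True, check=False)
    return [line.strip().rstrip(".") for line in proc.stdout.splitlines() if line.strip()]


def check_validation_records(describe: dict,
                             resolve: Callable[[str], List[str]] = dig_cname) -> Dict[str, dict]:
    """For each domain on the certificate, verify its validation CNAME resolves
    and points at the value ACM expects. Returns {domain: {ok, reason, validation_status}}."""
    results: Dict[str, dict] = {}
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord") or {}
        if rr.get("Type") != "CNAME":
            reason = "no CNAME validation record in DescribeCertificate output"
        else:
            answers = resolve(rr["Name"].rstrip("."))
            expected = rr["Value"].rstrip(".")
            if not answers:
                reason = "CNAME does not resolve (renewal will fail)"
            elif expected not in answers:
                reason = "CNAME resolves to an unexpected target"
            else:
                reason = "ok"
        results[opt["DomainName"]] = {"ok": reason == "ok", "reason": reason,
                                      "validation_status": opt.get("ValidationStatus")}
    return results


def renewal_blockers(results: Dict[str, dict]) -> List[str]:
    """Domains whose validation CNAME is missing or wrong; any entry here blocks renewal."""
    return [domain for domain, r in results.items() if not r["ok"]]


if __name__ == "__main__":
    # Usage: aws acm describe-certificate --certificate-arn <arn> | python3 check_acm_cnames.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE
    for domain, r in check_validation_records(data).items():
        print(f"{domain}: {r['reason']} (ACM status: {r['validation_status']})")
```

Piping real `describe-certificate` output into the script runs `dig` against each record; the resolver argument lets you substitute another lookup method.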
I need more clarity, more like a step-by-step way of resolving this issue, please.