By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

HELP please! URG: SSL/TLS certificate from AWS Certificate Manager (ACM) in my AWS account expired

0

I got an e-mail notification from AWS saying "AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed before 06 July. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable.

I followed the instructions on July 3rd and added the CNAME records in the route 53 under the domain name. It said it was successful. Now i received an email that the certificate has expired! I have requested a certificate successfully and I get a banner saying that further action is needed but I don't know what the next step is on my end. When i see the description of the certificate it says "renewal inelegible". What should I do next?

Topics
Security, Identity, & Compliance
Tags
AWS Certificate Manager
Language
English
Ale
asked 8 months ago878 views
3 Answers
1

Hello.

The certificate may have expired and could not be renewed for some reason.
Once the certificate expires, automatic renewal will not be possible, so you will need to issue a new one.
https://repost.aws/knowledge-center/acm-certificate-ineligible

Therefore, please follow the steps in the document below to issue a new certificate with ACM and switch the certificate used by ALB etc. to the newly issued certificate.
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html

profile picture
EXPERT
Riku_Kobayashi
answered 8 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed 8 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 8 months ago
1

Hi,

Automatic ACM cerificate renewal happens under a few restrictions listed here: https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html

ELIGIBLE if associated with another AWS service, such as Elastic Load Balancing or CloudFront.
ELIGIBLE if exported since being issued or last renewed.
ELIGIBLE if it is a private certificate issued by calling the ACM RequestCertificate API and then exported or associated with another AWS service.
ELIGIBLE if it is a private certificate issued through the management console and then exported or associated with another AWS service.
NOT ELIGIBLE if it is a private certificate issued by calling the AWS Private CA IssueCertificate API.
NOT ELIGIBLE if imported.
NOT ELIGIBLE if already expired.

As your current certificate expired, automatic renewal is no longer possible: see last line.

You'll have to create a new one

Please, follow instruction to create the new one and validate it in Route53: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

Best,

Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 8 months ago
profile picture
EXPERT
Oleksii Bebych
reviewed 8 months ago
0

Just to be sure, if you open the expired certificate in the ACM console, does the associated resources list show any resources? AWS won't automatically renew a certificate that isn't used.

EXPERT
Leo K
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content