Hi there,
I understand that your Amazon-issued certificate is stuck on "Pending Validation". All CNAMEs for DNS validation have been added to Route 53 and the renewal status for all domains is "Success". The notice email states: "To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below." and it lists zero domains that require validation: "The following 0 domains require validation:"
Please note that if ACM cannot automatically validate a domain name, it notifies the domain owner that manual action is needed to validate the domain and complete certificate renewal. These notifications are sent at 45 days, 30 days, seven days, and one day prior to expiration. The most common reason for automatic validation to fail is that the required CNAME has been inadvertently changed or removed. 
------Reasons the certificate would not be renewed------
Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation. At 60 days prior to expiration, ACM checks for the renewal criteria: 
-The certificate is currently in use by an AWS service.
-A valid DNS record for the apex domain exists.
-The required CNAME token is present and accessible in the DNS record.
-Each domain and subdomain that is named in the certificate is present in the DNS record.
Since you mentioned your domains are all validated successfully, it means the issue must be the CAA records, and in this case Amazon is not a trusted party, hence ACM wasn't able to issue certificates for your domain. ACM can issue certificates for your domain only when you have a CAA "issuewild" and "issue" record for one of the following:
To resolve the issue, I suggest you update your CAA records to include "issuewild" and "issue" for -amazonaws.com and. The record would look like this:
0 issuewild "amazon.com"
0 issue "amazon.com"
by doing the following:
Add a CAA record for your domain trusting Amazon.
-Sign in to your AWS Management Console
-Navigate to Route53
-Select the HostedZone
-Click on the checkbox next to the current CAA record present in your hosted zone
-Click on the Edit Record button on the right side panel that appears
-In the 'Value' box, ADD the following records
0 issuewild "amazon.com"
0 issue "amazon.com"
-Click on Save
Once the CAA records are added, ACM should be able to renew the certificate. Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it.
I hope this information will come in handy for you.
Troubleshooting Managed Certificate Renewal https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html
 Renewal for Domains Validated by DNS https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html
** Please note that I personally value your feedback, please accept this answer if you find it helpful to you. **
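Added example, not part of the answer above and not AWS code: a Python check that applies the CAA evaluation rules of RFC 8659 (closest-ancestor lookup, issuewild taking precedence for wildcard names, critical unknown tags) to a record set and reports whether "amazon.com" is authorized. The function names and the sample zone are assumptions constructed for illustration; the only issuer value used is the one quoted in the answer.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
ACM_ISSUERS = {"amazon.com"}  # value quoted in the answer above

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer(value):
    """Issuer domain from a CAA value; parameters after ';' are dropped."""
    return value.strip('"').split(";")[0].strip().lower()

def amazon_may_issue(name, zone, issuers=ACM_ISSUERS):
    """Return (allowed, reason) for a certificate name against the zone data."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records, any CA may issue"
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, "critical CAA property with an unknown tag"
    by_tag = {}
    for _, tag, value in rrset:
        by_tag.setdefault(tag.lower(), []).append(issuer(value))
    # For wildcard names, issuewild replaces issue when it is present.
    tag = "issuewild" if name.startswith("*.") and "issuewild" in by_tag else "issue"
    if tag not in by_tag:
        return True, "no issue/issuewild property, issuance not restricted"
    if issuers & set(by_tag[tag]):
        return True, f"{tag} authorizes Amazon"
    return False, f"{tag} lists only {sorted(set(by_tag[tag]))}"

# Constructed sample data: name -> [(flags, tag, value)]
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "example.org": [(0, "issue", "letsencrypt.org"), (0, "issue", "amazon.com"),
                    (0, "issuewild", "amazon.com")],
    "example.net": [(0, "issue", "amazon.com"), (0, "issuewild", ";")],
}

if __name__ == "__main__":
    for n in ["www.example.com", "*.example.org", "*.example.net", "example.net"]:
        print(n, amazon_may_issue(n, ZONE))
```

To run it against a live zone, fill the dictionary from the output of a CAA lookup for each name in the certificate and its parent domains.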