By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Renewal pending validation even though 0 domains require validation

0

Our Amazon issued certificate is stuck in "Pending Validation". All CNAMEs for DNS validation have been added to route53 and the renewal status for all domains is Success.

The notice email states that: "To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below."

But lists zero domains that require validation: "The following 0 domains require validation:"

Topics
Networking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon Route 53AWS Certificate Manager
Language
English
rePost-User-7790139
asked 2 years ago550 views
1 Answer
0

Hi There ,

I understand that your Amazon issued certificate is stuck on "Pending Validation". All CNAMEs for DNS validation have been added to route53 and the renewal status for all domains is: Success and the notice email states that: "To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below." and it lists zero domains that require validation: "The following 0 domains require validation:"

Please note that if ACM cannot automatically validate a domain name, it notifies the domain owner that manual action is needed to validate the domain and complete certificate renewal. These notifications are sent at 45 days, 30 days, seven days, and one day prior to expiration. The most common reason for automatic validation to fail is that the required CNAME has been inadvertently changed or removed. [1]

------Reasons for the certificate would not be renewed------

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation. At 60 days prior to expiration, ACM checks for the renewal criteria: [2]

  1. The certificate is currently in use by an AWS service.

  2. A valid DNS record for the apex domain exists.

  3. The required CNAME token is present and accessible in the DNS record.

  4. Each domain and subdomain that is named in the certificate is present in the DNS record.

Since you mentioned your domain are all validated successfully , then it means the issue must be CAA records and this case Amazon is not a trusted party, hence ACM wasn't able to issue certificates for your domain. ACM can issue certificates for your domain only when you have a CAA "issuewild" and "issue" record for one of the following :

-amazon.com

-amazontrust.com

-awstrust.com

-amazonaws.com

Resolution

To resolve the issue I suggest you update your CAA records to include "issuewild" and "issue" for -amazonaws.com and. The record would look like this:

0 issuewild "amazon.com"

0 issue "amazon.com"

by doing the following:

Add a CAA record for your domain trusting amazon.

-Sign in to your AWS Management Console
-Navigate to Route53
-Select the HostedZone
-Click on the checkbox next to the current CAA record present in your hosted zone
-Click on the Edit Record button on the right side panel that appears
-In the 'Value' box, ADD the following records
       0 issuewild "amazon.com"
       0 issue "amazon.com"
-Click on Save

Once the CAA records are added ACM should be able to renew the certificate. Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it.

I hope this information will come in handy for you.

Refrences:

[1]Troubleshooting Managed Certificate Renewal https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

[2] Renewal for Domains Validated by DNS https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html

[3] https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html

[4] https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/

[5] https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/

[6] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-editing.html

[7] https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-deleting.html

** Please note that I personally value your feedback, please accept this answer if you find it helpful to you. **

Mfanelo
answered 2 years ago
  • Rhyas
    2 years ago

    I have this same issue, but adding the correct CAA record does not seem to resolve the problem. Any other ideas or solutions?

  • Mfanelo
    2 years ago

    Hi Rhyas, Perhaps consider this document to troubleshoot and isolate your issue: https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/

  • Rhyas
    2 years ago

    Unfortunately, none of that helps. I have a single CAA record in the Route53 zone for that domain name, with the appropriate Issue record. That second article also notes that a CAA record isn't specifically required. (But it still doesn't work without one.) The domain name shows validated, the CNAME record exists properly, the certificate is all green, it just shows Pending Validation with no other errors, and in the Health Status message, it shows "The following 0 domains require validation:". I can dig both records and they return the proper values. It's a little frustrating that there seems to be an error somewhere, but AWS does not expose it, and without Premium support, one can't get any information about it.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content