ACM: Renewal Status is pending validation even after correct DNS Configuration

0

Certificate is configured with the DNS validation Method, and recently received an email which says

AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed.

It is going to expire after 14th October 2023.

Current Certificate:
Status: Issued
Renewal status: Pending validation
Type: Amazon Issued
Renewal eligibility: Eligible

CNAME Record is added correctly too. Domain also does not have any CAA records.

What can be done to renew it?

asked 7 months ago · 206 views
2 Answers
0

Hello.

If you receive that message, it may work if you delete the ACM verification DNS record and then register it again.
https://repost.aws/knowledge-center/certificate-fails-to-auto-renew

EXPERT
answered 7 months ago
  • Thank you for the answer, but unfortunately it doesn't work.

  • If I create the domain for verification again in ACM and re-register it, will it be updated?

  • Not sure what exactly you meant in your last comment, but I removed the CNAME from the DNS and added it again, and the issue still persists.

0

Validate that your CNAME validation record is resolvable by using a tool like dig or nslookup or similar to resolve it. A correctly working CNAME should be resolvable as follows from any computer on the Internet. In this case, I am looking up the CNAME _e5f000fdaea220228e420f2b5256e43f.example.com. (Note, this is a fictitious example, you need to use your own CNAME here).

% dig _e5f000fdaea220228e420f2b5256e43f.example.com.

; <<>> DiG 9.10.6 <<>> _e5f000fdaea220228e420f2b5256xxx.swyd.ca.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11832
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_e5f000fdaea220228e420f2b5256xxx.example.com. IN A

;; ANSWER SECTION:
_e5f000fdaea220228e420f2b5256xxx.swyd.ca. 300 IN CNAME _aba7aefb0cab414f85c552723a7dxxx.gbwdrhjxvn.acm-validations.aws.

;; AUTHORITY SECTION:
gbwdrhjxvn.acm-validations.aws. 900 IN  SOA ns-94.awsdns-11.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

If it is not resolvable, or it does not return the CNAME value specified on the Domains section of the Certificate Status page, then you need to identify where your DNS needs to be updated. Note that DNS TTLs can affect how much time you have to wait for a record to be correctly present on the Internet.

AWS
EXPERT
answered 7 months ago
  • Thank you for the answer, but unfortunately I did try with nslookup -type=CNAME _aasd2123.example.com and it does give the info regarding DNS.
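A small script that automates the check this answer describes, added here as an example (it is not the answerer's code): it parses the ANSWER SECTION of dig output and compares the returned CNAME target with the value ACM lists under the Domains section, normalising case and the trailing dot so a cosmetic mismatch is not mistaken for a real one. The record names and the sample dig output are constructed.

```python
import subprocess

# Constructed sample (not the page's): dig output in the same shape as the
# answer above shows, for a made-up validation record.
EXPECTED_NAME = "_e5f000fdaea220228e420f2b5256e43f.example.com."
EXPECTED_VALUE = "_aba7aefb0cab414f85c552723a7d0000.gbwdrhjxvn.acm-validations.aws."
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
_e5f000fdaea220228e420f2b5256e43f.example.com. 300 IN CNAME _aba7aefb0cab414f85c552723a7d0000.gbwdrhjxvn.acm-validations.aws.

;; AUTHORITY SECTION:
gbwdrhjxvn.acm-validations.aws. 900 IN SOA ns-94.awsdns-11.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
"""


def normalize(fqdn: str) -> str:
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return fqdn.strip().rstrip(".").lower()


def parse_dig_cnames(dig_output: str, owner: str) -> list[str]:
    """Return the CNAME targets dig reported for `owner` in its ANSWER SECTION."""
    targets, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False          # a blank line or the next ";;" header ends the section
        if not in_answer:
            continue
        fields = line.split()          # owner  TTL  class  type  rdata
        if len(fields) >= 5 and fields[3].upper() == "CNAME" and normalize(fields[0]) == normalize(owner):
            targets.append(fields[4])
    return targets


def diagnose(expected_name: str, expected_value: str, dig_output: str) -> str:
    """Compare what DNS returns with the CNAME value ACM shows under Domains."""
    found = parse_dig_cnames(dig_output, expected_name)
    if not found:
        return "NOT_RESOLVABLE"        # record absent or not yet propagated; check TTLs
    if any(normalize(t) == normalize(expected_value) for t in found):
        return "OK"                    # ACM can validate; renewal should proceed
    return "WRONG_TARGET"              # stale CNAME, e.g. left over from an older certificate


def run_dig(name: str) -> str:
    """Live lookup: feed real dig output (needs network and dig installed) to diagnose()."""
    return subprocess.run(["dig", name, "CNAME"], capture_output=True, text=True, check=True).stdout
```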
