ACM was unable to automatically renew your certificate, AWS is the domain controller. Stranded.

0

I got the "ACM was unable to automatically renew your certificate" ... for domain "smurf.sad" (example); AWS is the domain controller.

Email verification is (for some reason) turned on and the emails in question are set on smurf.sad. For instance: admin@smurf.sad, webmaster@smurf.sad, etc. Therefore the renewal certificates end up in /dev/null. Is there an easy way to get those emails? (I tried lambda email forwarding but got lost in the SES/S3/lambda policies and rules.)

I'd be happy to switch to domain record verification, but for some reason such an option is not available. See: https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

The 'Create record in Route 53' is not available, and the instructions on page https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-DNS-validation.html#troubleshooting-route53-1 left me stranded as I feel I am compliant with all the requirements... I believe the button is not there because the certificate has still not expired.

If there's a simple way to add a CNAME / TXT entry, I'd like to learn what would be the values.

By all accounts I should be able to renew the certificate as I am the sole admin with full access privileges and the domain is controlled by AWS.

Any hints?

2 Answers
1

Hi

As per your problem above, I am assuming that you are not able to see the CREATE RECORDS button in the ACM console.

ACM console does not display the "Create record in Route 53" button --> this is the same link you have shared above:

If you select Amazon Route 53 as your DNS provider, AWS Certificate Manager can interact directly with it to validate your domain ownership. Under some circumstances, the console's Create record in Route 53 button may not be available when you expect it. If this happens, check for the following possible causes.

  • On the Validation page, you did not click the down-arrow next to your domain name.
  • You are not using Route 53 as your DNS provider.
  • You are logged into ACM and Route 53 through different accounts.
  • You lack IAM permissions to create records in a zone hosted by Route 53.
  • You or someone else has already validated the domain.
  • The domain is not publicly addressable.

Suggestions/Recommendations:

You can use DNS validation for the ACM certificates instead of email validation. As far as I remember, the DNS records generated by ACM are always the same if you create the certificate in any AWS account, so once the DNS records are updated that's all; no need to update them again.

Hope it works for you. Thank You

GK
answered a year ago
  • Hi,

    The certificate in question is (type) Amazon issued. I would like to let AWS recreate it automatically.

    I would like to solve this via DNS validation, but I do not know what should be added to the CNAME record to be able to do this. a) Do I need to manually switch to DNS validation, or is the CNAME check done implicitly even if I have email validation turned on? b) Should I just put the certificate ID in the CNAME? c) If not the certificate ID, then what should be added to my zone's records? d) I do not understand the CloudFormation proposal in the slightest. e) Would an easy way out also be to create a new public certificate and DNS validate it?

    Thanks

  • Hi

    Great, you got the SSL issued. If you would like to know how to add the DNS records, here is the info that can help you. Pls check this link: https://aws.amazon.com/premiumsupport/knowledge-center/route-53-validate-acm-certificates/

    a) Once a certificate is ISSUED it is not possible to change it, so instead of that you can create a new ACM certificate and use DNS validation. b) No. The CNAME records you have got, you need to add them exactly as given; example screenshot: https://knowledge.amimoto-ami.com/hubfs/Knowledge%20Base%20Import/downloads.intercomcdn.comio19113792531e905dadade1d235a7570cdimage.png c) You should not add the certificate ID; you need to add the DNS records, because ACM is going to check whether you are the owner of the domain or not. Once DNS is updated you need to wait till the DNS has propagated. d) The CloudFormation is the simple way: it will create the ACM certificate and also update the DNS entry, so you don't have to add it manually. e) It is very simple and not much technical knowledge is required. This YouTube video link may help you more: https://www.youtube.com/watch?v=ookzXuMr8eY

    Thank You

0
Accepted Answer

After reading more about the issue and listening to GK's suggestions, I decided to drop the whole 'renewal' approach and did the following:

  1. Created a new certificate (DNS verification)
  2. Added the provided CNAME name/value via Route 53 to the hosted zone

... after a few seconds, the new certificate was validated.

  3. I went to my EC2 load balancer and associated the new certificate with https:443

... the new certificate was correctly associated with https:443.

Thank you GK for your prompt help and kind suggestions

TomTom
answered a year ago
  • Please accept the above answer if your issue is solved.
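The procedure TomTom describes (new DNS-validated certificate, its CNAME added to the Route 53 hosted zone, certificate attached to the HTTPS listener), together with the CNAME name/value that GK's comment refers to, scripted with the AWS CLI. This is an added example, not code from the thread or from AWS; it assumes AWS CLI v2 configured with `acm`, `route53:ChangeResourceRecordSets` and `elasticloadbalancing:ModifyListener` permissions, and the hosted zone ID and listener ARN are placeholders.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): request a DNS-validated ACM
# certificate, publish its validation CNAME in Route 53, wait for ISSUED,
# then attach it to the HTTPS listener. Invoke as: sh acm-dns.sh run
set -eu

DOMAIN="${DOMAIN:-smurf.sad}"                          # domain from the question
HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZONE-ID-PLACEHOLDER}"  # placeholder
LISTENER_ARN="${LISTENER_ARN:-LISTENER-ARN-PLACEHOLDER}" # placeholder

# Route 53 change batch for the validation record ACM hands back. The record
# is a CNAME (not the certificate ID); UPSERT makes re-runs idempotent.
change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}

request_certificate() {
  aws acm request-certificate --domain-name "$DOMAIN" \
    --validation-method DNS --query CertificateArn --output text
}

# Prints "<cname name>\t<cname value>" once ACM has populated the
# DomainValidationOptions; prints "None" while it is still pending.
validation_record() {
  aws acm describe-certificate --certificate-arn "$1" \
    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' \
    --output text
}

main() {
  arn=$(request_certificate)
  rec=None
  while [ "$rec" = "None" ] || [ -z "$rec" ]; do
    sleep 5
    rec=$(validation_record "$arn")
  done
  set -- $rec                     # split on the tab into name and value
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(change_batch "$1" "$2")"
  # Blocks until the certificate status becomes ISSUED (validation can take
  # a few seconds to some minutes after the record propagates).
  aws acm wait certificate-validated --certificate-arn "$arn"
  aws elbv2 modify-listener --listener-arn "$LISTENER_ARN" \
    --certificates "CertificateArn=$arn"
  echo "Issued and attached: $arn"
}

if [ "${1:-}" = "run" ]; then main; fi
```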
