Certificate Manager: renewal with domain validation fails to renew, expecting CAA records


I received the "Action Required: Your certificate renewal" email indicating that automatic renewal had failed to issue a new/updated certificate. The email suggested we fix the issue with CAA records [1]. Looking at the existing certificate, it currently uses a CNAME record for domain validation and the certificate status and domain info all look good, with green "Success" badges everywhere except for under the Renewal Status item where it reads "Pending validation."

We had tried to add the CAA records, however the domain (it is a subdomain, "blog.domain.com") did not accept the record citing that the primary domain already has a record of that type.

Now I'm not sure what to do. Shouldn't the existing CNAME record be sufficient for renewing the certificate? Is there some way to use a wildcard certificate on the primary domain (and offer zero records for this troublesome subdomain)? Is there something else I am missing?


  1. https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html
1 Answer

Thanks for the detailed description.

You might find this article https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ helpful as it explains how ACM checks CAA record following CNAME record.

To move forward, either

  • Include Amazon CA in the CAA records in the domain domain.com and clear up all CAA records in the sub-domain blog.domain.com
  • or include Amazon CA in the sub-domain (should be possible, not sure why it's returning an error)
  • or remove all CAA records

If the issue persists, please feel free to provide additional information for further discussions. Thank you.

answered 2 months ago
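As an added illustration (not from the question or the answer above) of the lookup the answer points to: a CA following RFC 8659 resolves any CNAME at the requested name, takes the CAA set found there, and otherwise climbs to the parent, which is why a CAA set on domain.com that omits Amazon governs blog.domain.com even though the subdomain has no CAA of its own. The zone data below is constructed, and the ACM CA identities are assumed from AWS documentation rather than taken from this thread.

```python
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value) as in a CAA RR
Zone = Dict[str, Dict[str, object]]  # constructed in-memory stand-in for DNS

# Issuer identities AWS documents for ACM's CA (assumed here; confirm in AWS docs).
ACM_CA = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def canonical(name: str, zone: Zone, hops: int = 8) -> str:
    """Follow a CNAME chain (bounded, to survive loops) to the canonical name."""
    while hops and "CNAME" in zone.get(name, {}):
        name, hops = zone[name]["CNAME"], hops - 1
    return name


def relevant_caa(name: str, zone: Zone) -> List[CAARecord]:
    """RFC 8659 relevant set: CAA at the (alias-resolved) name, else the parent's."""
    while name:
        rrset = zone.get(canonical(name, zone), {}).get("CAA", [])
        if rrset:
            return list(rrset)
        name = name.partition(".")[2]  # strip the leftmost label and climb
    return []


def ca_may_issue(name: str, zone: Zone, wildcard: bool = False) -> bool:
    """True if the CAA policy lets the ACM CA issue for name (no CAA at all = yes)."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True
    has_wild = any(t == "issuewild" for _, t, _ in rrset)
    tag = "issuewild" if wildcard and has_wild else "issue"
    # A value like "letsencrypt.org; accounturi=..." names the CA before ';'
    allowed = {v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag}
    return bool(allowed & ACM_CA)


# Constructed zone mirroring the question: the apex CAA set omits Amazon and the
# subdomain has no CAA of its own, so the lookup climbs and Amazon is refused.
ZONE: Zone = {
    "domain.com.": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "blog.domain.com.": {},
}
FIXED: Zone = {
    "domain.com.": {"CAA": [(0, "issue", "letsencrypt.org"), (0, "issue", "amazon.com")]},
}

if __name__ == "__main__":
    print(ca_may_issue("blog.domain.com.", ZONE))   # False: renewal blocked
    print(ca_may_issue("blog.domain.com.", FIXED))  # True once Amazon is listed
```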
