By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Certificate Manager Pending Validation when DNS validation is successful

0

I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS validated certificate where I validated using the CNAME record.

Under domains I can see the domain validation has a status of Success and Renewal Status of Success

If I run aws acm describe-certificate --certificate-arn "examplearn", I get a return showing DomainValidationOptions with the ValidationStatus being success for the CNAME validation.

Replaced with "example" for sensitive values

{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": [
            "*.example.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "*.example.com",
                "ValidationDomain": "*.example.com",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "examplename",
                    "Type": "CNAME",
                    "Value": "examplevalue"
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Serial": "",
        "Subject": "CN=*.example.com",
        "Issuer": "Amazon",
        "CreatedAt": "2019-01-17T12:53:01-08:00",
        "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
        "Status": "ISSUED",
        "NotBefore": "2021-10-22T17:00:00-07:00",
        "NotAfter": "2022-11-23T15:59:59-08:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [
            "example",
            "example",
            "example",
            "example"
        ],
        "Type": "AMAZON_ISSUED",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {
                    "DomainName": "*.example.com",
                    "ValidationDomain": "*.example.com",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "examplename",
                        "Type": "CNAME",
                        "Value": "examplevalue"
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
        },
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            },
            {
                "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.2"
            }
        ],
        "RenewalEligibility": "ELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

Followed instructions successfully in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ (checking cname response exactly matches what is in acm CNAME values when copy pasting)

The site domain registration is in Route 53 with NS pointing to cloudflare, where DNS is managed.

Is there something obvious that pops out to you? Thank you!

Topics
Security, Identity, & Compliance
Tags
AWS Certificate Manager
Language
English
rePost-User-6135265
asked a year ago643 views
1 Answer
0
Accepted Answer

The update is an asynchronous process, so you should wait a little longer and contact support if it seems impossible.

Understanding renewal timing

Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it. Therefore, changes to the certificate status can take up to several hours to appear in the console

https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

profile picture
takakuni
answered a year ago
profile pictureAWS
EXPERT
Tushar_J
reviewed a year ago
  • rePost-User-6135265
    a year ago

    Thank you for the consolation! Decided to finally pay for the upgrade for support since this has been over a day.

  • rePost-User-6135265
    a year ago

    Certificate was renewed after contacting amazon support; yay!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content