Certificate Manager: renewal with domain validation fails to renew, expecting CAA records

I received the "Action Required: Your certificate renewal" email indicating that automatic renewal had failed to issue a new/updated certificate. The email suggested we fix the issue with CAA records [1]. Looking at the existing certificate, it currently uses a CNAME record for domain validation and the certificate status and domain info all look good, with green "Success" badges everywhere except for under the Renewal Status item where it reads "Pending validation."

We had tried to add the CAA records, however the domain (it is a subdomain, "blog.domain.com") did not accept the record, citing that the primary domain already has a record of that type.

Now I'm not sure what to do. Shouldn't the existing CNAME record be sufficient for renewing the certificate? Is there some way to use a wildcard certificate on the primary domain (and offer zero records for this troublesome subdomain)? Is there something else I am missing?

--

  1. https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html
1 answer

Thanks for the detailed description.

You might find this article https://aws.amazon.com/premiumsupport/knowledge-center/acm-troubleshoot-caa-errors/ helpful, as it explains how ACM checks CAA records when following a CNAME record.

To move forward, either

  • Include Amazon CA in the CAA records in the domain domain.com and clear up all CAA records in the sub-domain blog.domain.com
  • or include Amazon CA in the sub-domain (should be possible, not sure why it's returning an error)
  • or remove all CAA records

If the issue persists, please feel free to provide additional information for further discussions. Thank you.

AWS
weidi
answered 1 year ago
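An added example, not part of the question or the answer above: a small offline model of the CAA check the answer describes, where the CA queries CAA at the name (the resolver follows the CNAME), then climbs to the parent label when the RRset is empty, as specified in RFC 8659. The zone data and host names are constructed; the Amazon CA identifiers are the ones ACM documents as valid CAA values.

```python
"""Offline model of the CAA check a CA such as ACM performs before issuing
or renewing (RFC 8659, section 3): query CAA at the name (the resolver
follows any CNAME), and if the RRset is empty climb to the parent label."""

# Constructed zone data (hypothetical names): blog.domain.com is a CNAME
# to a target that has no CAA, while domain.com permits only one CA, so
# the subdomain inherits that restriction and an ACM renewal is refused.
ZONE = {
    "blog.domain.com.": {"CNAME": "target.example-cdn.net."},
    "target.example-cdn.net.": {},
    "domain.com.": {"CAA": [(0, "issue", "letsencrypt.org")]},
}

# CA domains ACM documents for CAA records.
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}


def parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def query_caa(name, zone, max_hops=8):
    """Return the CAA RRset at name, following CNAMEs like a resolver."""
    hops = 0
    while "CNAME" in zone.get(name, {}):
        hops += 1
        if hops > max_hops:
            raise ValueError("CNAME chain too long or looping")
        name = zone[name]["CNAME"]
    return zone.get(name, {}).get("CAA", [])


def relevant_caa(name, zone):
    """Return (owner, RRset) of the first non-empty CAA set found while
    climbing from name towards the root; (None, []) if there is none."""
    n = name if name.endswith(".") else name + "."
    while n:
        rrs = query_caa(n, zone)
        if rrs:
            return n, rrs
        n = parent(n)
    return None, []


def issuance_allowed(rrs, ca, wildcard=False):
    """No issue tag means any CA may issue; otherwise the CA domain must be
    listed (issuewild overrides issue for wildcard names; parameters after
    ';' are ignored, so 'issue ";"' forbids all CAs)."""
    issue = {v.split(";")[0].strip() for _, t, v in rrs if t == "issue"}
    wild = {v.split(";")[0].strip() for _, t, v in rrs if t == "issuewild"}
    if wildcard and wild:
        return ca in wild
    return not issue or ca in issue
```

Adding an `issue` record for one of the `AMAZON_CAS` values at domain.com (or removing the CAA RRset there) makes `issuance_allowed` return true for the subdomain, which is the first and third option in the answer.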
