ACM certificate not validating

0

Had a single certificate that is stuck on "Pending auto-renewal". This is a cert that has renewed in the past and was originally requested in 2021. I have confirmed the NS records are correct and that the CNAME record exists and can be seen from multiple sites. This was checked multiple days ago and no DNS changes have been made since.

The email notification also seems to be a bit weird, it states the certificate correctly but at the bottom, it says "The following 0 domains require validation:".

This is for a cert for a subdomain splog.slog.com in us-east-1 where we also have a wildcard *.splog.slog.com in eu-west-2 which is renewing correctly.

Asked 6 months ago · Viewed 236 times
3 answers
1

We have exactly the same problem.

Got a notice email from AWS regarding this.

Yet everything seems to be correct. Records are there, have never been removed.

We also manage infra as code using AWS CDK, so no chance anything was deleted.

I think this is a bug in AWS, I'd suggest AWS engineering to really look into this.

m0ltar
Answered 6 months ago
0
Accepted answer

After the certificate expired, I finally hit the issue when trying to request another: there was no CAA record for this subdomain.

Following https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html, even though it is listed as optional, allowed a new certificate to be requested.

The AWS UI is abysmal for not saying this was the issue and really needs to be fixed to stop these issues happening again.

Answered 6 months ago
0

Hello,

From the description, I understand that you are facing issues with pending auto renewal status for requested ACM certificates.

Pending automatic renewal

  • ACM is attempting to automatically validate the domain names in the certificate.

Managed renewal is fully automated for ACM certificates that were originally issued using DNS validation. At 60 days prior to expiration, ACM checks for the renewal criteria:

  • The certificate is currently in use by an AWS service.

  • A valid DNS record for the apex domain exists.

  • The required CNAME token is present and accessible in the DNS record.

  • Each domain and subdomain that is named in the certificate is present in the DNS record.

If these criteria are met, ACM considers the domain names validated and renews the certificate.

Please make sure that all of these criteria are met.

References:

[1] Troubleshooting Managed Certificate Renewal: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

[2] Renewal for Domains Validated by DNS: https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html

[3] Easier Certificate Validation Using DNS with AWS Certificate Manager (AWS Security Blog): https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/

AWS
Answered 6 months ago
  • All these criteria are correct and have not changed. This environment is configured via Terraform and the code base around these has not been modified since it was initially deployed back in 2021.
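The accepted answer above found that the missing piece was a CAA record on the subdomain, while the AWS answer lists the DNS conditions managed renewal checks (the CNAME token being present among them). The following is an added example, not code from this thread or from AWS, that evaluates both conditions offline against a constructed zone: it applies the RFC 8659 CAA lookup (the closest ancestor with a CAA RRset decides) and checks that the validation CNAME points at the expected `acm-validations.aws` target. The zone contents, the `_deadbeef`/`_cafe` token labels and the `with_caa` helper are all assumptions made for illustration; the list of CA domains comes from the linked setup-caa page. It goes slightly beyond the thread by also handling wildcard names via `issuewild`.

```python
"""Offline check of the two DNS conditions behind ACM DNS validation:
an effective CAA policy that permits Amazon's CAs, and the presence of the
CNAME validation token. Example code added to this thread, not AWS's own."""
import copy

# CA domains ACM issues through, per the ACM setup-caa documentation
# (assumption: list as published at the time of this thread).
ACM_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed resolver results keyed by owner name; values are (type, rdata).
# CAA rdata is (flags, tag, value). In practice this would come from dig or
# dnspython; the slog.com names and tokens here are illustrative only.
ZONE = {
    "slog.com": [("NS", "ns-1.example-dns.net."),
                 ("CAA", (0, "issue", "letsencrypt.org"))],  # parent policy
    "splog.slog.com": [("A", "192.0.2.10")],                 # no CAA here
    "_deadbeef.splog.slog.com": [("CNAME", "_cafe.acm-validations.aws.")],
}


def norm(name):
    """Canonical form for comparisons: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def lookup(zone, name, rtype):
    return [rdata for t, rdata in zone.get(norm(name), []) if t == rtype]


def effective_caa(zone, name):
    """RFC 8659 relevant RRset: walk from the name up through its ancestors
    and return (owner, rrset) for the first one that has CAA records."""
    labels = norm(name).split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = lookup(zone, owner, "CAA")
        if rrset:
            return owner, rrset
    return None, []


def acm_may_issue(zone, name, wildcard=False):
    """Return (allowed, reason) for issuance by one of ACM's CAs."""
    owner, rrset = effective_caa(zone, name)
    if not rrset:
        return True, "no CAA policy in scope: any CA may issue"
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                      # issuewild overrides for *.name
    tagged = [v for _, t, v in rrset if t == tag]
    if not tagged:                             # only unrelated tags (e.g. iodef)
        return True, f"CAA at {owner} has no {tag} property: not restricted"
    # The CA domain is the part before any ';' parameters; ';' alone forbids all.
    cas = {v.split(";")[0].strip().lower() for v in tagged} - {""}
    allowed = bool(cas & ACM_CAS)
    return allowed, f"CAA at {owner} ({tag}) permits: {sorted(cas) or ['nobody']}"


def validation_record_present(zone, record_name, expected_target):
    """True when the CNAME token ACM asked for resolves to the expected target."""
    targets = [norm(t) for t in lookup(zone, record_name, "CNAME")]
    return norm(expected_target) in targets


def with_caa(zone, owner, ca, tag="issue"):
    """Hypothetical remediation: copy of the zone with a CAA record added."""
    fixed = copy.deepcopy(zone)
    fixed.setdefault(norm(owner), []).append(("CAA", (0, tag, ca)))
    return fixed


def diagnose(zone, domain, cname_name, cname_target):
    """Run both checks for one certificate name; returns (all_ok, findings)."""
    wildcard = domain.startswith("*.")
    bare = domain[2:] if wildcard else domain
    ok_caa, why = acm_may_issue(zone, bare, wildcard)
    ok_cname = validation_record_present(zone, cname_name, cname_target)
    findings = [("CAA", ok_caa, why),
                ("CNAME token", ok_cname, f"{cname_name} -> {cname_target}")]
    return ok_caa and ok_cname, findings


if __name__ == "__main__":
    for label, zone in (("before", ZONE),
                        ("after adding CAA", with_caa(ZONE, "splog.slog.com", "amazon.com"))):
        ok, findings = diagnose(zone, "splog.slog.com",
                                "_deadbeef.splog.slog.com", "_cafe.acm-validations.aws")
        print(f"[{label}] renewal prerequisites met: {ok}")
        for check, passed, detail in findings:
            print(f"  {'OK  ' if passed else 'FAIL'} {check}: {detail}")
```

In the constructed zone the CNAME token is fine, yet the request is still blocked because the parent `slog.com` carries a CAA policy naming another CA and the subdomain has none of its own, so the parent's policy is inherited. Adding an `issue amazon.com` record at the subdomain makes it the relevant RRset and the check passes, which is the shape of the fix the accepted answer describes.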
