AWS Certificate Manager Pending Validation when DNS validation is successful


I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS validated certificate where I validated using the CNAME record.

Under domains I can see the domain validation has a status of Success and Renewal Status of Success.

If I run aws acm describe-certificate --certificate-arn "examplearn", I get a return showing DomainValidationOptions with the ValidationStatus being success for the CNAME validation.

Replaced with "example" for sensitive values

{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": [
            "*.example.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "*.example.com",
                "ValidationDomain": "*.example.com",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "examplename",
                    "Type": "CNAME",
                    "Value": "examplevalue"
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Serial": "",
        "Subject": "CN=*.example.com",
        "Issuer": "Amazon",
        "CreatedAt": "2019-01-17T12:53:01-08:00",
        "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
        "Status": "ISSUED",
        "NotBefore": "2021-10-22T17:00:00-07:00",
        "NotAfter": "2022-11-23T15:59:59-08:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [
            "example",
            "example",
            "example",
            "example"
        ],
        "Type": "AMAZON_ISSUED",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {
                    "DomainName": "*.example.com",
                    "ValidationDomain": "*.example.com",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "examplename",
                        "Type": "CNAME",
                        "Value": "examplevalue"
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
        },
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            },
            {
                "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.2"
            }
        ],
        "RenewalEligibility": "ELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

Followed instructions successfully in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ (checking CNAME response exactly matches what is in ACM CNAME values when copy-pasting).

The site domain registration is in Route 53 with NS pointing to Cloudflare, where DNS is managed.

Is there something obvious that pops out to you? Thank you!

Asked 1 year ago · Viewed 651 times
1 Answer
Accepted Answer

The update is an asynchronous process, so you should wait a little longer and contact support if it seems impossible.

Understanding renewal timing

Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it. Therefore, changes to the certificate status can take up to several hours to appear in the console.

https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

Answered 1 year ago
Reviewed by an AWS Expert 1 year ago
  • Thank you for the consolation! Decided to finally pay for the upgrade for support since this has been over a day.

  • Certificate was renewed after contacting Amazon support; yay!
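The case in this thread (every domain validated, renewal still `PENDING_VALIDATION`) can be told apart from a real DNS validation failure by reading `RenewalSummary` in the `describe-certificate` output. The following is an added example, not part of the original thread and not AWS code; the `triage_renewal` helper, its state labels and the 24-hour `stale_hours` threshold are assumptions chosen for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the fields from the question's output.
SAMPLE = json.loads("""
{"Certificate": {
  "Status": "ISSUED",
  "NotAfter": "2022-11-23T15:59:59-08:00",
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "*.example.com", "ValidationStatus": "SUCCESS",
       "ValidationMethod": "DNS"}
    ],
    "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
  }
}}
""")

def triage_renewal(doc, now, stale_hours=24):
    """Classify a managed renewal (hypothetical helper; stale_hours is assumed)."""
    cert = doc["Certificate"]
    days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
    summary = cert.get("RenewalSummary")
    if summary is None:
        return {"state": "NO_RENEWAL_IN_PROGRESS", "days_left": days_left}
    # Domains ACM has not (yet) validated for this renewal attempt.
    unvalidated = [d["DomainName"]
                   for d in summary.get("DomainValidationOptions", [])
                   if d.get("ValidationStatus") != "SUCCESS"]
    updated = datetime.fromisoformat(summary["UpdatedAt"])
    hours_idle = (now - updated).total_seconds() / 3600
    status = summary["RenewalStatus"]
    if status != "PENDING_VALIDATION":
        state = status              # e.g. SUCCESS or FAILED, passed through as-is
    elif unvalidated:
        state = "FIX_DNS"           # ACM does not see the CNAME for these names
    elif hours_idle < stale_hours:
        state = "WAIT"              # validated; issuance is asynchronous
    else:
        state = "CONTACT_SUPPORT"   # validated, but no progress for too long
    return {"state": state, "unvalidated": unvalidated,
            "hours_idle": round(hours_idle, 1), "days_left": days_left}

if __name__ == "__main__":
    print(triage_renewal(SAMPLE, datetime.now(timezone.utc)))
```

To use it on a real certificate, pass the parsed JSON from `aws acm describe-certificate` in place of `SAMPLE`; `days_left` shows how much time remains before the current certificate expires while the renewal is stuck.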
