Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?


I used the AWS Certificate Manager (ACM) managed renewal process to validate my domain, but the status is still "Pending validation".

Short description

If ACM can't automatically validate one or more of the domain names in the certificate, then the renewal status remains Pending validation until every domain is validated.

The following reasons can cause the renewal status to remain in Pending validation:

  • Not all the domains that are listed in the ACM certificate are validated.
  • The renewal is stuck because of the Certification Authority Authorization (CAA) record.
  • The automatic validation failed.
  • The managed renewal process is asynchronous.
  • The original certificate expired.

Resolution

To check whether each domain is validated, expand the certificate's details in the ACM console. Or, run the aws acm describe-certificate command in the AWS Command Line Interface (AWS CLI) and inspect the RenewalSummary section of the output, which lists the renewal status and the validation status of each domain.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

If your domain is stuck in Pending validation renewal status, then use the following resolution to troubleshoot your ACM certificate.

Note:

  • For email-validated certificate renewals, ACM begins to send renewal notices 45 days before the certificate expires. The notices include actions that you must take to renew your certificate.
  • For DNS-validated certificate renewals, ACM checks 60 days before the certificate expires that the validation CNAME records are still in place in your DNS configuration and then renews the certificate automatically.

Not all the domains that are listed in the ACM certificate are validated

If you manually validate domains, then you must validate every domain name in the ACM certificate, including each subject alternative name (SAN). The renewal status stays Pending validation until all of them show Success.

If you use email validation, then ACM sends a set of validation emails for each domain. To validate the domains, complete the steps that are in the emails.
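The following script is an added example, not part of the AWS article: it reads the JSON that aws acm describe-certificate prints, lists which domains in RenewalSummary still aren't validated, and maps the state onto the causes listed above (unvalidated domains, CAA, validation failure, asynchronous renewal, expired certificate). The field names are the real describe-certificate output fields; the certificate ARN, domain names, CNAME values and timestamps in SAMPLE are constructed for illustration, and the 45-day, 60-day and 72-hour figures are the ones quoted in this article.

```python
"""Read `aws acm describe-certificate` output and explain a PENDING_VALIDATION renewal."""
import json
import sys
from datetime import datetime, timedelta, timezone

# Windows quoted in the article: email renewal notices start 45 days before
# expiry; DNS-validated certificates are checked 60 days before expiry.
RENEWAL_WINDOW_DAYS = {"EMAIL": 45, "DNS": 60}
# Per the article, an expired email-validated certificate must be validated
# within 72 hours or the renewal status changes to FAILED.
POST_EXPIRY_GRACE = timedelta(hours=72)


def parse_acm_time(value):
    """The CLI prints ISO-8601 strings; boto3 returns datetime objects."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def renewal_report(describe_output, now=None):
    """Summarise certificate status, renewal status and per-domain validation."""
    now = parse_acm_time(now) if now else datetime.now(timezone.utc)
    cert = describe_output["Certificate"]
    renewal = cert.get("RenewalSummary", {})
    # While a managed renewal is in flight, per-domain state is reported under
    # RenewalSummary; fall back to the original request's options otherwise.
    options = renewal.get("DomainValidationOptions") or cert.get("DomainValidationOptions", [])
    not_after = parse_acm_time(cert["NotAfter"])
    days_left = (not_after - now).total_seconds() / 86400

    domains = []
    for opt in options:
        method = opt.get("ValidationMethod", "DNS")
        entry = {
            "domain": opt["DomainName"],
            "method": method,
            "status": opt.get("ValidationStatus"),
            # Renewal checks for this method start this many days before expiry.
            "window_days": RENEWAL_WINDOW_DAYS.get(method),
        }
        if method == "DNS" and "ResourceRecord" in opt:
            rr = opt["ResourceRecord"]  # the CNAME that must exist in the zone
            entry["cname"] = "{} {} {}".format(rr["Name"], rr["Type"], rr["Value"])
        domains.append(entry)

    return {
        "certificate_status": cert.get("Status"),
        "renewal_status": renewal.get("RenewalStatus"),
        "renewal_status_reason": renewal.get("RenewalStatusReason"),
        "days_until_expiry": round(days_left, 1),
        "expired": days_left < 0,
        "post_expiry_deadline": (not_after + POST_EXPIRY_GRACE).isoformat() if days_left < 0 else None,
        "pending_domains": [d["domain"] for d in domains if d["status"] != "SUCCESS"],
        "domains": domains,
    }


def diagnose(report):
    """Map the report onto the causes listed in the article."""
    if report["expired"]:
        return "original_certificate_expired"
    if report["renewal_status_reason"] == "CAA_ERROR":
        return "caa_record_blocks_issuance"
    if report["pending_domains"]:
        return "domains_not_validated"
    if report["renewal_status"] == "FAILED" or report["renewal_status_reason"]:
        return "automatic_validation_failed"
    if report["renewal_status"] == "PENDING_VALIDATION":
        return "renewal_in_progress"  # every domain validated; ACM is still issuing
    return "no_action_needed"


# Constructed sample in the shape of `aws acm describe-certificate --output json`.
SAMPLE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
        "DomainName": "example.com",
        "SubjectAlternativeNames": ["example.com", "www.example.com"],
        "Status": "ISSUED",
        "NotAfter": "2025-09-01T12:00:00Z",
        "RenewalEligibility": "ELIGIBLE",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {"DomainName": "example.com", "ValidationMethod": "DNS",
                 "ValidationStatus": "SUCCESS",
                 "ResourceRecord": {"Name": "_abc.example.com.", "Type": "CNAME",
                                    "Value": "_def.acm-validations.aws."}},
                {"DomainName": "www.example.com", "ValidationMethod": "EMAIL",
                 "ValidationStatus": "PENDING_VALIDATION",
                 "ValidationEmails": ["admin@example.com"]},
            ],
            "UpdatedAt": "2025-07-18T09:00:00Z",
        },
    }
}

if __name__ == "__main__":
    # Usage: aws acm describe-certificate --certificate-arn <arn> --output json | python check_acm_renewal.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    rep = renewal_report(data)
    print(json.dumps(rep, indent=2))
    print("diagnosis:", diagnose(rep))
```

Run it with the real CLI output piped on stdin; with no input it runs against the constructed sample, where www.example.com is still waiting on email validation, so the diagnosis is domains_not_validated even though the first domain shows SUCCESS. The per-domain entries keep the CNAME value for DNS domains so you can check the record against your zone, and the expired branch reports the 72-hour deadline the article describes.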

The renewal is stuck because of the CAA record

If your domain has a CAA record, then make sure that it still permits an Amazon certificate authority (amazon.com, amazontrust.com, awstrust.com, or amazonaws.com). A CAA record that was added or changed after the original issuance can block the renewal even though the first issuance succeeded. To resolve this issue, see How do I resolve CAA errors for issuing or renewing an ACM certificate?

The automatic validation failed

If ACM can't automatically validate a domain, then see Handling failures in managed certificate renewal.

The managed renewal process is asynchronous

It can take up to a few hours for ACM to obtain the new certificate after validation completes. During this time, the status in the ACM console remains Pending validation.

You can recognize this case because the validation status of every domain in the ACM console is Success while the certificate's renewal status is still Pending validation. No action is needed; check the renewal status again later.

The original certificate expired

If the original email-validated ACM certificate expires before it's renewed, then the certificate status changes from Issued to Pending validation. You must complete the email validation for the domain within 72 hours of the expiration, or the renewal status changes from Pending validation to Failed.

If the renewal fails, then you must request another public certificate for the domains.

Related information

Managed renewal for ACM certificates

Check a certificate's renewal status

Why did my publicly trusted ACM certificate fail managed renewal?

AWS OFFICIAL. Updated 2 days ago.