Why didn't I receive the validation email to issue or renew ACM certificates?

I used email validation with AWS Certificate Manager (ACM) to issue or renew a certificate but I didn’t receive the validation email.

Short description

To renew an ACM certificate, you can use either email-validated renewals or DNS-validated renewals.

If an MX record exists for the domain, then ACM sends validation emails to five common system addresses. ACM also sends validation emails to email addresses registered in the WHOIS database for the domain registrant, technical contact, and administrative contact.

Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.

Resolution

To resolve this issue, follow these instructions to continue to use email validation or switch to DNS validation.

Option 1: Continue to use email validation

Check the ACM certificate for your domain to verify which email addresses receive the validation email.

  1. Open the ACM console, and then choose List certificates.

  2. In Certificates, choose the certificate that you want to renew.

  3. In Certificate status, note the ARN value.

  4. Run the following describe-certificate AWS CLI command:
    Note: Replace your_certificate_arn with your ACM certificate Amazon Resource Name (ARN) from the previous step.

    aws acm describe-certificate --certificate-arn your_certificate_arn --query Certificate.RenewalSummary.DomainValidationOptions

    Example output:

    [
      {
        "DomainName": "www.example.com",
        "ValidationEmails": [
          "hostmaster@example.com",
          "postmaster@example.com",
          "admin@example.com",
          "webmaster@example.com",
          "administrator@example.com"
        ],
        "ValidationDomain": "example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": null,
        "ValidationMethod": "EMAIL"
      }
    ]

    The validation emails are sent to the email addresses listed in the ValidationEmails field.

  5. Check the inboxes of the email addresses listed under "ValidationEmails" for the validation email. Be sure to also check the spam folders.

  6. If you found the validation email, then open the link to complete the validation. If you didn't find the validation email, then resend the validation email.
    Note: Validation emails are valid for only 72 hours.

  7. If you still didn't find or receive the validation email, then check if a valid MX record exists for the validation domain name. Run one of the following commands to look up the MX record. In this example, the validation domain is example.com for the domain name www.example.com:

    Linux and macOS

    dig mx example.com

    Windows

    nslookup -q=mx example.com

    This example output shows that an MX record exists and lists the mail servers that receive the validation emails:

    ;; ANSWER SECTION:
    example.com.             599     IN      MX      10 mail1.example.com.
    example.com.             599     IN      MX      20 mail2.example.com.

  8. If you don't have an MX record and your domain registrar doesn't support email forwarding, then you must follow additional steps to troubleshoot the issue. For more information, see How can I resend the validation email to verify my domain for ACM?
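
The checks in steps 4 through 8 combined into one script, as an added example that is not part of the original article: it reads the DomainValidationOptions JSON, keeps the domains still pending email validation, and looks up the MX record for each validation domain. The function names, the sample certificate data, and the sample MX table are constructed for illustration.

```python
import json
import subprocess

# Constructed sample in the shape returned by the describe-certificate
# query from step 4 (domains and addresses are made up for this example).
SAMPLE = json.loads("""[
  {"DomainName": "www.example.com", "ValidationDomain": "example.com",
   "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL",
   "ValidationEmails": ["hostmaster@example.com", "admin@example.com"]},
  {"DomainName": "api.example.net", "ValidationDomain": "example.net",
   "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL",
   "ValidationEmails": ["admin@example.net"]},
  {"DomainName": "example.org", "ValidationDomain": "example.org",
   "ValidationStatus": "SUCCESS", "ValidationMethod": "DNS"}
]""")
# Constructed MX data so the example runs offline; example.net has no MX.
SAMPLE_MX = {"example.com": ["mail1.example.com.", "mail2.example.com."]}

def dig_mx(domain):
    """Live lookup with `dig +short mx` (needs dig and network access)."""
    out = subprocess.run(["dig", "+short", "mx", domain],
                         capture_output=True, text=True, timeout=10).stdout
    # Each answer line is "<preference> <host>"; keep the host.
    return [p[1] for p in (l.split() for l in out.splitlines()) if len(p) == 2]

def triage(options, mx_lookup=dig_mx):
    """List domains still waiting on email validation and the next check."""
    findings = []
    for opt in options:
        # Only email-validated domains that are still pending need a mailbox check.
        if (opt.get("ValidationMethod") != "EMAIL"
                or opt.get("ValidationStatus") != "PENDING_VALIDATION"):
            continue
        vdomain = opt.get("ValidationDomain") or opt["DomainName"]
        mx_hosts = mx_lookup(vdomain)
        findings.append({
            "domain": opt["DomainName"],
            "validation_domain": vdomain,
            "mailboxes": opt.get("ValidationEmails") or [],
            "mx_hosts": mx_hosts,
            "next_step": ("check these mailboxes and spam folders, then resend"
                          if mx_hosts else "no MX record found; see step 8"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE, mx_lookup=lambda d: SAMPLE_MX.get(d, [])):
        print(json.dumps(f, indent=2))
```

To run it against a real certificate, pass the parsed JSON from the step 4 command to triage() and leave mx_lookup at its default, which calls dig.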

Option 2: Use DNS

You can switch to DNS validation at no additional cost. To switch to DNS validation, recreate the ACM certificate and then follow the steps to set up DNS validation.

You must update services integrated with ACM that used the previous ACM certificate to use the new certificate. You must do this because new ACM certificates generate a new and separate ARN. You can't retain the ARN with a new ACM certificate. Only renewed ACM certificates retain the same ARN.

  1. Open the ACM console, and then choose List certificates.

  2. In Certificates, choose the certificate that you want to renew.

  3. In Certificate status, note the ARN value.

  4. Run a describe-certificate AWS CLI command similar to the following:
    Note: Replace your_certificate_arn with your ACM certificate ARN from the previous step.

    aws acm describe-certificate --certificate-arn your_certificate_arn --output text | grep INUSEBY

    Example output:

    INUSEBY arn:aws:cloudfront::111122223333:distribution/E1WG1ZNPRXT0
    INUSEBY arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/myalbname/1234567890abcdef

Related information

Managed renewal for ACM certificates

Check a certificate's renewal status

Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?

AWS OFFICIAL
Updated 3 months ago