I used email validation with AWS Certificate Manager (ACM) to issue or renew a certificate, but I didn’t receive the validation email.
Short description
To renew an ACM certificate, you can use either email-validated renewals or DNS-validated renewals.
Important: ACM has discontinued WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To resolve this issue, follow these instructions to continue to use email validation or switch to DNS validation.
Note:
- For email-validated certificate renewals, ACM begins to send renewal notices 45 days before the certificate expires. The notices include actions that you must take to renew your certificate.
- For DNS-validated certificate renewals, ACM checks that certain criteria are met 60 days before the certificate expires to automatically renew your ACM certificates.
Option 1: Continue to use email validation
Check your ACM certificate for your domain to verify the email addresses for the validation email.
- Open the ACM console, and then choose List certificates.
- In Certificates, choose the certificate that you want to renew.
- In Certificate status, note the ARN value.
- Run the describe-certificate AWS CLI command:
  Note: Replace your_certificate_arn with your ACM certificate ARN from the previous step.

      aws acm describe-certificate --certificate-arn your_certificate_arn --query Certificate.RenewalSummary.DomainValidationOptions

  Example output:

      [
          {
              "DomainName": "www.example.com",
              "ValidationEmails": [
                  "hostmaster@example.com",
                  "postmaster@example.com",
                  "admin@example.com",
                  "webmaster@example.com",
                  "administrator@example.com"
              ],
              "ValidationDomain": "example.com",
              "ValidationStatus": "PENDING_VALIDATION",
              "ResourceRecord": null,
              "ValidationMethod": "EMAIL"
          }
      ]
  The validation emails are sent to the email addresses listed in the ValidationEmails field.
- Check for the validation email at the addresses listed under "ValidationEmails". Be sure to also check your spam folder for the validation email.
- If you found the validation email, then open the link to complete the validation. If you didn't find the validation email, then resend the validation email.
Note: Validation emails are valid for only 72 hours.
Option 2: Use DNS
You can switch to DNS validation at no additional cost. To switch to DNS validation, recreate the ACM certificate and then follow the steps to set up DNS validation.
You must update services integrated with ACM that used the previous ACM certificate to use the new certificate. You must do this because new ACM certificates generate a new and separate ARN. You can't retain the ARN with a new ACM certificate. Only renewed ACM certificates retain the same ARN.
- Open the ACM console, and then choose List certificates.
- In Certificates, choose the certificate that you want to renew.
- In Certificate status, note the ARN value.
- Run the describe-certificate AWS CLI command:
  Note: Replace your_certificate_arn with your ACM certificate ARN from the previous step.

      aws acm describe-certificate --certificate-arn your_certificate_arn --output text | grep INUSEBY

  Example output:

      INUSEBY arn:aws:cloudfront::111122223333:distribution/E1WG1ZNPRXT0
      INUSEBY arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/myalbname/1234567890abcdef
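The two describe-certificate checks in Option 1 and Option 2 can be combined into one pass over the command's JSON output. The following Python sketch is an added example, not AWS code: the function name renewal_report, the certificate ARN suffix, and the NotAfter date in the sample are assumptions, and the sample document is constructed to mirror the example outputs above.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws acm describe-certificate --output json`.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
  "NotAfter": "2025-07-01T00:00:00+00:00",
  "InUseBy": [
    "arn:aws:cloudfront::111122223333:distribution/E1WG1ZNPRXT0",
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/myalbname/1234567890abcdef"
  ],
  "RenewalSummary": {"DomainValidationOptions": [
    {"DomainName": "www.example.com",
     "ValidationEmails": ["hostmaster@example.com", "admin@example.com"],
     "ValidationDomain": "example.com",
     "ValidationStatus": "PENDING_VALIDATION",
     "ValidationMethod": "EMAIL"}
  ]}}}
""")

def renewal_report(doc, now):
    """Summarize renewal state and the resources tied to the certificate ARN."""
    cert = doc["Certificate"]
    not_after = cert["NotAfter"]
    # The AWS CLI can print timestamps as ISO 8601 strings or epoch numbers.
    expires = (datetime.fromtimestamp(not_after, timezone.utc)
               if isinstance(not_after, (int, float))
               else datetime.fromisoformat(not_after))
    days_left = (expires - now).days
    options = cert.get("RenewalSummary", {}).get("DomainValidationOptions", [])
    methods = {opt.get("ValidationMethod") for opt in options}
    # Domains still waiting on validation, with the mailboxes to check.
    pending = {opt["DomainName"]: opt.get("ValidationEmails") or []
               for opt in options
               if opt.get("ValidationStatus") == "PENDING_VALIDATION"}
    # Group InUseBy ARNs by service (third ARN field): these must be
    # repointed if the certificate is recreated for DNS validation.
    repoint = {}
    for arn in cert.get("InUseBy", []):
        repoint.setdefault(arn.split(":")[2], []).append(arn)
    # 45 days (email notices) and 60 days (DNS check) are the article's figures.
    window = 45 if "EMAIL" in methods else 60
    return {"days_left": days_left,
            "in_renewal_window": 0 <= days_left <= window,
            "pending_emails": pending, "repoint": repoint}

if __name__ == "__main__":
    print(json.dumps(renewal_report(SAMPLE, datetime.now(timezone.utc)), indent=2))
```

To run it against a real certificate, replace SAMPLE with the parsed output of the describe-certificate command run with --output json.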
Related information
Managed certificate renewal in AWS Certificate Manager
Check a certificate's renewal status
Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?