Get Hands-on with Amazon EKS - Workshop Event Series

Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!

Why did my publicly trusted ACM certificate fail managed renewal?

2 minute read

My AWS Certificate Manager (ACM) certificate failed managed renewal, and I want to resolve this issue.

Short description

Managed renewal for publicly trusted ACM certificates can fail for the following reasons:

The ACM certificate isn't in use or associated with any of the services that are integrated with ACM.
A DNS validated certificate's CNAME record is missing or not configured correctly.
The Certificate Authority Authorization (CAA) record check failed.

For DNS-validated certificate renewals, ACM checks that certain criteria are met 60 days before the certificate expires.

For email-validated certificate renewals, ACM begins to send renewal notices 45 days before the certificate expires. The notices include actions that you must take to renew your certificate.

Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.

Resolution

DNS and email validated certificates

Check whether the ACM certificate is in use and that it's associated with one of the services that are integrated with ACM.

DNS validated certificates

Update your DNS configuration to include the CNAME records that ACM provides. ACM looks for the CNAME record in the DNS configuration for the domain names that are included in the certificates.

After ACM renews the certificate, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically updated to your integrated AWS resources that are in use.

For more information, see Why didn't the CNAME record resolve for my ACM issued certificate and the DNS validation status is still "Pending validation"?

Email validated certificates

ACM must send email-validated renewals to the WHOIS mailbox addresses and the five common administrator addresses for each domain listed in your certificate. After all listed domains are validated, ACM issues a renewed certificate with the same ARN.

For more information, see How does the ACM managed renewal process work with email-validated certificates?

The CAA record check failed

If you configured a CAA record for your domain and received the "Failed" error, then see How do I resolve CAA "Failed" error when an ACM certificate is issued or renewed?

Related information

Troubleshooting managed certificate renewal

Check a certificate's renewal status

Topics: Security, Identity, & Compliance
Tags: AWS Certificate Manager
Language: English

AWS OFFICIALUpdated 2 years ago

No comments

Relevant content

The certitificate auto renewal got failed in ACM
rePost-User-3171285
asked 3 years ago
ACM domain validation: Renewal for internal or non public Load-Balancers
Accepted Answer
AWS-User-5268614
asked 8 years ago
Problem for CAA certificate renewal in ACM
Accepted Answer
rePost-User-2267186
asked a year ago
AWS Certificate Manager failing to renew certificates - for 0 domains?
ThElInK
asked 9 months ago
ACM Certificate not getting renewed
virenderdubey88
asked 3 years ago
Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?
AWS OFFICIALUpdated 2 years ago
How does the ACM managed renewal process work with DNS-validated certificates?
AWS OFFICIALUpdated 2 years ago
Why is my ACM certificate marked as ineligible for renewal?
AWS OFFICIALUpdated a year ago
How can I roll back my recently renewed ACM certificate?
AWS OFFICIALUpdated 2 years ago
AWS re:Post Knowledge Center Spotlight: AWS Certificate Manager (ACM)
EXPERT
AWS Official
published 2 years ago