
Problem for CAA certificate renewal in ACM


Currently in ACM I have a certificate that is "pending auto-renewal". The certificate is eligible for renewal but is not being renewed. The DNS is external to AWS; however, the CAA "amazon.com" records were assigned on the domain's DNS server as indicated in the documentation (https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-caa.html).

I don't understand why it's not being renewed. Is there a way to manually retry the renewal? Thank you!

  • I was able to fix this by adding the following CAA records to the external DNS provider:

    0 issuewild "amazon.com"
    0 issue "amazon.com"
    0 issue "amazontrust.com"
    0 issue "awstrust.com"
    0 issue "amazonaws.com"

    Then you have to wait a moment for ACM to try the renewal again. However, I'm not sure whether that renewal can be done manually.

asked 3 months ago · 175 views
1 Answer
Accepted Answer

If ACM can't automatically validate one or more domain names in the certificate, then the renewal status is Pending validation.

The following reasons can cause the renewal status to remain in Pending validation:

  • Not all the domains that are listed in the ACM certificate are validated.
  • The renewal is stuck because of the Certification Authority Authorization (CAA) record.
  • The automatic validation failed.
  • The managed renewal process is asynchronous.
  • The original certificate expired.

Resolution

To check whether a domain is validated, expand the certificate's details in the ACM console. Or, run the describe-certificate command in the AWS Command Line Interface (AWS CLI).

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

If your domain is stuck in Pending validation renewal status, then use the following resolution to troubleshoot your ACM certificate.

Note: For email-validated certificate renewals, ACM begins to send renewal notices 45 days before the certificate expires. The notices include actions that you must take to renew your certificate. For DNS-validated certificate renewals, ACM checks that certain criteria are met 60 days before the certificate expires to automatically renew your ACM certificates.

Not all the domains that are listed in the ACM certificate are validated

If you manually validate domains, then you must validate each domain in the ACM certificate.

If you use email validation, then ACM sends a set of validation emails for each domain. To validate the domains, complete the steps that are in the emails.

The renewal is stuck because of the CAA record

If you configured a CAA record to allow ACM to issue your certificate, then make sure that the issuance didn't block the renewal. To resolve this issue, see How do I resolve CAA errors for issuing or renewing an ACM certificate?

The automatic validation failed

If ACM can't automatically validate a domain, then see Handling failures in managed certificate renewal.

The managed renewal process is asynchronous

It can take up to a few hours for ACM to obtain the new certificate. During this time, the status in the ACM console remains Pending validation.

If the update is delayed, then the domain's validation status in the ACM console is Success and the certificate's renewal status is Pending validation.

The original certificate expired

If the original email-validated ACM certificate expires, then the certificate status changes from Issued to Pending validation. You must validate the domain within 72 hours, or the renewal status changes from Pending validation to Failed.

If the renewal fails, then you must request another public certificate for the domains.

answered 3 months ago by AWS (EXPERT)
reviewed 3 months ago by two EXPERT members
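The CAA record set in the asker's comment and the "renewal is stuck because of the CAA record" item in the accepted answer both come down to one question: does the domain's CAA policy authorize one of ACM's CA identifiers? The following is an added example, not code from the thread or from AWS; it parses CAA records in DNS presentation format (a constructed sample, using the records the asker posted) and applies the issue/issuewild precedence rules of RFC 8659 against the four CA domains AWS documents for ACM.

```python
"""Check whether a CAA record set allows ACM's CAs to issue a certificate.

Added example, not part of the re:Post thread. Records are given in DNS
presentation format ('<flags> <tag> "<value>"'), as returned by a tool such
as dig; no network lookup is performed.
"""
from typing import List, Tuple

# CA identifiers documented for ACM; a CAA 'issue'/'issuewild' value must
# match one of these for ACM to issue or renew.
ACM_CA_DOMAINS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed sample: the record set the question's author said fixed renewal.
SAMPLE_CAA = """0 issuewild "amazon.com"
0 issue "amazon.com"
0 issue "amazontrust.com"
0 issue "awstrust.com"
0 issue "amazonaws.com"
"""

def parse_caa(text: str) -> List[Tuple[int, str, str]]:
    """Parse presentation-format lines into (flags, tag, value) tuples.

    The value is unquoted and lower-cased; any ';'-separated parameters
    (e.g. account binding) are dropped, so 'issue ";"' yields an empty value.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        flags, tag, value = line.split(None, 2)
        value = value.strip().strip('"').split(";", 1)[0].strip().lower()
        records.append((int(flags), tag.lower(), value))
    return records

def acm_may_issue(records: List[Tuple[int, str, str]], wildcard: bool) -> bool:
    """Return True if an ACM CA is authorized by this CAA set (RFC 8659).

    No issue/issuewild properties at all means issuance is unrestricted.
    For wildcard names, 'issuewild' governs when present; otherwise the
    'issue' properties apply. An 'issue ";"' record forbids every CA.
    """
    issue = {v for _, t, v in records if t == "issue"}
    issuewild = {v for _, t, v in records if t == "issuewild"}
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return bool(relevant & ACM_CA_DOMAINS)
```

Paste the output of a CAA lookup for the certificate's domain into `parse_caa`; a `False` from `acm_may_issue` for any name on the certificate explains a renewal that stays in Pending validation.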
