Why did my publicly trusted ACM certificate fail managed renewal?

Last updated: 2022-03-25

My AWS Certificate Manager (ACM) certificate failed to renew. Why didn't my ACM certificate renew?

Short description

ACM provides managed renewal for your AWS-issued SSL/TLS certificates. This means that ACM either renews your certificates automatically if you are using DNS validation, or sends you an email notification when expiration is approaching. ACM tries to validate each domain name included in the certificate. After all domain names associated with the certificate are validated, the ACM certificate is renewed. For more information, see Troubleshooting managed certificate renewal.

Managed renewal can fail for email and DNS validated certificates if:

  • The certificate was imported into ACM. Imported certificates aren't renewed automatically.
  • The ACM certificate that's being renewed is not in use—the ACM certificate isn't associated with any of the services integrated with ACM.

Renewal for domains validated by email requires manual action. ACM begins sending email renewal notices 45 days before expiration to the domain's WHOIS mailbox addresses and to five common administrator addresses. The notifications contain a link that the domain owner can select for renewal. After all listed domains are validated, ACM issues a renewed certificate with the same ARN.

Managed renewal for domains validated by DNS can fail if ACM is unable to find the expected CNAME record in the domain's DNS configuration.

Resolution

Email and DNS validated certificates

Be sure that the ACM certificate is in use with one of the services integrated with ACM.

Email validated certificates

For email-validated certificates, ACM must be able to send to the WHOIS mailbox addresses and the five common administrator addresses for each domain listed in your certificate. After all listed domains are validated, ACM issues a renewed certificate with the same ARN. For more information, see Email validation.

DNS validated certificates

Update your DNS configuration to include the CNAME records provided by ACM. ACM looks for the CNAME record in the DNS configuration for the domain names included in the DNS-validated certificates.

After the certificate is renewed, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically updated to the integrated, in-use AWS resources.
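The checks above (imported certificate, certificate not in use, missing or wrong validation CNAME, email validation still pending, renewal status and time to expiry) can be run as a single pre-renewal health check. The following is an added example, not AWS code: it walks the Certificate object in the shape returned by `aws acm describe-certificate` (Type, InUseBy, DomainValidationOptions[].ResourceRecord, RenewalSummary, NotAfter) and takes a CNAME lookup function as a parameter so that it runs offline. The certificate description, the DNS answers, the ARN and the check date are constructed sample values; in real use you would pass the output of the CLI or boto3 call and a resolver that performs a live CNAME query.

```python
from datetime import datetime, timezone


def _norm(name):
    """Compare DNS names without trailing dot or case differences."""
    return name.rstrip(".").lower()


def check_renewal_readiness(cert, resolve_cname, now=None):
    """Return a list of reasons managed renewal may fail for `cert`.

    `cert` is the Certificate object from `aws acm describe-certificate`;
    `resolve_cname(name)` returns the CNAME target for `name`, or None if
    the record does not exist.
    """
    now = now or datetime.now(timezone.utc)
    findings = []

    # Imported certificates are never renewed by ACM.
    if cert.get("Type") == "IMPORTED":
        return ["certificate was imported into ACM; imported certificates are not renewed automatically"]

    # Managed renewal only runs for certificates bound to an integrated service.
    if not cert.get("InUseBy"):
        findings.append("certificate is not associated with any ACM-integrated service")

    # Every domain on the certificate must validate for renewal to complete.
    for dvo in cert.get("DomainValidationOptions", []):
        domain = dvo["DomainName"]
        method = dvo.get("ValidationMethod")
        if method == "DNS":
            rr = dvo.get("ResourceRecord")
            if not rr:
                findings.append(f"{domain}: no validation CNAME record in the certificate description")
                continue
            actual = resolve_cname(rr["Name"])
            if actual is None:
                findings.append(f"{domain}: CNAME {rr['Name']} not found in DNS")
            elif _norm(actual) != _norm(rr["Value"]):
                findings.append(f"{domain}: CNAME {rr['Name']} points to {actual}, expected {rr['Value']}")
        elif method == "EMAIL":
            findings.append(f"{domain}: email-validated; renewal needs the domain owner to act on the ACM notice")

    # Surface ACM's own renewal verdict and how much time is left.
    summary = cert.get("RenewalSummary") or {}
    status = summary.get("RenewalStatus")
    if status == "FAILED":
        findings.append(f"renewal failed: {summary.get('RenewalStatusReason', 'no reason given')}")
    not_after = cert.get("NotAfter")
    if not_after and status != "SUCCESS":
        days_left = (not_after - now).days
        if days_left <= 45:
            findings.append(f"certificate expires in {days_left} days and renewal has not completed")
    return findings


# Constructed sample in the shape of `aws acm describe-certificate` output.
# The ARN is a placeholder; one domain has its CNAME in place, the other does not.
SAMPLE_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID",
    "Type": "AMAZON_ISSUED",
    "InUseBy": [],
    "NotAfter": datetime(2022, 5, 1, tzinfo=timezone.utc),
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
         "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        {"DomainName": "www.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
         "ResourceRecord": {"Name": "_def456.www.example.com.", "Type": "CNAME",
                            "Value": "_uvw000.acm-validations.aws."}},
    ],
    "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION"},
}

# Constructed DNS answers standing in for a live CNAME lookup.
SAMPLE_DNS = {"_abc123.example.com.": "_xyz789.acm-validations.aws."}
SAMPLE_NOW = datetime(2022, 3, 25, tzinfo=timezone.utc)  # constructed check date


def lookup_sample(name):
    return SAMPLE_DNS.get(name)


def run_sample():
    return check_renewal_readiness(SAMPLE_CERT, lookup_sample, now=SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against the constructed sample the check reports that the certificate is not in use, that the CNAME for www.example.com is missing, and that expiry is 37 days away with renewal still pending; fixing the first two is exactly the resolution described above. DNS names are compared with trailing dots and case stripped, because a record that exists but points at a stale or mistyped target fails validation just as a missing one does.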

For more information, see Troubleshooting managed certificate renewal.