Why can't I resend the validation email from ACM when renewing a certificate?

Last updated: 2019-12-18

I am renewing a certificate using AWS Certificate Manager (ACM), and I want to resend the validation email. However, the option is unavailable, or I receive an error message. How do I resolve this issue?

Short Description

If you use email to validate domain ownership, then ACM sends emails to the three contact addresses listed in WHOIS and to the five common system addresses for the domains specified in the certificate request. If the certificate's renewal status is pending validation, you can request a domain validation email for certificate renewal.

You can't resend the validation email if:

  • The certificate renewal status isn't pending validation.
  • The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
  • The domain was validated using Domain Name System (DNS).

Resolution

The certificate renewal status isn't pending validation

Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable (grayed out), or you receive the following error message:

Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com.

If the certificate's renewal status is pending validation, then resend the validation email.

If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a public certificate.

The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation

During the renewal process, if at least one of your domains is automatically validated and you attempt to resend validation emails for the same domains, then you receive the following error:

Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com.

To confirm which domains must be validated, run the AWS Command Line Interface (AWS CLI) command describe-certificate. When you resend the email with the AWS CLI, you can specify the base validation domain for the domain that isn't validated. For more information, see resend-validation-email.

Note: You can only resend validation emails for domains with the renewal status as pending validation.

The domain was validated using DNS

If you use DNS to validate domain ownership, then the validation email can't be sent again, and the option to resend the validation email isn't available (grayed out) in the ACM console. If you're using the AWS CLI, you might receive the following error message:

An error occurred (InvalidStateException) when calling the ResendValidationEmail operation: Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com.