How does the ACM managed renewal process work with email-validated certificates that use wildcards and subdomains?

Last updated: 2019-07-08

I use email to validate domain ownership, and I have AWS Certificate Manager (ACM) certificates that use wildcards and subdomains. How does ACM managed renewal work with certificates that use wildcards and subdomains?

Short Description

If ACM-issued wildcard certificates are due for renewal and are associated with Services Integrated with AWS Certificate Manager, ACM attempts to renew the certificates automatically. To illustrate the renewal process for ACM-issued certificates that are associated with more than one AWS resource, consider the following scenarios.

These scenarios assume that:

  • Your domains are deployed to two Elastic Load Balancing (ELB) load balancers: load balancer A and load balancer B.
  • You configured Amazon Route 53 Active-Passive Failover between the two load balancers.
  • You configured load balancer A as the primary resource and load balancer B as the secondary resource, which is on standby in case the primary resource becomes unavailable.
  • You associated ACM certificates (certificate 1 and certificate 2) to each load balancer, and the certificates are 60 days from expiration.

Note: These scenarios don't apply if you Use DNS to Validate Domain Ownership.  

Resolution

Scenario one

  • The domain test.example.com is deployed to both load balancers (load balancer A: test.example.com, load balancer B: test.example.com).
  • The domain name on certificate 1 is test.example.com, and the certificate is associated with load balancer A.
  • The domain name on certificate 2 is test.example.com, and the certificate is associated with load balancer B.

Before the ACM certificate expires, ACM tries to validate the domain name in each certificate. To validate the domain test.example.com, ACM sends periodic HTTPS requests to www.test.example.com and test.example.com. For more information, see Understanding Automatic Domain Validation. If ACM makes a successful HTTPS connection and certificate 1 is returned in the response, then the domain test.example.com is validated and certificate 1 is renewed. Certificate 1 is the certificate returned in response to ACM's HTTPS requests, because load balancer A is the active one. The automatic validation for certificate 2 therefore fails. On the 45th day from expiration for certificate 2, ACM tries to validate certificate 2 by sending:

Scenario two

  • The domain www.example.com is deployed on two load balancers (load balancer A: www.example.com, load balancer B: www.example.com).
  • The domain name on certificate 1 is www.example.com, and the certificate is associated with load balancer A.
  • The domain name on certificate 2 is *.example.com, and the certificate is associated with load balancer B.

Although the domain names on each certificate are different, the periodic HTTPS connection requests are sent to www.example.com and example.com. If any HTTPS connection request is successful, the domain is validated. ACM renews certificate 1 associated with load balancer A: www.example.com. The renewal for certificate 2 fails, and certificate 2 must be manually renewed. For more information, see When Automatic Certificate Renewal Fails.

Scenario three

  • The domain test.example.com is deployed on two load balancers: load balancer A: test.example.com, and load balancer B: test.example.com.
  • The domain name on certificate 1 is *.example.com, and the certificate is associated with load balancer A.
  • The domain name on certificate 2 is *.example.com, and the certificate is associated with load balancer B.

ACM sends periodic HTTPS requests to example.com and www.example.com, which differ from the domain hosted behind these load balancers (load balancer A: test.example.com and load balancer B: test.example.com). Automatic domain validation is unsuccessful, and neither certificate is renewed. Both domains must be validated manually to renew the certificates.
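The following added example (constructed here, not AWS code) models the HTTPS-probe rule behind all three scenarios: which hostnames ACM probes for a certificate's domain name, and whether the active load balancer presents that same certificate. The probe-host rule is inferred from the scenarios (a wildcard is probed at the apex and its www. name; a plain hostname at itself and its www. prefix), and the `served_serial` helper is an assumed live check for comparing what an endpoint actually presents against the Serial shown by `aws acm describe-certificate`.

```python
import socket
import ssl
from typing import Dict, List, Optional


def acm_probe_hosts(cert_domain: str) -> List[str]:
    """Hostnames ACM sends its periodic HTTPS requests to for one cert domain.
    Inferred from the scenarios above: *.example.com -> example.com and
    www.example.com; test.example.com -> test.example.com and www.test.example.com."""
    if cert_domain.startswith("*."):
        apex = cert_domain[2:]
        return [apex, f"www.{apex}"]
    return [cert_domain, f"www.{cert_domain}"]


def auto_validation_succeeds(cert_id: str, cert_domain: str, served: Dict[str, str]) -> bool:
    """True if some probed host completes an HTTPS connection AND presents the
    certificate being renewed. `served` maps hostname -> id of the certificate
    the active (primary) endpoint returns; a host absent from the map means
    no successful HTTPS connection (for example, a name that is not deployed)."""
    return any(served.get(host) == cert_id for host in acm_probe_hosts(cert_domain))


def served_serial(host: str, timeout: float = 5.0) -> Optional[str]:
    """Live check (needs network; assumed helper): serial number of the
    certificate `host` presents on 443, or None if the TLS connection fails.
    Compare it with the Serial field from describe-certificate (assumed to be
    colon-separated hex; remove the colons before comparing)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["serialNumber"].lower()
    except (OSError, KeyError):
        return None


# Constructed inputs for the three scenarios: only the active load balancer A
# answers, so only certificate 1 is ever presented.
SCENARIO_ONE = {"test.example.com": "cert1"}    # certs 1 and 2: test.example.com
SCENARIO_TWO = {"www.example.com": "cert1"}     # cert 1: www.example.com, cert 2: *.example.com
SCENARIO_THREE = {"test.example.com": "cert1"}  # certs 1 and 2: *.example.com

if __name__ == "__main__":
    print("scenario one, cert2:", auto_validation_succeeds("cert2", "test.example.com", SCENARIO_ONE))
    print("scenario two, cert2:", auto_validation_succeeds("cert2", "*.example.com", SCENARIO_TWO))
    print("scenario three, cert1:", auto_validation_succeeds("cert1", "*.example.com", SCENARIO_THREE))
```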