I Use Email to Validate Domain Ownership, and I have AWS Certificate Manager (ACM) certificates that use wildcards and subdomains. How does ACM managed renewal work with certificates that use wildcards and subdomains?

If ACM-issued wildcard certificates are due for renewal and are associated with Services Integrated with AWS Certificate Manager, ACM attempts to renew the certificates automatically. To illustrate the renewal process for ACM-issued certificates that are associated with more than one AWS resource, consider the following scenarios. These scenarios assume that:

  • Your domains are deployed to two Elastic Load Balancing (ELB) load balancers: Load balancer A and Load balancer B.
  • You configured Route 53 Active-Passive Failover between the two load balancers.
  • You configured Load balancer A as the primary resource and Load balancer B as the secondary resource, which is on standby in case the primary resource becomes unavailable.
  • You associated ACM certificates (Certificate 1 and Certificate 2) to each load balancer, and the certificates are 60 days from expiration.

Note: These scenarios do not apply if you Use DNS to Validate Domain Ownership.

Scenario one

  • The domain test.example.com is deployed to both load balancers:
    - Load balancer A: test.example.com
    - Load balancer B: test.example.com
  • The domain name on Certificate 1 is test.example.com, and the certificate is associated with Load balancer A
  • The domain name on Certificate 2 is test.example.com, and the certificate is associated with Load balancer B

Before an ACM certificate expires, ACM tries to validate each domain name on the certificate. To validate the domain test.example.com, ACM sends periodic HTTPS requests to test.example.com and www.test.example.com. For more information, see How Automatic Domain Validation Works. If ACM makes a successful HTTPS connection to either host and Certificate 1 is returned in the response, the domain test.example.com is validated and Certificate 1 is renewed. Because Load balancer A is the active resource, Certificate 1 is always the certificate returned in response to ACM's validation requests, so automatic validation for Certificate 2 fails. On the 45th day from expiration for Certificate 2, ACM tries to validate Certificate 2 by sending:

Scenario two

  • The domain www.example.com is deployed on both load balancers:
    - Load balancer A: www.example.com
    - Load balancer B: www.example.com
  • The domain name on Certificate 1 is www.example.com, and the certificate is associated with Load balancer A.
  • The domain name on Certificate 2 is *.example.com, and the certificate is associated with Load balancer B.

Although the domain names on the two certificates are different, the periodic HTTPS requests for both certificates are sent to www.example.com and example.com. If any HTTPS connection request is successful, the domain is validated. ACM renews Certificate 1, which is associated with Load balancer A (www.example.com). The renewal for Certificate 2 fails, and Certificate 2 must be renewed manually. For more information, see When Automatic Validation Fails.

Scenario three

  • The domain test.example.com is deployed on two load balancers: Load balancer A: test.example.com, and Load balancer B: test.example.com.
  • The domain name on Certificate 1 is *.example.com, and the certificate is associated with Load balancer A.
  • The domain name on Certificate 2 is *.example.com, and the certificate is associated with Load balancer B.

ACM sends periodic HTTPS requests to example.com and www.example.com, which differ from the domain hosted behind these load balancers (Load balancer A: test.example.com and Load balancer B: test.example.com). Automatic domain validation fails, so neither certificate is renewed. The domain on each certificate must be validated manually to renew the certificates. For more information, see When Automatic Validation Fails.
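The three scenarios above can be checked before the renewal window opens. The following is an added example, not AWS code and not part of this article: it derives the hosts ACM probes for a certificate's domain name (a rule inferred from the three scenarios, not from AWS documentation), predicts whether managed renewal will succeed given which certificate each host actually serves, and includes a helper that fetches the fingerprint of the certificate a host serves. The scenario maps and the certificate labels `cert1`/`cert2` are constructed.

```python
import hashlib
import socket
import ssl


def probe_targets(cert_domain):
    """Hosts ACM contacts over HTTPS to validate one domain name on a certificate.

    Rule inferred from the three scenarios in the article (an assumption):
    strip a leading "*." or "www.", then probe the base domain and its "www." form.
    """
    base = cert_domain
    for prefix in ("*.", "www."):
        if base.startswith(prefix):
            base = base[len(prefix):]
    return [base, "www." + base]


def predict_renewal(cert_domain, cert_id, served):
    """True if some probe target answers with the certificate being renewed.

    `served` maps hostname -> identifier of the certificate that the currently
    active endpoint returns (constructed for the simulation). Hosts absent
    from the map do not resolve, which is what happens in scenario three.
    """
    return any(served.get(host) == cert_id for host in probe_targets(cert_domain))


def served_fingerprint(host, port=443, timeout=5.0):
    """Live check (needs network): SHA-256 of the DER leaf certificate served at host.

    Compare it with the fingerprint of the certificate ACM is trying to renew.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


# Scenario one, constructed: Load balancer A is active and returns Certificate 1
# for every probe target, so Certificate 2 can never be validated automatically.
SCENARIO_ONE = {"test.example.com": "cert1", "www.test.example.com": "cert1"}
# Scenario two, constructed: only www.example.com answers, with Certificate 1.
SCENARIO_TWO = {"www.example.com": "cert1"}
# Scenario three, constructed: the load balancers only answer for test.example.com,
# and the wildcard's probe targets (example.com, www.example.com) do not resolve.
SCENARIO_THREE = {"test.example.com": "cert1"}
```

Run `served_fingerprint` against each probe target of your own domain to see which certificate ACM will actually receive.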

Published: 2018-05-17