I validated my domain names using the AWS Certificate Manager (ACM) managed renewal process, but the status is still pending validation

Last updated: 2019-05-07

I validated my domain using the AWS Certificate Manager (ACM) managed renewal process, but the status is still "Pending validation." What can I do to resolve this?

Short Description

ACM tries to automatically renew your ACM certificates 60 days before they expire. To confirm whether a domain is validated, expand the certificate's details in the AWS Certificate Manager console, or use the describe-certificate command in the AWS Command Line Interface (AWS CLI). If ACM can't automatically validate one or more domain names in the certificate, the renewal status is "Pending validation."

This can happen because:

  • Not all the domains listed in the ACM certificate are validated.
  • The automatic validation failed.
  • The managed renewal process is asynchronous.
  • The original certificate expired.

Resolution

Not all the domains listed in the ACM certificate are validated

If you validate domains manually, each domain included in the ACM certificate must be validated.

If you use email validation, a set of validation emails is sent for each domain, and you must complete the steps included in these emails to validate the domains. Follow the instructions in Use Email to Validate Domain Ownership.

The automatic validation failed

If ACM can't automatically validate a domain, you must validate the domain manually.

If you originally used DNS validation to validate your domain(s), AWS sends an email notification to the email address associated with your account to notify you that ACM was unable to renew your certificate. This might be caused by a missing CNAME record from your DNS configuration. For more information, see Use DNS to Validate Domain Ownership.

The managed renewal process is asynchronous

It may take up to a few hours for ACM to obtain the new certificate. During this time, the status in the ACM console remains "Pending validation."

If the update is delayed, the domain's validation status in the AWS Certificate Manager console is "Success" and the certificate's renewal status is "Pending validation."

The original certificate expired

If the original email-validated ACM certificate expires, the certificate status changes from "Issued" to "Pending validation." You must validate the domain within 72 hours, or the renewal status changes from "Pending validation" to "Failed." If the renewal fails, you must request another certificate for the domains.
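The following is an added example, not part of the original article: a Python helper that reads the JSON printed by the describe-certificate command and maps the renewal state to the causes described above. Field names follow the describe-certificate output; the sample document, domain names and record values are constructed placeholders, and `diagnose` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate --output json`
# (domain names and record values are placeholders, not real resources).
SAMPLE = json.loads("""
{"Certificate": {
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "SUCCESS"},
      {"DomainName": "www.example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION",
       "ResourceRecord": {"Name": "_abc.www.example.com.", "Type": "CNAME",
                          "Value": "_def.acm-validations.aws."}}
    ]}}}
""")


def diagnose(doc):
    """Map describe-certificate output to the causes listed in this article."""
    renewal = doc["Certificate"].get("RenewalSummary")
    if renewal is None:
        return ["no managed renewal in progress"]
    status = renewal["RenewalStatus"]
    if status == "FAILED":
        return ["renewal failed: request another certificate for the domains"]
    if status != "PENDING_VALIDATION":
        return [f"renewal status is {status}: nothing to validate"]
    findings = []
    for opt in renewal.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") == "SUCCESS":
            continue
        method = opt.get("ValidationMethod", "UNKNOWN")
        rec = opt.get("ResourceRecord")
        if method == "DNS" and rec:
            action = f"check that {rec['Type']} {rec['Name']} -> {rec['Value']} exists in DNS"
        elif method == "EMAIL":
            action = "complete the steps in the validation email"
        else:
            action = "validate this domain manually"
        findings.append(f"{opt['DomainName']}: {action}")
    # Every domain validated but renewal still pending: the asynchronous case.
    return findings or ["all domains validated: renewal is still being processed"]


if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

To run it against a real certificate, save the output of `aws acm describe-certificate --certificate-arn <your-certificate-arn> --output json` to a file and pass the result of `json.load` to `diagnose`.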