I validated my domain using the AWS Certificate Manager (ACM) managed renewal process, but the status is still "Pending validation." Why is the status pending validation, and what can I do to resolve this?

ACM tries to automatically renew your ACM Certificates before they expire. If ACM can't automatically validate one or more domain names in the certificate, the renewal status changes to "Pending validation."

This can happen if:

  • The automatic validation failed.
  • Not all the domains listed in the ACM certificate are validated.
  • The update to the renewal status is delayed because the managed renewal process is asynchronous.
  • The original certificate expired.

The automatic validation failed

If the automatic validation fails, the domains must be validated manually. For more information, see When Automatic Validation Fails.

If you originally used DNS validation to validate your domain(s), AWS sends an email notification to the email address associated with your account to notify you that ACM was unable to renew your certificate. This might be caused by a missing CNAME record from your DNS configuration. For more information, see Use DNS to Validate Domain Ownership.

Not all the domains listed in the ACM certificate are validated

If you validate manually, each domain included in the ACM certificate must be validated. If you use email validation, a set of validation emails is sent for each domain, and you must complete the steps included in these emails to validate the domains. To confirm whether a domain is validated, expand the certificate's details in the AWS Certificate Manager console or use the describe-certificate command in the AWS Command Line Interface (AWS CLI). If not all domains are validated, the renewal status is "Pending validation." For more information about validating domains manually, see When Automatic Validation Fails.

The update to the renewal status is delayed because the managed renewal process is asynchronous

If you recently validated all the domains listed in your ACM certificate for renewal, there might be a delay between the time when the certificate is renewed and when ACM obtains the new certificate. This delay occurs because certificate renewal is an asynchronous process. You can verify the certificate's status in the AWS Certificate Manager console or by using the describe-certificate command in the AWS CLI. If the update is delayed, the domain's validation status is "Success" and the certificate's renewal status is "Pending validation." The certificate status can take several hours to update in the AWS Certificate Manager console, and during this time the status remains "Pending validation."  
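The following added example (not AWS's own code) reads the JSON printed by the describe-certificate command and separates the "not all domains are validated" case from the "status update is delayed" case described above, also reporting a failed renewal. The sample document is constructed, its record values are placeholders, and the function names and result labels are assumptions of this example.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output (not real data).
SAMPLE = json.loads("""
{"Certificate": {"DomainName": "example.com", "Status": "ISSUED",
  "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "SUCCESS"},
      {"DomainName": "www.example.com", "ValidationMethod": "DNS",
       "ValidationStatus": "PENDING_VALIDATION",
       "ResourceRecord": {"Name": "_placeholder.www.example.com.",
                          "Type": "CNAME",
                          "Value": "_placeholder.acm-validations.aws."}}]}}}
""")

def diagnose_renewal(doc):
    """Return (cause, unvalidated_domains) for one describe-certificate document."""
    summary = doc["Certificate"].get("RenewalSummary")
    if summary is None:
        return "no-renewal-in-progress", []
    status = summary["RenewalStatus"]
    pending = [d for d in summary.get("DomainValidationOptions", [])
               if d.get("ValidationStatus") != "SUCCESS"]
    if status == "FAILED":
        return "failed-request-new-certificate", pending
    if status != "PENDING_VALIDATION":
        return status.lower(), pending
    if not pending:
        # Every domain validated, renewal still pending: the asynchronous delay.
        return "all-validated-status-update-delayed", []
    return "domains-need-validation", pending

def describe_actions(pending):
    """One line per unvalidated domain saying what still has to be checked."""
    lines = []
    for d in pending:
        rr = d.get("ResourceRecord")
        if d.get("ValidationMethod") == "DNS" and rr:
            lines.append(f"{d['DomainName']}: check {rr['Type']} {rr['Name']} -> {rr['Value']}")
        else:
            lines.append(f"{d['DomainName']}: complete the validation email")
    return lines

if __name__ == "__main__":
    cause, pending = diagnose_renewal(SAMPLE)
    print(cause)
    print("\n".join(describe_actions(pending)))
```

To use it on a real certificate, save the describe-certificate output to a file and pass the parsed JSON to `diagnose_renewal` in place of `SAMPLE`.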

The original certificate expired

If the original email-validated ACM certificate expires, the certificate status changes from "Issued" to "Pending validation." After the certificate status is "Pending validation," there is a 72-hour period during which the domain can be validated via email. If this period passes and the domains are not validated, the renewal status changes from "Pending validation" to "Failed." If the renewal fails, request an ACM certificate for the domains.



Published: 2018-05-02