I validated my domain names using the AWS Certificate Manager (ACM) managed renewal process, but the status is still pending validation
Last updated: 2020-12-18
I validated my domain using the AWS Certificate Manager (ACM) managed renewal process, but the status is still "Pending validation." What can I do to resolve this?
ACM tries to automatically renew your ACM certificates 60 days before the certificate expires. To confirm that a domain is validated, expand the certificate's details in the ACM console, or use the describe-certificate command in the AWS Command Line Interface (AWS CLI). If ACM can't automatically validate one or more domain names in the certificate, the renewal status is "Pending validation."
This can happen because:
- Not all the domains listed in the ACM certificate are validated.
- The automatic validation failed.
- The managed renewal process is asynchronous.
- The original certificate expired.
Use the following instructions to troubleshoot the ACM renewal status "Pending validation."
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
Not all the domains listed in the ACM certificate are validated
If you validate domains manually, then each domain included in the ACM certificate must be validated.
If you use email validation, then a set of validation emails is sent for each domain. You must complete the steps included in these emails to validate the domains. Follow the instructions for Using email to validate domain ownership.
The automatic validation failed
If ACM can't automatically validate a domain, see Troubleshooting managed certificate renewal.
If you originally used DNS validation to validate your domains, then AWS sends an email notification to the email address associated with your account to notify you that ACM was unable to renew your certificate. This might be caused by a missing CNAME record from your DNS configuration. For more information, see Using DNS to validate domain ownership.
The managed renewal process is asynchronous
It can take up to a few hours for ACM to obtain the new certificate. During this time, the status in the ACM console remains "Pending validation."
If the update is delayed, then the domain's validation status in the ACM console is "Success" and the certificate's renewal status is "Pending validation."
The original certificate expired
If the original email-validated ACM certificate expires, then the certificate status changes from "Issued" to "Pending validation." You must validate the domain within 72 hours, or the renewal status changes from "Pending validation" to "Failed." If the renewal fails, you must request another public certificate for the domains.
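The following Python script is an added example, not part of the original article or of AWS tooling. It reads the JSON returned by `aws acm describe-certificate --certificate-arn <your-certificate-arn> --output json` and maps each domain that is not yet validated to the causes described above. The sample output is constructed with placeholder domains and record values, and `triage_renewal` is a hypothetical helper name.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate --output json`.
# Domains and record values are placeholders; methods are mixed to show both branches.
SAMPLE = json.loads("""
{"Certificate": {"DomainName": "example.com", "Status": "ISSUED",
  "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationStatus": "SUCCESS",
       "ValidationMethod": "DNS"},
      {"DomainName": "www.example.com", "ValidationStatus": "PENDING_VALIDATION",
       "ValidationMethod": "DNS",
       "ResourceRecord": {"Name": "_placeholder.www.example.com.",
                          "Type": "CNAME",
                          "Value": "_placeholder.acm-validations.aws."}},
      {"DomainName": "mail.example.com", "ValidationStatus": "PENDING_VALIDATION",
       "ValidationMethod": "EMAIL"}
    ]}}}
""")


def triage_renewal(describe_output):
    """Return (renewal_status, findings) for one describe-certificate result."""
    summary = describe_output["Certificate"].get("RenewalSummary")
    if summary is None:
        return None, ["No RenewalSummary in output; nothing to triage"]
    status = summary["RenewalStatus"]
    findings = []
    for opt in summary.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") == "SUCCESS":
            continue  # this domain is already validated for the renewal
        domain = opt["DomainName"]
        if opt.get("ValidationMethod") == "DNS":
            # A missing CNAME record is the cause the article names for DNS.
            name = opt.get("ResourceRecord", {}).get("Name", "<unknown>")
            findings.append(f"{domain}: DNS validation incomplete; "
                            f"confirm CNAME {name} exists")
        else:
            findings.append(f"{domain}: complete the steps in the validation email")
    if status == "PENDING_VALIDATION" and not findings:
        # Every domain shows SUCCESS but the renewal has not finished yet.
        findings.append("All domains validated; renewal is asynchronous, "
                        "allow up to a few hours")
    return status, findings


if __name__ == "__main__":
    status, findings = triage_renewal(SAMPLE)
    print("Renewal status:", status)
    for line in findings:
        print(" -", line)
```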