Why is email validation not working for AWS Certificate Manager (ACM) certificates?

Some domain registrars don't publish contact information in WHOIS ("Who is") data, or replace it with privacy-protection placeholders. Issuance or renewal of your AWS Certificate Manager (ACM) certificate might be affected if:

  • Your domain registrar doesn't include contact email addresses in WHOIS data.
  • You rely on custom email addresses published in WHOIS for certificate validation.

For email validation, ACM performs the WHOIS lookup on the apex domain (for example, example.com when the certificate is for www.example.com) and collects email addresses from the domain registrant, technical contact, and administrative contact fields.

If your certificate's email validation depends on the addresses published in WHOIS, any change to that WHOIS data (for example, privacy protection being enabled) affects you. Run a WHOIS query to check whether your email addresses are still listed. For additional information, see Enabling or Disabling Privacy Protection for Contact Information for a Domain.

You might get no reply at all, or a response similar to the following, in which the contact data is redacted:

Registrant Contact
Name: Data Protected Data Protected
Organization: Data Protected
Mailing Address: 123 Data Protected, Toronto ON M6K 3M1 CA
Phone: +1.0000000000
Ext:
Fax: +1.0000000000
Fax Ext:
Email:noreply@data-protected.net

When the WHOIS contact data is redacted like this, ACM has no addresses to use other than the five default addresses (admin@, administrator@, hostmaster@, postmaster@, and webmaster@ at the apex domain). If none of those mailboxes is monitored, the validation emails for new certificates and for renewals go unanswered, so both issuance and renewal fail. For a list of the default email addresses, see MX Record.

Note: ACM can't solve CAPTCHA challenges. If your registrar puts a CAPTCHA test in front of its WHOIS data, ACM might not be able to retrieve the data.

Important: AWS doesn't control WHOIS data and can't prevent WHOIS servers from throttling ACM's lookups. For more information, see WHOIS Throttling.

Two options are available. Which one you choose depends on your preference and on the effort required to keep maintaining the current method or to switch.

Important: You can't change the validation method of an existing ACM certificate from email to DNS or from DNS to email. To switch validation methods, you must request a new ACM certificate and replace the old one with it.

Option 1 - use email

You can keep using email validation. As a best practice, verify that at least one of the five default email addresses is valid and monitored for your domain. The validation email contains a link that you must follow to complete validation.

ACM sends the validation emails to the mail servers listed in your domain's MX records. If you aren't receiving the emails for the domain, confirm that the domain has at least one valid MX record by using the following commands:

Linux and macOS

$ dig mx example.com

Windows

> nslookup -q=mx example.com

Example output. The validation emails are sent to the mail servers listed in the MX records, lowest preference value first; if the answer section is empty, the domain has no MX record and no mail can be delivered to it.

;; ANSWER SECTION:
example.com.             599     IN      MX      10 mail1.example.com.
example.com.             599     IN      MX      20 mail2.example.com.

Note: You can use Amazon Simple Email Service (Amazon SES) and Amazon Simple Notification Service (Amazon SNS) to receive an ACM validation email if:

  • You don't have an MX record.
  • Your domain registrar doesn't support email forwarding.
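The following script is an added example, not code from the AWS article: it turns the two checks described above (the WHOIS query for contact addresses and the MX lookup) into a pre-flight check for email validation. It consumes the text that `whois example.com` and `dig mx example.com` print for the apex domain; the embedded WHOIS records and dig answers are constructed samples, so it runs offline, and the list of privacy-placeholder markers it uses to discard addresses such as noreply@data-protected.net is an assumption, not something ACM publishes.

```python
"""Pre-flight check for ACM email validation (added example, not AWS code).

Feed it the text that `whois example.com` and `dig mx example.com` print
for the apex domain. It reports the addresses ACM will mail, the mail hosts
that will receive them, and the two failure modes the article describes:
redacted WHOIS contacts and a domain with no MX record.
"""
import json
import re

# The five default addresses ACM tries at the apex domain in addition to the
# registrant, administrative and technical contacts found in WHOIS.
DEFAULT_LOCAL_PARTS = ("admin", "administrator", "hostmaster", "postmaster", "webmaster")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CONTACT_RE = re.compile(r"\b(registrant|admin(?:istrative)?|tech(?:nical)?)\b", re.I)
MX_RE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.M)

# Assumption: an address whose domain contains one of these strings is a
# privacy-service placeholder that nobody reads (e.g. noreply@data-protected.net).
PRIVACY_MARKERS = ("data-protected", "privacy", "proxy", "redacted", "whoisguard")


def whois_contact_emails(whois_text):
    """Addresses of the registrant, admin and tech contacts, in either WHOIS layout:
    block style ("Registrant Contact" header followed by "Email: ..." fields) or
    key style ("Registrant Email: ..."). Registrar abuse contacts are skipped
    because ACM does not mail them."""
    found = set()
    section = ""
    for raw in whois_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().rstrip(":").endswith("contact") and CONTACT_RE.search(line):
            section = line.lower()  # block-style section header
            continue
        label = line.split(":", 1)[0].lower()
        if "email" not in label or "abuse" in label or "registrar" in label:
            continue
        owner = label if CONTACT_RE.search(label) else section
        if CONTACT_RE.search(owner):
            found.update(a.lower() for a in EMAIL_RE.findall(line))
    return sorted(found)


def is_privacy_placeholder(address):
    domain = address.split("@", 1)[1]
    return any(marker in domain for marker in PRIVACY_MARKERS)


def acm_email_targets(apex_domain, whois_text):
    """Addresses ACM will send validation mail to for apex_domain."""
    usable = [a for a in whois_contact_emails(whois_text) if not is_privacy_placeholder(a)]
    defaults = [f"{lp}@{apex_domain}" for lp in DEFAULT_LOCAL_PARTS]
    return {"whois": usable, "defaults": defaults}


def mx_hosts(dig_text):
    """(preference, host) pairs from `dig mx` output, lowest preference first.
    An empty list means the domain has no MX record."""
    return sorted((int(pref), host.rstrip(".")) for pref, host in MX_RE.findall(dig_text))


def preflight(apex_domain, whois_text, dig_text):
    targets = acm_email_targets(apex_domain, whois_text)
    mx = mx_hosts(dig_text)
    findings = []
    if not targets["whois"]:
        findings.append("no usable WHOIS contact addresses: only the five default "
                        "addresses will be mailed, so one of them must be monitored")
    if not mx:
        findings.append(f"no MX record for {apex_domain}: validation mail cannot be delivered")
    return {"targets": targets, "mx": mx, "findings": findings}


# Constructed samples (not real lookups): a privacy-protected record in the block
# layout shown in the article, a record with published contacts, and dig answers.
SAMPLE_WHOIS_REDACTED = """\
Domain Name: example.com
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Contact
Name: Data Protected Data Protected
Email:noreply@data-protected.net
Admin Contact
Email: noreply@data-protected.net
Tech Contact
Email: noreply@data-protected.net
"""
SAMPLE_WHOIS_PUBLISHED = """\
Registrant Email: hostmaster@example.com
Admin Email: alice@example.com
Tech Email: ops@example.com
"""
SAMPLE_DIG_MX = """\
;; ANSWER SECTION:
example.com.             599     IN      MX      10 mail1.example.com.
example.com.             599     IN      MX      20 mail2.example.com.
"""
SAMPLE_DIG_NO_MX = """\
;; AUTHORITY SECTION:
example.com.             3600    IN      SOA     ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400
"""

if __name__ == "__main__":
    print(json.dumps(preflight("example.com", SAMPLE_WHOIS_REDACTED, SAMPLE_DIG_MX), indent=2))
    print(json.dumps(preflight("example.com", SAMPLE_WHOIS_PUBLISHED, SAMPLE_DIG_NO_MX), indent=2))
```

With the redacted sample the only addresses left are the five defaults, which is exactly the situation the article warns about; with the second sample the contacts are usable but the domain has no MX record, so the mail has nowhere to go. Run it against real `whois` and `dig` output for your own apex domain before requesting or renewing an email-validated certificate.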

Option 2 - use DNS

To switch to DNS validation, recreate the ACM certificate and select DNS for validation. DNS validation has several advantages over email validation, especially if Amazon Route 53 is the DNS provider for your domain.

  • DNS validation requires one CNAME record per domain name, and that record is used only for validating the ACM certificate and its renewals. Email validation sends up to eight email messages per domain name.
  • You can request additional ACM certificates for the same fully qualified domain name (FQDN) for as long as the CNAME record remains in place.
  • ACM automatically renews certificates that you validated by using DNS. ACM renews each certificate before expiration as long as the certificate is in use and the CNAME record is still in place.
  • ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.
  • Automation using the DNS validation process is less complex than using the email validation process.
  • You can switch to DNS validation at no additional cost.

Every resource that uses the old ACM certificate must be updated to use the new one. A newly requested certificate always gets a new Amazon Resource Name (ARN); only a renewed certificate keeps its ARN, so the replacement can't inherit the ARN of the old certificate. Certificates are attached to resources only through the Services Integrated with AWS Certificate Manager, such as Elastic Load Balancing, Amazon CloudFront, AWS Elastic Beanstalk, Amazon API Gateway, and AWS CloudFormation, so update the certificate reference in each of those resources.

To list the resources that still use a certificate, run the following command in the Region named in the certificate ARN (ACM certificates are regional); the INUSEBY lines name the resources you must update:

$ aws acm describe-certificate --certificate-arn arn:aws:acm:region:123456789012:certificate/123456-1234-1234-1234-123456789 --output text | grep INUSEBY
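The following script is an added example, not code from the AWS article, for planning the cut-over described above. It consumes the JSON that `aws acm describe-certificate --certificate-arn <arn> --output json` prints (the same data the `--output text | grep INUSEBY` command filters) for both the old and the new certificate, and before any resource is re-pointed it answers two questions: is the new certificate ready (ISSUED, DNS-validated, covering every name the old one covers, in the same Region), and which resources, grouped by owning service, still reference the old ARN. The certificate and resource ARNs in the embedded samples are constructed placeholders.

```python
"""Plan the cut-over from an email-validated ACM certificate to its DNS-validated
replacement (added example, not AWS code).

Input is the JSON that `aws acm describe-certificate --output json` prints for
the old and the new certificate. Constructed samples are embedded so it runs
offline; the field names (CertificateArn, Status, InUseBy, SubjectAlternativeNames,
DomainValidationOptions[].ValidationMethod) are those of the DescribeCertificate API.
"""
import json
from collections import defaultdict


def arn_field(arn, index):
    """ARN layout: arn:partition:service:region:account:resource (resource may contain colons)."""
    return arn.split(":", 5)[index]


def certificate_region(cert_arn):
    """ACM certificates are regional; describe-certificate must be run in this Region."""
    return arn_field(cert_arn, 3)


def covered_names(cert):
    return {cert["DomainName"], *cert.get("SubjectAlternativeNames", [])}


def in_use_by_service(cert):
    """The InUseBy ARNs of a certificate, grouped by the service that owns each resource."""
    grouped = defaultdict(list)
    for arn in cert.get("InUseBy", []):
        grouped[arn_field(arn, 2)].append(arn)
    return dict(grouped)


def cutover_blockers(old, new):
    """Reasons the new certificate can't replace the old one yet ([] when it can)."""
    problems = []
    if new["Status"] != "ISSUED":
        problems.append(f"new certificate status is {new['Status']}, not ISSUED")
    methods = {o.get("ValidationMethod") for o in new.get("DomainValidationOptions", [])}
    if methods != {"DNS"}:
        problems.append(f"new certificate is not DNS-validated (methods: {sorted(methods)})")
    missing = covered_names(old) - covered_names(new)
    if missing:
        problems.append(f"new certificate does not cover {sorted(missing)}")
    if certificate_region(old["CertificateArn"]) != certificate_region(new["CertificateArn"]):
        problems.append("new certificate is in a different Region from the old one")
    return problems


def cutover_plan(old_describe_json, new_describe_json):
    old = json.loads(old_describe_json)["Certificate"]
    new = json.loads(new_describe_json)["Certificate"]
    return {
        "old_arn": old["CertificateArn"],
        "new_arn": new["CertificateArn"],
        "blockers": cutover_blockers(old, new),
        "update": in_use_by_service(old),  # resources to re-point, by service
    }


# Constructed samples: placeholder certificate IDs and resource ARNs, not real resources.
def _describe_output(cert_id, method, status, in_use_by):
    names = ["example.com", "www.example.com"]
    return json.dumps({"Certificate": {
        "CertificateArn": f"arn:aws:acm:us-east-1:123456789012:certificate/{cert_id}",
        "DomainName": names[0],
        "SubjectAlternativeNames": names,
        "Status": status,
        "InUseBy": in_use_by,
        "DomainValidationOptions": [{"DomainName": n, "ValidationMethod": method} for n in names],
    }})


OLD_EMAIL_CERT = _describe_output("00000000-0000-0000-0000-000000000001", "EMAIL", "ISSUED", [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
    "arn:aws:cloudfront::123456789012:distribution/E0EXAMPLE000000",
])
NEW_DNS_CERT = _describe_output("00000000-0000-0000-0000-000000000002", "DNS", "ISSUED", [])
NEW_DNS_CERT_PENDING = _describe_output("00000000-0000-0000-0000-000000000003", "DNS", "PENDING_VALIDATION", [])

if __name__ == "__main__":
    print(json.dumps(cutover_plan(OLD_EMAIL_CERT, NEW_DNS_CERT), indent=2))
    print(json.dumps(cutover_plan(OLD_EMAIL_CERT, NEW_DNS_CERT_PENDING)["blockers"], indent=2))
```

The "update" map is the work list: each ARN under elasticloadbalancing, cloudfront, and so on must be edited to reference the new certificate ARN, after which the old certificate's InUseBy list empties and it can be deleted. Re-run the plan until "blockers" is empty before starting; a replacement still in PENDING_VALIDATION (its CNAME record not yet resolvable) is caught as a blocker.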

For more information and guidance on how to use DNS validation, see Use DNS to Validate Domain Ownership.


Published: 2018-10-19