Why did my ACM certificate fail automatic renewal?

Last updated: 2019-08-07

I used the automatic domain validation process, but my AWS Certificate Manager (ACM) certificate failed to renew. Why didn't my ACM certificate renew?

Short Description

Approximately 60 days before the certificate's expiration, ACM begins the process for Managed Renewal for ACM's Amazon-Issued Certificates. ACM tries to validate each domain name included in the certificate, and after all the domain names associated are validated, the ACM certificate is renewed. For more information, see How Domain Validation Works.

The automatic validation process can fail for email- and DNS-validated certificates if:

  • The certificate was imported into ACM. Imported certificates aren't renewed automatically.
  • The ACM certificate that's being renewed is not in use—the ACM certificate isn't associated with any of the Services Integrated with AWS Certificate Manager.

The automatic validation process can fail for email-validated certificates if:

  • ACM can't establish an HTTPS connection with all the domain names included in the ACM certificate.
  • For each HTTPS connection that's established with your domain names, the public certificate that's returned in the response doesn't match the certificate that ACM is renewing.

The automatic validation process can fail for DNS validated certificates if ACM was unable to find the appropriate CNAME record in the DNS database.

Resolution

Email and DNS validated certificates

Be sure that the ACM certificate is in use with one of the Services Integrated with AWS Certificate Manager.

Email validated certificates

DNS validated certificates

Update your DNS configuration to include the CNAME records provided by ACM.

During the managed renewal process, ACM tries to establish HTTPS connections with the domain names included in the certificate, up to the 45th day before the certificate expires. ACM looks for the CNAME record in the DNS configuration for the domain names included in the DNS-validated certificates. During this process, the renewal status of your ACM certificate is "Pending automatic renewal." For more information, see Check a Certificate's Renewal Status.

If the certificate is automatically validated and no further action is required, then the renewal status changes to "Success." If the managed renewal process fails, you can manually validate your domain using Email to Validate Domain Ownership or DNS to Validate Domain Ownership. For more information, see When Automatic Validation Fails.

After the certificate is renewed, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically updated to the integrated, in-use AWS resources.