Why did my email-validated AWS Certificate Manager (ACM) certificate fail to renew during the automatic domain validation process?
Last updated: 2019-06-10
I used the automatic domain validation process, but my AWS Certificate Manager (ACM) certificate failed to renew. Why didn't my ACM certificate renew?
Approximately 60 days before the certificate's expiration, ACM begins the process for Managed Renewal for ACM's Amazon-Issued Certificates. ACM tries to validate each domain name included in the certificate, and after all the domain names associated are validated, the ACM certificate is renewed. For more information, see How Domain Validation Works.
The automatic validation process can fail if:
- The ACM certificate that's being renewed is not in use—the ACM certificate isn't associated with any of the Services Integrated with AWS Certificate Manager.
- ACM can't establish an HTTPS connection with the domain names included in the ACM certificate.
- For each HTTPS connection that's established with your domain names, the public certificate that's returned in the response doesn't match the certificate that ACM is renewing.
- The certificate was imported into ACM. Imported certificates aren't renewed automatically.
- Be sure that the ACM certificate is in use with one of the Services Integrated with AWS Certificate Manager.
- Configure your AWS resources that use the ACM certificate to accept HTTPS requests from the internet. For more information, see How do I use an SSL/TLS certificate with a load balancer that is configured to support HTTPS?
- Configure your DNS records to route requests for your domain name to the corresponding AWS resource to which the ACM certificate is attached.
During the managed renewal process, ACM tries to establish HTTPS connections with the domain names included in the certificate up to the 45th day before the certificate expires. During this process, the renewal status of your ACM certificate is "Pending automatic renewal." For more information, see Check a Certificate's Renewal Status.
If the certificate is automatically validated and no further action is required, then the renewal status changes to "Success." If the managed renewal process fails, you can Use Email to Validate Domain Ownership to manually validate your domain. For more information, see When Automatic Validation Fails.
After the certificate is renewed, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically updated to the integrated, in-use AWS resources.