I used AWS Certificate Manager (ACM) to renew a certificate, and I want to resend the validation email. However, the option is unavailable, or I receive an error message.
Short description
If you use email to validate domain ownership, then ACM sends emails to the three contact addresses that are listed in WHOIS. ACM also sends emails to the five common system addresses for the domains that are specified in the certificate request. If the certificate's renewal status is pending validation, then you can request a domain validation email for certificate renewal.
You can't resend the validation email in the following situations:
- The certificate renewal status isn't pending validation.
- The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
- You used DNS to validate the domain.
Resolution
The certificate renewal status isn't pending validation
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable, or you receive this error message:
"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."
If the certificate's renewal status is pending validation, then resend the validation email. If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a public certificate.
The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation
If one of your domains is automatically validated and you try to resend validation emails for the same domains, then you receive this error:
"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."
To confirm which domains you must validate, run the describe-certificate AWS CLI command. You can use the AWS CLI to specify the base validation domain for the email that isn't validated. For more information, see resend-validation-email.
Note: You can resend validation emails only for domains that have the renewal status as pending validation.
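The eligibility rules above can be checked against describe-certificate output before you call resend-validation-email. The following is an added example, not part of the original article or AWS code: the function name plan_resend, the sample JSON, and the ARN in it are constructed for illustration.

```python
import json
import shlex

# Constructed sample of `aws acm describe-certificate` output, trimmed to the
# fields used here. The ARN is a placeholder, not a real certificate.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID",
  "RenewalSummary": {
    "RenewalStatus": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "example.com", "ValidationDomain": "example.com",
       "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL"},
      {"DomainName": "app.example.com", "ValidationDomain": "example.com",
       "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL"}
    ]}}}
""")

def plan_resend(described):
    """Return (commands, skipped): one resend command per domain that can get
    a new email, and a reason for every domain that cannot."""
    cert = described["Certificate"]
    renewal = cert.get("RenewalSummary")
    if not renewal:
        return [], {"*": "no renewal in progress"}
    status = renewal["RenewalStatus"]
    if status != "PENDING_VALIDATION":
        # Covers FAILED, where a new public certificate must be requested.
        return [], {"*": f"renewal status is {status}"}
    commands, skipped = [], {}
    for opt in renewal["DomainValidationOptions"]:
        name = opt["DomainName"]
        if opt.get("ValidationMethod") == "DNS":
            skipped[name] = "validated with DNS"
        elif opt.get("ValidationStatus") != "PENDING_VALIDATION":
            skipped[name] = f"domain status is {opt.get('ValidationStatus')}"
        else:
            commands.append(shlex.join([
                "aws", "acm", "resend-validation-email",
                "--certificate-arn", cert["CertificateArn"],
                "--domain", name,
                "--validation-domain", opt.get("ValidationDomain", name)]))
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = plan_resend(SAMPLE)
    print("\n".join(cmds))
    for domain, reason in skipped.items():
        print(f"skip {domain}: {reason}")
```

To use it on a real certificate, pass the parsed JSON from describe-certificate instead of SAMPLE and review the printed commands before you run them.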
You used DNS to validate the domain
If you use DNS to validate domain ownership, then you can't send the validation email again. The option to resend the validation email is unavailable in the ACM console.
If you used the AWS CLI, then you might receive this error message:
"An error occurred (InvalidStateException) when calling the ResendValidationEmail operation: Certificate arn:aws:acm:us-arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."
Related information
Why am I not receiving validation emails when using ACM to issue or renew a certificate?
Troubleshoot email validation problems