I am renewing a certificate using AWS Certificate Manager (ACM), and I want to resend the validation email, but the option is unavailable, or I receive an error message. How do I resolve this issue?

If you Use Email to Validate Domain Ownership, ACM sends emails to the three contact addresses listed in WHOIS and to the five common system addresses for the domains specified in the certificate request. If the certificate's status is "Pending validation," you can Request a Domain Validation Email for Certificate Renewal.

You can't resend the validation email if:

  • The certificate status is not "Pending validation."
  • The certificate has a subject alternative name (SAN) that is not pending validation.
  • The domain was validated using DNS.

The certificate status is not "Pending validation"

If the certificate status is not "Pending validation, the option to resend the validation email is unavailable (grayed out), or you receive the following error message:

An error occurred (InvalidStateException) when calling the ResendValidationEmail operation: Certificate arn:aws:acm:us-arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not in pending validation state.

Confirm that the certificate's status is "Pending validation", and then resend the validation email. To resend the validation email, the certificate's status must be "Pending validation." For more information, see Manage ACM Certificates.

If the certificate's status is "Expired," you can't request to resend the validation email, and you must Request a Public Certificate.

The certificate has a subject alternative name (SAN) that is not pending validation

During the renewal process, if one or more of your domains is automatically validated and you attempt to resend validation emails for the same domains, you'll receive the following error:  

Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com.

To confirm which domains still must be validated, see describe-certificate. You can use the AWS Command Line Interface (AWS CLI) to specify the base validation domain for the email that isn't validated. For more information, see resend-validation-email.

The domain was validated using DNS

If you Used DNS to Validate Domain Ownership, the validation email can't be resent, and the option to resend the validation isn't available (grayed out) in the AWS Certificate Manager console. If you're using the AWS CLI, you might receive the following error message:  

An error occurred (InvalidStateException) when calling the ResendValidationEmail operation: Certificate arn:aws:acm:us-arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com.

Note: Be sure to confirm that the certificate you're requesting to resend the validation email to is in the correct region. If there is more than one certificate for the same domain in different regions, the validation email request might be sent to a certificate in a different region that has a status other than "Pending validation."


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-05-09