Why did my ACM certificate fail automatic renewal?
Last updated: 2020-12-16
I used the automatic domain validation process, but my AWS Certificate Manager (ACM) certificate failed to renew. Why didn't my ACM certificate renew?
Approximately 60 days before the certificate's expiration, ACM begins the process for managed renewal for ACM certificates. ACM tries to validate each domain name included in the certificate, and after all the domain names associated are validated, the ACM certificate is renewed. For more information, see Troubleshooting managed certificate renewal.
The automatic validation process can fail for email- and DNS-validated certificates if:
- The certificate was imported into ACM. Imported certificates aren't renewed automatically.
- The ACM certificate that's being renewed is not in use—the ACM certificate isn't associated with any of the services integrated with ACM.
The automatic validation process can fail for email-validated certificates if:
- ACM can't establish an HTTPS connection with all the domain names included in the ACM certificate.
- For each HTTPS connection that's established with your domain names, the public certificate that's returned in the response doesn't match the certificate that ACM is renewing.
The automatic validation process can fail for DNS validated certificates if ACM was unable to find the appropriate CNAME record in the DNS database.
Email and DNS validated certificates
Be sure that the ACM certificate is in use with one of the services integrated with ACM.
Email validated certificates
- Configure your AWS resources that use the ACM certificate to accept HTTPS requests from the internet. For more information, see Why can't I find my imported certificate for my load balancer or CloudFront distribution?
- Configure your DNS records to route requests for your domain name to the corresponding AWS resource to which the ACM certificate is attached.
DNS validated certificates
Update your DNS configuration to include the CNAME records provided by ACM.
During the managed renewal process, ACM tries to establish HTTPS connections with the domain names included in the certificate, up to the 45th day before the certificate expires. ACM looks for the CNAME record in the DNS configuration for the domain names included in the DNS-validated certificates. During this process, the renewal status of your ACM certificate is "Pending automatic renewal." For more information, see Check a certificate's renewal status.
If the certificate is automatically validated and no further action is required, then the renewal status changes to "Success." If the managed renewal process fails, then you can manually validate your domain using email to validate domain ownership or DNS to validate domain ownership. For more information, see Troubleshooting certificate validation.
After the certificate is renewed, the Amazon Resource Name (ARN) of the renewed ACM certificate remains the same. Renewed ACM certificates are automatically updated to the integrated, in-use AWS resources.