Troubleshooting managed certificate renewal - AWS Certificate Manager

Troubleshooting managed certificate renewal

ACM tries to automatically renew your ACM certificates before they expire so that no action is required from you. Consult the following topics if you have trouble with Managed renewal for ACM certificates.

Preparing for automatic domain validation

Before ACM can renew your certificates automatically, the following must be true:

  • Your certificate must be associated with an AWS service that is integrated with ACM. For information about the resources that ACM supports, see Services integrated with AWS Certificate Manager.

  • For email-validated certificates, ACM must be able to reach you at an administrator email address for each domain listed in your certificate. The email addresses that will be tried are listed in Email validation.

  • For DNS-validated certificates, make sure that your DNS configuration contains the correct CNAME records as described in DNS validation.

Handling failures in managed certificate renewal

As the certificate nears expiration (60 days before expiration for DNS-validated certificates, 45 days for email-validated certificates, and 60 days for private certificates), ACM attempts to renew the certificate if it meets the eligibility criteria. You might have to take action for the renewal to succeed. For more information, see Managed renewal for ACM certificates.

Managed certificate renewal for email-validated certificates

ACM certificates are valid for 13 months (395 days). To be renewed, email-validated certificates require an action by the domain owner. ACM begins sending renewal notices 45 days before expiration to the domain's WHOIS mailbox addresses and to five common administrator addresses. The notifications contain a link that the domain owner can click for easy renewal. Once all listed domains are validated, ACM issues a renewed certificate with the same ARN.

See Validate with Email for instructions on identifying which domains are in the PENDING_VALIDATION state and repeating the validation process for those domains.

Managed certificate renewal for DNS-validated certificates

ACM does not attempt TLS validation for DNS-validated certificates. If ACM fails to renew a certificate you validated with DNS validation, it is most likely due to missing or inaccurate CNAME records in your DNS configuration. ACM checks the validation CNAME records again at every renewal, so they must stay in place for as long as the certificate is in use; removing them after the initial issuance is a common cause of a later renewal failure. If this occurs, ACM notifies you that the certificate could not be renewed automatically.

Important

You must insert the correct CNAME records into your DNS database. Consult your domain registrar about how to do this.

You can find the CNAME records for your domains by expanding your certificate and its domain entries in the ACM console. Refer to the figures below for details. You can also retrieve CNAME records by using the DescribeCertificate operation in the ACM API or the describe-certificate command in the ACM CLI. For more information, see DNS validation.

[Figure: Choose the target certificate from the console.]

[Figure: Expand the certificate window to find the certificate's CNAME information.]

If the problem persists, contact the Support Center.
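The checks described in the three sections above (confirming the certificate is eligible for renewal, finding the domains still in PENDING_VALIDATION, and verifying that the CNAME records returned by describe-certificate are actually present in DNS with the expected value) can be scripted. The following is an added example written for this page, not code from ACM or the AWS CLI. It parses the JSON shape that `aws acm describe-certificate` returns and takes a resolver callback, so it runs here against a constructed sample (placeholder ARN, record names and tokens); the `dig_resolver` helper is the hypothetical drop-in for a live check and assumes `dig` is installed.

```python
"""Check an ACM certificate's renewal state and DNS-validation CNAMEs.

Hypothetical helper, not part of ACM or the AWS CLI. Feed it the JSON from
`aws acm describe-certificate --certificate-arn <arn>` and a resolver.
"""
import json
import subprocess
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed sample of describe-certificate output. The ARNs, record names
# and validation tokens are placeholders, not real values.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "DomainName": "example.com",
        "Status": "ISSUED",
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/0000000000000000"],
        "RenewalEligibility": "ELIGIBLE",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {"DomainName": "example.com", "ValidationMethod": "DNS",
                 "ValidationStatus": "SUCCESS",
                 "ResourceRecord": {"Name": "_aaaa1111.example.com.", "Type": "CNAME",
                                    "Value": "_1111aaaa.acm-validations.aws."}},
                {"DomainName": "www.example.com", "ValidationMethod": "DNS",
                 "ValidationStatus": "PENDING_VALIDATION",
                 "ResourceRecord": {"Name": "_bbbb2222.www.example.com.", "Type": "CNAME",
                                    "Value": "_2222bbbb.acm-validations.aws."}},
                {"DomainName": "api.example.com", "ValidationMethod": "DNS",
                 "ValidationStatus": "PENDING_VALIDATION",
                 "ResourceRecord": {"Name": "_cccc3333.api.example.com.", "Type": "CNAME",
                                    "Value": "_3333cccc.acm-validations.aws."}},
            ],
        },
    }
})

# Constructed DNS answers standing in for the zone: one correct record, one
# stale token left over from an earlier certificate, and one record missing.
SAMPLE_ZONE = {
    "_aaaa1111.example.com.": "_1111aaaa.acm-validations.aws.",
    "_bbbb2222.www.example.com.": "_9999ffff.acm-validations.aws.",
}


def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a CNAME lookup against the constructed zone."""
    return SAMPLE_ZONE.get(name)


def dig_resolver(name: str) -> Optional[str]:
    """Live lookup via `dig +short CNAME`; None when no record exists."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


def _fqdn(name: str) -> str:
    """Normalise for comparison: DNS names are case-insensitive, and ACM
    returns them with a trailing dot while some resolvers drop it."""
    return name.lower().rstrip(".") + "."


def _validation_options(describe_json: str) -> List[dict]:
    cert = json.loads(describe_json)["Certificate"]
    # During managed renewal the per-domain status is under RenewalSummary;
    # fall back to the issuance-time options for a certificate not yet renewing.
    renewal = cert.get("RenewalSummary", {})
    return renewal.get("DomainValidationOptions") or cert.get("DomainValidationOptions", [])


def renewal_blockers(describe_json: str) -> List[str]:
    """Eligibility preconditions from the page that are visible in the API output."""
    cert = json.loads(describe_json)["Certificate"]
    blockers = []
    if not cert.get("InUseBy"):
        blockers.append("certificate is not associated with any AWS resource")
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        blockers.append(f"RenewalEligibility is {cert.get('RenewalEligibility')}")
    return blockers


def pending_domains(describe_json: str) -> List[str]:
    """Domains the renewal is still waiting on (any status other than SUCCESS)."""
    return [o["DomainName"] for o in _validation_options(describe_json)
            if o.get("ValidationStatus") != "SUCCESS"]


def check_dns_validation(describe_json: str, resolve: Resolver) -> Dict[str, str]:
    """For each DNS-validated domain, report whether the CNAME ACM expects
    is present in DNS with exactly the expected value."""
    report: Dict[str, str] = {}
    for opt in _validation_options(describe_json):
        if opt.get("ValidationMethod") != "DNS":
            continue
        rec = opt["ResourceRecord"]
        answer = resolve(_fqdn(rec["Name"]))
        if answer is None:
            report[opt["DomainName"]] = "missing"
        elif _fqdn(answer) != _fqdn(rec["Value"]):
            report[opt["DomainName"]] = f"mismatch: zone has {answer}, ACM expects {rec['Value']}"
        else:
            report[opt["DomainName"]] = "ok"
    return report


if __name__ == "__main__":
    print("blockers:", renewal_blockers(SAMPLE_DESCRIBE_OUTPUT))
    print("pending:", pending_domains(SAMPLE_DESCRIBE_OUTPUT))
    for domain, state in check_dns_validation(SAMPLE_DESCRIBE_OUTPUT, sample_resolver).items():
        print(f"{domain}: {state}")
```

For a real certificate, pipe the CLI output into the script and pass `dig_resolver` instead of `sample_resolver`. A "mismatch" result usually means the zone still carries the validation token from an earlier certificate for the same name; a "missing" result means the record was never created or was removed after the first issuance.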

Understanding renewal timing

Managed renewal for ACM certificates is an asynchronous process. This means that the steps don't occur in immediate succession. After all domain names in an ACM certificate have been validated, there might be a delay before ACM obtains the new certificate. An additional delay can occur between the time when ACM obtains the renewed certificate and the time when that certificate is deployed to the AWS resources that use it. Therefore, changes to the certificate status can take up to several hours to appear in the console.