Why is my certificate renewal still pending after I validated my domain names using the ACM managed renewal process?

3 minute read

I validated my domain using the AWS Certificate Manager (ACM) managed renewal process, but the status is still "Pending validation." How can I resolve this?

Short description

The renewal process differs for email-validated certificates and DNS-validated certificates.

ACM tries to automatically renew your ACM certificates 60 days before the certificate expires for DNS-validated certificates. To confirm that a domain is validated, expand the certificate's details in the ACM console. Or, use the describe-certificate command in the AWS Command Line Interface (AWS CLI). If ACM can't automatically validate one or more domain names in the certificate, then the renewal status is "Pending validation."

This can happen because:

Not all the domains listed in the ACM certificate are validated.
The automatic validation failed.
The managed renewal process is asynchronous.
The original certificate expired.

Note: For email-validated certificates renewals, ACM begins sending renewal notices 45 days before expirations that require action by the domain owner.

Resolution

Use the following instructions to troubleshoot the ACM renewal status "Pending validation."

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Not all the domains listed in the ACM certificate are validated

If you validate domains manually, then each domain included in the ACM certificate must be validated.

If you use email validation, then a set of validation emails is sent for each domain. You must complete the steps included in these emails to validate the domains. For more information, see Email validation.

The automatic validation failed

If ACM can't automatically validate a domain, see Handling failures in managed certificate renewal.

The managed renewal process is asynchronous

It can take up to a few hours for ACM to obtain the new certificate. During this time, the status in the ACM console remains Pending validation.

If the update is delayed, then the domain's validation status in the ACM console is Success and the certificate's renewal status is Pending validation.

The original certificate expired

If the original email-validated ACM certificate expires, then the certificate status changes from Issued to Pending validation. You must validate the domain within 72 hours, or the renewal status changes from Pending validation to Failed. If the renewal fails, you must request another public certificate for the domains.

Related information

Managed renewal for ACM certificates

Check a certificate's renewal status

Why did my publicly trusted ACM certificate fail managed renewal?

Topics

Security, Identity, & Compliance

Relevant content

ACM: Renewal Status is pending validation even after correct DNS Configuration
Zain Abbas
asked 7 months ago
ACM certificate renewal
Accepted Answer
Shajan Thomas
asked 3 months ago
Certificate Manager: renewal with domain validation fails to renew, expecting CAA records
minimal-dot-app
asked 2 years ago
Certificate renewal status is "Pending auto-renewal" but domain renewal status is "Success"
BBS
asked 6 months ago
Certificate renewal status is "Pending auto-renewal" but domain renewal status is "Success"
Will
asked 15 days ago
Why is my ACM certificate marked as ineligible for renewal?
AWS OFFICIALUpdated 9 months ago
How does the ACM managed renewal process work with email-validated certificates?
AWS OFFICIALUpdated 2 years ago
Why did my publicly trusted ACM certificate fail managed renewal?
AWS OFFICIALUpdated 2 years ago
Why can't I resend the validation email from ACM to renew a certificate?
AWS OFFICIALUpdated 5 months ago
A Guide to Understanding and Streamlining the DMCA Process
EXPERT
Ben Lee
published 4 months ago