Why can't I resend the validation email from ACM to renew a certificate?


I used AWS Certificate Manager (ACM) to renew a certificate, and I want to resend the validation email. However, the option is unavailable, or I receive an error message.

Short description

To renew an ACM certificate, you can use either email-validated renewals or DNS-validated renewals.

Important: In 2024, ACM will discontinue WHOIS lookup for email-validated certificates. It's a best practice to use DNS validation instead of email validation.

If you use email to validate domain ownership, then ACM sends emails to the five common system addresses for the specified domains in the request. ACM also sends emails to the three contact addresses that are listed in the WHOIS database for the domains. If the certificate's renewal status is pending validation, then you can request a domain validation email for certificate renewal.

You can't resend the validation email in the following scenarios:

  • The certificate renewal status isn't pending validation.
  • The certificate renewal status is pending validation, and the subject alternative name (SAN) doesn't have the domain validation status as pending validation.
  • You used DNS to validate the certificate's domain.

Resolution

Follow the troubleshooting steps for your use case.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

The certificate renewal status isn't pending validation

Check the certificate's renewal status. If the certificate renewal status isn't pending validation, then the option to resend the validation email is unavailable, or you receive the following error:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

If the certificate's renewal status is pending validation, then resend the validation email. If the certificate's renewal status is failed, then you can't request to resend the validation email. Instead, you must request a new public certificate.

The certificate renewal status is pending validation, and the SAN doesn't have the domain validation status as pending validation

If one of your domains is automatically validated and you try to resend validation emails for the same domains, then you receive the following error:

"Certificate arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e is not using EMAIL validation for domain example.com."

To confirm which domains you must still validate, run the describe-certificate command. Replace your_certificate_arn with your certificate's ARN:

aws acm describe-certificate --certificate-arn your_certificate_arn --query Certificate.RenewalSummary.DomainValidationOptions

Example output:

[
  {
    "DomainName": "example.com",
    "ValidationEmails": [
      "hostmaster@example.com",
      "postmaster@example.com",
      "admin@example.com",
      "webmaster@example.com",
      "administrator@example.com"
    ],
    "ValidationDomain": "example.com",
    "ValidationStatus": "SUCCESS",
    "ResourceRecord": null,
    "ValidationMethod": "EMAIL"
  },
  {
    "DomainName": "example.net",
    "ValidationEmails": [
      "hostmaster@example.net",
      "postmaster@example.net",
      "admin@example.net",
      "webmaster@example.net",
      "administrator@example.net"
    ],
    "ValidationDomain": "example.net",
    "ValidationStatus": "PENDING_VALIDATION",
    "ResourceRecord": null,
    "ValidationMethod": "EMAIL"
  }
]

In the preceding example, the domain names example.com and example.net are included in the certificate. The validation status for example.com is SUCCESS because validation completed. The validation status for example.net is PENDING_VALIDATION because domain validation didn't complete.

Use either the ACM console or the AWS CLI to resend the validation email.

Note: You can resend validation emails for only domains that have the renewal status as pending validation.
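As an added example (not part of the AWS article), the following Python script applies the three scenarios above to a describe-certificate RenewalSummary and builds only the resend commands that ACM will accept. The sample summary is constructed: its ARN and domains are taken from the example output above, but the RenewalStatus value is an assumption, because the query above returns only DomainValidationOptions.

```python
import json
import shlex

# Constructed sample: the two domains from the example output above, wrapped in a
# RenewalSummary whose RenewalStatus is assumed to be PENDING_VALIDATION.
SAMPLE_ARN = "arn:aws:acm:region:123456789012:certificate/97b4deb6-8983-4e39-918e-ef1378924e1e"
SAMPLE_RENEWAL_SUMMARY = json.loads("""
{
  "RenewalStatus": "PENDING_VALIDATION",
  "DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationDomain": "example.com",
     "ValidationStatus": "SUCCESS", "ValidationMethod": "EMAIL"},
    {"DomainName": "example.net", "ValidationDomain": "example.net",
     "ValidationStatus": "PENDING_VALIDATION", "ValidationMethod": "EMAIL"}
  ]
}
""")


def domains_to_resend(summary):
    """Return (DomainName, ValidationDomain) pairs that a resend request will accept.

    Mirrors the blocking scenarios above: nothing is eligible unless the renewal
    itself is PENDING_VALIDATION, and per SAN only EMAIL-validated names that are
    still PENDING_VALIDATION qualify. A SUCCESS name or a DNS-validated name is
    skipped, since ACM answers those with the "is not using EMAIL validation" error.
    """
    if summary.get("RenewalStatus") != "PENDING_VALIDATION":
        return []
    return [
        (opt["DomainName"], opt["ValidationDomain"])
        for opt in summary.get("DomainValidationOptions", [])
        if opt.get("ValidationMethod") == "EMAIL"
        and opt.get("ValidationStatus") == "PENDING_VALIDATION"
    ]


def resend_commands(arn, summary):
    """Build one AWS CLI resend-validation-email command per eligible SAN."""
    return [
        "aws acm resend-validation-email --certificate-arn {} --domain {} "
        "--validation-domain {}".format(shlex.quote(arn), shlex.quote(d), shlex.quote(v))
        for d, v in domains_to_resend(summary)
    ]


if __name__ == "__main__":
    for cmd in resend_commands(SAMPLE_ARN, SAMPLE_RENEWAL_SUMMARY):
        print(cmd)
```

To feed the script a real summary that includes RenewalStatus, query Certificate.RenewalSummary instead of Certificate.RenewalSummary.DomainValidationOptions in the describe-certificate command above.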

You used DNS to validate the domain

If you used DNS to validate domain ownership, then you don't receive a validation email. If you created a certificate with email validation, then you can't use DNS to validate the certificate. The option to resend the validation is unavailable in the ACM console.

For more information, see Why didn't I receive the validation email to issue or renew ACM certificates?

Related information

Troubleshoot email validation problems

AWS OFFICIAL, updated a month ago