Resolved! - Ended up just needing to contact Amazon Support to push it through.


I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS validated certificate where I validated using the CNAME record.

Under Domains, I can see the domain validation has a status of Success and a Renewal Status of Success.

If I run aws acm describe-certificate --certificate-arn "examplearn", I get a response showing DomainValidationOptions with the ValidationStatus being SUCCESS for the CNAME validation.

Sensitive values have been replaced with "example":

{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
        "DomainName": "*.example.com",
        "SubjectAlternativeNames": [
            "*.example.com"
        ],
        "DomainValidationOptions": [
            {
                "DomainName": "*.example.com",
                "ValidationDomain": "*.example.com",
                "ValidationStatus": "SUCCESS",
                "ResourceRecord": {
                    "Name": "examplename",
                    "Type": "CNAME",
                    "Value": "examplevalue"
                },
                "ValidationMethod": "DNS"
            }
        ],
        "Serial": "",
        "Subject": "CN=*.example.com",
        "Issuer": "Amazon",
        "CreatedAt": "2019-01-17T12:53:01-08:00",
        "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
        "Status": "ISSUED",
        "NotBefore": "2021-10-22T17:00:00-07:00",
        "NotAfter": "2022-11-23T15:59:59-08:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [
            "example",
            "example",
            "example",
            "example"
        ],
        "Type": "AMAZON_ISSUED",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {
                    "DomainName": "*.example.com",
                    "ValidationDomain": "*.example.com",
                    "ValidationStatus": "SUCCESS",
                    "ResourceRecord": {
                        "Name": "examplename",
                        "Type": "CNAME",
                        "Value": "examplevalue"
                    },
                    "ValidationMethod": "DNS"
                }
            ],
            "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
        },
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            },
            {
                "Name": "TLS_WEB_CLIENT_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.2"
            }
        ],
        "RenewalEligibility": "ELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "ENABLED"
        }
    }
}

I followed the instructions in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ successfully (checking that the CNAME response exactly matches the CNAME values in ACM when copy-pasting).

The site domain registration is in Route 53 with NS pointing to cloudflare, where DNS is managed.

Is there something obvious that pops out to you? Thank you!

  • Make sure to use "DNS only" mode instead of "Proxied" in Cloudflare – OARP Nov 19 '22 at 03:55
  • Thank you! DNS had been set to DNS only. Ended up just needing to contact Amazon Support to push it along. Annoying I had to pay extra, but glad it's resolved – user3587083 Nov 19 '22 at 04:30
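The check the question describes (comparing what DNS actually answers for the validation CNAME with what ACM expects), as an added example that is not part of the original post or of any AWS tooling. It parses `aws acm describe-certificate` output, takes the records ACM lists under RenewalSummary (those are the ones a renewal waits on, not the issuance-time list), normalizes names for case and trailing dots, and reports OK, MISMATCH, or NO_CNAME per record. The sample JSON and DNS answers are constructed stand-ins with placeholder names, not real ACM tokens; the live path assumes `dig` is installed and the AWS CLI output is piped in on stdin.

```python
import json
import subprocess
import sys

# Constructed sample of `aws acm describe-certificate` output, trimmed to the
# fields this check reads. Record names/values are placeholders, not real
# ACM validation tokens. It mirrors the situation in the question: the
# certificate is ISSUED, the per-domain status says SUCCESS, but the renewal
# itself still sits in PENDING_VALIDATION.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example-id",
        "DomainName": "*.example.com",
        "Status": "ISSUED",
        "DomainValidationOptions": [{
            "DomainName": "*.example.com",
            "ValidationStatus": "SUCCESS",
            "ValidationMethod": "DNS",
            "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                               "Value": "_def456.acm-validations.aws."},
        }],
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [{
                "DomainName": "*.example.com",
                "ValidationStatus": "SUCCESS",
                "ValidationMethod": "DNS",
                "ResourceRecord": {"Name": "_abc123.example.com.", "Type": "CNAME",
                                   "Value": "_def456.acm-validations.aws."},
            }],
        },
    }
})

# Constructed DNS answers standing in for `dig +short CNAME <name>`, keyed by
# normalized owner name.
SAMPLE_DNS = {"_abc123.example.com": ["_DEF456.acm-validations.aws."]}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare without the trailing dot."""
    return name.strip().rstrip(".").lower()


def offline_resolver(name: str) -> list:
    """Resolver backed by the constructed SAMPLE_DNS table (no network)."""
    return SAMPLE_DNS.get(normalize(name), [])


def dig_cname(name: str) -> list:
    """Live resolver: ask the local resolver for CNAME records via dig."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, check=False).stdout
    return [line for line in out.splitlines() if line.strip()]


def renewal_state(describe_json: str) -> tuple:
    """(certificate Status, RenewalSummary.RenewalStatus or None)."""
    cert = json.loads(describe_json)["Certificate"]
    return cert.get("Status"), cert.get("RenewalSummary", {}).get("RenewalStatus")


def expected_records(describe_json: str) -> list:
    """CNAME records the renewal is waiting on (falls back to issuance list)."""
    cert = json.loads(describe_json)["Certificate"]
    opts = (cert.get("RenewalSummary", {}).get("DomainValidationOptions")
            or cert.get("DomainValidationOptions", []))
    return [o["ResourceRecord"] for o in opts
            if o.get("ValidationMethod") == "DNS"
            and o.get("ResourceRecord", {}).get("Type") == "CNAME"]


def check_validation_records(describe_json: str, resolve=dig_cname) -> list:
    """Compare each expected validation CNAME with what DNS really answers."""
    results = []
    for rec in expected_records(describe_json):
        answers = [normalize(a) for a in resolve(rec["Name"])]
        want = normalize(rec["Value"])
        if not answers:
            # Nothing published, or the name answers with A records instead
            # of a CNAME (what a proxied Cloudflare record looks like).
            status = "NO_CNAME"
        elif want in answers:
            status = "OK"
        else:
            status = "MISMATCH"
        results.append({"name": normalize(rec["Name"]), "expected": want,
                        "answers": answers, "status": status})
    return results


if __name__ == "__main__":
    # Usage: aws acm describe-certificate --certificate-arn <arn> | python3 check.py
    if sys.stdin.isatty():
        data, resolver = SAMPLE_DESCRIBE_OUTPUT, offline_resolver
    else:
        data, resolver = sys.stdin.read(), dig_cname
    print("Status / RenewalStatus:", renewal_state(data))
    for r in check_validation_records(data, resolver):
        print(f"{r['status']:9} {r['name']} -> expected {r['expected']}, got {r['answers']}")
```

With no stdin the script runs against the constructed sample; with the CLI output piped in it queries the local resolver with `dig`. A NO_CNAME result on a name that is definitely published in the zone is the signature to look for when a record is being proxied rather than served as a plain CNAME.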
