Unable to renew certificate on AWS - CNAME problem?

AWS Certificate Manager was unable to renew the certificate automatically using DNS validation.

I do not know what I am doing wrong. Full message from Amazon below:

You have an SSL/TLS certificate from AWS Certificate Manager in your AWS account that expires on Nov 11, 2021 at 12:00:00 UTC. This certificate includes the primary domain agencysalesmachine.com and a total of 1 domains.

AWS account ID: xxxxx
AWS Region name: us-east-1
Certificate identifier: arn:aws:acm:us-east-1:6640xxxxxxx:certificate/d18b1108-d01c-4729-9f96-576e879bfaec

AWS Certificate Manager (ACM) was unable to renew the certificate automatically using DNS validation. You must take action to ensure that the renewal can be completed. If the certificate is not renewed and the current certificate expires, your website or application may become unreachable.

To renew this certificate, you must ensure that the proper CNAME records are present in your DNS configuration for each domain listed below. You can find the CNAME records for your domains by expanding your certificate and its domain entries in the ACM console. You can also use the DescribeCertificate command in the ACM API[1] or the describe-certificate operation in the ACM CLI[2] to find a certificate’s CNAME records. For more information, see Automatic Domain Validation Failure in the ACM troubleshooting guide[3].
The following 1 domains require validation:

If you have questions about this process, you can contact the Support Center[4]. If you don’t have an AWS support plan, you can post a new thread in the AWS Certificate Manager discussion forum[5].

[3] Troubleshooting managed certificate renewal - AWS Certificate Manager

Did you create the correct validation CNAME?
Can you share the CNAME they asked you to create?


Thanks for trying to help!

The following 1 domains require validation: agencysalesmachine.com

CNAME record -
name= agencysalesmachine.com
Content= dcxgnh9bt3o8l.cloudfront.net
TTL= Auto
Proxy status DNS only

AWS Certificate Manager needs to verify that they are authorised to issue a certificate. From the message you pasted, they are looking for a particular CNAME record that you will find on the AWS Console. This will look like this:

Domain Name: example.com
Record Name: _a79865eb4cd1a6ab990a45779b4e0b96.agencysalesmachine.com.
Record Type: CNAME
Record Value: _424c7224e9b0146f9a8808af955727d0.hkmpvcwbzw.acm-validations.aws.

You need to create that record on the Cloudflare DNS dashboard to enable AWS to issue a certificate.

https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html

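A small checker, added here as an example and not part of the thread or of any AWS tooling, that pulls the validation CNAMEs ACM expects out of a `describe-certificate` response and compares them with what DNS actually answers. The response and the zone are constructed samples built from the record quoted above; the `dig` lookup assumes the dig CLI is installed.

```python
import subprocess


def expected_validation_records(describe_response):
    """(domain, cname_name, cname_value) triples ACM expects in DNS, taken from
    Certificate.DomainValidationOptions[].ResourceRecord of a describe-certificate
    response. Normalised to lower case without the trailing dot."""
    records = []
    for opt in describe_response["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if rr and rr.get("Type") == "CNAME":
            records.append((opt["DomainName"], rr["Name"].rstrip(".").lower(),
                            rr["Value"].rstrip(".").lower()))
    return records


def check_records(expected, resolve_cname):
    """resolve_cname(name) returns the CNAME target or None. Returns a list of
    problems; an empty list means every validation record is in place."""
    problems = []
    for domain, name, value in expected:
        actual = resolve_cname(name)
        if actual is None:
            problems.append(f"{domain}: no CNAME record at {name}")
        elif actual.rstrip(".").lower() != value:
            problems.append(f"{domain}: {name} -> {actual}, expected {value}")
    return problems


def dig_cname(name):
    """Live lookup via the dig CLI (assumed installed). A Cloudflare-proxied
    record answers with A records instead of a CNAME and so yields None here,
    which is also what ACM sees; keep the validation record "DNS only"."""
    out = subprocess.run(["dig", "+short", "CNAME", name], capture_output=True,
                         text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


# Constructed sample shaped like `aws acm describe-certificate` output, using the
# validation record quoted in the reply above.
SAMPLE_RESPONSE = {"Certificate": {"DomainValidationOptions": [{
    "DomainName": "agencysalesmachine.com", "ValidationMethod": "DNS",
    "ResourceRecord": {"Type": "CNAME",
        "Name": "_a79865eb4cd1a6ab990a45779b4e0b96.agencysalesmachine.com.",
        "Value": "_424c7224e9b0146f9a8808af955727d0.hkmpvcwbzw.acm-validations.aws."}}]}}

# Constructed zone mirroring the poster's first attempt: the apex CNAME to
# CloudFront exists, but nothing is published at the ACM validation name.
POSTER_ZONE = {"agencysalesmachine.com": "dcxgnh9bt3o8l.cloudfront.net"}
```

Run `check_records(expected_validation_records(SAMPLE_RESPONSE), dig_cname)` against a real zone; an empty list means ACM should be able to complete the renewal.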

Thanks! If I did it right, it should get validated soon!
