Certificates managed by ACM should be validated

Description

All Secure Socket Layer/Transport Layer Security (SSL/TLS) certificates in Amazon Certificate Manager (ACM) should be validated.

Rationale

Requests for ACM certificates time out if they are not validated within 72 hours. ACM provides managed renewal for your Amazon-issued SSL/TLS certificates that are used with other AWS resources.

ACM either renews your certificates automatically (if you are using DNS validation), or it sends you email notices when expiration is approaching. These services are provided for both public and private ACM certificates. However, renewal for other certificates must be done manually. If a certificate is not validated, it can interrupt an application or service.

Remediation

From the console

Follow the Setting Up DNS Validation or Resending Validation Email docs to validate a certificate in the AWS Console or by email.

From the command line

  1. Run resend-validation-email using the ARN of the invalid certificate with your domain and validation-domain.

    aws acm resend-validation-email
      --certificate-arn arn:aws:acm:us-east-1:1234567890:certificate/a1b2345c-d678-9123-4567-89ab12c2345d
      --domain www.example.com
      --validation-domain example.com
    
  2. Click the link in the generated email to navigate to the Amazon Certificates Approvals page, and click the I Approve button.