
ACM Certificate Pending Validation

Overview

An SSL/TLS certificate in this account has the renewal status "Pending Validation". ACM reports this status when, during managed renewal, it has not yet been able to validate ownership of one or more of the domain names on the certificate. AWS Certificate Manager (ACM) can create, store, and renew public and private SSL/TLS certificates for your AWS websites and applications. X.509 TLS certificates bind the identity of your website, and details of your organization, to the public key contained in the certificate, so that browsers can verify that they are connecting to the intended website.

It is important for TLS certificates to remain valid; otherwise users' browsers have no way to verify that they are connecting to the intended web server and will display a security warning (and, where the site enforces HSTS, the browser will refuse the connection rather than offer a click-through). Additionally, expired and revoked certificates continue to count towards your AWS account's ACM certificate quota.

ACM-issued certificates are valid for 13 months (395 days). ACM provides managed renewal for Amazon-issued SSL/TLS certificates: when DNS validation is used and the validation CNAME records are still in place, the certificate is renewed automatically; when email validation is used, ACM sends email notices to the domain owner as expiration approaches.

If ACM cannot automatically validate a domain name, it notifies the domain owner that manual action is needed to validate the domain and complete certificate renewal. These notifications are sent multiple times before expiration. The most common reason for automatic validation to fail is that the required validation CNAME record has been inadvertently changed or removed from DNS. You can use the AWS Certificate Manager console, the ACM API, the AWS CLI, or the AWS Health Dashboard (formerly the Personal Health Dashboard) to check the renewal status of an ACM certificate.

Unless the status has changed since this check was run, the renewal status of this certificate will be reported as Pending Validation (the possible renewal statuses are Pending automatic renewal, Pending validation, Success, and Failed; the API reports these as PENDING_AUTO_RENEWAL, PENDING_VALIDATION, SUCCESS, and FAILED).

Remediation details:

If the certificate relies on email validation, confirm that the validation addresses for the domain are correct and that someone monitors them and will act on the message: ACM sends the validation email to the domain's registered WHOIS contacts and to the five standard mailboxes (admin@, administrator@, hostmaster@, postmaster@, and webmaster@) for the domain. If the certificate relies on DNS validation, confirm that the validation CNAME record for every domain name on the certificate still exists in public DNS and resolves to exactly the value ACM expects; the expected record name and value are shown in the ACM console and in the ResourceRecord field returned by describe-certificate.

If your certificate is still in the Pending Validation state, you probably do not need to delete it or request a new one; once the validation record or email response is in place, ACM's next renewal attempt should succeed. However, if more time passes, ACM's subsequent renewal attempts fail, and the certificate expires, you will need to obtain a new certificate. If you have certificates for the same domain name in multiple AWS Regions, each of these certificates is renewed and validated independently, so the check above must be repeated per Region.
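The following script is an added example (not part of this page or of AWS's tooling) that automates the status check and the remediation triage described above. It takes the JSON returned by `aws acm describe-certificate --certificate-arn <arn>` (the ARNs come from `aws acm list-certificates`), and for every domain whose renewal validation has not succeeded reports what is blocking it: for DNS-validated names it compares the CNAME ACM expects with what DNS actually returns, and for email-validated names it lists the mailboxes that must respond. The sample certificate, the ARN in it, and the tiny DNS zone used as a resolver are constructed for the example; in production pass a real resolver (for instance `dns.resolver.resolve(name, "CNAME")` from dnspython) in place of `lookup_in_constructed_zone`.

```python
"""Triage ACM certificates whose renewal status is PENDING_VALIDATION.

Input is the JSON that `aws acm describe-certificate` returns for one
certificate. Output is the renewal status, days to expiry, and one
finding per domain name that ACM has not yet validated for renewal.
"""
from datetime import datetime, timezone

# Constructed sample of a describe-certificate response (fake ARN/domains).
SAMPLE_CERT = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
        "DomainName": "www.example.com",
        "Status": "ISSUED",
        "NotAfter": "2024-06-30T23:59:59+00:00",
        "RenewalSummary": {
            "RenewalStatus": "PENDING_VALIDATION",
            "DomainValidationOptions": [
                {   # already validated; nothing to do
                    "DomainName": "www.example.com",
                    "ValidationStatus": "SUCCESS",
                    "ValidationMethod": "DNS",
                    "ResourceRecord": {"Name": "_abc123.www.example.com.",
                                       "Type": "CNAME",
                                       "Value": "_def456.acm-validations.aws."},
                },
                {   # DNS-validated name whose CNAME was edited by hand
                    "DomainName": "api.example.com",
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ValidationMethod": "DNS",
                    "ResourceRecord": {"Name": "_ghi789.api.example.com.",
                                       "Type": "CNAME",
                                       "Value": "_jkl012.acm-validations.aws."},
                },
                {   # email-validated name still waiting for a reply
                    "DomainName": "mail.example.com",
                    "ValidationStatus": "PENDING_VALIDATION",
                    "ValidationMethod": "EMAIL",
                    "ValidationEmails": ["admin@example.com", "hostmaster@example.com"],
                },
            ],
        },
    }
}

# Constructed stand-in for public DNS: record name -> CNAME target.
CONSTRUCTED_ZONE = {
    "_abc123.www.example.com.": "_def456.acm-validations.aws.",
    "_ghi789.api.example.com.": "_stale000.acm-validations.aws.",  # wrong target
}


def lookup_in_constructed_zone(name):
    """Resolver stub with the signature a real CNAME lookup should have:
    return the target name, or None when no record exists."""
    return CONSTRUCTED_ZONE.get(_fqdn(name))


def _fqdn(name):
    """Normalise for comparison: DNS names are case-insensitive and ACM
    returns them with a trailing dot, DNS UIs often show them without."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def days_until_expiry(not_after, now=None):
    """NotAfter is an ISO-8601 string from the CLI or a datetime from boto3."""
    if isinstance(not_after, str):
        not_after = datetime.fromisoformat(not_after)
    if not_after.tzinfo is None:
        not_after = not_after.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def audit_certificate(describe_output, resolve_cname, now=None):
    cert = describe_output["Certificate"]
    renewal = cert.get("RenewalSummary") or {}
    findings = []
    for opt in renewal.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") == "SUCCESS":
            continue  # this name is not what is holding renewal up
        finding = {"domain": opt["DomainName"], "method": opt.get("ValidationMethod")}
        if finding["method"] == "DNS":
            rec = opt.get("ResourceRecord") or {}
            expected, actual = _fqdn(rec.get("Value", "")), resolve_cname(rec.get("Name", ""))
            if actual is None:
                finding["problem"] = "CNAME_MISSING"
            elif _fqdn(actual) != expected:
                finding["problem"] = "CNAME_WRONG"
            else:
                finding["problem"] = "CNAME_OK_AWAITING_ACM"  # record is right; ACM will retry
            finding["action"] = f"ensure {rec.get('Name')} CNAME {rec.get('Value')}"
        else:
            finding["problem"] = "EMAIL_PENDING"
            finding["action"] = "respond to validation mail at: " + ", ".join(opt.get("ValidationEmails", []))
        findings.append(finding)
    return {
        "arn": cert["CertificateArn"],
        "renewal_status": renewal.get("RenewalStatus"),
        "days_until_expiry": days_until_expiry(cert["NotAfter"], now),
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_certificate(SAMPLE_CERT, lookup_in_constructed_zone), indent=2))
```

Query the authoritative name servers (or a public resolver) rather than a corporate resolver with a long cache when you check the CNAME, and run the audit once per Region, since each Regional copy of a certificate carries its own renewal summary.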

Vendor

AWS

Cloud Service

ACM

References

https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html
https://docs.aws.amazon.com/acm/latest/userguide/managed-renewal.html
https://docs.aws.amazon.com/acm/latest/userguide/check-certificate-renewal-status.html
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-DNS-validation.html
https://docs.aws.amazon.com/acm/latest/userguide/email-validation.html
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-email-validation.html
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-list.html
https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-describe.html
https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-renewal.html

Severity

2

Item Types

AWS::CertificateManager::Certificate