Received an email from aws: ACM was unable to automatically renew your certificate

Hi,

My domain is: www.onearth.studio

I received the following email from aws and have no idea about what I shall do, if you could help, it would be great!

Greetings from Amazon Web Services,

You have an AWS Certificate Manager (ACM) SSL/TLS certificate in your AWS account that expires on May 07, 2022 at 23:59:59 UTC. That certificate includes the primary domain onearth.studio and a total of 1 domains.

AWS account ID: 442------208
AWS Region name: us-east-2
Certificate identifier: arn:aws:acm:us-east-2:442------208:certificate/f868bc8f-1cad-476b-8539-4b73dd745ad9

ACM was unable to automatically renew your certificate. The domain validation method for this certificate is email validation. This method requires the domain owner or someone authorized by the domain owner to take one of the following actions before May 07, 2022 at 23:59:59 UTC. If no action is taken, the certificate will expire, which might cause your website or application to become unreachable.

  1. If you can write records into your DNS configuration, you can replace all of your existing email-validated certificates with DNS-validated certificates. After you add a CNAME record to your DNS configuration, ACM can automatically renew your certificate as long as the record remains in place. You can learn more about DNS validation in the ACM User Guide.[1]

  2. If you want to continue using email validation to renew this certificate, the domain owners must use the approval link that was sent in a separate validation request email. The validation email is valid for 3 days. ACM customers can resend the validation email after receiving the first notification or any time up until 3 days after the certificate expires. For more information on how to resend a validation email, refer to the ACM User Guide.[2]

Thank you in advance,
Jan

This means the certificate in question isn't a Let's Encrypt one.

You have a few certificates from Let's Encrypt, and it's not time to renew yet: crt.sh | www.onearth.studio

They are talking about this one, expiring on the 23rd: crt.sh | 4423436464 -- it doesn't look like you are using this certificate.

2 Likes

Hi 9peppe,

Thx for your answer. I'm not really sure I understand: they are talking about a certificate that I do not use, is that correct? Does it mean that I have nothing to do?

They wrote: "If no action is taken, the certificate will expire, which might cause your website or application to become unreachable." Hope my website will still be reachable!

Best regards,
Jan

1 Like

Only you can know if you're using the certificate. By opening your website just once, it wasn't using it. But it might use several certificates and whatnot.

1 Like

You created the AWS ACM cert last April 2021. Did you experiment with using AWS CloudFront or an Elastic Load Balancer back then? Those are common ways of getting an AWS ACM cert.

I also see your website server is currently sending out the Let's Encrypt cert so it does not look like you are using the AWS one anymore.

2 Likes

Hi MikeMcQ,

Thanks for helping! I do not remember if I used AWS CloudFront or an Elastic Load Balancer and I don't know where to look in order to know which one I have used.

aws wrote that I have to do an action before May 07, 2022 at 23:59:59 UTC, before tonight (I am in France).

I hope that I am only using Let's Encrypt cert...

Best regards,
Jan

1 Like

Sign on to your AWS Console and go to the AWS Certificate Manager section. You will see more details about the cert there. Any questions are best addressed to AWS though. This is a Let's Encrypt help forum after all :)

4 Likes

MikeMcQ,

Sorry about that! I am not familiar at all with certs, I didn't know it was only an aws issue. I will have a look at the aws Certificate Manager section and I'll let you know.

Thx!

Best regards,
Jan

1 Like

MikeMcQ,

It seems to me that I have done something wrong, on aws they say "ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM will either renew your certificates automatically (if you are using DNS validation), or it will send you email notices when expiration is approaching. These services are provided for both public and private ACM certificates." It is strange because I thought I was only using Let's Encrypt.

9peppe and you saw that my website server is sending out Let's Encrypt cert, I hope it's the only one needed.

Which hosting provider do you recommend?

Best regards,
Jan

1 Like

Did you go into your AWS Console like I suggested? Because you should see that cert listed in the Certificate Manager section. It has a column for "in use". Is it in use?

More details are shown when you click on the cert in that section. One of those detailed categories is "Associated resources". What AWS service is listed, if any? Are you still using that service? Only you can know whether it is needed.

Mind, this really has nothing to do with Let's Encrypt. I happen to know this because I have an AWS account myself and use those services.

Your best hosting provider is one that you can understand and manage. Let's Encrypt has a list of hosting providers to consider.

3 Likes
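The check described above (the "in use" column and "Associated resources"), as an added example that is not part of the original thread: it reads the JSON that `aws acm describe-certificate` prints and reports whether the expiry notice needs any action. The sample document, the placeholder ARN and the helper name `triage` are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape `aws acm describe-certificate` prints.
# The ARN and account ID are placeholders, not values from the thread.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-2:111122223333:certificate/EXAMPLE",
  "DomainName": "example.com",
  "Status": "ISSUED",
  "NotAfter": "2022-05-07T23:59:59+00:00",
  "InUseBy": [],
  "DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationMethod": "EMAIL"}
  ]
}}
""")


def parse_not_after(value):
    # AWS CLI v2 prints ISO 8601 strings; CLI v1 prints epoch seconds.
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value)


def triage(doc, now):
    """Hypothetical helper: decide what an ACM expiry notice requires."""
    cert = doc["Certificate"]
    in_use_by = cert.get("InUseBy", [])  # the console's "Associated resources"
    methods = {o.get("ValidationMethod")
               for o in cert.get("DomainValidationOptions", [])}
    if not in_use_by:
        action = "unused"                      # nothing in AWS serves it
    elif "EMAIL" in methods:
        action = "approve-email-or-move-to-dns"
    else:
        action = "keep-validation-cname"       # DNS validation renews itself
    return {
        "domain": cert["DomainName"],
        "days_left": (parse_not_after(cert["NotAfter"]) - now).days,
        "in_use_by": in_use_by,
        "action": action,
    }


if __name__ == "__main__":
    print(triage(SAMPLE, datetime.now(timezone.utc)))
```

An empty `InUseBy` list corresponds to "in use: No" in the console; any ARN listed there names the load balancer, distribution or other resource that would be affected by expiry.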

MikeMcQ,

Thanks for the list of hosting providers.

Yes I have been to my aws Console, I see in EC2 Dashboard that my instance is running, I can connect to it but I do not find the Certificate Manager section. I've made some research on internet but I can't find it!

When I find it I'll let you know!

Best regards,
Jan

1 Like

Do you have a "Search for services" entry on the top of the EC2 dashboard? (I do) It is right next to a 9-point menu icon saying Services.

If so, just type in certificate manager

3 Likes

Yes I have a search for services entry, I've tried it again and this is what I got:

AWS Certificate Manager

AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates.

I can:

• Request a public certificate from Amazon or a private certificate from your organization's certificate authority (CA)
[Request a certificate]

• Import certificates that you obtained outside of AWS
[Import certificate]

• Create private certificate authority (CA) hierarchies for your organization
[Create a private CA]

I am not sure what to do.

Best Regards,
Jan

1 Like

Click the "hamburger" (3-line) menu on the left and choose "List Certificates". Then follow along with what I described earlier

Also maybe try:

2 Likes

Thanks Mike for your support.

On my page there is no hamburger! I will try the Find Answers to AWS Questions

Best Regards,
Jan

1 Like

Also look at ACM page. It has a link to the ACM Console directly

2 Likes

Mike,

Thx for your answer.

AWS drives me crazy! I have to stop for today, hope to find the "List Certificates" tomorrow.

Thank you again for all your answers, thanks to 9peppe too.

Best Regards,
Jan

1 Like

Tomorrow you may not have anything to list. The AWS cert expires end of day today.

You don't have a 3-line menu icon like this? (green arrow is mine)
I click that and see List Certs and other options

2 Likes

Hi MikeMcQ,

You and 9peppe were right, it looks like my website is using only the Let's Encrypt cert (which is a great great thing to know), because today I can still access my website (https://www.onearth.studio) even if I don't have any certificates on AWS.

Thank you a lot for your help yesterday, I finally found the "hamburger" and the list of certificates and I see today:

Certificates (0) ( There are no certificates in your account.).

Unfortunately I saw your answer only this morning and not yesterday evening, I will never understand why I had an AWS cert the first time.

Let's Encrypt forum and mostly people responding to my requests are just amazing: every time I ask a question, I get a clear and rapid answer, it is extremely useful, I love it!

I dream of a Let's Encrypt Hosting Service managed by the Let's Encrypt team.

I wish you all the best,
Jan

2 Likes
