Fixing issues with obtaining and renewing Let's Encrypt certificates
Issue description

- When trying to issue a new or renew an existing Let's Encrypt certificate in the Certificate Manager interface, the domain ownership verification fails.
- When trying to issue a new or renew an existing Let's Encrypt certificate in the Certificate Manager interface, the certificate switches to one of the following statuses: INVALID or RENEWAL_FAILED.
- The certificate remains VALIDATING for a long time (from a few hours up to a few days).
- Certificate Manager does not perform automatic renewal of previously created certificates.
Solution
Domain ownership verification for a new certificate may be completed within 24 hours of its creation. The service periodically checks for the relevant CNAME or TXT DNS records, or for files with a certain name and contents on your domain's web server.
If repeated verification attempts keep failing for a week, the status changes to INVALID for new certificates or RENEWAL_FAILED for certificates being renewed.
In this case, you need to create a new certificate request.
Alert
Make sure your DNS registrar settings include only one resource record type, CNAME or TXT, for the validation name. Trying to use both record types will result in a domain validation conflict.
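The following pre-check, added here as an example and not part of the original page or of Certificate Manager itself, parses a zone-file style snippet and flags the conflict the alert above warns about (a CNAME and a TXT record on the same validation name), as well as the more general case of a CNAME sharing its name with any other record type, which DNS itself forbids (RFC 1034). The zone content is constructed sample data; the `_acme-challenge` label is the standard ACME DNS-01 validation name and is an assumption here, so substitute the record name your Certificate Manager interface actually shows.

```python
import re
from collections import defaultdict

# Constructed sample zone fragment (example.com is reserved for documentation).
# It deliberately contains the misconfiguration the alert describes: both a
# CNAME and a TXT record on the validation name.
SAMPLE_ZONE = """
example.com.                   300 IN A     192.0.2.10
_acme-challenge.example.com.   300 IN CNAME validation.placeholder-provider.example.
_acme-challenge.example.com.   300 IN TXT   "constructed-challenge-token"
www.example.com.               300 IN CNAME example.com.
"""

# Constructed clean variant: only one record type on the validation name.
CLEAN_ZONE = """
example.com.                   300 IN A     192.0.2.10
_acme-challenge.example.com.   300 IN CNAME validation.placeholder-provider.example.
"""

# owner-name, optional TTL, optional class, record type, rdata
RR_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$')


def parse_zone(text):
    """Return {owner_name: {rrtype: [rdata, ...]}} from zone-file style lines.

    Owner names are lower-cased and stripped of the trailing dot so that
    'Example.COM.' and 'example.com' are treated as the same name.
    """
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):  # skip blanks and comments
            continue
        match = RR_LINE.match(line)
        if not match:
            continue  # not a resource record line; ignore
        name, rrtype, rdata = match.groups()
        records[name.lower().rstrip('.')][rrtype].append(rdata.strip())
    return records


def find_validation_conflicts(records, label='_acme-challenge'):
    """Return (name, reason) pairs for validation names that cannot validate.

    `label` is assumed to be the validation record's leftmost label; adjust it
    to whatever your certificate interface instructs you to create.
    """
    problems = []
    for name, by_type in records.items():
        if name != label and not name.startswith(label + '.'):
            continue
        types = set(by_type)
        if 'CNAME' in types and 'TXT' in types:
            problems.append((name, 'both CNAME and TXT present; keep only one'))
        elif 'CNAME' in types and len(types) > 1:
            others = ', '.join(sorted(types - {'CNAME'}))
            problems.append((name, f'CNAME must stand alone; also found: {others}'))
    return problems


if __name__ == '__main__':
    for title, zone in (('sample', SAMPLE_ZONE), ('clean', CLEAN_ZONE)):
        found = find_validation_conflicts(parse_zone(zone))
        print(f'{title}: {found or "no conflicts"}')
```

Run it against an export of your zone (most DNS providers can export zone-file format) before requesting or renewing the certificate; an empty result means the validation name carries a single record type and the check described in the solution can succeed once the record propagates.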