ACM Certificate Validation Failure

This plugin subsides a task of great importance that includes detecting domains from AWS ACM service for which validation has failed. 

Risk Level: Low

Description: 

This plugin subsides a task of great importance that includes detecting domains from AWS ACM service for which validation has failed. 

PingSafe stresses the importance of configuring ACM-managed certificates to be DNS validated.

About the Service :

AWS Certificate Manager or ACM is an invaluable service that is aimed at simplifying and automating many of the conventional activities connected with SSL/TLS certification like creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect AWS websites and applications. This service is designed for companies who require a secure web presence using TLS.

Impact : 

If validation of ACM Certificates fails, the certificates will become invalid and we will have to request new SSL/TLS certificates. This will undoubtedly cause interference with services and applications. We won’t be able to provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. Moreover, secure network communications cannot be established in the absence of the same.

Steps to reproduce :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. In this tab, we can view the status of the Certificates by clicking on Show/Hide Details button.
  4. In the status tab, we can monitor the status of a certificate, whether it’s validated, invalid or its validation is pending.
  5. We can clearly see the status of our certificate shows pending validation. Similarly, it may show that the validation failed. 

Steps for remediation :

  1. Login to your AWS console.
  2. Navigate to the AWS ACM dashboard.
  3. The next step is to select the SSL/TLS certificate whose validation failed.
  4. One of the possible solutions is to resend the validation email which can be done by clicking on the Action button from the dashboard top menu and when we try to select the Resend validation email option from the dropdown menu we can observe that it is not possible because the certificate does not have DNS validation options.
  5. Hence, we can delete the invalidated certificate to resolve the issue.

PingSafe hence strongly recommends ensuring that the DNS validation is in place.

 

References: