AWS Certificate Manager (ACM) is a service that simplifies the process of managing SSL/TLS certificates for your AWS resources. It provides an easy way to deploy, manage, and renew certificates for use with AWS services.

    This guide explains how to identify issues that can arise with ACM, describes their common causes, and offers practical advice for resolving them.


    How Monitoring Works

    ACM automates the process of provisioning, deploying, and managing SSL/TLS certificates for AWS services such as Elastic Load Balancers, CloudFront distributions, and API Gateways. It handles Amazon-issued certificate issuance, renewal, and integration with AWS resources, simplifying the management of secure connections within your infrastructure.

    It's important to recognize the distinction between two categories of ACM Certificates: Amazon-issued certificates and imported certificates. BlueMatador offers alerts for discrepancies detected in both categories, ensuring comprehensive monitoring and notification coverage for all types of certificates within your AWS environment.


    Certificate Not Renewed

    Even with automatic renewal configured for ACM certificates, a certificate can still expire unexpectedly. Possible reasons include insufficient IAM permissions for ACM to perform the renewal, DNS resolution issues that prevent the domain validation required for renewal, or transient network issues that disrupt the renewal process.

    Possible Causes

    • IAM permissions are insufficient for ACM to renew certificates.
      • Verify domain ownership through email validation or DNS record validation.
    • DNS resolution failure for domain validation.
      • Ensure that the domain specified in the certificate request matches the domain's DNS records.
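
A renewal triage over ACM DescribeCertificate output, as an added example that is not BlueMatador's or AWS's own code. The field names follow the DescribeCertificate response; the function names, the 30-day warning window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def renewal_findings(cert, now, warn_days=30):
    """Findings for one 'Certificate' dict as returned by ACM DescribeCertificate."""
    findings = []
    not_after = cert.get("NotAfter")
    expiring = not_after is not None and not_after - now <= timedelta(days=warn_days)
    if expiring:
        days = (not_after - now).days
        findings.append("expired" if not_after <= now else f"expires in {days} days")
    if cert.get("Type") == "IMPORTED":
        # Managed renewal does not apply to imported certificates.
        if expiring:
            findings.append("imported: no managed renewal, re-import required")
        return findings
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        in_use = len(cert.get("InUseBy", []))
        findings.append(f"ineligible for managed renewal (in use by {in_use} resources)")
    summary = cert.get("RenewalSummary", {})
    status = summary.get("RenewalStatus")
    if status in ("FAILED", "PENDING_VALIDATION"):
        findings.append(f"renewal status {status}")
    for opt in summary.get("DomainValidationOptions", []):
        if opt.get("ValidationStatus") != "SUCCESS":
            findings.append(f"{opt.get('DomainName')}: {opt.get('ValidationMethod')} "
                            f"validation {opt.get('ValidationStatus')}")
    return findings

def triage(certs, now, warn_days=30):
    """Map CertificateArn -> findings, keeping only certificates that need action."""
    report = {c["CertificateArn"]: renewal_findings(c, now, warn_days) for c in certs}
    return {arn: f for arn, f in report.items() if f}

# Constructed sample records (not real ARNs or domains).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/"
SAMPLE = [
    {"CertificateArn": ARN + "example-a", "Type": "AMAZON_ISSUED",
     "NotAfter": datetime(2024, 6, 15, tzinfo=timezone.utc),
     "RenewalEligibility": "ELIGIBLE",
     "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION", "DomainValidationOptions": [
         {"DomainName": "app.example.com", "ValidationMethod": "DNS",
          "ValidationStatus": "PENDING_VALIDATION"}]}},
    {"CertificateArn": ARN + "example-b", "Type": "IMPORTED",
     "NotAfter": datetime(2024, 6, 20, tzinfo=timezone.utc)},
    {"CertificateArn": ARN + "example-c", "Type": "AMAZON_ISSUED",
     "NotAfter": datetime(2025, 1, 1, tzinfo=timezone.utc),
     "RenewalEligibility": "ELIGIBLE"},
]

if __name__ == "__main__":
    for arn, items in triage(SAMPLE, NOW).items():
        print(arn, "->", "; ".join(items))
```

Against a live account, the same dicts come from boto3's `describe_certificate(CertificateArn=...)["Certificate"]`, which returns `NotAfter` as a timezone-aware datetime.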


    Import Failure

    A certificate import into ACM can fail for several reasons. One potential cause is an inconsistency in the certificate format, where the certificate being imported does not adhere to the expected PEM or DER format supported by ACM. Insufficient permissions or misconfigured IAM policies may also restrict the ability to import certificates into ACM. Discrepancies in the certificate chain or incomplete certificate bundles can lead to import failures as well.

    Possible Causes

    • Incorrect certificate format.
      • Verify that the certificate is in the correct format (PEM or DER).
    • Insufficient permissions to import certificates.
      • Ensure IAM permissions include the acm:ImportCertificate action.