Learning from the LoL (League of Legends) certificate expiration issue: How AWS ACM automatic renewal works
Introduction
On January 4, 2026, the MOBA game League of Legends (LoL) experienced a major outage due to an expired SSL certificate.
In this article, I will summarize the incident and introduce the automatic certificate renewal mechanism using AWS Certificate Manager (ACM).
Incident Timeline
On January 4, 2026, the SSL certificate used by the LoL game client expired, preventing players worldwide from connecting to game servers.
In fact, a similar incident had occurred in 2016, and the certificate issued at that time expired exactly 10 years later.
Certificate Details
| Field | Value |
|---|---|
| Common Name (CN) | rclient |
| Issued By | LoL Game Engineering Certificate Authority |
| Issued On | Thursday, January 7, 2016 at 9:03:33 PM |
| Expires On | Sunday, January 4, 2026 at 9:03:33 PM |
| Valid Period | About 10 years |
Why Everyone Lost Connection
In SSL/TLS communication, the client side checks the certificate's validity period.
An expired certificate is deemed "untrustworthy," and the connection is rejected.
Client-side verification flow:
1. Receive certificate from server
2. Check expiration date → If expired, fail
3. Reject connection (no exceptions)
While browsers might offer a "Continue anyway" option, game clients don't have such bypasses.
How Certificates Are Managed in AWS ACM
AWS Certificate Manager (ACM) is a managed service for issuing, managing, and automatically renewing SSL/TLS certificates.
Official documentation: Managed certificate renewal in AWS Certificate Manager
Automatic Renewal Conditions
For ACM to automatically renew certificates, the following conditions must be met:
| Condition | Description |
|---|---|
| Use DNS validation | Issue certificates using DNS validation, not email validation |
| Validation record exists | CNAME records remain in Route 53 or other DNS |
| Attached to AWS services | In use with ELB, CloudFront, API Gateway, etc. |
If these conditions are met, ACM automatically initiates the renewal process 60 days before expiration.
Comparison with Manual Management
| Item | Manual Management (Riot's case) | ACM Automatic Renewal |
|---|---|---|
| Renewal trigger | Human must remember | Automatic (starts 60 days before expiration) |
| Human error risk | High | Nearly zero |
| Certificate deployment | Manual placement on servers | Deployed automatically to the attached AWS services |
| Cost | Paid CA + labor costs | ACM public certificates are free |
Let's Actually Test It Manually
New certificates have a validity period of about 13 months, so we can't reproduce an expiration, but we can confirm the flow from certificate issuance to becoming eligible for automatic renewal in ACM.
Prerequisites
- A test domain in Route 53
- API Gateway (REST API) already created (steps omitted)
Step 1: Request a Certificate in ACM
- Open Certificate Manager in the AWS console
- Click Request a certificate
- Select Request a public certificate
- Enter domain name (e.g., example.com, *.example.com)
- Select DNS validation as the validation method
- Click Request



Step 2: Complete DNS Validation
On the certificate details screen, clicking Create records in Route 53 will automatically add CNAME validation records to Route 53.
After a short wait, the Status will change to Success.




Step 3: Check Certificate Renewal Status
At this point, the certificate is not yet linked to any AWS service, so it's not eligible for automatic renewal.
Renewal eligibility: Ineligible

Step 4: Link Certificate to API Gateway
Open Custom domain names in the API Gateway console and press the Add domain name button.
In the detailed settings screen, select ACM certificate.

Step 5: Confirm Automatic Renewal Eligibility
After linking to API Gateway, check the certificate in the ACM console and note the status change.
Renewal eligibility: Eligible

Now, ACM will automatically renew the certificate starting 60 days before its expiration date.
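The console checks in Steps 3 and 5, together with the renewal conditions listed earlier, can be scripted as an audit. The following is an added example, not code from the original article or from AWS: it reads dictionaries shaped like the `Certificate` object returned by ACM's DescribeCertificate API (for example via boto3's `describe_certificate`) and reports why a certificate would not renew. The sample certificates, ARNs, the fixed clock and the helper names `audit_certificate`, `make_cert` and `audit_all` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=60)  # ACM starts renewal 60 days before expiry

def audit_certificate(cert, now):
    """Return findings for one 'Certificate' dict from ACM DescribeCertificate."""
    findings = []
    # Condition 1: every domain uses DNS validation, not email validation.
    methods = {o.get("ValidationMethod") for o in cert.get("DomainValidationOptions", [])}
    if methods != {"DNS"}:
        findings.append("validation method is not DNS for every domain")
    # Condition 3: the certificate is attached to an AWS service.
    if not cert.get("InUseBy"):
        findings.append("not attached to any AWS service")
    # ACM's own verdict (the console's "Renewal eligibility" field).
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append(f"RenewalEligibility={cert.get('RenewalEligibility')}")
    # Condition 2 surfaces late: inside the window, a renewal that is absent or stuck needs a human.
    left = cert["NotAfter"] - now
    status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    if left < timedelta(0):
        findings.append("EXPIRED")
    elif left <= RENEWAL_WINDOW and status in (None, "PENDING_VALIDATION", "FAILED"):
        findings.append(f"{left.days} days left, renewal status {status}")
    return findings

def make_cert(name, in_use, eligibility, days_left, now, renewal_status=None):
    """Build a constructed sample; ARNs below are placeholders, not real resources."""
    return {
        "CertificateArn": f"arn:aws:acm:us-east-1:111122223333:certificate/{name}",
        "DomainValidationOptions": [{"DomainName": "example.com", "ValidationMethod": "DNS"}],
        "InUseBy": ["constructed-consumer-resource-arn"] if in_use else [],
        "RenewalEligibility": eligibility,
        "NotAfter": now + timedelta(days=days_left),  # boto3 returns a datetime here
        **({"RenewalSummary": {"RenewalStatus": renewal_status}} if renewal_status else {}),
    }

NOW = datetime(2026, 1, 4, tzinfo=timezone.utc)  # fixed clock for a repeatable run
SAMPLES = [  # constructed data, not real certificates
    make_cert("step3-unattached", False, "INELIGIBLE", 390, NOW),
    make_cert("step5-attached", True, "ELIGIBLE", 390, NOW),
    make_cert("cname-deleted", True, "ELIGIBLE", 30, NOW, "PENDING_VALIDATION"),
]

def audit_all(certs, now):
    return {c["CertificateArn"].rsplit("/", 1)[1]: audit_certificate(c, now) for c in certs}

if __name__ == "__main__":
    print(audit_all(SAMPLES, NOW))
```

The third sample models a certificate that is still marked eligible but whose renewal is stuck in `PENDING_VALIDATION`, which is how a missing validation record shows up once the 60-day window has opened.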
Conclusion
With AWS ACM, once a DNS-validated certificate is attached to an AWS service, keeping the DNS validation records in place is all you need for automatic certificate renewal. By automating certificate management, you can significantly reduce the risk of outages due to human error.
