Why did my ACM certificate request fail?

Last updated: 2022-06-21

I requested a public certificate from AWS Certificate Manager (ACM), but the request failed. How can I troubleshoot this?

Short description

To troubleshoot failed ACM certificate requests, check the following:

  • Available contacts
  • Unsafe domains
  • Additional verification required
  • Public domains that aren't valid
  • Amazon-owned domains

Resolution

Available contacts

If you used email validation to request the certificate, then make sure that:

  • You have a working email address that is registered in WHOIS and that the address is visible with a WHOIS lookup.
  • Your domain is configured to receive email. Your domain's name server must have a mail exchanger record (MX record) so ACM's email servers know where to send the domain validation email.

For more information, see Error message: No Available Contacts.

Unsafe domains

If the requested certificate contains at least one domain in its domain scope that was reported as unsafe by VirusTotal, the certificate request fails. To correct the issue, do the following:

  • Search for your domain name on the VirusTotal website to see if it's reported as suspicious.
  • If you believe that the result is a false positive, then notify the organization that is reporting the domain. VirusTotal is an aggregate of several antivirus and URL scanners and can't remove your domain for you.

After you correct the problem and the VirusTotal registry is updated, request a new public certificate.

For more information, see Error message: Domain Not Allowed.

Additional verification required

ACM requires additional verification as a fraud-protection measure if your domain ranks within the Alexa top 1000 websites.

Use the AWS Support Center to contact AWS Support. AWS Support will assist you with adding your domains to an allow list. For more information, see Error message: Additional Verification Required.

Public domains that aren't valid

If the requested certificate includes a public domain that isn't valid, then the certificate request fails with the following error:

"One or more domain names is not a valid public domain."

Request a new certificate, and then make sure that the top-level domains of all domains specified in the certificate’s domain scope are valid.

Amazon-owned domains

If the requested certificate includes an Amazon-owned domain, such as those ending in amazonaws.com, then the certificate request will fail with the following error:

"Additional verification required to request certificates for one or more domain names in this request."

Request a new certificate with a domain name that isn't owned by Amazon. For more information, see Error message: Additional Verification Required.
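The following is an added example, not part of the original article or AWS code: it reads the Status and FailureReason fields of an ACM DescribeCertificate response and points to the matching section above, listing the domain names to check. The function names are hypothetical, and the mapping of failure codes to sections (including treating Amazon-owned domains as a case of ADDITIONAL_VERIFICATION_REQUIRED) is an assumption based on the error message names this article cites.

```python
# Added example (not from the AWS article): map a failed request to the sections above.
AMAZON_SUFFIX = "amazonaws.com"  # the article's example of an Amazon-owned domain

SECTION_BY_REASON = {  # FailureReason codes returned by ACM DescribeCertificate
    "NO_AVAILABLE_CONTACTS": "Available contacts",
    "DOMAIN_NOT_ALLOWED": "Unsafe domains",
    "ADDITIONAL_VERIFICATION_REQUIRED": "Additional verification required",
    "INVALID_PUBLIC_DOMAIN": "Public domains that aren't valid",
}

def is_amazon_owned(name):
    name = name.lower().rstrip(".")
    return name == AMAZON_SUFFIX or name.endswith("." + AMAZON_SUFFIX)

def triage(response):
    """Return (section, domains_to_check) for a DescribeCertificate response,
    or None when the certificate is not in the FAILED state."""
    cert = response["Certificate"]
    if cert.get("Status") != "FAILED":
        return None
    reason = cert.get("FailureReason", "OTHER")
    names = sorted({cert["DomainName"], *cert.get("SubjectAlternativeNames", [])})
    section = SECTION_BY_REASON.get(reason, "Not covered here: " + reason)
    if reason == "ADDITIONAL_VERIFICATION_REQUIRED":
        owned = [n for n in names if is_amazon_owned(n)]
        if owned:  # assumed to share this failure code; the fix is to drop these names
            return "Amazon-owned domains", owned
    if reason == "NO_AVAILABLE_CONTACTS":
        # Only email-validated names depend on WHOIS contacts and MX records.
        names = [o["DomainName"] for o in cert.get("DomainValidationOptions", [])
                 if o.get("ValidationMethod") == "EMAIL"] or names
    return section, names

def fetch(certificate_arn):
    """Live lookup; needs boto3 and AWS credentials (not used by the sample below)."""
    import boto3
    return boto3.client("acm").describe_certificate(CertificateArn=certificate_arn)

# Constructed sample response, trimmed to the fields used above.
SAMPLE = {"Certificate": {
    "DomainName": "www.example.com",
    "SubjectAlternativeNames": ["www.example.com", "example.amazonaws.com"],
    "Status": "FAILED",
    "FailureReason": "ADDITIONAL_VERIFICATION_REQUIRED",
}}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To check a real request, pass the result of `fetch()` with your certificate ARN to `triage()`.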