I requested a new AWS Certificate Manager (ACM) certificate and validated my domain names, but the status is still pending validation. Why is the status pending validation, and how do I resolve this?

There are two ways that you can validate your domain names using ACM: email validation and DNS validation.

Depending on the method you choose, the status might be pending for different reasons.

Use Email to Validate Domain Ownership

If you use email to validate domain ownership when you request your ACM certificate, the status is pending validation until all domains listed in the certificate are successfully validated. If you have multiple domains in your certificate, you must complete the validation steps included in the email for at least one email address for each domain set. For more information, see "I didn't receive a validation email for the SSL certificate I requested through AWS Certificate Manager."

If you don't have access to the email addresses listed for your domains within WHOIS, your TLD isn't supported by WHOIS, your domain is using privacy protection, or you haven't configured a mail server for your domain, you can configure Amazon SES and Amazon SNS to receive the AWS Certificate Manager domain validation email, or configure email for your domain. For more information, see Troubleshoot Email Problems.

Use DNS to Validate Domain Ownership

If you use DNS to validate domain ownership, ACM provides a CNAME record that you must type into the DNS configuration for your domain. After you update your DNS configuration, you might need to wait up to several hours for your DNS provider to propagate the record and for ACM to validate your domains.

Example CNAME record (name and value):

Name: _a0f45be964388dbf29f00bebb89fd2a5.example.com
Value: _37a1fdb34683d98d4390b0a6d28b4e27.acm-validations.aws

If the certificate status is still pending validation, confirm that you correctly typed the CNAME record and that the CNAME record propagated. To confirm that the record propagated, run a command similar to the following:

     dig TXT +short +noshort record-name

Note: Replace record-name with the name provided within your CNAME record.

After the CNAME record propagates, the output of the command returns the CNAME record's value and the TXT record. If the record didn't propagate, you can lower the record's TTL for faster propagation.

If you configured Amazon Route 53 as your DNS service, ACM provides the option to automatically write the CNAME record to your hosted zone. If AWS isn't your domain registrar, the authoritative name servers for your domain might be different than the name servers associated with the hosted zone where the CNAME record was created. If the name servers are different, or if you use a third-party DNS provider that is different than your registrar, update your domain's authoritative name servers to match the hosted zone, or create the CNAME record in the appropriate DNS configuration. If you use a third-party DNS provider, contact your provider to confirm that there are no additional steps required to update and then propagate your domain records.

Verify that all the domains are successfully validated

For both email validation and DNS validation, verify that all the domains are successfully validated:

  1. Open the AWS Certificate Manager console.
  2. Choose the certificate to expand the Details pane.
  3. Next to the Domain, review the Validation status.

You can also use the AWS Command Line Interface (AWS CLI) to view the validation status:

  aws acm describe-certificate --certificate-arn full-arn

Note: Replace full-arn with the ARN of the certificate.

Example email validation output:

"DomainValidationOptions": [
    {
        "ValidationEmails": [
            "hostmaster@example.com",
            "postmaster@example.com",
            "admin@example.com",
            "administrator@example.com",
            "webmaster@example.com"
        ],
        "ValidationStatus": "SUCCESS",
        "ValidationDomain": "example.com",
        "DomainName": "example.com"
    }
]

Example DNS validation output:

"DomainValidationOptions": [
    {
        "ValidationStatus": "SUCCESS",
        "DomainName": "example.com"
    }
]
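The following is an added example, not part of the original AWS article: a Python sketch that reads describe-certificate output, lists every domain that has not reached SUCCESS together with the CNAME that ACM expects, and compares that value with answers copied from dig. The sample JSON is constructed; the ResourceRecord and ValidationMethod fields, the helper names, and the placeholder record for www.example.com are assumptions that do not appear in the output shown above.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# The first record reuses the example CNAME from this page; the second
# uses made-up placeholder labels.
SAMPLE = json.loads("""
{"Certificate": {"DomainValidationOptions": [
  {"DomainName": "example.com", "ValidationMethod": "DNS",
   "ValidationStatus": "SUCCESS",
   "ResourceRecord": {"Type": "CNAME",
     "Name": "_a0f45be964388dbf29f00bebb89fd2a5.example.com.",
     "Value": "_37a1fdb34683d98d4390b0a6d28b4e27.acm-validations.aws."}},
  {"DomainName": "www.example.com", "ValidationMethod": "DNS",
   "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Type": "CNAME",
     "Name": "_placeholder-name.www.example.com.",
     "Value": "_placeholder-value.acm-validations.aws."}}
]}}
""")


def fqdn(name):
    """Normalise a DNS name so a trailing dot or letter case never causes a false mismatch."""
    return name.strip().rstrip(".").lower()


def pending_validations(describe_output):
    """List every domain on the certificate that has not reached SUCCESS."""
    options = describe_output["Certificate"].get("DomainValidationOptions", [])
    pending = []
    for opt in options:
        if opt.get("ValidationStatus") == "SUCCESS":
            continue
        record = opt.get("ResourceRecord", {})  # assumed absent for email validation
        pending.append({
            "domain": opt["DomainName"],
            "method": opt.get("ValidationMethod"),
            "status": opt.get("ValidationStatus"),
            "cname_name": fqdn(record.get("Name", "")),
            "cname_value": fqdn(record.get("Value", "")),
        })
    return pending


def cname_published(entry, dig_answers):
    """True if any CNAME target returned by dig equals the value ACM expects."""
    expected = entry["cname_value"]
    return bool(expected) and expected in {fqdn(a) for a in dig_answers}
```

To use it with a real certificate, load the JSON printed by the describe-certificate command above in place of SAMPLE, and pass the CNAME targets that dig returns for each cname_name to cname_published.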


Published: 2018-05-29