Why is my AWS Certificate Manager (ACM) certificate DNS validation status still pending validation?

Last updated: 2019-08-27

I requested a new AWS Certificate Manager (ACM) certificate using DNS validation, but the status is still pending validation.

Short Description

When you request an ACM certificate using DNS validation, ACM gives you a CNAME record that you must add to your DNS configuration. ACM uses the CNAME record to validate ownership of domains. After domains are successfully validated, the certificate status updates from Pending validation to Issued. Certificate requests using DNS validation might remain in Pending validation if:

  • The CNAME record wasn’t added to the correct DNS configuration.
  • The CNAME record has additional characters or is missing characters.
  • The CNAME record was added to the correct DNS configuration, but the DNS provider automatically added the bare domain to the end of its DNS records.

For more information on DNS validation, see Use DNS to Validate Domain Ownership.

Resolution

The CNAME record wasn’t added to the correct DNS configuration

To confirm that the CNAME record has been added correctly to your DNS configuration, run a command similar to the following:

Note: Replace _example-cname.example.com with the name of your ACM CNAME record.

dig +short _example-cname.example.com

The dig command returns the CNAME record’s value in the output if the CNAME record has been added to the correct DNS configuration and propagated successfully.

Note: Some DNS providers can take 24–48 hours to propagate DNS records.

If your certificate is in the Pending validation state, you must confirm if the CNAME record provided by ACM was added to the correct DNS configuration. To determine which DNS configuration to add the CNAME record to, run a command similar to the following:

dig NS example.com

The dig command returns the name servers listed in the NS record of the correct DNS configuration. Be sure that you added the CNAME record to the DNS configuration (hosted zone) whose NS record contains the name servers shown in the output of the command; a record added to any other zone for the same domain is never seen by ACM.

For information on adding CNAME records to your Route 53 Hosted Zone, see Create Records by Using the Amazon Route 53 Console.

The CNAME record has additional characters or is missing characters

Be sure the CNAME record added to your DNS configuration contains no additional or missing characters in the name or value.

The CNAME record has been added to the correct DNS configuration, but the DNS provider automatically added the bare domain to the end of its DNS records

DNS providers might automatically add the bare domain to the end of the name field of all DNS records. In this scenario, the propagated CNAME record added to your DNS configuration is similar to the following:

_example-cname.example.com.example.com

The certificate request will remain in Pending validation until it eventually fails.

To determine if your DNS provider automatically added the bare domain to the end of the CNAME record, run a command similar to the following:

dig +short _example-cname.example.com.example.com

If the output returns the value of the CNAME record, then your DNS provider added the bare domain to the end of the name field of your DNS records.

To resolve this, edit your CNAME record and remove the bare domain from the text that you entered for the name field, so that the name field is similar to the following:

_example-cname

After your DNS provider adds the bare domain, there will only be one bare domain present.
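The three checks above, combined into one diagnostic, as an added example that is not part of the original article or of any AWS tooling. It assumes the CNAME name and value copied from the ACM console, the bare domain of the certificate, and a resolver callable; the default resolver is a constructed in-memory table standing in for `dig +short` output, and `dig_resolver` is an optional real lookup that assumes dig is installed.

```python
"""Classify why an ACM DNS-validation CNAME is not being found.

Possible results: 'ok', 'wrong-value' (extra or missing characters in the
value), 'bare-domain-appended' (provider doubled the zone name), 'missing'.
"""
from typing import Callable, Optional


def normalize(name: str) -> str:
    """DNS names are case-insensitive; trailing dots and whitespace are noise."""
    return name.strip().rstrip(".").lower()


# Constructed sample zone data (not real dig output): the provider appended
# the bare domain, so the record only answers under the doubled name.
SAMPLE_ZONE = {
    "_example-cname.example.com.example.com": "_placeholder-token.acm-validations.aws",
}


def table_resolver(name: str) -> Optional[str]:
    """Stand-in for `dig +short`: returns the CNAME target or None."""
    return SAMPLE_ZONE.get(normalize(name))


def dig_resolver(name: str) -> Optional[str]:
    """Real lookup via `dig +short` (assumes dig is on PATH); first line is the target."""
    import subprocess
    out = subprocess.run(["dig", "+short", name], capture_output=True, text=True).stdout
    lines = [line for line in out.splitlines() if line.strip()]
    return lines[0] if lines else None


def diagnose(cname_name: str, cname_value: str, bare_domain: str,
             resolve: Callable[[str], Optional[str]] = table_resolver) -> str:
    expected = normalize(cname_value)
    found = resolve(cname_name)
    if found is not None:
        # Record exists under the right name; check the value character for character.
        return "ok" if normalize(found) == expected else "wrong-value"
    # Not found under the right name: test the doubled name the article describes.
    doubled = f"{normalize(cname_name)}.{normalize(bare_domain)}"
    found = resolve(doubled)
    if found is not None and normalize(found) == expected:
        return "bare-domain-appended"
    return "missing"


if __name__ == "__main__":
    # Uses the constructed table; swap in dig_resolver for a live zone.
    print(diagnose("_example-cname.example.com",
                   "_placeholder-token.acm-validations.aws.", "example.com"))
```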