I requested a new AWS Certificate Manager (ACM) certificate and validated my domain names, but the status is still pending validation. Why is the status pending validation, and how do I resolve this?

There are two ways that you can validate your domain names using ACM: email validation and DNS validation.

Depending on the method you choose, the status might be pending validation for different reasons.

Using Email to Validate Domain Ownership

If you use email to validate domain ownership when you request your ACM certificate, the status is pending validation until all the domains listed in the certificate are successfully validated. If you have multiple domains in your certificate, you must complete the validation steps included in the email for at least one email address for each domain set. For more information, see "I didn't receive a validation email for the SSL certificate I requested through AWS Certificate Manager."

You can also configure Amazon SES and Amazon SNS to receive the ACM domain validation email or configure email for your domain if:

  • You don't have access to the email addresses listed for your domains within WHOIS.
  • Your top level domain isn't supported by WHOIS.
  • Your domain is using privacy protection.
  • You haven't configured a mail server for your domain.

For more information, see Troubleshoot Email Problems.

Using DNS to Validate Domain Ownership

If you use DNS to validate domain ownership, ACM provides a CNAME record that you must add to the DNS configuration for your domain. After you update your DNS configuration, wait for your DNS provider to propagate the record and for ACM to validate your domains (up to several hours).

Example CNAME record (name and value):

Name: _a0f45be964388dbf29f00bebb89fd2a5.example.com
Value: _37a1fdb34683d98d4390b0a6d28b4e27.acm-validations.aws

If the certificate status is still pending validation, confirm that you correctly typed the CNAME record and that the CNAME record propagated. To confirm that the record propagated, run a command similar to the following:

dig TXT +short +noshort record-name

Note: Replace record-name with the name provided within your CNAME record.

After the CNAME record propagates, the output of the command returns the value of the CNAME record as well as the TXT record. If the record didn't propagate, you can lower the record's TTL for faster propagation.

If you configure Amazon Route 53 as your DNS service, ACM provides the option to automatically write the CNAME record to your hosted zone. If AWS isn't your domain registrar, the name servers for your domain can be different from the name servers associated with the hosted zone where the CNAME record was created. If the name servers are different, or if you use a third-party DNS provider that is different from your registrar, update your domain's authoritative name servers to match the hosted zone, or create the CNAME record in the appropriate DNS configuration. If you use a third-party DNS provider, contact your provider to confirm that no additional steps are required to update and propagate your domain records.

For both email validation and DNS validation, verify that all the domains are successfully validated:

  1. Open the AWS Certificate Manager console.
  2. Choose the certificate to expand the Details pane.
  3. Next to the Domain, review the Validation status.

Note: It can take several hours for ACM to validate the domain name and issue the certificate. During this time, ACM shows the validation status as Pending validation.

You can also use the AWS Command Line Interface (AWS CLI) to view the validation status:

 aws acm describe-certificate --certificate-arn full-arn

Note: Replace full-arn with the ARN of the certificate.

For both email validation and DNS validation, if the CLI output shows "ValidationStatus": "SUCCESS", the certificates have been successfully validated.
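The two checks above (the DNS lookup and the describe-certificate status) can be combined to see which domain is holding a certificate in pending validation and why. This is an added example, not AWS code: the function names, the finding strings, and all sample data are assumptions, and the looked-up CNAME targets are passed in as a dictionary so that it runs offline.

```python
# Added example. All data below is constructed; only the example.com record
# name and value are the sample pair shown on this page.
MATCH = "CNAME matches; waiting for ACM"
MISMATCH = "CNAME value differs from the one ACM issued"
MISSING = "CNAME not found in DNS"

def _opt(domain, status, name, value):
    return {"DomainName": domain, "ValidationStatus": status, "ValidationMethod": "DNS",
            "ResourceRecord": {"Name": name, "Type": "CNAME", "Value": value}}

# Shaped like the JSON that `aws acm describe-certificate` prints.
SAMPLE = {"Certificate": {"DomainValidationOptions": [
    _opt("example.com", "PENDING_VALIDATION",
         "_a0f45be964388dbf29f00bebb89fd2a5.example.com.",
         "_37a1fdb34683d98d4390b0a6d28b4e27.acm-validations.aws."),
    _opt("www.example.com", "PENDING_VALIDATION",
         "_constructed1.www.example.com.", "_constructed1.acm-validations.aws."),
    _opt("api.example.com", "PENDING_VALIDATION",
         "_constructed2.api.example.com.", "_constructed2.acm-validations.aws."),
    _opt("shop.example.com", "SUCCESS",
         "_constructed3.shop.example.com.", "_constructed3.acm-validations.aws."),
]}}

# Constructed stand-in for the CNAME targets a DNS lookup returned (no network used).
OBSERVED = {
    "_A0F45BE964388DBF29F00BEBB89FD2A5.example.com":
        "_37a1fdb34683d98d4390b0a6d28b4e27.acm-validations.aws",
    "_constructed1.www.example.com": "_constructed9.acm-validations.aws.",
}

def norm(name):
    """DNS names are case-insensitive and may or may not carry a trailing dot."""
    return name.rstrip(".").lower()

def pending_report(describe_output, observed):
    """Map each domain that is not yet validated to why it is likely still pending."""
    seen = {norm(k): norm(v) for k, v in observed.items()}
    report = {}
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        if opt["ValidationStatus"] == "SUCCESS":
            continue
        record = opt["ResourceRecord"]
        target = seen.get(norm(record["Name"]))
        if target is None:
            report[opt["DomainName"]] = MISSING
        elif target != norm(record["Value"]):
            report[opt["DomainName"]] = MISMATCH
        else:
            report[opt["DomainName"]] = MATCH
    return report
```

A domain reported as missing or mismatched points to a mistyped record or a record created in a zone that isn't authoritative for the domain; a match means the remaining wait is on ACM.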

Published: 2018-05-29

Updated: 2019-03-25