Why is the CNAME record not resolving for my ACM issued certificate and the DNS validation status is still pending validation?


I requested a new AWS Certificate Manager (ACM) certificate using DNS validation. However, the CNAME record isn't resolving and the status is still pending validation.

Short description

When you request an ACM certificate using DNS validation, ACM gives you a CNAME record for each domain name in the certificate's domain scope. You must add each CNAME record to the DNS zone that is authoritative for that domain. ACM queries public DNS for the CNAME records to validate ownership of the domains. When a domain is validated, its validation status changes from Pending validation to Success; after all domains are validated, the certificate status changes from Pending validation to Issued.

Certificate requests using DNS validation might remain in Pending validation if:

  • The CNAME record isn’t added to the correct DNS configuration.
  • The CNAME record has additional characters or is missing characters.
  • The CNAME record is added to the correct DNS configuration, but the DNS provider automatically appends the bare domain to the name field of its DNS records.
  • A CNAME record and a TXT record exist for same domain name.

Note: ACM checks for the DNS record on its own schedule. You can't trigger a check manually, so after you correct a record, allow time for the next check to run.

For more information, see DNS validation.

Resolution

The CNAME record isn’t added to the correct DNS configuration

To confirm that the CNAME record was added correctly to your DNS configuration, run a command similar to the following:

Note: Replace _example-cname.example.com with the name of the CNAME record that ACM provided for your domain.

Linux and macOS:

dig +short CNAME _example-cname.example.com

Windows:

nslookup -type=cname _example-cname.example.com

If the CNAME record was added to the correct DNS configuration and has propagated, the command returns the record's value (a name under acm-validations.aws). An empty answer means the record isn't visible in public DNS yet.

Note: Some DNS providers can take 24–48 hours to propagate DNS records.

If your certificate is still in the Pending validation state, confirm that the CNAME record provided by ACM was added to the DNS zone that is authoritative for the domain. To find the name servers that serve that zone, run a command similar to the following:

Linux and macOS:

dig NS example.com

Windows:

nslookup -type=ns example.com

The command returns the name servers that the domain is delegated to. The CNAME record must be added to the zone hosted on those name servers, because ACM only sees records that they serve. A common mistake is to add the record to a zone with the same name at a different provider (for example, a Route 53 hosted zone when the registrar still delegates the domain to the registrar's own name servers). Be sure that the NS records of the zone you edited match the name servers in the command's output.

For information on adding CNAME records to your Amazon Route 53 Hosted Zone, see Creating records by using the Route 53 console.

Note: It isn't possible to validate ownership of a domain when the corresponding CNAME record is in a Route 53 private hosted zone, because ACM resolves the record through public DNS. The CNAME record must be in a public hosted zone.

The CNAME record has additional characters or is missing characters

Be sure that the CNAME record added to your DNS configuration has no additional or missing characters in either the name or the value. Copy both fields from the ACM console (or from the aws acm describe-certificate output) rather than retyping them, and compare the published record from the dig or nslookup output with the values ACM shows.

The CNAME record is added to the correct DNS configuration, but the DNS provider automatically adds the bare domain to the end of its DNS records

Some DNS providers might automatically add the bare domain to the end of the name field of all DNS records. In this scenario, the propagated CNAME record added to your DNS configuration is similar to the following:

_example-cname.example.com.example.com

Because the CNAME record name doesn't match the one provided by ACM, validation doesn't succeed. The certificate remains in Pending validation and, if the record isn't corrected, the request times out 72 hours after the certificate was requested (the status changes to Validation timed out, and you must request a new certificate).

To determine if your DNS provider automatically added the bare domain to the end of the CNAME record, run a command similar to the following:

Linux and macOS:

dig +short _example-cname.example.com.example.com

Windows:

nslookup -type=cname _example-cname.example.com.example.com

If this query returns the CNAME record's value, then your DNS provider appended the bare domain to the name that you entered, so the record was published at the wrong name.

To resolve this issue, edit the CNAME record and enter only the host part of the name (for example, _example-cname) in the name field. After your DNS provider appends the bare domain, the published name contains the bare domain exactly once and matches the name that ACM provided.

A CNAME record and a TXT record exist for same domain name

To confirm if the CNAME record and TXT record exist for the same domain, run a command similar to the following:

Linux and macOS:

dig CNAME <cname_record_name>
dig TXT <cname_record_name>

Windows:

nslookup -type=CNAME <cname_record_name>
nslookup -type=TXT <cname_record_name>

Compare the ANSWER sections of the two commands. If the CNAME query and the TXT query each return a record owned by the same name (that is, a CNAME record and a TXT record exist at the same name), the zone violates RFC 1034, section 3.6.2, which requires that a name with a CNAME record have no other data. This malformed data keeps the certificate in the Pending validation state. To resolve this, delete the TXT record at that name.
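The checks in this article (NS delegation, exact record name and value, the doubled bare domain, and a TXT record sharing the CNAME's name) can be run as one pass. The following script is an added example written for this article, not an AWS tool. It assumes dig is on PATH for live lookups; the record names, values and name servers it embeds are constructed placeholders in the ACM shape, and a fake resolver over those constructed zones is used to exercise each failure mode offline.

```python
"""Diagnose why an ACM DNS-validation CNAME is still 'Pending validation'.

Added example, not AWS tooling. It automates the dig checks from the article:
NS delegation, exact name and value, the doubled bare domain, and a TXT record
coexisting with the CNAME (RFC 1034 section 3.6.2). Live lookups shell out to
`dig` (assumed on PATH); a fake resolver is provided for offline use.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# A resolver returns the rdata strings of records owned by exactly qname/rrtype.
Resolver = Callable[[str, str], List[str]]


def norm(s: str) -> str:
    """Canonical DNS comparison form: trimmed, no trailing dot, lowercase."""
    return s.strip().rstrip(".").lower()


def dig_resolver(qname: str, rrtype: str) -> List[str]:
    """Live lookup. `+noall +answer` prints one 'owner TTL IN TYPE rdata' line
    per record, so records reached only by following a CNAME are filtered out."""
    proc = subprocess.run(["dig", "+noall", "+answer", rrtype, qname],
                          capture_output=True, text=True, check=False)
    found = []
    for line in proc.stdout.splitlines():
        parts = line.split(None, 4)
        if (len(parts) == 5 and norm(parts[0]) == norm(qname)
                and parts[3].upper() == rrtype.upper()):
            found.append(norm(parts[4]))
    return found


def fake_resolver(records: Dict[Tuple[str, str], List[str]]) -> Resolver:
    """Offline resolver over a constructed zone: {(name, type): [rdata, ...]}."""
    table = {(norm(n), t.upper()): [norm(v) for v in vals]
             for (n, t), vals in records.items()}
    return lambda qname, rrtype: list(table.get((norm(qname), rrtype.upper()), []))


def diagnose(cname_name: str, cname_value: str, bare_domain: str,
             resolve: Resolver = dig_resolver) -> Tuple[str, str]:
    """Return (code, explanation). Codes: OK, NO_NS, BAD_NAME, CNAME_AND_TXT,
    VALUE_MISMATCH, DOUBLED_DOMAIN, MISSING."""
    name, value, domain = norm(cname_name), norm(cname_value), norm(bare_domain)

    # ACM queries the public DNS tree, so only the zone served by the domain's
    # delegated name servers counts (a Route 53 private hosted zone never will).
    ns = resolve(domain, "NS")
    if not ns:
        return "NO_NS", f"no public delegation found for {domain}"

    if not name.endswith("." + domain):
        return "BAD_NAME", f"{name} is not under {domain}; check the name for typos"
    host = name[: -(len(domain) + 1)]  # what to type into a provider that appends the domain

    answers = resolve(name, "CNAME")
    if answers:
        # RFC 1034 3.6.2: a name that owns a CNAME may own no other data.
        if resolve(name, "TXT"):
            return "CNAME_AND_TXT", f"delete the TXT record at {name}"
        if value in answers:
            return "OK", f"{name} -> {value} is served by {', '.join(ns)}; wait for ACM's next check"
        return "VALUE_MISMATCH", f"found {answers}, expected {value}; check for extra or missing characters"

    # The provider appended the bare domain to a name that already contained it.
    if resolve(f"{name}.{domain}", "CNAME"):
        return "DOUBLED_DOMAIN", f"record is published at {name}.{domain}; re-enter the name as just '{host}'"
    return "MISSING", f"no CNAME at {name} on {', '.join(ns)}; add it there and allow time to propagate"


# Constructed sample data in the ACM shape (placeholders, not real ACM output).
ACM_NAME = "_a1b2c3d4e5f6.example.com"
ACM_VALUE = "_f6e5d4c3b2a1.acm-validations.aws."
DOMAIN = "example.com"
NS = {(DOMAIN, "NS"): ["ns-1.awsdns-00.org.", "ns-2.awsdns-00.net."]}

SCENARIOS = {
    "ok": {**NS, (ACM_NAME, "CNAME"): [ACM_VALUE]},
    "doubled": {**NS, (ACM_NAME + ".example.com", "CNAME"): [ACM_VALUE]},
    "cname_and_txt": {**NS, (ACM_NAME, "CNAME"): [ACM_VALUE],
                      (ACM_NAME, "TXT"): ['"v=spf1 -all"']},
    "typo": {**NS, (ACM_NAME, "CNAME"): ["_f6e5d4c3b2a1.acm-validation.aws."]},
    "private_zone_only": {},  # nothing reachable in public DNS
}

if __name__ == "__main__":
    for label, zone in SCENARIOS.items():
        code, why = diagnose(ACM_NAME, ACM_VALUE, DOMAIN, fake_resolver(zone))
        print(f"{label:18s} {code:15s} {why}")
```

Call diagnose() with the CNAME name and value from the ACM console (or from aws acm describe-certificate) and the bare domain. The default resolver shells out to dig, so the result reflects what the public DNS tree serves, which is what ACM's periodic check sees. Running the file directly classifies each constructed scenario, including the doubled-domain and CNAME-plus-TXT cases described above.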

For more information, see Troubleshoot DNS validation problems.


Related information

Troubleshooting managed certificate renewal

Why is my certificate renewal still pending after I validated my domain names using the ACM managed renewal process?

Setting up DNS validation

AWS OFFICIAL (updated a year ago)

This tells you what to check, but it doesn't say what to do if any of the checks fail. This needs a "here's how you fix this" section.

derricw
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

If I do a dig +short to the correct entry (without the duplicated bare domain), it shows the correct record. But the ACM cert still shows Pending Validation. Is it correct that by 72 hrs, it should show the updated status in ACM?

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 10 months ago