Why didn't the CNAME record resolve for my ACM issued certificate and the DNS validation status is still "Pending validation"?


I used DNS validation to request a new AWS Certificate Manager (ACM) certificate for my domain. However, the CNAME record didn't resolve and the status is still "Pending validation".

Short description

DNS validation certificate requests might remain in the Pending validation state for the following reasons:

  • You didn't add the CNAME record to the correct DNS configuration.
  • The CNAME record includes additional characters or is missing characters.
  • You added the CNAME record to the correct DNS configuration, but the DNS provider automatically added the bare domain to the end of its DNS records.
  • A CNAME record and a TXT record exist for the same domain name.

Note: ACM periodically checks for the DNS record on its own schedule. You can't manually trigger that check.

For more information, see AWS Certificate Manager DNS validation.

Resolution

Note: Run the Linux and macOS commands in your machine's terminal. Or, run the Windows commands in PowerShell or cmd.

You didn't add the CNAME record to the correct DNS configuration

To check whether you added the CNAME record to the correct DNS configuration, run the following command:

Note: Replace _example-cname.example.com with the CNAME record name that ACM provides for your certificate.

Linux and macOS:

dig +short _example-cname.example.com

Windows:

nslookup -type=cname _example-cname.example.com

If you added the CNAME record to the correct DNS configuration and the record propagated, then the command output contains the CNAME record's value.

Note: Some DNS providers can take 24-48 hours to propagate DNS records.

If the preceding command didn't return an output, then add the CNAME record to the correct DNS configuration. To determine the DNS configuration that you must add the CNAME record to, run the following command:

Linux and macOS:

dig NS example.com

Windows:

nslookup -type=ns example.com

The output lists the name servers in the domain's NS record, that is, the DNS configuration that the public DNS tree actually delegates the domain to. Confirm that the DNS configuration (for example, the hosted zone) where you add the CNAME record is served by these name servers. If it isn't, then ACM can't see the record no matter how long you wait.

For information about how to add CNAME records to your Amazon Route 53 hosted zone, see Creating records by using the Amazon Route 53 console.

Note: When the CNAME record is in a Route 53 private hosted zone, you can't validate domain ownership. The CNAME record must be in a public hosted zone.

The CNAME record includes additional characters or is missing characters

If the CNAME record contains additional characters, then remove them. If characters are missing in the name or value, then add them.

You added the CNAME record to the correct DNS configuration, but the DNS provider automatically added the bare domain to the end of its DNS records

Some DNS providers might automatically add the bare domain to the end of the name field of all DNS records. The propagated CNAME record is similar to the following:

_example-cname.example.com.example.com

Because the CNAME record name doesn't match the one that ACM provides, the validation isn't successful. The ACM certificate remains in Pending validation until it fails 72 hours after the request.

To determine if your DNS provider automatically added the bare domain to the end of the CNAME record, run the following command:

Linux and macOS:

dig +short _example-cname.example.com.example.com

Windows:

nslookup -type=cname _example-cname.example.com.example.com

If the output returns the value of the CNAME record, then your DNS provider added the bare domain.

To resolve this issue, edit your CNAME record to remove the bare domain from the text that you entered for the name field.

After your DNS provider appends the bare domain to the edited name, the record name contains the domain only once and matches the name that ACM provides.

A CNAME record and a TXT record exist for the same domain name

To check whether a CNAME record and a TXT record exist for the same name, run the following commands:

Linux and macOS:

dig +short CNAME cname_record_name
dig TXT cname_record_name

Windows:

nslookup -type=CNAME cname_record_name
nslookup -type=TXT cname_record_name

If both commands return a record for the same name, then a CNAME record and a TXT record coexist at that name. DNS doesn't allow a CNAME record to share a name with any other record type, so the resulting malformed record keeps the certificate in the Pending validation state. To resolve this issue, delete the TXT record.

For more information, see Troubleshoot DNS validation problems.
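The following script is an added example and is not part of the AWS article. It runs the article's dig checks in one pass and names the failure mode (missing record, wrong value, bare domain appended, TXT conflict, or wrong delegation) so you know which of the preceding fixes to apply. It assumes dig is installed; the record name, value, and name servers in the usage comment are constructed placeholders to replace with the Name and Value that ACM shows for your certificate. The resolver is a hypothetical hook variable (RESOLVE) so the logic can be exercised against canned answers without network access.

```shell
#!/bin/sh
# Added example (not from the AWS article): classify why an ACM DNS-validation
# CNAME is not resolving. Record names, values, and name servers used in the
# usage comment are constructed placeholders.
set -u

# Resolver hook: "$RESOLVE" <TYPE> <name> prints record data one per line,
# exactly like `dig +short <TYPE> <name>`. It is a variable so the checks can
# be run against a canned resolver without network access.
dig_short() { dig +short "$1" "$2"; }
RESOLVE=${RESOLVE:-dig_short}

# Lower-case and drop the trailing dot dig prints, so comparisons are exact.
normalize() { tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# Print one of: ok, txt-conflict, wrong-value, bare-domain-appended, missing.
# Exit status is 0 only for "ok".
#   $1 = CNAME name from ACM (with the leading underscore)
#   $2 = CNAME value from ACM (_xxx.acm-validations.aws.)
#   $3 = bare domain of the zone, used to probe for a doubled suffix
acm_cname_status() {
  local name=$1 expected=$2 zone=$3
  local got txt doubled
  got=$("$RESOLVE" CNAME "$name" | normalize)
  txt=$("$RESOLVE" TXT "$name" | normalize)
  expected=$(printf '%s\n' "$expected" | normalize)

  # A CNAME can't share a name with any other record type; a TXT at the same
  # name (for example a leftover verification token) makes the CNAME malformed.
  if [ -n "$got" ] && [ -n "$txt" ]; then echo txt-conflict; return 1; fi
  if [ "$got" = "$expected" ]; then echo ok; return 0; fi
  if [ -n "$got" ]; then echo wrong-value; return 1; fi

  # Nothing at the expected name: did the provider append the bare domain?
  doubled=$("$RESOLVE" CNAME "$name.$zone" | normalize)
  if [ "$doubled" = "$expected" ]; then echo bare-domain-appended; return 1; fi
  echo missing; return 1
}

# Succeeds when the name servers the public DNS tree delegates the zone to are
# exactly the ones listed on the hosted zone you edited (passed as arguments).
# A mismatch means the CNAME went into a zone the registrar doesn't point at.
delegation_matches() {
  local zone=$1; shift
  local live expected
  live=$("$RESOLVE" NS "$zone" | normalize | sort)
  expected=$(printf '%s\n' "$@" | normalize | sort)
  [ "$live" = "$expected" ]
}

# Stand-alone use (placeholder values):
#   sh acm_dns_check.sh _abc.example.com _xyz.acm-validations.aws. example.com
if [ $# -eq 3 ]; then
  status=$(acm_cname_status "$1" "$2" "$3")
  echo "ACM CNAME check for $1: $status"
  echo "public delegation for $3:"
  "$RESOLVE" NS "$3"
fi
```

Run it with the three values from the ACM console; a result other than ok maps directly onto one of the sections above, and the delegation output is what you compare against the NS records on the hosted zone you edited.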

Related information

Troubleshoot managed certificate renewal

Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?

Setting up DNS validation

6 Comments

This tells you what to check, but it doesn't say what to do if any of the checks fail. This needs a "here's how you fix this" section.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT replied 2 years ago

If I do a dig +short to the correct entry (without the duplicated bare domain), it shows the correct record. But the ACM cert still shows Pending Validation. Is it correct that by 72 hours, it should show the updated status in ACM?

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR replied 2 years ago

Where should I run those commands? nslookup and dig?

replied 9 months ago

In my case, I had already transferred the domain from its previous registrar, but dig was still showing the old NS records even though I had created a hosted zone for the domain. I realized I had forgotten to update the NS records in Route53 itself. I found this under registered domains > mydomain > actions dropdown > "edit nameservers". I updated the NS servers to what the hosted zone for that domain had, and the ACM cleared seconds after.

replied 6 months ago