
ACM certificate stuck in “Pending validation” status despite correct DNS CNAME record in Route 53

0

Hi there,

I am requesting an ACM certificate for my domain (inkstream.cloud, and *.inkstream.cloud) in the us-east-1 region, for use with CloudFront.

I chose DNS validation and used the “Create records in Route 53” button to automatically add the CNAME validation record. I have manually verified in the Route 53 hosted zone that the required CNAME record exists and matches exactly what is shown in the ACM console. My domain is registered with Route 53, and nameservers are correctly set.

I also verified with the following dig command, and it shows the CNAME record as expected:

dig +short _1dd0e936db167a725adde184826073ad.inkstream.cloud. CNAME

_8bf2a5f205143738d1fcb8e79d0aac9b.xlfgrmvvlj.acm-validations.aws.

However, my ACM certificate status remains “Pending validation” after more than an hour.

Steps I’ve taken:

  • Used the ACM-provided "Create records in Route 53" button for DNS validation.
  • Double-checked the CNAME record name and value.
  • Confirmed with dig that the CNAME is visible globally.

My domain and DNS are both with Route 53.

[Screenshot: ACM Certificate]

[Screenshot: Route 53 Hosted Zone]

Questions:

Is there anything else I should check or try to trigger validation?

Are there known delays or issues with ACM validation at this time?

Any insights or suggestions would be appreciated, thanks!

2 Answers
0
Accepted Answer

Looking up your domain name on the public internet, a different set of Route 53 name servers is returned:

ns-417.awsdns-52.com
ns-586.awsdns-09.net
ns-1529.awsdns-63.org
ns-1979.awsdns-55.co.uk

In practice, that means that the zone in your screenshot is not the one to which the top-level .cloud domain has delegated your domain. That's why the CNAME records you added in the zone you're looking at don't have any effect on what clients, including AWS, see.

You should update the name servers with your domain name registrar to point to the name servers shown in the upper right-hand corner of the screenshot of your hosted zone view. It may take many hours for the change to propagate across all servers on the internet, but once that's happened, the ACM certificate validation will succeed.

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Yup that was it. I was juggling between the hosted zone created with the domain (with the right NS records) and a different one in another account, and I mistakenly copied the NS records from the second one to the first. Should have just used the NS records of the domain name itself to avoid any confusion. Thanks!
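The check the accepted answer performed by hand, as an added example that is not code from the thread or from AWS: it asks one of the TLD's own name servers which name servers the domain is delegated to, compares that set with the delegation set of the Route 53 hosted zone you edited, and then resolves the ACM validation CNAME through the delegated servers rather than through your local resolver. It assumes `dig` is installed, that the AWS CLI has access to the hosted zone (the zone id in the usage comment is a placeholder), and that the hosted-zone name servers come from `aws route53 get-hosted-zone`.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): is the Route 53 hosted zone I
# edited the zone the public DNS tree actually delegates to, and what does
# the ACM validation CNAME look like from the delegated name servers?
# Assumes: dig is installed and the AWS CLI can read the hosted zone.

# Normalise a whitespace-separated name-server list: lowercase, no trailing
# dot, no blank lines, sorted and de-duplicated, one server per line.
normalize_ns() {
  printf '%s\n' "$1" | tr -s '[:space:]' '\n' | tr '[:upper:]' '[:lower:]' \
    | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# Exit 0 only when both lists name exactly the same servers.
ns_sets_match() {
  [ "$(normalize_ns "$1")" = "$(normalize_ns "$2")" ]
}

# Name servers the parent zone (the TLD) delegates DOMAIN to. A TLD server is
# not authoritative for DOMAIN, so it answers with a referral and the NS set
# sits in the AUTHORITY section; +noall +authority prints only that section.
delegated_ns() {
  domain=${1%.}
  tld=${domain##*.}
  tld_server=$(dig +short NS "$tld." | head -n 1)
  dig +noall +authority @"$tld_server" NS "$domain" | awk '$4 == "NS" {print $5}'
}

# CNAME target of NAME as served by each delegated name server of DOMAIN.
# An empty answer from every server means ACM cannot see the record either.
validation_cname_via_delegation() {
  domain=$1; name=$2
  for ns in $(delegated_ns "$domain"); do
    printf '%s -> %s\n' "$ns" "$(dig +short @"$ns" CNAME "$name")"
  done
}

# Usage (hosted zone id is a placeholder):
#   sh check_delegation.sh inkstream.cloud Z0123456789EXAMPLE \
#      _1dd0e936db167a725adde184826073ad.inkstream.cloud.
if [ "$#" -ge 2 ]; then
  domain=$1; zone_id=$2; record=$3
  zone_ns=$(aws route53 get-hosted-zone --id "$zone_id" \
              --query 'DelegationSet.NameServers' --output text)
  public_ns=$(delegated_ns "$domain")
  if ns_sets_match "$zone_ns" "$public_ns"; then
    echo "OK: hosted zone $zone_id is the delegated zone for $domain"
  else
    echo "MISMATCH: $domain is delegated to:"; normalize_ns "$public_ns"
    echo "but hosted zone $zone_id uses:";     normalize_ns "$zone_ns"
    echo "Update the NS records at the registrar to the hosted zone's set."
  fi
  [ -n "$record" ] && validation_cname_via_delegation "$domain" "$record"
fi
```

A mismatch here is exactly the situation in the accepted answer: the CNAME exists, `dig` against your resolver may even return it if the resolver happens to reach the right zone, but the delegation points elsewhere, so ACM's lookup never sees the record until the registrar's NS set is corrected and the change propagates.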

-1

When an ACM certificate is stuck in "Pending validation" status despite having the correct CNAME records in Route 53, there are several things to consider.

First, it's important to know that while validation often completes quickly (within minutes), the process can take up to 72 hours before timing out. Since it's only been about an hour in your case, you may simply need to wait longer.

However, there are a few things you can check:

  1. Verify there are no Certification Authority Authorization (CAA) records that might be blocking certificate issuance for your domain.

  2. Ensure that all domains in your certificate request (both inkstream.cloud and *.inkstream.cloud) have their respective CNAME validation records properly set up.

  3. Check if there are any NS record conflicts. One common issue that can cause validation problems is having both NS records and other records (like CNAME records) for the same name. This can create conflicts in DNS resolution.

  4. Make sure your Route 53 hosted zone is properly configured with the correct nameservers for your domain.

  5. Confirm that the certificate is being requested in the correct region (us-east-1) for CloudFront usage.

Since you've already verified that the CNAME record is visible globally using dig, and you've used the "Create records in Route 53" button (which typically works seamlessly), it's possible that you just need to wait longer for the validation process to complete.

If the certificate remains in "Pending validation" status for more than 72 hours, it will time out, and you'll need to delete the failed request and create a new one. In that case, you might want to try manually adding the CNAME records instead of using the automatic button, just to rule out any potential issues with the automatic process.
Sources:

  • Troubleshoot certificate validation - AWS Certificate Manager
  • AWS Certificate Manager DNS validation - AWS Certificate Manager
  • Certificate Renewal Still Pending After Updating DNS Records | AWS re:Post
  • ACM Certificate Validation Pending indefinitely | AWS re:Post

answered 10 months ago
EXPERT
reviewed 10 months ago
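Item 1 of the answer above (CAA records blocking issuance) as an added example, not code from the thread or from AWS. CAA is evaluated by climbing from the requested name towards the root and using the first name that has any CAA records; for a wildcard name, `issuewild` entries take precedence over `issue` when present. The script assumes `dig` is installed, and the four CA identifiers are the ones the ACM documentation lists for Amazon-issued certificates.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): does the effective CAA policy
# for a name allow Amazon's CA to issue? Assumes dig is installed.

# CA identifiers ACM documents for Amazon-issued certificates.
AMAZON_CAA='amazon.com amazontrust.com awstrust.com amazonaws.com'

# Print the effective CAA record set for NAME: the records of the first name,
# walking from NAME up towards the TLD, that has any CAA records at all.
# Empty output means no CAA policy applies, so any CA may issue.
effective_caa() {
  name=${1%.}
  while :; do
    recs=$(dig +short CAA "$name.")
    [ -n "$recs" ] && { printf '%s\n' "$recs"; return 0; }
    case $name in
      *.*) name=${name#*.} ;;
      *)   return 0 ;;          # reached the TLD: no CAA anywhere in the chain
    esac
  done
}

# caa_permits RECORDS [wild]
# RECORDS is CAA text in dig +short form, e.g. 0 issue "amazon.com", one per
# line. Exit 0 if Amazon's CA may issue for a plain name, or for a wildcard
# name when the second argument is "wild"; exit 1 otherwise.
caa_permits() {
  records=$1; kind=$2
  [ -z "$records" ] && return 0          # no CAA records: issuance permitted
  tag=issue
  if [ "$kind" = wild ] && printf '%s\n' "$records" | grep -q 'issuewild'; then
    tag=issuewild                        # issuewild overrides issue for wildcards
  fi
  for ca in $AMAZON_CAA; do
    ca_re=$(printf '%s' "$ca" | sed 's/\./\\./g')
    # Match 0 issue "amazon.com" and also "amazon.com; param=value" forms.
    printf '%s\n' "$records" | grep -qE "^[0-9]+ $tag \"$ca_re[\";]" && return 0
  done
  return 1
}

# Usage: sh check_caa.sh inkstream.cloud     (checks both the apex and *.apex)
if [ "$#" -ge 1 ]; then
  recs=$(effective_caa "$1")
  if caa_permits "$recs"; then echo "CAA ok for $1"; else echo "CAA blocks $1"; fi
  if caa_permits "$recs" wild; then echo "CAA ok for *.$1"; else echo "CAA blocks *.$1"; fi
fi
```

When the effective set contains an `issue` or `issuewild` for another CA only (or the explicit `";"` value), ACM cannot issue, and the certificate stays pending until the CAA records are changed or removed.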
