AWS Certificate Manager (ACM) certificate request fail (verification)


Hi! I've got a domain that I have r53 configured to route to an AWS S3 bucket (static website), and it works under HTTP. I want to issue an SSL certificate to get it working under HTTPS with AWS CloudFront. When I use an ACM cert request with DNS validation, it instantly fails with the following message: "Additional verification required to request certificates for one or more domain names in this request." The "Learn more" button suggested opening a new thread here (as my support plan is basic).

asked 4 months ago, 205 views
2 Answers

Hi Igor,

The certificates issued by AWS Certificate Manager are provided by Certification Authorities (CAs) controlled by Amazon Trust Services (ATS). At the same time, a Subordinate CA of ATS is operated by DigiCert.

DigiCert complies with U.S.-imposed sanctions; DigiCert is legally prohibited or restricted from offering its products and services to specific countries or regions.

Due to this restriction, your certificate with a .RU TLD always gets a failure message. I suggest you buy the certificates from other CAs that are not controlled by the US government.

The list of restricted Russia and Belarus TLDs includes:
answered 4 months ago
reviewed 4 months ago

Hi, I have faced this issue in the past. It usually indicates that AWS needs more information to verify your ownership or control of the domain. This step is crucial for the security and integrity of issuing SSL/TLS certificates. You can validate the ownership as follows:

  • DNS Validation: ACM allows you to use DNS validation as a method to prove domain ownership. ACM will provide you with a CNAME record that you need to add to your domain's DNS configuration in Route 53. This method is preferred because it can automatically renew the certificate.
  • Email Validation: Alternatively, ACM can send validation emails to the email addresses associated with the domain registrant, as well as the standard addresses (admin@, administrator@, webmaster@, hostmaster@, and postmaster@ your domain name). Ensure you have access to one of these email addresses.

answered 4 months ago
  • I requested using DNS validation. It doesn't provide me with any DNS challenge; it just fails right after I press the "Request" button.

  • Please verify the below:
    • Domain Name: double-check the domain name for typos and ensure you control its DNS settings.
    • Service Limits: verify you haven't exceeded AWS Certificate Manager's limits for certificate requests.
    • IAM Permissions: make sure your IAM user or role has the necessary permissions for requesting certificates and managing DNS settings.
    • DNS Service Compatibility: if using a DNS provider outside AWS, ensure you can add the required CNAME record for DNS validation.
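As an added example (not part of this thread and not AWS's own code), a small Python helper that turns the output of `aws acm describe-certificate` into a Route 53 change batch for the validation CNAMEs the second answer describes, and surfaces the failure reason when, as in the question, ACM never hands out any records. The response shape and the `FailureReason` value follow the ACM DescribeCertificate API as I know it; the domain and record values are constructed.

```python
import json

# Constructed sample of a pending DNS-validated request (shape assumed from the
# ACM DescribeCertificate API; domain and record values are made up).
SAMPLE_PENDING = {"Certificate": {
    "DomainName": "www.example.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [{
        "DomainName": "www.example.com",
        "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {"Name": "_abc123.www.example.com.",
                           "Type": "CNAME",
                           "Value": "_xyz789.acm-validations.aws."}}]}}

# Constructed sample of a request that failed immediately, as in the question:
# no ResourceRecord is ever issued, only a FailureReason.
SAMPLE_FAILED = {"Certificate": {
    "DomainName": "www.example.com",
    "Status": "FAILED",
    "FailureReason": "ADDITIONAL_VERIFICATION_REQUIRED",
    "DomainValidationOptions": [{"DomainName": "www.example.com",
                                 "ValidationMethod": "DNS",
                                 "ValidationStatus": "FAILED"}]}}


def validation_change_batch(describe_output, ttl=300):
    """Build a Route 53 ChangeBatch that UPSERTs every CNAME ACM asks for.

    Raises RuntimeError with ACM's FailureReason if the request already failed,
    or if no DNS records have been issued yet (nothing to add to Route 53).
    """
    cert = describe_output["Certificate"]
    if cert.get("Status") == "FAILED":
        raise RuntimeError("ACM request failed: %s" % cert.get("FailureReason", "unknown"))
    seen, changes = set(), []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or rr is None:
            continue
        # A SAN list such as example.com plus *.example.com shares one CNAME;
        # de-duplicate so the change batch does not repeat the same record set.
        if (rr["Name"], rr["Value"]) in seen:
            continue
        seen.add((rr["Name"], rr["Value"]))
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    if not changes:
        raise RuntimeError("no DNS validation records issued yet; re-run describe-certificate")
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    # Write the batch to pass via --change-batch file://acm-validation.json
    print(json.dumps(validation_change_batch(SAMPLE_PENDING), indent=2))
```

Feed the real `describe-certificate` JSON in place of the sample and apply the printed batch with `aws route53 change-resource-record-sets --hosted-zone-id <your zone> --change-batch file://acm-validation.json`.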
