Troubleshoot DNS validation problems - Amazon Certificate Manager
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshoot DNS validation problems

Consult the following guidance if you are having trouble validating a certificate with DNS.

The first step in DNS troubleshooting is to check the current status of your domain with tools such as the following:

Underscores prohibited by DNS provider

If your DNS provider prohibits leading underscores in CNAME values, you can remove the underscore from the ACM-provided value and validate your domain without it. For example, the CNAME value _x2.acm-validations.aws can be changed to x2.acm-validations.aws for validation purposes. However, the CNAME name parameter must always begin with a leading underscore.

You can use either of the values on the right side of the table below to validate a domain.

Name

Type

Value

_<random value>.example.com.

CNAME

_<random value>.acm-validations.aws.

_<random value>.example.com.

CNAME

<random value>.acm-validations.aws.

Default trailing period added by DNS provider

Some DNS providers add by default a trailing period to the CNAME value that you provide. As a result, adding the period yourself causes an error. For example, "<random_value>.acm-validations.aws." is rejected while "<random_value>.acm-validations.aws" is accepted.

DNS validation on GoDaddy fails

DNS validation for domains registered with Godaddy and other registries may fail unless you modify the CNAME values provided by ACM. Taking example.com as the domain name, the issued CNAME record has the following form:

NAME: _ho9hv39800vb3examplew3vnewoib3u.example.com. VALUE: _cjhwou20vhu2exampleuw20vuyb2ovb9.j9s73ucn9vy.acm-validations.aws.

You can create a CNAME record compatible with GoDaddy by truncating the apex domain (including the period) at the end of the NAME field, as follows:

NAME: _ho9hv39800vb3examplew3vnewoib3u VALUE: _cjhwou20vhu2exampleuw20vuyb2ovb9.j9s73ucn9vy.acm-validations.aws.

ACM Console does not display "Create records in Route 53" button

If you select Amazon Route 53 as your DNS provider, Amazon Certificate Manager can interact directly with it to validate your domain ownership. Under some circumstances, the console's Create records in Route 53 button may not be available when you expect it. If this happens, check for the following possible causes.

  • You are not using Route 53 as your DNS provider.

  • You are logged into ACM and Route 53 through different accounts.

  • You lack IAM permissions to create records in a zone hosted by Route 53.

  • You or someone else has already validated the domain.

  • The domain is not publicly addressable.

Route 53 validation fails on private (untrusted) domains

During DNS validation, ACM searches for a CNAME in a publicly hosted zone. When it doesn't find one, it times out after 72 hours with a status of Validation timed out. You cannot use it to host DNS records for private domains, including resources in an Amazon VPC private hosted zone, untrusted domains in your private PKI, and self-signed certificates.

Amazon does provide support for publicly untrusted domains through the Amazon Private CA service.

Validation is successful but issuance or renewal fails

If certificate issuance fails with "Pending validation" even though DNS is correct, check that issuance is not being blocked by a Certification Authority Authorization (CAA) record. For more information, see (Optional) Configure a CAA record.

Validation fails for DNS server on a VPN

If you locate a DNS server on a VPN and ACM fails to validate a certificate against it, check if the server is publicly accessible. Public certificate issuance using ACM DNS validation requires that the domain records be resolvable over the public internet.