How can I validate ACM certificates from Route 53?

Short description

There are two ways to validate domain ownership for an ACM certificate:

1.    DNS validation

2.    Email validation

When you request an ACM certificate using DNS validation, ACM provides a CNAME record that you must add to your DNS configuration. ACM uses the CNAME record to validate ownership of domains. After the domain ownership is validated, the certificate status updates from Pending validation to Issued.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

If you are using Route 53 as your DNS service provider for the domains requested in the ACM certificate, you can use a one-click option available in the ACM console to create the CNAME. When you select this option, the record is automatically added to the Route 53 hosted zone of the domain.

However, you must add CNAME records manually if either of the following is true:

• You have multiple hosted zones for the same domain
• Your hosted zone is in a different account

Apex domain certificate requests

Determine the name server (NS) record

1.    Run the following command to find the DNS configuration for the appropriate hosted zone.

For Linux and macOS:

$ dig NS example.com

For Windows:

$ nslookup -type=ns example.com

Note: Replace "example.com" with your domain name.

2.    The previous command provides the name servers included in the name server (NS) record of the DNS configuration of the domain. Add the CNAME record to the Route 53 hosted zone that has an NS record same as the name servers in your output.

Example output:

$ dig example.com NS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.2 <<>> example.com
NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56071
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:
;example.com. IN NS

;; ANSWER SECTION:
example.com. 300 IN NS ns-1992.awsdns-57.co.uk.
example.com. 300 IN NS ns-290.awsdns-36.com.
example.com. 300 IN NS ns-547.awsdns-04.net.
example.com. 300 IN NS ns-1200.awsdns-22.org.

Add CNAME records in Route 53

After you identify the appropriate hosted zone using the NS values, add your CNAME record to it:

1.    Open the Route 53 console.

2.    Navigate to the hosted zone of your domain. This hosted zone must have the same NS record as the name servers you identified in the previous task.

3.    Choose Create record.

4.    For Name, enter the Record Name of the CNAME that ACM generated, excluding the domain portion. For more information, see How CNAME records for ACM work.

5.    For Value, enter the complete Record Value that ACM provided.

6.    For Record type, choose CNAME - Routes traffic to another domain name and to some AWS resources.

7.    For Route Policy, choose Simple routing.

8.    Choose Create Records.

Verify the resolution of the CNAME record

To confirm that the CNAME record was added correctly to your DNS configuration, run a command similar to the following, based on your use case.

For Linux and macOS:

dig +short _example-cname.example.com

For Windows:

nslookup -type=cname _example-cname.example.com

Note: Be sure to replace "example-cname.example.com" with your ACM CNAME record.

If the CNAME record was added to the correct DNS configuration and propagated successfully, then the command returns the CNAME record’s value in the output.

Subdomain certificate requests

If you have a separate hosted zone for your subdomain:

Follow the previously described steps for apex domain certificate requests and identify the NS record of the subdomain by replacing the domain’s name with the subdomain in the command.

If you receive an output with NS values, add the CNAME records in the subdomain’s hosted zone that matches the output’s NS values.

If you don't receive NS records after running the command, be sure that there's proper subdomain delegation configured between your apex domain and subdomain. To do this, create a resource record with subdomain’s NS record in the apex domain’s hosted zone. For more information, see How do I create a subdomain for a domain hosted through Route 53?

If you don't have a separate hosted zone for your subdomain:

If there isn't a separate hosted zone for the subdomain, add the CNAME records in the apex domain’s hosted zone. Then, verify that the CNAME record resolves as expected using previously described steps for apex domain certificate requests.

Note: If there were recent changes in the DNS configuration, you might experience propagation delays based on TTL values.