[obsolete] CNAME records already present, but ACM still marks the certificate as "Pending validation"

0

We have a certificate generating warnings about its validation status (three common names, three CNAME records required for validation).

The problem is that those exact CNAME records have existed all this time (I have re-created the same records, using a shorter TTL, but ACM still generates the same warning).

How can I handle this without deleting the certificate (which will render related services unusable) and re-creating it anew?

Update of December 25. I had to replace the certificate instead of wasting more time on attempts to understand why ACM fails to conclude the validation (all the CNAME records were valid and in place for weeks, yet ACM refused to conclude the validation).

Honestly, I am very disappointed. ACM could provide the exact problem, so I could look into it, instead of giving vague pieces of advice (of the type "something is wrong").

1 Answer
0

Could be the third case from

https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/

"The CNAME record is added to the correct DNS configuration, but the DNS provider automatically adds the bare domain to the end of its DNS records"

JaccoPK
answered 2 years ago
  • Thanks for the prompt response.

    The above is unlikely. I have tested every created CNAME record with a command like

    $ dig _4490328cbd8989384cf7fcf77df2f2f2a02.example.com CNAME

    (the CNAME record above is changed to exclude the actual domain name)

    and the response was exactly matching what ACM expects in domain details.

  • Some DNS providers can take 24–48 hours to propagate DNS records. Did you also check for a trailing period added by the DNS provider?
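
An offline check for the two causes raised in this thread, the DNS provider appending the bare domain and trailing-period handling, added here as an example (not code from the thread or from AWS). The record names, values, dig output and status labels are constructed; it also flags the zone being appended to the CNAME target, which goes beyond what the thread mentions.

```python
# Added example: all record names, values and dig output are constructed.
def norm(name):
    """DNS names are case-insensitive; a trailing dot only marks the root."""
    return name.strip().rstrip(".").lower()

def parse_dig_answers(text):
    """Map owner name -> CNAME target from `dig +noall +answer` output."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        # Answer lines look like: <owner> <ttl> IN CNAME <target>
        if len(parts) == 5 and parts[2:4] == ["IN", "CNAME"]:
            found[norm(parts[0])] = norm(parts[4])
    return found

def diagnose(expected, zone, dig_text):
    """Classify each expected validation record against what DNS returned."""
    found, zone, report = parse_dig_answers(dig_text), norm(zone), {}
    for name, value in expected.items():
        name, value = norm(name), norm(value)
        if name in found:
            if found[name] == value:
                report[name] = "ok"
            elif found[name] == f"{value}.{zone}":
                # Target entered without a trailing dot, treated as relative
                report[name] = "zone-appended-to-value"
            else:
                report[name] = "value-mismatch"
        elif f"{name}.{zone}" in found:
            # Full name pasted into a panel that appends the zone itself
            report[name] = "zone-appended-to-name"
        else:
            report[name] = "missing"
    return report

EXPECTED = {  # constructed stand-ins for the values ACM shows per domain
    "_aaa111.example.com.": "_bbb222.acm-validations.aws.",
    "_ccc333.www.example.com.": "_ddd444.acm-validations.aws.",
    "_eee555.api.example.com.": "_fff666.acm-validations.aws.",
}
DIG_OUTPUT = """\
_aaa111.example.com. 300 IN CNAME _bbb222.acm-validations.aws.
_ccc333.www.example.com.example.com. 300 IN CNAME _ddd444.acm-validations.aws.
_eee555.api.example.com. 300 IN CNAME _fff666.acm-validations.aws.example.com.
"""

if __name__ == "__main__":
    for name, status in diagnose(EXPECTED, "example.com", DIG_OUTPUT).items():
        print(f"{status:24} {name}")
```

Feed it the combined `dig +noall +answer <name> CNAME` output for each expected name and for each name with the zone appended.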
