When you use DNS validation to request an ACM certificate, ACM provides a CNAME record that you must add to your DNS configuration. ACM uses the CNAME record to validate ownership of domains. After ACM validates domain ownership, the certificate status updates from Pending validation to Issued.
If Route 53 is your domain's DNS service provider, then you can use a one-click option in the ACM console to create the CNAME. When you select this option, ACM automatically adds the record to the Route 53 hosted zone of the domain.
However, if either of the following cases is true, then you must add the CNAME record manually:
You have multiple hosted zones for the same domain.
Your hosted zone is in a different account.
Apex domain certificate requests
Determine the name server (NS) record
1. To find the DNS configuration for the appropriate hosted zone, run the following command:
For Linux and macOS:
dig NS example.com
For Windows:
nslookup -type=ns example.com
Note: Replace example.com with your domain name.
2. The output lists the name servers in the name server (NS) record of the domain's DNS configuration. Add the CNAME record to the Route 53 hosted zone whose NS record lists the same name servers as your output.
Add the CNAME record to the hosted zone
1. Open the Route 53 console.
2. Navigate to the hosted zone of your domain. This hosted zone must have the same NS record as the name servers that you identified in the previous task.
3. Choose Create record.
4. For Name, enter the Record Name of the CNAME that ACM generated, excluding the domain portion. For more information, see How CNAME records for ACM work.
5. For Value, enter the complete Record Value that ACM provided.
6. For Record type, choose CNAME - Routes traffic to another domain name and to some AWS resources.
7. For Route Policy, choose Simple routing.
8. Choose Create Records.
Verify the resolution of the CNAME record
To confirm that Route 53 added the CNAME record to your DNS configuration, run a command similar to the following examples:
For Linux and macOS:
dig +short _example-cname.example.com
For Windows:
nslookup -type=cname _example-cname.example.com
Note: Replace _example-cname.example.com with the Record Name of the CNAME that ACM generated.
If the CNAME record was added and has propagated, then the command returns the CNAME record's value in the output.
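The following script is an added example and is not part of the AWS article. It automates the two checks described above for the multiple-hosted-zone case: it compares the public NS record with each Route 53 hosted zone's delegation set to find the zone that is actually authoritative, and it queries every authoritative name server directly for the ACM CNAME so that resolver caches and TTLs cannot mask a missing or wrong record. It assumes dig is installed and, for pick_hosted_zone, that the AWS CLI has read access to Route 53; the record name and value at the end are constructed placeholders, not real ACM values.

```shell
# Added example: verify an ACM DNS-validation CNAME against the authoritative
# name servers and pick the hosted zone whose delegation set matches the public NS record.
set -eu
# Canonical form of a DNS name for comparison: lowercase, no trailing dot.
norm_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }
# Return 0 if any observed answer equals the ACM-provided Record Value.
cname_matches() {
  expected=$(norm_name "$1"); shift
  for observed in "$@"; do
    [ "$(norm_name "$observed")" = "$expected" ] && return 0
  done
  return 1
}
# Return 0 if two whitespace-separated NS lists name the same servers, in any order.
same_ns_set() {
  a=$(for n in $1; do norm_name "$n"; echo; done | sort | tr '\n' ' ')
  b=$(for n in $2; do norm_name "$n"; echo; done | sort | tr '\n' ' ')
  [ "$a" = "$b" ]
}
# Public NS record of the zone, as returned by the dig NS command in the article.
public_ns() { dig +short NS "$1" | tr '\n' ' '; }
# Of several hosted zones with the same name, print the ID whose delegation set
# matches the public NS record; that is the zone the CNAME must be created in.
pick_hosted_zone() {
  domain=$1; want=$(public_ns "$domain")
  for id in $(aws route53 list-hosted-zones-by-name --dns-name "$domain" \
               --query "HostedZones[?Name=='${domain}.'].Id" --output text); do
    have=$(aws route53 get-hosted-zone --id "$id" --query 'DelegationSet.NameServers' --output text)
    if same_ns_set "$want" "$have"; then echo "$id"; return 0; fi
  done
  return 1
}
# Ask every authoritative server directly; succeed only when all of them answer correctly.
check_validation_cname() {
  record=$1; expected=$2; zone=$3; ok=0; total=0
  for ns in $(public_ns "$zone"); do
    total=$((total + 1))
    answer=$(dig +short @"$ns" CNAME "$record" || true)
    if cname_matches "$expected" $answer; then ok=$((ok + 1)); echo "OK   $ns -> $answer"
    else echo "MISS $ns -> ${answer:-<no answer>}"; fi
  done
  [ "$total" -gt 0 ] && [ "$ok" -eq "$total" ]
}
# Constructed sample values; substitute the Record Name and Record Value that ACM shows:
# check_validation_cname _abc123.example.com _xyz789.acm-validations.aws. example.com
```

Run pick_hosted_zone example.com first when the domain has more than one hosted zone, then check_validation_cname after the record has been created.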
Subdomain certificate requests
You have a separate hosted zone for your subdomain
Follow the previously described steps for apex domain certificate requests, and identify the NS record of the subdomain. To do this, replace the domain's name with the subdomain in the command.
If the output contains NS values, then add the CNAME record to the subdomain's hosted zone whose NS record matches those values.
If the command returns no NS records, then verify that you properly configured subdomain delegation between your apex domain and the subdomain. To do this, create a resource record with the subdomain's NS records in the apex domain's hosted zone. For more information, see How do I create a subdomain for a domain hosted through Route 53?
You don't have a separate hosted zone for your subdomain
If there isn't a separate hosted zone for the subdomain, then add the CNAME records in the apex domain's hosted zone. Then, use the previously described steps for apex domain certificate requests to verify that the CNAME record resolves as expected.
Note: If there are recent changes in the DNS configuration, then you might experience propagation delays based on the TTL values.