I want to validate AWS Certificate Manager (ACM) certificates from Amazon Route 53.
Short description
To validate ACM certificates from Route 53, use DNS validation. To prove domain ownership, add the CNAME record that ACM generates to the DNS zone that is authoritative for the domain. ACM validates the domain name when it resolves that record and gets the expected value back, so the record must live in the hosted zone that the public name servers actually point to.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
If Route 53 is your domain's DNS service provider, then you can set up DNS validation in the ACM console to create the CNAME. When you select this option, ACM automatically adds the record to the Route 53 hosted zone of the domain.
However, if either of the following scenarios is true, then the console can't pick the right hosted zone and you must add the CNAME records manually:
- You have multiple hosted zones for the same domain.
- Your hosted zone is in a different AWS account.
Determine the NS record
To determine the name server (NS) record, first find the DNS configuration for the appropriate hosted zone. Run the following command:
Linux and macOS:
$ dig NS example.com
Windows:
$ nslookup -type=ns example.com
Note: Replace example.com with your domain name.
The answer lists the name servers that public DNS currently treats as authoritative for the domain.
Add the CNAME record to the Route 53 hosted zone whose NS record set matches these name servers. A hosted zone with a different set of name servers isn't the one that resolvers use, and ACM never sees a record that you add there.
Example output:
$ dig example.com NS
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.2 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56071
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN NS
;; ANSWER SECTION:
example.com. 300 IN NS ns-199x.awsdns-xx.co.uk.
example.com. 300 IN NS ns-29x.awsdns-xx.com.
example.com. 300 IN NS ns-54x.awsdns-xx.net.
example.com. 300 IN NS ns-120x.awsdns-xx.org.
Add CNAME records in Route 53
After you use the NS records to identify the hosted zone that you want to use, add your CNAME record to it. Follow these steps:
- Open the Route 53 console.
- Navigate to the hosted zone of your domain. This hosted zone must have the same NS record as the NS that you identified in the previous task.
- Choose Create record.
- For Name, enter the Record Name of the CNAME that ACM generated, but exclude the domain portion. The console appends the hosted zone's domain for you; if you paste the full name, the record is created at a doubled name (for example, _abc123.example.com.example.com) that ACM never queries. For more information, see How CNAME records for ACM work.
- For Value, enter the complete Record Value that ACM provided.
- For Record type, choose CNAME - Routes traffic to another domain name and to some AWS resources.
- For Routing policy, choose Simple routing.
- Choose Create records.
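The two preceding tasks, choosing the hosted zone by its NS records and adding the CNAME, as one scripted example. This is added here and is not part of the AWS article. It assumes that the AWS CLI and dig are installed, that the CLI's credentials and configured region belong to the account and Region of the certificate and hosted zone, and two environment variables that the script itself defines, CERT_ARN and DOMAIN. Without those variables it only exercises the comparison and change-batch helpers on constructed sample data. DOMAIN can be an apex or a delegated subdomain; if dig returns no NS records for it, no hosted zone matches, which is the delegation problem that the subdomain section describes.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): pick the Route 53 hosted zone whose
# delegation set matches the NS records that public DNS returns, then UPSERT
# the ACM validation CNAME into that zone with the AWS CLI. CERT_ARN and DOMAIN
# are assumed environment variables; without them only the helpers run, on
# constructed sample data.
set -u

# Normalize a whitespace-separated list of name servers so two delegation sets
# can be compared: lowercase, drop trailing dots, sort, join on one line.
normalize_ns() {
  tr 'A-Z \t' 'a-z\n\n' | sed 's/\.$//' | grep -v '^$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# ns_match "<public NS list>" "<hosted zone NS list>": succeed only if the two
# sets are identical and non-empty. Order, case and trailing dots don't matter;
# a single different server means a different hosted zone.
ns_match() {
  local a b
  a=$(printf '%s\n' "$1" | normalize_ns)
  b=$(printf '%s\n' "$2" | normalize_ns)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# acm_change_batch "<record name>" "<record value>": JSON body for
# change-resource-record-sets. Unlike the console's Name field, the API wants
# the fully qualified record name exactly as ACM printed it (leading
# underscore label, full domain, trailing dot). UPSERT makes reruns idempotent.
acm_change_batch() {
  printf '{"Comment":"ACM DNS validation","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}\n' "$1" "$2"
}

if [ -n "${CERT_ARN:-}" ] && [ -n "${DOMAIN:-}" ]; then
  # 1. The CNAME that ACM wants for the first domain name on the certificate
  #    (loop over DomainValidationOptions[] to handle every SAN).
  set -- $(aws acm describe-certificate --certificate-arn "$CERT_ARN" \
    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.[Name,Value]' --output text)
  rr_name=$1; rr_value=$2
  # 2. What the Internet sees as authoritative for the domain.
  public_ns=$(dig +short NS "$DOMAIN")
  # 3. Walk every hosted zone with this exact name and keep the one whose
  #    delegation set matches. Private zones have no DelegationSet and never match.
  zone_id=
  for id in $(aws route53 list-hosted-zones-by-name --dns-name "$DOMAIN" \
      --query "HostedZones[?Name=='${DOMAIN}.'].Id" --output text); do
    zone_ns=$(aws route53 get-hosted-zone --id "$id" --query 'DelegationSet.NameServers' --output text)
    if ns_match "$public_ns" "$zone_ns"; then zone_id=${id##*/}; break; fi
  done
  [ -n "$zone_id" ] || { echo "no hosted zone matches the public NS records for $DOMAIN" >&2; exit 1; }
  # 4. Publish the validation record in the matching zone.
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(acm_change_batch "$rr_name" "$rr_value")"
else
  # Constructed sample data: the same four AWS name servers as reported by dig
  # and by get-hosted-zone (different order and case), plus a second zone
  # that shares three of the four.
  dig_ns='ns-1.awsdns-01.org. ns-2.awsdns-02.co.uk. ns-3.awsdns-03.com. ns-4.awsdns-04.net.'
  zone_ns='NS-3.AWSDNS-03.COM NS-4.AWSDNS-04.NET NS-1.AWSDNS-01.ORG NS-2.AWSDNS-02.CO.UK'
  other_ns='ns-5.awsdns-05.org. ns-2.awsdns-02.co.uk. ns-3.awsdns-03.com. ns-4.awsdns-04.net.'
  ns_match "$dig_ns" "$zone_ns"  && echo "same delegation set: add the CNAME to this zone"
  ns_match "$dig_ns" "$other_ns" || echo "different delegation set: wrong hosted zone"
  acm_change_batch '_abc123.example.com.' '_def456.acm-validations.aws.'
fi
```

The comparison deliberately requires the whole set to match: two hosted zones for the same domain in one account always have different delegation sets, and a partial overlap only means both are AWS zones, not that either is the live one.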
Confirm resolution of the CNAME record
To confirm that Route 53 added the CNAME record to your DNS configuration, run a command similar to the following:
Linux and macOS:
dig +short _example-cname.example.com
Windows:
nslookup -type=cname _example-cname.example.com
Note: Replace _example-cname.example.com with the Record Name of your ACM CNAME.
If the CNAME record was added to the correct hosted zone and has propagated, then the command returns the record's value, the _xxxx.acm-validations.aws. name that ACM provided. Empty output means that the record doesn't exist in the zone that the public NS records point to, or that resolvers haven't picked up the change yet.
Subdomain certificate requests with and without a separate hosted zone
To request certificates for subdomains with a separate hosted zone, complete the following steps:
- Follow the steps in the Determine the NS record section to identify the NS record of the subdomain.
- In the command, replace the domain name with your subdomain name.
- Review the command output:
If you receive NS records, then the subdomain is delegated. Add the CNAME records to the subdomain's hosted zone whose NS record set matches these values.
If you don't receive NS records, then the subdomain isn't delegated. Verify that the parent domain's hosted zone contains an NS record for the subdomain that points to the name servers of the subdomain's hosted zone.
For more information, see How do I create a subdomain for my domain that's hosted in Route 53?
To request certificates for subdomains without a separate hosted zone, complete the following steps:
- Add the CNAME records in the apex domain's hosted zone. For more information, see Solving DNS zone apex challenges with third-party DNS providers using AWS.
- Follow the steps in the Confirm resolution of the CNAME record section to confirm that your CNAME record resolves correctly.
Note: If there's a recent change in the DNS configuration, then you might experience propagation delays based on Time to Live (TTL) values.
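An added check for the Confirm resolution of the CNAME record step and for the last step of the subdomain procedure (example code, not from the AWS article). It compares the resolved CNAME target with the value that ACM issued, ignoring case and the trailing dot, and classifies the common failures, including the record that ends up at a doubled name because the console's Name field already appends the domain. RECORD_NAME, RECORD_VALUE and DOMAIN are assumed environment variables; without them the script runs the classifier on constructed sample answers.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article): confirm that the ACM validation
# CNAME resolves to the value that ACM issued, and say why it doesn't when it
# doesn't. RECORD_NAME, RECORD_VALUE and DOMAIN are assumed environment
# variables; without them only the constructed samples at the bottom run.
set -u

# canon <name>: lowercase and strip the trailing dot, so the value that dig
# prints ("_x.acm-validations.aws.") compares equal to a copy that was pasted
# without the dot or with different case.
canon() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# diagnose <expected value> <answer at record name> <answer at doubled name>
#   ok             the record resolves to ACM's value
#   doubled-domain nothing at _x.example.com, but _x.example.com.example.com
#                  resolves: the full name was typed into the console Name
#                  field, which appends the domain by itself
#   wrong-target   a CNAME exists but points elsewhere (typo, or a stale value
#                  left over from an earlier certificate request)
#   missing        no CNAME at all: wrong hosted zone, or not propagated yet
diagnose() {
  local expected=$1 answer=$2 doubled=$3
  if [ -n "$answer" ] && [ "$(canon "$answer")" = "$(canon "$expected")" ]; then
    echo ok
  elif [ -z "$answer" ] && [ -n "$doubled" ]; then
    echo doubled-domain
  elif [ -n "$answer" ]; then
    echo wrong-target
  else
    echo missing
  fi
}

# Live lookup: ask for the CNAME type explicitly so that the target's own
# A records, if it has any, aren't mixed into the answer.
resolve_cname() { dig +short CNAME "$1" | head -n 1; }

if [ -n "${RECORD_NAME:-}" ] && [ -n "${RECORD_VALUE:-}" ] && [ -n "${DOMAIN:-}" ]; then
  answer=$(resolve_cname "$RECORD_NAME")
  doubled=$(resolve_cname "$(canon "$RECORD_NAME").$DOMAIN")
  diagnose "$RECORD_VALUE" "$answer" "$doubled"
else
  # Constructed sample answers, not captured from a real zone.
  expected='_def456.acm-validations.aws.'
  diagnose "$expected" '_DEF456.ACM-VALIDATIONS.AWS' ''     # ok (case and dot differ)
  diagnose "$expected" '' '_def456.acm-validations.aws.'    # doubled-domain
  diagnose "$expected" '_999999.acm-validations.aws.' ''    # wrong-target
  diagnose "$expected" '' ''                                # missing
fi
```

Run it against the same resolver that the dig command in the confirmation step uses; a result of missing right after you created the record usually means that the change hasn't propagated yet, while doubled-domain and wrong-target are records that need to be fixed in the hosted zone.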
Related information
Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?
Configure Amazon Route 53 alias record for your target DNS