How can I validate ACM certificates from Route 53?


I want to validate AWS Certificate Manager (ACM) certificates from Amazon Route 53.

Short description

To validate domain ownership for an ACM certificate, you can use either DNS validation or email validation.

Note: It's a best practice to use DNS validation instead of email validation.

When you use DNS validation to request an ACM certificate, ACM provides a CNAME record that you must then add to your DNS configuration. ACM uses the CNAME record to validate ownership of domains. After ACM validates domain ownership, the certificate status updates from "Pending validation" to "Issued".

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

If Route 53 is your domain's DNS service provider, then you can set up DNS validation in the ACM console to create the CNAME. When you select this option, ACM automatically adds the record to the Route 53 hosted zone of the domain.

However, if either of the following scenarios is true, then you must add the CNAME records manually:

  • You have multiple hosted zones for the same domain.
  • Your hosted zone is in a different AWS account.

Apex domain certificate requests

Determine the NS record

  1. To find the DNS configuration for the appropriate hosted zone, run the following command:

    Linux and macOS:

    $ dig NS example.com

    Windows:

    $ nslookup -type=ns example.com

    Note: Replace example.com with your domain name.

  2. This command provides the name servers that are included in the name server (NS) record of the DNS configuration of the domain. Add the CNAME record to the Route 53 hosted zone that has the same NS record as the name servers in your output.

    Example output:

    $ dig example.com NS
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.amzn2.0.2 <<>> example.com NS
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56071
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    
    ;; QUESTION SECTION:
    ;example.com. IN NS
    
    ;; ANSWER SECTION:
    example.com. 300 IN NS ns-199x.awsdns-xx.co.uk.
    example.com. 300 IN NS ns-29x.awsdns-xx.com.
    example.com. 300 IN NS ns-54x.awsdns-xx.net.
    example.com. 300 IN NS ns-120x.awsdns-xx.org.

Add CNAME records in Route 53

After you use the NS values to identify the hosted zone that you want to use, add your CNAME record to it:

  1. Open the Route 53 console.
  2. Navigate to the hosted zone of your domain. This hosted zone must have the same NS record as the name servers that you identified in the previous task.
  3. Choose Create record.
  4. For Name, enter the Record Name of the CNAME that ACM generated, but exclude the domain portion. For more information, see How CNAME records for ACM work.
  5. For Value, enter the complete Record Value that ACM provided.
  6. For Record type, choose CNAME - Routes traffic to another domain name and to some AWS resources.
  7. For Route Policy, choose Simple routing.
  8. Choose Create Records.

Verify the resolution of the CNAME record

To confirm that Route 53 added the CNAME record to your DNS configuration, run a command similar to the following:

Linux and macOS:

dig +short _example-cname.example.com

Windows:

nslookup -type=cname _example-cname.example.com

Note: Replace _example-cname.example.com with the Record Name of the CNAME that ACM generated for your certificate.

If you successfully added and propagated the CNAME record, then the command returns the CNAME record's value in the output.
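The three tasks above (matching the public NS record to the right hosted zone, adding the CNAME, and checking that it resolves) as one script. This is an added example, not AWS's own code: it assumes the aws CLI and dig are on PATH, that the caller may call acm:DescribeCertificate and the Route 53 list/get/change APIs, and it reads the certificate ARN from a hypothetical ACM_CERT_ARN environment variable chosen for this script.

```shell
#!/bin/sh
# Added example (not AWS's own code). Automates DNS validation for a
# single-domain ACM certificate. Assumes: aws CLI and dig on PATH, permissions
# for acm:DescribeCertificate and route53 list/get/change, and the certificate
# ARN in ACM_CERT_ARN (hypothetical variable name chosen for this script).

# Normalise a whitespace-separated list of DNS names so two lists can be
# compared as sets: lowercase, trailing dot removed, one per line, sorted.
norm_names() {
  tr -s '[:space:]' '\n' | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u
}

# Return 0 when both lists contain exactly the same DNS names, order ignored.
# Used to match a hosted zone's NS set against the public NS answer, and to
# check that the validation CNAME resolves to the value ACM expects.
same_names() {
  a=$(printf '%s\n' "$1" | norm_names)
  b=$(printf '%s\n' "$2" | norm_names)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the id of the hosted zone for domain $1 whose delegation set equals
# the live NS record $2. With several zones of the same name, only the one
# matching the public NS answer is actually authoritative.
find_zone_for() {
  aws route53 list-hosted-zones-by-name --dns-name "$1" \
    --query "HostedZones[?Name=='$1.'].Id" --output text | tr '\t' '\n' |
  while read -r zid; do
    zone_ns=$(aws route53 get-hosted-zone --id "$zid" \
      --query 'DelegationSet.NameServers' --output text)
    if same_names "$2" "$zone_ns"; then echo "${zid#/hostedzone/}"; break; fi
  done
}

# UPSERT the validation CNAME. The API takes the full record name; only the
# console form in step 4 above omits the domain portion.
upsert_cname() {  # $1 = zone id, $2 = record name, $3 = record value
  aws route53 change-resource-record-sets --hosted-zone-id "$1" --change-batch \
    "{\"Changes\":[{\"Action\":\"UPSERT\",\"ResourceRecordSet\":{\"Name\":\"$2\",\"Type\":\"CNAME\",\"TTL\":300,\"ResourceRecords\":[{\"Value\":\"$3\"}]}}]}"
}

cert_field() { aws acm describe-certificate --certificate-arn "$ACM_CERT_ARN" --query "Certificate.$1" --output text; }

if [ -n "${ACM_CERT_ARN:-}" ]; then
  domain=$(cert_field 'DomainName')
  name=$(cert_field 'DomainValidationOptions[0].ResourceRecord.Name')
  value=$(cert_field 'DomainValidationOptions[0].ResourceRecord.Value')
  zid=$(find_zone_for "$domain" "$(dig +short NS "$domain")")
  [ -n "$zid" ] || { echo "no hosted zone matches the public NS record for $domain" >&2; exit 1; }
  upsert_cname "$zid" "$name" "$value"
  same_names "$(dig +short "$name")" "$value" && echo "validation CNAME resolves" || echo "not propagated yet (check TTL)"
fi
```

If the script reports that no hosted zone matches, the domain is delegated to name servers that none of your zones own, which is exactly the multiple-zone or wrong-account case described above.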

Subdomain certificate requests

You have a separate hosted zone for your subdomain

Follow the previous steps for apex domain certificate requests to identify the NS record of the subdomain. To do this, replace the domain's name with the subdomain in the command.

If you receive an output with NS values, then add the CNAME records in the subdomain's hosted zone to match the output's NS values.

If you don't receive NS records after you run the command, then verify that you properly configured subdomain delegation between your apex domain and subdomain. To do this, create a resource record with the subdomain's NS record in the apex domain's hosted zone. For more information, see How do I create a subdomain for a domain hosted through Route 53?

You don't have a separate hosted zone for your subdomain

If you don't have a separate hosted zone for the subdomain, then add the CNAME records in the apex domain's hosted zone. Then, use the previous steps for apex domain certificate requests to verify that the CNAME record resolves as expected.

Note: If there's a recent change in the DNS configuration, then you might experience propagation delays based on TTL values.

Related information

Why is my ACM certificate renewal status still "Pending validation" after I used the ACM managed renewal process for my domain name?

AWS OFFICIAL, updated 8 months ago