Why can't my third-party SSL provider verify my Route 53 domain ownership?

2 minute read
1

I host my domain on Amazon Route 53. However, a third-party SSL provider can't verify my domain ownership and therefore can't issue an SSL certificate.

Resolution

Third-party SSL providers require domain owners to create a DNS record to verify domain ownership. To create a DNS record, complete the following steps.

Note: If you have an SSL from AWS Certificate Manager, then use DNS to validate your domain ownership. If you don't have permission to modify DNS records, then use email to validate your domain ownership.

  1. Open the Route 53 console.
  2. Choose Hosted zones.
  3. Select your domain name and choose Go to Record Sets.
  4. Choose Create Record Set.
  5. For Record name, enter the unique DNS name of the validation record from your SSL provider.
    Note: If your SSL provider requires that you create the record at the root of your domain (example.com), then leave the Record name field blank. However, you can't leave this field black for CNAME validation records.
  6. For Type, choose the record type required for validation by your SSL provider. Typically, the type is TXT or CNAME.
  7. Enter the value that you received from your SSL provider in the Value field.
  8. Choose Create.

After you create the record, check if your CNAME resolves correctly. To check your record, use any DNS record lookup tool, such as dig or nslookup:

$ dig CNAME _test.example.com
$ nslookup _test.example.com -type=CNAME

If the DNS lookup returns the correct value of your validation record, then Route 53 successfully propagated your CNAME record. Your SSL provider can resolve the validation record and issue your SSL certificate for the domain.

The time frame to receive a certificate after the record resolves depends on your SSL provider systems. For some third-party providers, it can take up to 72 hours to receive an SSL certificate.

Related information

DNS validation

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago