Ongoing SSL Certificate Validation Failure (5+ Days, Route53 + CloudFront + ACM, Multiple Certificates)


Hello, I'm seeking expert advice on an extremely persistent SSL certificate validation issue that has dragged on for 5+ days despite following all known best practices. I'd really appreciate it if someone familiar with ACM + CloudFront + Route53 integrations could take a close look.

The Situation:

Domain: sdaudit.com

Hosted via: CloudFront distribution

DNS managed by: Route 53

Certificate(s): Amazon-issued ACM certificates

Problem: SSL certificate remains stuck in Pending Validation (for www.sdaudit.com), despite CNAME records being correctly entered and resolving publicly.

Key Details:

Multiple certificates were requested.

2 certificates are now showing Issued (one covers sdaudit.com, the other sdaudit.com + www.sdaudit.com)

1 certificate remains Pending Validation.

DNS CNAME records for ACM validation were entered EXACTLY as requested by ACM, without any typos or extra periods.

Checked externally using tools like whatsmydns.net — CNAMEs are publicly visible and correctly propagated globally.

Checked via dig/nslookup — results match ACM instructions.

CloudFront distribution points correctly to the issued certificate for sdaudit.com, but cannot yet validate www.sdaudit.com because of the Pending cert.

No other DNS records conflict with the CNAME validation records.

Timeline:

Certificate requests made April 20-21, 2025.

DNS records immediately added within minutes.

Certificates for apex domain (sdaudit.com) issued fairly quickly.

www.sdaudit.com certificate stuck Pending for days without flipping to Issued, despite apparent perfect setup.

Attempts to Resolve:

Deleted old DNS CNAMEs and re-added them carefully.

Requested new certificates to retry validation.

Re-propagated DNS.

Waited >48 hours after DNS updates.

No changes were made mid-process that could explain a stuck validation.

Followed ACM troubleshooting articles regarding pending validations.

Additional Observations:

ACM still shows the validation record needed for www.sdaudit.com even though it is clearly visible externally.

CloudFront is working for the root domain (sdaudit.com) but I need www.sdaudit.com working as well.

Concern: If this never validates, www.sdaudit.com will remain insecure and non-functional.

The Ask:

Why is ACM validation stuck even when DNS appears perfect?

What additional troubleshooting steps would you recommend beyond what was already tried?

Is there a deeper ACM bug, or some background AWS behavior (throttling, zone ownership issue, etc.) that could cause this?

I’m happy to provide:

Screenshots of ACM / Route53 configs

DNS queries (dig output)

CloudFront and ACM request IDs if needed

Thank you very much for any insights — I've spent days trying to solve this and would truly appreciate any senior-level guidance!

2 Answers
Accepted Answer

Based on the detailed information you've provided, it seems you've taken many of the correct steps to troubleshoot this persistent SSL certificate validation issue. However, there are a few additional considerations and steps you might want to explore:

  1. Certificate Request Timeout: ACM certificate requests typically time out after 72 hours if not validated. Since it's been 5+ days, it's possible that the pending certificate request has timed out. In this case, you should delete the pending certificate request and initiate a new one.

  2. DNS Propagation: Although you've checked with external tools and dig/nslookup, sometimes DNS changes can take longer to propagate fully. Ensure that you've waited at least 30 minutes to an hour after adding or modifying DNS records before rechecking.

  3. Hosted Zone Verification: Double-check that the CNAME records are added to the correct hosted zone. Use the 'dig NS' command to verify the nameservers for your domain and ensure they match the nameservers in your Route 53 hosted zone.

  4. CAA Records: Verify that there are no Certification Authority Authorization (CAA) records in your DNS that might be blocking certificate issuance for your domain.

  5. Multiple Certificates: Having multiple certificates for the same domain can sometimes cause issues. Try focusing on a single certificate that covers both the apex domain and the www subdomain.

  6. ACM Console Refresh: Sometimes the ACM console doesn't update immediately. Try refreshing the console or logging out and back in to ensure you're seeing the most up-to-date status.

  7. Route 53 and ACM Account Alignment: Ensure that your Route 53 hosted zone and ACM are in the same AWS account. If they're not, you may need to add the CNAME records manually.

  8. IAM Permissions: Verify that you have the necessary IAM permissions to create records in your Route 53 hosted zone.

If these steps don't resolve the issue, you may want to contact AWS Support for further assistance. They can investigate if there are any underlying issues with the ACM service or your specific account that might be causing this persistent problem.
Sources
SSL Validation keep on pending | AWS re:Post
Unable to request a Certificate in AWS | AWS re:Post
Route 53, CloudFormation, and ACM | AWS re:Post
Forever pending Certificate Validation | AWS re:Post
Certificate Status still pending validation | AWS re:Post

answered 20 days ago
reviewed by an AWS Expert 17 days ago
  • Thank you for the detailed suggestions.

    I have already verified all the points you mentioned:

    Certificate Request Timeout: The cert is still in Pending Validation status, not Failed or Expired. (Meaning ACM has not timed it out yet.)

    DNS Propagation: Confirmed 100% propagation globally via whatsmydns.net and dig/nslookup from multiple regions. Records resolve correctly.

    Hosted Zone Verification: NS records match exactly between registrar and Route 53 hosted zone.

    CAA Records: No CAA records exist that would block Amazon issuing certificates.

    Multiple Certificates: Focused now on a single certificate covering both sdaudit.com and www.sdaudit.com.

    ACM Console Refresh: Tried clearing cache, refreshing, logging out/in, etc. No change.

    Route53/ACM Account Alignment: Confirmed both are operating under the same AWS account.

    IAM Permissions: Full Route53 and ACM permissions confirmed. No access errors encountered.

    Since all standard causes have been ruled out, it appears this may be an internal ACM validation issue, not a DNS or permissions problem.

    At this point, is there a way to escalate the case or manually trigger re-validation inside ACM? Or is there a known workaround when ACM fails to detect an otherwise-valid CNAME record?

    Thank you again for your help.
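The accepted answer's points 3 and 4 (NS delegation, CAA) and the asker's dig checks can be folded into one script. The following is an added example, not code from the thread or from AWS: it asks each authoritative nameserver for the validation CNAME directly (no recursion, so no resolver cache), compares the answer to what ACM expects after normalising case and the trailing dot, and walks the CAA chain for the certificate's domain the way a CA does (RFC 8659: the first name, climbing towards the TLD, that has any CAA set). The record name and target in the usage line are placeholders; the real ones come from the ACM console or `aws acm describe-certificate`. The CA domains that ACM honours in CAA `issue` tags (amazon.com, amazontrust.com, awstrust.com, amazonaws.com) are from the ACM documentation.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): verify an ACM DNS-validation CNAME
# as the validator sees it, plus NS delegation and the effective CAA policy.
#
# Usage: sh check-acm-validation.sh _abc123.www.sdaudit.com _def456.acm-validations.aws
#        (placeholder names; use the record ACM shows for your certificate)

# DNS names compare case-insensitively and the root dot is optional: normalise both.
normalize_name() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches EXPECTED OBSERVED -> exit 0 when they name the same target
cname_matches() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# caa_blocks_amazon RDATA -> exit 0 when the CAA set (one record per line, e.g.
# '0 issue "letsencrypt.org"') forbids Amazon's CAs for a non-wildcard name.
# Only the "issue" tag matters for a non-wildcard name; no issue tag = no restriction.
caa_blocks_amazon() {
    records="$1"
    [ -z "$records" ] && return 1
    if ! printf '%s\n' "$records" | grep -Eiq '^[0-9]+[[:space:]]+issue[[:space:]]'; then
        return 1
    fi
    # CA domains ACM documents as acceptable in CAA records
    if printf '%s\n' "$records" | grep -Eiq \
        '[[:space:]]issue[[:space:]]+"(amazon\.com|amazontrust\.com|awstrust\.com|amazonaws\.com)[";]'; then
        return 1
    fi
    return 0
}

# Print the NS set of the closest enclosing zone of NAME (walks up label by label).
find_ns() {
    n=$(normalize_name "$1")
    while [ -n "$n" ]; do
        ns=$(dig +short NS "$n")
        if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
        case "$n" in *.*) n=${n#*.} ;; *) break ;; esac
    done
    return 1
}

# Print the first non-empty CAA set found walking up from NAME (RFC 8659 climbing).
effective_caa() {
    n=$(normalize_name "$1")
    while [ -n "$n" ]; do
        caa=$(dig +short CAA "$n")
        if [ -n "$caa" ]; then printf '%s\n' "$caa"; return 0; fi
        case "$n" in *.*) n=${n#*.} ;; *) break ;; esac
    done
    return 0
}

check_validation_record() {
    rr_name="$1"; expected="$2"; rc=0

    echo "== NS delegation covering $rr_name"
    nslist=$(find_ns "$rr_name") || { echo "no NS records found"; return 1; }
    printf '%s\n' "$nslist"

    echo "== CNAME as served by each authoritative server (no recursion, no cache)"
    for ns in $nslist; do
        got=$(dig +short +norecurse @"$ns" "$rr_name" CNAME | head -n 1)
        if cname_matches "$expected" "$got"; then
            echo "ok       $ns -> $got"
        else
            echo "MISMATCH $ns -> '${got:-<no answer>}' (expected $expected)"; rc=1
        fi
    done

    echo "== CNAME via a public recursive resolver"
    got=$(dig +short @1.1.1.1 "$rr_name" CNAME | head -n 1)
    cname_matches "$expected" "$got" || { echo "MISMATCH 1.1.1.1 -> '${got:-<no answer>}'"; rc=1; }

    # The validation record is _<token>.<domain>; strip the token label to get the
    # certificate's domain, which is what CAA applies to.
    domain=${rr_name#*.}
    echo "== effective CAA policy for $domain"
    caa=$(effective_caa "$domain")
    if [ -z "$caa" ]; then
        echo "no CAA records on $domain or its parents: any CA may issue"
    elif caa_blocks_amazon "$caa"; then
        echo "BLOCKED: CAA policy excludes Amazon CAs:"; printf '%s\n' "$caa"; rc=1
    else
        echo "CAA permits Amazon:"; printf '%s\n' "$caa"
    fi
    return $rc
}

# Run only when given the two arguments; sourcing the file just defines the functions.
if [ "$#" -eq 2 ]; then
    check_validation_record "$1" "$2"
fi
```

Querying each authoritative server with `+norecurse` is the part whatsmydns.net and a plain `dig` skip: they show what recursive resolvers have cached, while ACM resolves the name fresh, so a server in the NS set that answers differently (or not at all) shows up here and nowhere else.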

  1. Manual Revalidation: There is no public button or command to manually "force" ACM to revalidate a certificate once it's pending. ACM’s validation service automatically retries in the background every few hours based on its internal schedule. However, when validations get "stuck," background retries sometimes don't trigger correctly.

  2. Known Workarounds: Re-issue a new certificate request (which you've already tried — good). Delete and re-add the validation CNAME with a low TTL (which can sometimes reset ACM’s backend state — if you haven't already tried this with a 60s TTL, it’s worth one attempt).

  3. Escalation Path: At this point, your best option is to open a support case with AWS under the "ACM Service Limits or Certificate Issue" category.

answered 19 days ago
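The workaround in point 2 (re-create the validation CNAME with a 60 s TTL) is easy to get subtly wrong by hand: the record name and value both carry a trailing dot, a certificate covering sdaudit.com and www.sdaudit.com needs two distinct records, and an account can hold more than one hosted zone for the same name. The script below is an added example, not from the thread or from AWS; it reads the records ACM wants from the ACM API itself, UPSERTs them into the given hosted zone with `TTL 60`, waits for the Route 53 change to become INSYNC, then uses the ACM `certificate-validated` waiter and prints the per-domain validation status, which shows whether only the www name is still outstanding. It assumes AWS CLI v2 with credentials allowing `acm:DescribeCertificate`, `route53:ListHostedZonesByName`, `route53:ChangeResourceRecordSets` and `route53:GetChange`; the ARN and zone ID are placeholders, and `--region us-east-1` is used because CloudFront only attaches certificates from that region.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): re-apply an ACM certificate's DNS
# validation records into Route 53 with a low TTL and poll validation status.
#
# Usage: sh reapply-acm-validation.sh \
#          arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER Z0123456789PLACEHOLDER
set -e

# CloudFront only uses ACM certificates issued in us-east-1.
ACM_REGION=us-east-1

# Render the change batch Route 53 expects: one CNAME UPSERT (idempotent, so it
# is safe to run again), TTL defaults to 60 s so a corrected record is picked up quickly.
build_change_batch() {
    name="$1"; value="$2"; ttl="${3:-60}"
    printf '{"Comment":"ACM DNS validation CNAME","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}' \
        "$name" "$ttl" "$value"
}

# Hosted zone IDs whose name equals DOMAIN. More than one line means the account
# holds duplicate zones; only the one whose NS set matches the public delegation counts.
hosted_zone_ids() {
    aws route53 list-hosted-zones-by-name --dns-name "$1" \
        --query "HostedZones[?Name=='$1.'].Id" --output text
}

# Per-SAN status straight from ACM: DomainName, ValidationStatus, record name, record value.
show_domain_status() {
    aws acm describe-certificate --region "$ACM_REGION" --certificate-arn "$1" \
        --query 'Certificate.DomainValidationOptions[].[DomainName,ValidationStatus,ResourceRecord.Name,ResourceRecord.Value]' \
        --output text
}

# Take every DNS validation record ACM lists for the certificate and UPSERT it
# into ZONE_ID, waiting for each change to be INSYNC on all Route 53 servers.
reapply_validation_records() {
    arn="$1"; zone="$2"
    aws acm describe-certificate --region "$ACM_REGION" --certificate-arn "$arn" \
        --query 'Certificate.DomainValidationOptions[?ValidationMethod==`DNS`].ResourceRecord.[Name,Value]' \
        --output text |
    while read -r name value; do
        [ -z "$name" ] && continue
        echo "UPSERT $name -> $value (TTL 60) in $zone"
        change_id=$(aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
            --change-batch "$(build_change_batch "$name" "$value" 60)" \
            --query 'ChangeInfo.Id' --output text)
        aws route53 wait resource-record-sets-changed --id "$change_id"
    done
}

if [ "$#" -eq 2 ]; then
    reapply_validation_records "$1" "$2"
    echo "waiting for ACM to validate (the waiter polls every 60 s, up to 40 times)"
    aws acm wait certificate-validated --region "$ACM_REGION" --certificate-arn "$1"
    show_domain_status "$1"
fi
```

Before running it, `hosted_zone_ids sdaudit.com` is worth a look: if it returns two IDs, pass the one whose `NS` record set matches what `dig NS sdaudit.com` returns from the public internet, because a record UPSERTed into the other zone never reaches ACM, however correct it looks in the console.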
