ACM Certificate is pending all the time

0

Hi,

I've tried to verify the SSL certificate by creating a CN record for different regions and unfortunately got the same negative result.

Steps:

  1. Create domain
  2. Create certificate in ACM
  3. Create hosted zone
  4. Create record by ACM for hosted zone

Pending even after 10 hours.

This is weird because earlier I didn't have a similar problem. I had verification after 5 minutes.

This is my first post, so sorry if I do something wrong.

4 Answers
0
Accepted Answer
answered 17 days ago
0

Hello.

Have you checked the troubleshooting tips in the following documentation?
First, please check whether you can use the hosted zone you created normally.
As mentioned in the answer for re:Post Agent, start by checking whether the NS record can be resolved normally.
https://repost.aws/knowledge-center/acm-certificate-pending-validation

EXPERT
answered 18 days ago
EXPERT
reviewed 18 days ago
0

It's not uncommon for ACM certificate validation to take some time, but 10 hours is indeed longer than usual. Here are some steps you can take to troubleshoot and potentially resolve the issue:

  1. Verify DNS propagation: Even though you've created the CNAME record, it may take time to propagate across all DNS servers. Use the 'dig' command to check if the CNAME record is visible:

    dig CNAME +short <CNAME_name>

This should return the CNAME value provided by ACM.

  2. Check nameservers: Ensure that your domain is using the correct nameservers. You can verify this with:

    dig +trace <your_domain_name>

Make sure the nameservers match those of your hosted zone in Route 53.

  3. Verify CNAME record: Double-check that the CNAME record in your hosted zone exactly matches the one provided by ACM, including any trailing dots.

  4. CAA Records: Check if there are any Certification Authority Authorization (CAA) records that might be blocking ACM from issuing the certificate.

  5. Multiple domains: If your certificate covers multiple domain names, ensure you've added the correct CNAME records for all of them.

  6. Wait longer: Although unusual, sometimes the validation process can take up to 72 hours. If you've verified all the above points, you may need to wait a bit longer.

  7. Region consideration: Ensure you're requesting the certificate in the correct AWS region for your use case.

If the issue persists after checking these points, you may need to delete the current certificate request and start a new one. If problems continue, contacting AWS support might be necessary as there could be an underlying issue with the ACM service or your specific account.

Remember, once successfully validated, ACM certificates are valid for 13 months and are automatically renewed if the DNS records remain in place, so you shouldn't need to repeat this process frequently.

Sources
ACM cert verification keep Pending or failed (.de domain) | AWS re:Post
Certificate Status still pending validation | AWS re:Post
Forever pending Certificate Validation | AWS re:Post

answered 18 days ago
EXPERT
reviewed 18 days ago
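
The delegation, CNAME and CAA checks from the answer above, as an added example that is not part of the original thread or any AWS tooling. It evaluates DNS answers you have already collected with dig or nslookup; the function names and all sample names and values are constructed, and the Amazon CAA domains are the ones listed in the ACM documentation.

```python
# Added example: evaluate DNS answers already collected with dig/nslookup.
# All names and values below are constructed placeholders.
AMAZON_CAA = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

def norm(name):
    """DNS names are case-insensitive and the trailing dot is optional."""
    return name.strip().strip('"').rstrip(".").lower()

def caa_allows_acm(caa_records, wildcard=False):
    """caa_records: (tag, value) pairs from the closest CAA record set."""
    issue = [v for t, v in caa_records if t.lower() == "issue"]
    issuewild = [v for t, v in caa_records if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue-type records: any CA may issue
    # Parameters may follow ';'. A bare ';' authorizes no CA at all.
    return any(norm(v.split(";")[0]) in AMAZON_CAA for v in relevant)

def diagnose(parent_ns, zone_ns, expected, observed, caa=(), wildcard=False):
    """Return findings; an empty list means DNS is ready for validation.

    parent_ns: NS names the domain is delegated to (from `dig +trace`)
    zone_ns:   NS names listed in the Route 53 hosted zone
    expected:  (name, value) of the CNAME that ACM provided
    observed:  target returned by `dig CNAME +short <name>`, or None
    """
    findings = []
    p, z = {norm(n) for n in parent_ns}, {norm(n) for n in zone_ns}
    if not p:
        findings.append("no delegation: NS lookup for the domain returned nothing")
    elif p != z:
        findings.append("delegated nameservers differ from hosted zone: "
                        + ", ".join(sorted(p ^ z)))
    if observed is None:
        findings.append("validation CNAME does not resolve: " + norm(expected[0]))
    elif norm(observed) != norm(expected[1]):
        findings.append("validation CNAME points to an unexpected target")
    if not caa_allows_acm(caa, wildcard):
        findings.append("CAA records do not authorize an Amazon CA")
    return findings

ZONE_NS = ["ns-a.hosted-zone.example.", "ns-b.hosted-zone.example."]  # constructed
EXPECTED = ("_abc123.example.com.", "_def456.acm-validations.aws.")   # constructed

if __name__ == "__main__":
    # Case where neither the NS nor the CNAME lookup returns an answer.
    for finding in diagnose([], ZONE_NS, EXPECTED, None):
        print("-", finding)
```

An empty result only says the collected answers are consistent; ACM validates against public DNS, so collect them from a public resolver rather than an internal one.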
0

Hi, thank you for the answer.

I am using Windows, so I have checked with nslookup. Here are the results:

    nslookup -type=ns domain

    Server: UnKnown Address: ...

    UnKnown can't find (domain): Server failed

    nslookup -type=TXT domain

    Server: UnKnown Address: ...

    UnKnown can't find (domain): Server failed

    nslookup -type=CNAME cname_record

    Server: UnKnown Address: ...

    UnKnown can't find (cname_record): Server failed

answered 17 days ago
