By using AWS re:Post, you agree to the Terms of Use

[obsolete] CNAME records already present, but ACM still marks the certificate as "Pending validation"


We have a certificate generating warnings about its validation status (three common names, three CNAME records required for validation).

The problem is those exact CNAME records were existing all this time (I have re-created the same records, using shorter TTL, but ACM still generates same warning).

How can I handle this without deleting the certificate (which will render related services unusable) and re-creating it anew?

Update of December 25. I had to replace the certificate instead of wasting more time on attempts to understand why ACM fails to conclude the validation (all the CNAME records were valid and in place for weeks, yet ACM refused to conclude the validation).

Honestly, I am very disappointed. ACM could provide the exact problem, so I could look into it, instead of giving vague pieces of advice (of the type "something is wrong").

1 Answer

Could be the third case from

"The CNAME record is added to the correct DNS configuration, but the DNS provider automatically adds the bare domain to the end of its DNS records"

answered 10 months ago
  • Thanks for the prompt response.

    The above is unlikely. I have tested every created CNAME record with a command like

    $ dig CNAME

    (the CNAME record above is changed to exclude the actual domain name)

    and the response was exactly matching what ACM expects in domain details.

  • Some DNS providers can take 24–48 hours to propagate DNS records. Did you also check for trailing period added by DNS provider?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions