AWS Lightsail Distribution Certificate Validation Issue: Added Namecheap CNAME, Still "No Available Certificates" After 8+ Hours

0

I'm setting up a WordPress site on AWS Lightsail. I created a distribution under Networking > Distribution and am trying to add a certificate in Custom Domains. I created the certificate in Lightsail and manually added the required CNAME records to the Namecheap panel (domain and existing SSL are with Namecheap).

After waiting over 8 hours, I still get the error: "You have no available certificates in this AWS Region. Create a certificate to use custom domains with your distribution." I haven't moved DNS NS records to AWS; they're still with Namecheap.

Is this due to DNS propagation delay, a missing CAA record, or something else? How can I resolve this? Please provide step-by-step suggestions.

2 Answers
0

If you are maintaining the DNS records with a third party (3p), do not create any DNS records in Lightsail (unless you're delegating a sub-domain to Lightsail; you could create an NS record at 3p that delegates to blog.<mydomain>.com and manage all the records for that sub-domain in Lightsail).

Assuming all your records are hosted with a third-party, you'd also add the CNAME record from Lightsail back at the third-party provider.

  • First, go to the distribution page and check if the certificate is still trying to validate; it will fail validation after 72 hours.
  • Delete the certificate if validation has failed
  • Create a new certificate
  • Copy the entire content of the record to a new CNAME record with your third-party provider
  • During the first few hours, the validation system checks frequently and should resolve your record as soon as it's available (you can always confirm the record is being found through DNS using the dig command recommended above with the target from your certificate)

AWS
answered 8 months ago
EXPERT
reviewed 8 months ago
0

When setting up a custom domain with an AWS Lightsail distribution, certificate validation issues can occur for several reasons. Based on your situation, here are the likely causes and solutions:

  1. Certificate Validation Status: First, check the actual status of your certificate in the Lightsail console. The certificate might still be in "Attempting to validate your certificate" status or may have failed with "Validation timed out" after 72 hours.

  2. CNAME Record Verification: Ensure you've correctly added the CNAME records to your Namecheap DNS configuration. You can verify if the CNAME records are properly configured by using the dig command:

dig CNAME <CNAME from Certificate>.yourdomain.tld +short

This should return the validation value provided by AWS.

  3. CAA Records Issue: If you're using Cloudflare or another service that automatically adds CAA (Certification Authority Authorization) records, these might be preventing AWS from issuing certificates for your domain. Check if there are any CAA records in your DNS configuration that could be blocking AWS certificate issuance.

  4. Certificate Region: Make sure you created the certificate in the same AWS region as your distribution. Certificates are region-specific.

  5. Failed Certificate Request: If a previous certificate request failed, you may need to delete it and create a new one. In the Lightsail console, find the failed certificate, delete it, and then request a new one.

Steps to resolve:

  1. Check your certificate's validation status in the Lightsail console
  2. If it shows "Validation timed out," delete the certificate and create a new one
  3. Carefully copy the new CNAME record name and value to your Namecheap DNS settings
  4. If using Cloudflare or similar services, check for and modify any CAA records to allow AWS to issue certificates
  5. Wait for DNS propagation (typically minutes to a few hours, though it can take up to 72 hours in some cases)

If the issue persists after these steps, you might need to check if there are any specific DNS configuration issues with Namecheap or consider temporarily moving your DNS management to Route 53 to simplify the certificate validation process.
Sources
Validate SSL/TLS certificates for Lightsail distributions - Amazon Lightsail
Unable to request a Certificate in AWS | AWS re:Post
Verify SSL/TLS certificate domains with CNAME records in Lightsail - Amazon Lightsail
Pending SSL Certificate request | AWS re:Post
Lightsail Certificates: Certificate validation always fails with external DNS managed by Cloudflare | AWS re:Post

answered 9 months ago
AWS
EXPERT
reviewed 9 months ago
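
The two DNS checks the answers above describe (the dig CNAME lookup and the CAA review), as an added Python example that is not part of either answer or of AWS documentation. The function names and sample records are constructed for illustration, and the CA list is the set Amazon documents for ACM CAA records, assumed here to apply to Lightsail certificates as well.

```python
import subprocess

# CA identifiers Amazon documents for CAA "issue" records (ACM); assumed to
# cover Lightsail certificates too.
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

def norm(name):
    """Lower-case and drop the trailing root dot so DNS names compare equal."""
    return name.strip().rstrip(".").lower()

def cname_matches(dig_output, expected_value):
    """True if a line of `dig CNAME <name> +short` equals the console value."""
    lines = [l for l in dig_output.splitlines() if l.strip()]
    return any(norm(l) == norm(expected_value) for l in lines)

def caa_allows_amazon(dig_output, wildcard=False):
    """Evaluate `dig CAA <domain> +short` lines, e.g. 0 issue "letsencrypt.org"."""
    issue, issuewild = [], []
    for line in dig_output.splitlines():
        parts = line.split(None, 2)          # flags, tag, quoted value
        if len(parts) != 3:
            continue
        tag = parts[1].lower()
        # Value may carry parameters after ';' and may be just ";" (deny all).
        ca = norm(parts[2].strip().strip('"').split(";")[0])
        if tag == "issue":
            issue.append(ca)
        elif tag == "issuewild":
            issuewild.append(ca)
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                          # no restricting record: any CA may issue
    return any(ca in AMAZON_CAS for ca in relevant)

def dig(rtype, name):
    """Run the same lookup as the dig command shown in the answer."""
    cmd = ["dig", rtype, name, "+short"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def check(record_name, record_value, domain):
    """Live check: (CNAME resolves to the console value, CAA permits Amazon)."""
    return (cname_matches(dig("CNAME", record_name), record_value),
            caa_allows_amazon(dig("CAA", domain)))

if __name__ == "__main__":
    # Constructed sample output; replace with check(...) against real records.
    print(cname_matches("_b2.validation.example.net.\n", "_B2.validation.example.net"))
    print(caa_allows_amazon('0 issue "letsencrypt.org"\n'))
```

An empty CNAME result means the record is not visible in public DNS yet, and a False from the CAA check means an existing `issue` record names other CAs only. CAA lookups climb toward the parent domain, so run the CAA check on the apex as well as on any sub-domain.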
