
Certificate Status still pending validation

0

Hello! Background:

  • I use Route 53 as my hosting service
  • I have completed the steps from establishing a certificate from ACM

Issues

  • Issue #1: My Certificate never came out of "Pending Validation" status even though I can access my page, which is set behind CloudFront and seems to be working fine.
  • Issue #2: I am receiving an email from AWS "Action Required - Your certificate renewal."
  • Issue #3: I followed the video Why is my AWS Certificate Manager certificate DNS validation status still pending validation?, and I was able to perform the "Create a new record in Route 53" and run the "dig" successfully after requesting the new record.
Lab-Desktop-00:~$ dig _9x2f07SomethingSomethingSomething1c.discipleship28go.com. +short
_4fdzd991876cefSomethingSomethingSomething.xzraasdfaslb.acm-validations.aws.

and

Lab-Desktop-00:~$ dig NS discipleship28go.com +short
ns-1401Something.org.
ns-198.Something.co.uk.
ns-50.Something.com.

Servers

However, the status is still pending validation. Any thoughts as to why?

1 Answer
0
Accepted Answer

Based on the information provided, there are a few potential reasons why your certificate is still showing a "Pending Validation" status despite your efforts:

  1. Time delay: After creating the DNS records, it can take up to 30 minutes for the certificate status to update. If you've recently added the CNAME record, you may need to wait a bit longer for the validation to complete.

  2. CAA records: Check if there are any Certification Authority Authorization (CAA) records that might be blocking the certificate issuance. These records can prevent ACM from issuing the certificate even if the DNS validation appears correct.

  3. DNS propagation: Although you've successfully added the CNAME record and can see it with the 'dig' command, it's possible that the DNS changes haven't fully propagated across all DNS servers. This can cause a delay in the validation process.

  4. Multiple domains: If your certificate covers multiple domain names, ensure that you've added the correct CNAME records for all of them. The certificate won't be issued until all domains are validated.

  5. Renewal vs. New certificate: Since you're receiving a renewal email, it's possible that you're looking at a new certificate request instead of the renewal of the existing one. Double-check that you're reviewing the correct certificate in the ACM console.

To address these issues:

  1. Wait for at least 30 minutes to an hour after adding the DNS records before checking again.
  2. Verify that there are no CAA records blocking ACM from issuing the certificate.
  3. Check the CNAME records for all domains covered by the certificate.
  4. Ensure you're looking at the correct certificate in the ACM console (renewal vs. new request).

If the problem persists after checking these points, you may need to contact AWS support for further assistance, as there could be an underlying issue with the ACM service or your specific account.
Sources
Troubleshoot certificate validation - AWS Certificate Manager
Troubleshoot DNS validation problems - AWS Certificate Manager
AWS Certificate Manager DNS validation - AWS Certificate Manager
CertificateDetail - AWS Certificate Manager

answered 2 months ago
EXPERT
reviewed 2 months ago
  • Yes, that was the issue. The status has now changed to "Success."

    Thank you.
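
The CAA check suggested in the answer, as an added example that is not part of the original thread or of AWS's own tooling: it climbs from the certificate name toward the root as RFC 8659 describes and reports whether the first CAA record set found authorizes an Amazon CA. The list of Amazon CA domains comes from the ACM documentation rather than from this page, and `example.com` with its records is a constructed sample.

```python
import subprocess

# CA domains that authorize Amazon in a CAA record, per the ACM documentation
# (assumption: this list is not given in the thread above).
AMAZON_CAS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed sample zone: only another CA is authorized.
SAMPLE_ZONE = {"example.com": ['0 issue "letsencrypt.org"']}


def dig_caa(name):
    """Return the non-empty lines of `dig CAA <name> +short`."""
    out = subprocess.run(["dig", "CAA", name, "+short"],
                         capture_output=True, text=True, timeout=10).stdout
    return [line for line in out.splitlines() if line.strip()]


def parse_caa(line):
    """Turn '0 issue "amazon.com; x=y"' into ('issue', 'amazon.com'), else None."""
    parts = line.split(None, 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None  # e.g. a CNAME target line in +short output
    value = parts[2].strip().strip('"').split(";")[0].strip().lower()
    return parts[1].lower(), value


def acm_allowed(domain, lookup=dig_caa):
    """Return (allowed, name_holding_the_CAA_set_or_None) for one certificate name."""
    wildcard = domain.startswith("*.")
    labels = domain.removeprefix("*.").rstrip(".").lower().split(".")
    # RFC 8659: climb toward the root; the first CAA record set found decides.
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = [r for r in map(parse_caa, lookup(name)) if r]
        if not records:
            continue
        issue = [v for tag, v in records if tag == "issue"]
        issuewild = [v for tag, v in records if tag == "issuewild"]
        # Wildcard names use issuewild when present, otherwise fall back to issue.
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            return True, name  # set has no issuance restriction (e.g. only iodef)
        return bool(AMAZON_CAS & set(relevant)), name
    return True, None  # no CAA anywhere: any CA, including Amazon, may issue


if __name__ == "__main__":
    print(acm_allowed("www.example.com", lambda n: SAMPLE_ZONE.get(n, [])))
```

Call `acm_allowed()` once for every name on the certificate, including any `*.` wildcard name, since each is checked separately.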
