ACM Certificate request with DNS validation fails immediately


As soon as I request a certificate for my domain or any subdomains, validation fails with an error requesting additional information. My domain is certainly nowhere close to Alexa's top 1000. The "Domains" section does not show me any CNAME records that I could enter in my DNS provider (Cloudflare). As instructed by the help center, I am creating a thread here. How can I get my domain ownership validated?

asked 8 months ago · 314 views
1 Answer

You didn't mention your domain, but a wild guess is that this might be because Cloudflare has CAA records set up for your domain that prevent AWS from issuing the cert.


CAA records, also known as Certification Authority Authorization records, are used to restrict which Certificate Authorities are allowed to issue certificates for your domain. In this instance it seems Cloudflare's Universal SSL automatically created CAA records for the providers they use, including Let's Encrypt, DigiCert, and others. When AWS Amplify attempts to issue you with a certificate, their system will check your domain's CAA records. If AWS isn't listed then it will return an error.

You can verify this with your favorite DNS tool or by using online services like

answered 8 months ago
  • Thanks for the suggestion. There weren't any CAA records on my domain. I tried to explicitly create the necessary CAA records, as per the article on, but that did not help. If it helps, the domain is
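To make the CAA check in the answer concrete, here is an added example (not from the original thread or from AWS) that evaluates a name's CAA records the way a CA does under RFC 8659 and reports whether ACM's documented CAA identities (amazon.com, amazontrust.com, awstrust.com, amazonaws.com) are permitted. The zone data is constructed so it runs offline; replace it with the output of a real lookup such as `dig CAA yourdomain` to test your own domain.

```python
# Added example, not the original poster's or AWS's code. Evaluates CAA
# records per RFC 8659 against a CA's identities. Zone data is constructed.
from typing import Dict, List, Optional, Tuple

# ACM's documented CAA values; any one of them authorizes ACM to issue.
ACM_CA_IDS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed zone: name -> list of (flags, tag, value) CAA records.
# example.com mirrors a Cloudflare Universal SSL setup that only permits
# Let's Encrypt and DigiCert; ok.example.com adds ACM; example.org has none.
SAMPLE_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issue", "digicert.com")],
    "ok.example.com": [(0, "issue", "amazon.com")],
    "example.org": [],
}


def lookup_caa(name: str, zone: Dict) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Relevant Record Set: climb toward the root until a CAA set is found."""
    labels = name.lstrip("*.").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset:
            return candidate, rrset
    return None, []


def ca_permitted(name: str, ca_ids, zone: Dict) -> Tuple[bool, str]:
    """Return (permitted, reason) for issuing a cert for `name` by a CA with `ca_ids`."""
    owner, rrset = lookup_caa(name, zone)
    if not rrset:
        return True, "no CAA records found at any level; any CA may issue"
    for flags, tag, _ in rrset:
        # A critical flag (128) on a tag the CA does not understand forbids issuance.
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"{owner} has critical CAA tag {tag!r} this CA does not understand"
    wildcard = name.startswith("*.")
    # For wildcard names issuewild records take precedence; otherwise use issue.
    tags = [r for r in rrset if r[1] == "issuewild"] if wildcard else []
    if not tags:
        tags = [r for r in rrset if r[1] == "issue"]
    # Value is "<ca-domain>[; param=value ...]"; only the domain part matters here.
    allowed = {r[2].split(";")[0].strip().lower() for r in tags}
    matched = allowed & set(ca_ids)
    if matched:
        return True, f"{owner} CAA authorizes {sorted(matched)}"
    if allowed == {""}:  # an 'issue ";"' record explicitly forbids every CA
        return False, f"{owner} CAA forbids all issuance"
    return False, f"{owner} CAA only allows {sorted(allowed)}"
```

If the result for your domain is `False` with a list of other CAs, add an `issue` (and, for wildcards, `issuewild`) record for one of the ACM identities, or remove the restricting records, before requesting the certificate again.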
