ACM certificate won't validate for newly registered domain in Route53


I registered a new domain with AWS in Route 53 3 days ago. I then created an ACM certificate for the domain, with the same name, and used the "Create record in Route 53" functionality. 3 days later my certificate is still in "Validation pending" state even though the validation record exists.

Worth noting: I can access the CNAME validation record with nslookup. Is this just a case of waiting for propagation or something? I expected 3 days (~60 hours) to be long enough.

1 Answer


I understand that you have followed the whole domain registration procedure [1] and you specified all the values needed when registering a domain [2], but your certificate is still in "Validation pending" state even though the validation record exists. Some domain registrars don't populate the contact information in WHOIS ("Who is") data. Your ACM certificate issue or renewal can be affected if:

  1. Your domain registrar doesn't include contact email addresses in WHOIS data.
  2. You use custom email addresses in WHOIS for certificate validation.

The WHOIS lookup for email validation is performed on the apex domain and searches for email addresses in the domain registrant, technical contact, and administrative contact fields. Verify your listed email addresses using a WHOIS query [3]. For additional information, see Enabling or disabling privacy protection for contact information for a domain [4].

To troubleshoot your problem, you can choose from the following two options, depending on your preference and the effort required for maintaining or switching. You can't convert an ACM certificate's validation method from email to DNS or from DNS to email. To switch validation methods, request a new ACM certificate to replace the previous one.

Use Email: To check the certificate for your domain and verify the email addresses:

  1. Open the ACM console, and then choose List certificates.
  2. Choose the certificate that you want to renew.
  3. In Domains, note the Registered owners field. Usually the registered owners include [7]. If the five system email addresses aren't listed, confirm that the domain has at least one valid MX record using the following commands:

Linux and macOS: $ dig mx

Windows: $ nslookup -q=mx

Follow the instructions for resending the validation email using the AWS Management Console or the AWS CLI [5].

For more information, see Troubleshoot email validation problems [6].

Use DNS: To switch to DNS validation, recreate the ACM certificate, and then select DNS for validation. DNS validation has several advantages over email validation, especially if Amazon Route 53 is the DNS provider for your domain.

  • DNS requires that you create one CNAME record per domain name used only for requesting an ACM certificate. Email validation sends up to eight email messages per domain name.
  • You can request additional ACM certificates for your fully qualified domain name (FQDN) if the DNS record is in use.
  • ACM automatically renews certificates that you validated using DNS. ACM renews each certificate before expiration if the certificate and DNS record are both in use.
  • ACM can add the CNAME record for you if you use Route 53 to manage your public DNS records.
  • Automation using the DNS validation process is less complex than using the email validation process.
  • You can switch to DNS validation at no additional cost.

References: [1] [2] [3] [4] [5] [6] [7]

I hope the information below is helpful. Feel free to reach out at any time.

answered 2 years ago
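The answer above has you confirm two things by hand: that the CNAME ACM asked for resolves to exactly the value ACM expects, and (for email validation) that the apex domain has at least one MX record. The following is an added example, not code from the question or the answer, that performs both checks offline over `dig +noall +answer` style output. The record names, the `_a1b2c3`/`_d4e5f6` tokens and the `mail.example.com` host are constructed placeholders; the `acm-validations.aws` suffix is the zone ACM uses for its validation targets, and the expected name/value pair is assumed to have been copied from the certificate's DomainValidationOptions.

```python
"""Offline sanity check of the DNS records an ACM validation depends on.

Parses `dig +noall +answer` output (NAME TTL CLASS TYPE RDATA per line) and
checks that the ACM validation CNAME matches exactly and that an MX record
exists for the apex domain. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str   # owner name, normalised (lower-case, no trailing dot)
    ttl: int
    rtype: str  # record type, e.g. CNAME, MX
    rdata: str  # right-hand side as printed by dig


def norm(name: str) -> str:
    """DNS names are case-insensitive; compare without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_dig_answer(text: str) -> list[RR]:
    """Parse the answer section that `dig +noall +answer` prints."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or dig comment
            continue
        parts = line.split(None, 4)                # NAME TTL CLASS TYPE RDATA
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append(RR(norm(name), int(ttl), rtype.upper(), rdata.strip()))
    return records


def check_acm_cname(records: list[RR], expected_name: str, expected_value: str):
    """Return (ok, reason).

    ACM only accepts an exact CNAME from the name it gave you to the value it
    gave you. Case and trailing-dot differences are tolerated, because they are
    not significant in DNS; anything else (wrong owner name, wrong target, or
    several conflicting CNAMEs) means the validation will stay pending.
    """
    want_name, want_value = norm(expected_name), norm(expected_value)
    cnames = [r for r in records if r.name == want_name and r.rtype == "CNAME"]
    if not cnames:
        return False, f"no CNAME record found at {want_name}"
    if len(cnames) > 1:
        return False, f"{len(cnames)} CNAME records at {want_name}; expected exactly one"
    got = norm(cnames[0].rdata)
    if got != want_value:
        return False, f"CNAME at {want_name} points to {got}, ACM expects {want_value}"
    return True, "validation CNAME matches what ACM expects"


def has_mx(records: list[RR], domain: str) -> bool:
    """True if at least one MX record exists for the (apex) domain."""
    return any(r.name == norm(domain) and r.rtype == "MX" for r in records)


# Constructed sample: what `dig +noall +answer` might print for the two
# queries the answer asks you to run (validation CNAME and apex MX).
SAMPLE_DIG_OUTPUT = """
_a1b2c3.example.com.   300  IN  CNAME  _d4e5f6.acm-validations.aws.
example.com.           300  IN  MX     10 mail.example.com.
"""

# Assumed to have been copied from the certificate's DomainValidationOptions.
EXPECTED_NAME = "_a1b2c3.example.com."
EXPECTED_VALUE = "_D4E5F6.acm-validations.aws"   # case/dot differences are fine


if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_DIG_OUTPUT)
    ok, why = check_acm_cname(recs, EXPECTED_NAME, EXPECTED_VALUE)
    print(f"CNAME check: {ok} ({why})")
    print(f"MX present for example.com: {has_mx(recs, 'example.com')}")
```

In practice you would feed the script the real `dig +noall +answer <name> CNAME` output and the name/value pair shown on the certificate's page; a mismatch message pinpoints whether the record was created at the wrong owner name (a common outcome when the zone suffix gets appended twice) or with the wrong target.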
