Amplify Custom Domain Stuck in AWAITING_APP_CNAME — SSL Certificate Verification Failing Despite Correct DNS

App Details:

  • App ID: d3dc2tzc02262v
  • App Name: kova-care-intelligence
  • Region: ap-southeast-2
  • Custom domain: kovacare.ai
  • Target subdomain: portal.kovacare.ai
  • DNS Provider: GoDaddy

Problem: Custom domain setup is stuck in AWAITING_APP_CNAME status and certificate verification keeps failing with the error: "Unable to update domain association as certificate verification was not successful." Both DNS records are correctly configured and resolving, as confirmed by dig:

  • Portal CNAME — resolving correctly: portal.kovacare.ai → d2e0t3pt8a6dp6.cloudfront.net
  • SSL validation CNAME — resolving correctly: _42e43da9ec96f25e288bb2f412f81b77.kovacare.ai → _f6f62a072aba256c300e1e1b2a94a309.jkddzztszm.acm-validations.aws

Timeline of events:

  1. First added the custom domain via the Amplify Console; it failed during SSL configuration.
  2. Deleted and re-added the domain multiple times via the Console; each retry generated a new CloudFront distribution, causing CNAME conflicts.
  3. Deleted all domain associations via the CLI and re-created them cleanly using:

```bash
aws amplify create-domain-association \
  --app-id d3dc2tzc02262v \
  --domain-name kovacare.ai \
  --sub-domain-settings prefix=portal,branchName=main \
  --region ap-southeast-2
```

  4. Updated GoDaddy with the new CloudFront value d2e0t3pt8a6dp6.cloudfront.net.
  5. Verified via dig that both DNS records resolve correctly.
  6. Domain status shows AWAITING_APP_CNAME with verified: false despite the CNAME resolving correctly.
  7. Attempted update-domain-association via the CLI; it returns the certificate verification error.

Current domain association status:

```json
{
  "status": "AWAITING_APP_CNAME",
  "subDomains": [
    {
      "prefix": "portal",
      "branchName": "main",
      "verified": false,
      "dnsRecord": "portal CNAME d2e0t3pt8a6dp6.cloudfront.net"
    }
  ],
  "certRecord": "_42e43da9ec96f25e288bb2f412f81b77.kovacare.ai. CNAME _f6f62a072aba256c300e1e1b2a94a309.jkddzztszm.acm-validations.aws."
}
```

What we need:

  • Please investigate why certificate verification is failing despite both DNS records resolving correctly.
  • Please check whether any orphaned/stale CloudFront distributions from previous failed attempts are still associated with portal.kovacare.ai and may be causing conflicts.
  • Please manually trigger certificate verification or clear the stuck state so domain activation can complete.

Additional context:

  • The amplifyapp.com domain is working correctly (https://main.d3dc2tzc02262v.amplifyapp.com).
  • All Lambda functions, API Gateway, and backend services are working correctly.
  • This is a production app being prepared for a pilot deployment.

1 Answer

Based on your situation, here are the key points to address your stuck custom domain configuration:

Understanding the AWAITING_APP_CNAME Status: When a custom domain shows AWAITING_APP_CNAME status, it means AWS Amplify is waiting for DNS propagation and verification. The verified: false status indicates that Amplify hasn't yet confirmed the DNS records are properly configured, even though your dig queries show they're resolving correctly.

Common Causes and Solutions:

  1. DNS Propagation Delays: Even though dig shows the records resolving, DNS propagation can take time globally. AWS performs verification from multiple locations, and some DNS servers may still be caching old values. This typically resolves within 24-48 hours, though it can sometimes take longer.

  2. Certificate Validation Timing: The ACM certificate validation process is automatic but can experience delays. The certificate must be validated before the domain association can complete. Since you've recently recreated the domain association, the validation CNAME record is new and may still be propagating.

  3. Multiple Recreation Attempts: Your multiple deletion and recreation attempts may have created a backlog in the validation queue. Each time you delete and recreate, a new certificate request is generated, and previous validation attempts may still be in progress.

Recommended Actions:

  • Wait for Propagation: Allow 24-48 hours for full DNS propagation and certificate validation to complete after your most recent clean setup
  • Avoid Further Changes: Don't delete and recreate the domain association again, as this resets the validation process
  • Monitor Status: Use aws amplify get-domain-association to check status periodically rather than attempting updates
  • Verify DNS at Source: Ensure your GoDaddy DNS records have no conflicting entries and that TTL values aren't set too high (recommended: 300-3600 seconds)

Important Considerations:

The certificate verification process is fully automated and cannot be manually triggered. AWS Amplify will continuously retry validation until it succeeds. The process checks both that the DNS records exist and that they resolve correctly from AWS's validation infrastructure.

If the issue persists beyond 48 hours with no status change, you may need to contact AWS Support directly with your App ID, as they can investigate internal validation logs and check for any infrastructure-level issues that might be preventing certificate issuance.

For production deployments, it's recommended to set up custom domains well in advance of launch dates to account for DNS propagation and validation timing.

answered a month ago
EXPERT
reviewed 25 days ago
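The answer suggests polling aws amplify get-domain-association and checking the DNS records at the source, and the question shows the two dig lookups. The script below is an added example, not code from the poster or from AWS: it takes the domain-association JSON (a constructed sample in the shape quoted in the question), extracts the portal CNAME and the ACM validation CNAME, and compares each against what dig returns, normalising case and trailing dots so a target such as "...acm-validations.aws." compares equal to "...acm-validations.aws". The apex domain kovacare.ai and the RUN_LIVE switch are assumptions of the example.

```shell
#!/bin/sh
# Added example: compare the CNAME records Amplify expects with live DNS.

# Constructed sample in the shape of the JSON quoted in the question.
SAMPLE_JSON='{"status":"AWAITING_APP_CNAME","subDomains":[{"prefix":"portal","branchName":"main","verified":false,"dnsRecord":"portal CNAME d2e0t3pt8a6dp6.cloudfront.net"}],"certRecord":"_42e43da9ec96f25e288bb2f412f81b77.kovacare.ai. CNAME _f6f62a072aba256c300e1e1b2a94a309.jkddzztszm.acm-validations.aws."}'

# Lower-case and drop one trailing dot so "x.aws." and "X.aws" compare equal.
norm() { printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'; }

# Fetch the string value of a JSON key (first match) without needing jq.
json_str() { printf '%s' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"; }

# Turn an Amplify record "name CNAME target" into "name target", both
# normalised; a bare prefix such as "portal" is qualified with the apex.
record_pair() { # $1 = record string, $2 = apex domain
  name=$(printf '%s' "$1" | awk '{print $1}')
  target=$(printf '%s' "$1" | awk '{print $3}')
  case "$name" in
    *.*) ;;                  # already fully qualified (the ACM record)
    *)   name="$name.$2" ;;  # subdomain prefix only
  esac
  printf '%s %s' "$(norm "$name")" "$(norm "$target")"
}

# Resolve one name with dig and report whether it matches the expected target.
check_cname() { # $1 = name, $2 = expected target
  got=$(dig +short CNAME "$1" 2>/dev/null | head -n 1)
  if [ "$(norm "$got")" = "$2" ]; then
    echo "OK    $1 -> $got"
  else
    echo "MISS  $1 expected $2 got '${got:-<no answer>}'"
    return 1
  fi
}

# Check both records; return 1 if either does not match what DNS serves.
check_all() { # $1 = JSON, $2 = apex domain
  rc=0
  for key in dnsRecord certRecord; do
    pair=$(record_pair "$(json_str "$key" "$1")" "$2")
    check_cname $pair || rc=1   # $pair unquoted on purpose: "name target"
  done
  return $rc
}

# The live run needs dig and network access, so it is opt-in: RUN_LIVE=1 ./check.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  check_all "$SAMPLE_JSON" kovacare.ai
fi
```

For a live check, put the output of aws amplify get-domain-association into the JSON variable in place of the sample; the CLI nests its fields and may use different key names than the trimmed JSON quoted in the question, so pass the matching keys to json_str.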
  • Thank you for the response. I have waited more than 48 hours since the last clean domain association was created via CLI. The status has now changed from AWAITING_APP_CNAME to FAILED.

    Current domain association status:

    • Domain status: FAILED
    • Subdomain portal.kovacare.ai: verified: true ✅
    • SSL certificate verification: FAILED ❌

    The subdomain CNAME is now verified and resolving correctly:

    • portal.kovacare.ai → d2e0t3pt8a6dp6.cloudfront.net ✅

    The SSL validation CNAME record is also correctly configured in GoDaddy:

    • _42e43da9ec96f25e288bb2f412f81b77.kovacare.ai → _f6f62a072aba256c300e1e1b2a94a309.jkddzztszm.acm-validations.aws ✅

    Both DNS records resolve correctly via dig. Despite this, ACM certificate verification has failed. I have not made any further changes since the clean CLI recreation.

    I would like to request escalation to a human engineer who can:

    1. Investigate why ACM certificate verification failed despite the validation CNAME resolving correctly
    2. Check for any orphaned or stale CloudFront distributions or ACM certificates from previous failed attempts that may be causing conflicts
    3. Manually clear or reset the failed certificate state so a fresh validation can be attempted

    This is a production application being prepared for an aged care pilot deployment in Australia.

    • App ID: d3dc2tzc02262v
    • Region: ap-southeast-2
    • Custom domain: kovacare.ai
    • Target subdomain: portal.kovacare.ai

    Please advise on next steps or escalate to Tier 2 support.

    Thank you, Victor
