When you request a certificate from AWS Certificate Manager (ACM), it needs to be validated before it can be issued. The validation process confirms that you own or control the domain names specified in your certificate request. There are two main methods for validation: DNS validation and email validation.
If your certificate is still pending validation after 3 days, it's likely that you need to take some action to complete the validation process. Here are some key points to consider:
- Certificate requests typically time out if they are not validated within 72 hours (3 days). Since you're at this point, you may need to start the process over.
- If you chose email validation when requesting the certificate, you or an authorized representative should have received validation emails at common email addresses for the requested domain (such as admin@yourdomain.com, administrator@yourdomain.com, etc.). Check these inboxes, including spam folders, for the validation email.
- If you chose DNS validation, you need to add a CNAME record to your DNS configuration. ACM should have provided you with the necessary CNAME information when you requested the certificate.
- It's recommended to use DNS validation over email validation when possible, as it's generally more reliable and easier to automate.
- If you're not sure which validation method you chose or what action to take, you can check the ACM console for more information about your certificate request.
- If you're still having trouble, you may want to delete the pending certificate request and start over. In the ACM console, you can select the certificate, choose "Actions," and then "Delete." After that, you can request a new certificate and pay close attention to the validation instructions provided.
- Make sure your domain's DNS is properly configured, especially if you purchased the domain through AWS. Ensure that the nameservers are correctly set up in Route 53 if you're using AWS's DNS service.
If you continue to have issues, you may want to consult AWS documentation or reach out to AWS support for further assistance.
Sources
Certificate Manger is pending validation after 48 hours | AWS re:Post
AWS Certificate Manager email validation - AWS Certificate Manager
Troubleshoot certificate validation - AWS Certificate Manager
Troubleshoot certificate requests - AWS Certificate Manager
Requested certificates for my domain pending approval for long time. | AWS re:Post
Could you please add more information, which validation method was used while creating certificate? Which is your DNS Provider?
If it is DNS validation, ACM provides you with one or more CNAME records. These records contain a unique key-value pair that serves as proof that you control the domain.
(Assuming you are using Route 53 as your DNS provider) Validate with Route 53: in the Domains section, complete one of the following two procedures. Choose the Create records in Route 53 button, then choose Create records. The Certificate status page should open with a status banner reporting Successfully created DNS records. Your new certificate might continue to display a status of Pending validation for up to 30 minutes.
https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html
Email Validation: https://docs.aws.amazon.com/acm/latest/userguide/email-automation.html
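The answer above describes the CNAME key-value pair ACM hands out for DNS validation. As an added example (not code from this answer or from AWS), the script below pulls those records out of an `aws acm describe-certificate` response, builds the Route 53 change batch that would create them, and diagnoses what a resolver actually returns against what ACM expects, including the misspelled-name and zone-suffix-appended-twice mistakes that leave a certificate stuck in Pending validation. The `DomainValidationOptions[].ResourceRecord` and ChangeBatch shapes are the real API formats; the ARN, domain, hosted zone and validation tokens are constructed placeholders.

```python
"""Turn ACM's DNS-validation CNAME into a Route 53 change batch, then diagnose
what a resolver actually returns against it.

Added example, not code from the re:Post answers or from AWS. The
`DomainValidationOptions[].ResourceRecord` shape and the Route 53 ChangeBatch
shape are the real API formats; the ARN, domain and validation tokens below
are constructed placeholders.
"""
import json

# Constructed sample mirroring `aws acm describe-certificate` output.
DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_aaaa1111.example.com.", "Type": "CNAME",
                                "Value": "_bbbb2222.acm-validations.aws."}},
            {"DomainName": "www.example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_cccc3333.www.example.com.", "Type": "CNAME",
                                "Value": "_dddd4444.acm-validations.aws."}},
        ],
    }
}


def norm(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.strip().lower().rstrip(".")


def expected_records(describe):
    """Extract the (name, type, value) tuples ACM expects, de-duplicated
    (a wildcard and its apex can share a single validation record)."""
    seen, out = set(), []
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if not rr:
            continue
        key = (norm(rr["Name"]), rr["Type"], norm(rr["Value"]))
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def route53_change_batch(describe, ttl=300):
    """Build the JSON for `aws route53 change-resource-record-sets --change-batch`.
    UPSERT is idempotent, so re-running it after fixing a typo is safe."""
    changes = []
    for name, rtype, value in expected_records(describe):
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name + ".", "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": value + "."}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


def diagnose(describe, observed):
    """Compare expected records with what DNS serves. `observed` maps a record
    name to a list of (type, value) answers, e.g. collected with dig."""
    obs = {norm(n): [(t, norm(v)) for t, v in answers] for n, answers in observed.items()}
    findings = {}
    for name, rtype, value in expected_records(describe):
        answers = obs.get(name)
        if answers is None:
            # Common console mistake: typing the full name into a field that already
            # appends the zone, which yields _token.example.com.example.com.
            first_label = name.split(".")[0]
            near = [n for n in obs if n.startswith(first_label + ".")]
            findings[name] = ("missing; similar name present: " + ", ".join(near)
                              if near else "missing")
        elif (rtype, value) in answers:
            findings[name] = "ok"
        elif any(t == rtype for t, _ in answers):
            findings[name] = "value mismatch: got " + ", ".join(v for _, v in answers)
        else:
            findings[name] = "wrong record type: " + ", ".join(t for t, _ in answers)
    return findings


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(DESCRIBE_CERTIFICATE), indent=2))
```

Feed `diagnose` the answers from `dig CNAME _token.example.com` (or from a public resolver, if you suspect a local caching problem) and act on any finding other than `ok`; the "similar name present" case is exactly the misspelled or doubled-suffix record that ACM will never see.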
Make sure your hosted domain can be found when you search for it by clicking Create CNAME on the certificate page. Once found, create the CNAME to match what the cert expects. I had misspelled it on the hosted zone.
I asked Amazon Q and my name servers were not correct:
I understand you're having trouble with your DNS resolution in Route 53. This can be frustrating, but there are several potential reasons and solutions we can explore:
DNS Propagation: If you've recently made changes to your DNS settings, it can take up to 48 hours for these changes to propagate globally. This is a normal part of the DNS system and not specific to Route 53.
Name Server Configuration: Ensure that you've correctly updated the name servers with your domain registrar to point to Route 53's name servers. If this step is missed, your DNS won't resolve correctly.
TTL (Time to Live) Settings: DNS resolvers cache information for a period specified by the TTL. If you've made recent changes, some resolvers might still be using old cached information. You can check the TTL value for your records in the Route 53 console.
Multiple Hosted Zones: If you have multiple hosted zones with the same name, Route 53 will use the name servers associated with the domain registration. Make sure you're updating the correct hosted zone.
Local DNS Cache: Your desktop's local DNS cache might be holding onto old information. Try flushing your DNS cache to ensure you're getting the most up-to-date information.
Firewall or Security Software: Sometimes, security software or firewalls can interfere with DNS resolution. Temporarily disabling these (if safe to do so) can help isolate the issue.
Route 53 Resolver DNS Firewall: If you're using Route 53 Resolver DNS Firewall, ensure that your rules aren't inadvertently blocking the resolution of your domain.
To troubleshoot further:
Use DNS checking tools like DNSChecker or IntoDNS to verify your DNS configuration from multiple global locations.
Check your Route 53 hosted zone configuration to ensure all records are set up correctly.
Verify that your domain's name servers are correctly set to Route 53's name servers in your domain registrar's settings.
Try using a public DNS resolver like Google's (8.8.8.8) to test if the issue is specific to your local network.
If you continue to experience issues after trying these steps, I recommend reviewing the AWS Route 53 troubleshooting documentation or reaching out to AWS Support for more personalized assistance. They can provide deeper insights into your specific configuration and help resolve any complex issues.
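The Name Server Configuration and Multiple Hosted Zones points above are the two delegation problems that most often make a correctly created validation CNAME invisible to ACM. As an added example (not code from this answer, from Amazon Q or from AWS), the function below compares the name servers the registrar publishes with the NS set of each Route 53 hosted zone carrying the domain's name and reports which zone, if any, is actually live. The hosted zone dicts mirror the shape of `aws route53 list-hosted-zones` plus each zone's NS record set; all ids, names and name servers are constructed placeholders.

```python
"""Check that the name servers set at the registrar match the Route 53 hosted
zone that actually holds the records, and flag duplicate hosted zones.

Added example, not code from the re:Post answers or from AWS. Zone ids,
names and name servers are constructed placeholders.
"""


def norm(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.strip().lower().rstrip(".")


def delegation_report(domain, registrar_ns, hosted_zones):
    """`registrar_ns` is the NS list shown by the registrar (what the parent zone
    publishes). `hosted_zones` is a list of dicts with Id, Name and NameServers
    (the zone's own NS record set). Returns which zone, if any, is live and why
    resolution might fail."""
    domain = norm(domain)
    registrar = {norm(n) for n in registrar_ns}
    matching = [z for z in hosted_zones if norm(z["Name"]) == domain]
    report = {"domain": domain, "zones_with_name": len(matching),
              "live_zone_id": None, "warnings": []}
    if not matching:
        report["warnings"].append("no hosted zone named " + domain)
        return report
    if len(matching) > 1:
        # Route 53 serves only the zone whose NS set the registrar points to;
        # records created in any other zone of the same name are never seen.
        report["warnings"].append(
            "multiple hosted zones named %s; only the one whose NS set the "
            "registrar points to is live" % domain)
    for z in matching:
        zone_ns = {norm(n) for n in z["NameServers"]}
        if zone_ns == registrar:
            report["live_zone_id"] = z["Id"]
        elif zone_ns & registrar:
            report["warnings"].append(
                "%s: partial NS match; registrar-only %s, zone-only %s"
                % (z["Id"], sorted(registrar - zone_ns), sorted(zone_ns - registrar)))
    if report["live_zone_id"] is None:
        report["warnings"].append(
            "registrar name servers do not match any hosted zone; update the "
            "registrar to the NS set of the zone holding your records")
    return report


# Constructed scenario: an old hosted zone is still delegated at the registrar,
# but the ACM validation CNAME was created in a newer zone of the same name.
REGISTRAR_NS = ["ns-111.awsdns-11.com", "ns-222.awsdns-22.net",
                "ns-333.awsdns-33.org", "ns-444.awsdns-44.co.uk"]
HOSTED_ZONES = [
    {"Id": "/hostedzone/ZONEOLDPLACEHOLDER", "Name": "example.com.",
     "NameServers": ["NS-111.awsdns-11.com.", "ns-222.awsdns-22.net.",
                     "ns-333.awsdns-33.org.", "ns-444.awsdns-44.co.uk."]},
    {"Id": "/hostedzone/ZONENEWPLACEHOLDER", "Name": "example.com.",
     "NameServers": ["ns-555.awsdns-55.com.", "ns-666.awsdns-66.net.",
                     "ns-777.awsdns-77.org.", "ns-888.awsdns-88.co.uk."]},
]

if __name__ == "__main__":
    for line in delegation_report("example.com", REGISTRAR_NS, HOSTED_ZONES).items():
        print("%s: %s" % line)
```

In the constructed scenario the report names the old zone as live and warns about the duplicate, which is the cue to either move the validation record into the delegated zone or repoint the registrar at the new zone's NS set (and then wait out the TTL mentioned above).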