Issue ACM certificate for domain in private route53 zone


Hello, I have:

a route53 domain "" a public hosted zone "" for "<public hosts>" a private hosted zone "" for "<private hosts>" a NS record in my public hosted zone that points to my private hosted zone

I want:

an ACM certificate for an internal load balancer.

the LB is in its aws zone the record is in the private zone: "" and resolves to the LB the certificate validation CNAME record is in the public zone

If I now issue a certificate for "" in the public hosted zone the certificate stays in pending forever.

What am I missing here?

If this approach is not working, what other options do I have to add a SSL cert to my internal LB?


3 Answers

It's not possible to validate an ACM public certificate using a domain record in a Route 53 private hosted zone by design.

When you request an ACM public certificate using DNS validation, ACM provides a CNAME record that you must add to your DNS configuration to validate your ownership of the domain. Because anyone can create a private DNS zone and put records on it under any domain name, being able to make a change in a private DNS zone doesn't prove public ownership of the domain.

profile picture
answered 7 months ago
  • Hi, thanks a lot for your answer. I think I read almost the same answer on a similar question, but I don't fully understand it. I can put whatever I like in my public hosted zone and point a record to it. How is this different from my private zone, except for the reason that it can not be queried by anyone, but only from resources within the zone?

    I mean the private zone is just a subset of the public zone and the certificate is just for a certain domain.

    Apart from that, how could I circumvent this issue and generate a certificate for this internal LB?

    Thanks :)


To issue an ACM managed SSL certificate using a private FQDN, add the DNS validation record to the public zone.

The key here is that ACM validates using SOA records following TLD NS path.

answered 7 months ago
  • Hi ,thanks for the response. I think this is what I have tried:

    Public Hosted Zone: SOA: NS: ->

    CNAME: A: -> alias to LB

    Private Hosted Zone: SOA: NS:

    Am I missing something here? This was still pending for more than 1 hour. Usually the changes take for 3-5 minutes until everything is validated...


It is possible to create 2 route53 zones (private/public) with the same names and resolve your certificate by public one.

But you need to take into account routing peculiarities: if you have private and public hosted zones that have overlapping namespaces, such as and, Resolver routes traffic based on the most specific match. When users are logged into an EC2 instance in an Amazon VPC that you have associated with the private hosted zone, here's how Route 53 Resolver handles DNS queries:

  1. Resolver evaluates whether the name of the private hosted zone matches the domain name in the request, such as A match is defined as either of the following:
  • An identical match

  • The name of the private hosted zone is a parent of the domain name in the request. For example, suppose the domain name in the request is the following:

The following hosted zones match because they're parents of

  1. If there's no matching private hosted zone, then Resolver forwards the request to a public DNS resolver, and your request is resolved as a regular DNS query.

It also can cause issues when you use external-dns for EKS (e.g.)

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions