Route53, ACM seem not validating certificate

0

Hi,

We registered a domain using AWS and now we are trying to configure ACM and Route53 in order to use it. The certificate is stuck in "Pending Validation" status even if the validation CNAMEs are present in the Route53 hosted zone.

The hosted zone (and other resources) has been created later (not at the moment of the domain registration) with Terraform using the working code from a previous project. It has been created with different name servers than what I see in the console at the domain details page. Do name servers have to be the same?

In order to test the DNS, we added a CNAME record to route test.<domain-name>.com to google.com but it doesn't work. This test works instead with another domain (<domain-name>.live) that is also registered in AWS and managed via Route53.

We also tried to run an nslookup on <domain-name>.com and test.<domain-name>.com but it looks like this domain doesn't exist.

I already had the same issue with the previous domain because it hasn't been confirmed and then suspended, so my supposition is that there's something wrong with the domain registration process, also because this time the domain has been activated without email confirmation. Is it normal?

How can we check if everything is okay with the domain registration, that the domain is active and validate the certificate?

Thank you.

EDIT:

When I run nslookup.io with the root of the *.live domain that is working I can see the name servers:


But when I try with the new one, the name servers don't show up:


1 Answer
1

I will answer your questions point wise:

  1. The hosted zone (and other resources) has been created later (not at the moment of the domain registration) with Terraform using the working code from a previous project. It has been created with different name servers than what I see in the console at the domain details page. Do name servers have to be the same?

Yes, the name servers have to be the same. When you create a hosted zone, Route 53 assigns a set of four name servers to the hosted zone. If you delete a hosted zone and then create a new one, Route 53 assigns another set of four name servers. Typically, none of the name servers for the new hosted zone match any of the name servers for the previous hosted zone. If you don't update the domain configuration to use the name servers for the new hosted zone, the domain will remain unavailable on the internet.

Depending upon which hosted zone you want to use, you would need to update the name servers of the domain under the "Registered Domains" section in the Route 53 console to the same name servers of the hosted zone you want to use. Please refer to https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html for more information on how to add or change name servers for a domain.

  2. How can we check if everything is okay with the domain registration, that the domain is active and validate the certificate?

To check the status of a domain registered with Route53, please follow the steps at https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-view-status.html.

Once you correct the name server mismatch for your domain and add the ACM generated CNAME records to the relevant hosted zone for your domain, the certificate should pass the domain validation. To learn more about DNS validation, check our public documentation at https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html.

Note: Please note if a domain validation is not successful within 72 hours of a certificate request, the certificate will fail with a status of "Validation_Timed_Out". Refer: https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-timed-out.html.

AWS
answered a year ago
  • Your solution to step one helped solve my issue! Thank you for sharing with the community!
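
The name server comparison the answer describes, as an added example that is not part of the original thread or AWS's own code: it takes the JSON returned by `aws route53domains get-domain-detail` and `aws route53 get-hosted-zone` and reports which name servers the registration is missing. The domain `example.com`, the zone ID and all name server values below are constructed sample data.

```python
import json

# Constructed sample responses (not real data), shaped like the output of:
#   aws route53domains get-domain-detail --region us-east-1 --domain-name example.com
#   aws route53 get-hosted-zone --id <hosted-zone-id>
DOMAIN_DETAIL = json.loads("""
{"DomainName": "example.com",
 "Nameservers": [{"Name": "ns-100.awsdns-12.com"}, {"Name": "ns-900.awsdns-48.net"},
                 {"Name": "ns-1200.awsdns-22.org"}, {"Name": "ns-1900.awsdns-45.co.uk"}]}
""")
HOSTED_ZONE = json.loads("""
{"HostedZone": {"Id": "/hostedzone/ZEXAMPLE", "Name": "example.com."},
 "DelegationSet": {"NameServers": ["ns-321.awsdns-40.com", "ns-777.awsdns-33.net",
                                   "ns-1055.awsdns-03.org", "NS-1999.awsdns-57.co.uk."]}}
""")


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def compare_delegation(domain_detail, hosted_zone):
    """Compare the registration's name servers with the hosted zone's delegation set."""
    registered = {_norm(ns["Name"]) for ns in domain_detail.get("Nameservers", [])}
    # A private hosted zone has no DelegationSet, so default to an empty set.
    zone = {_norm(ns) for ns in hosted_zone.get("DelegationSet", {}).get("NameServers", [])}
    zone_name = _norm(hosted_zone["HostedZone"]["Name"])
    return {
        # Guards against comparing the domain with a zone for a different name.
        "zone_matches_domain": zone_name == _norm(domain_detail["DomainName"]),
        # Validation CNAMEs are only reachable when both sets are identical.
        "delegation_ok": bool(registered) and registered == zone,
        "add_to_registration": sorted(zone - registered),
        "remove_from_registration": sorted(registered - zone),
    }


if __name__ == "__main__":
    print(json.dumps(compare_delegation(DOMAIN_DETAIL, HOSTED_ZONE), indent=2))
```

With the sample data the report shows `delegation_ok` as false and lists the four hosted zone name servers to set on the registered domain.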
