18

Our project is deployed on Elastic Beanstalk and I want to run this on HTTPS. I created my certificate in AWS Certificate Manager and chose the DNS verification option. I added the provided data to my GoDaddy DNS records. Below is my sample data:

| Domain Name | Record Name | Record Type | Record Value |
|---|---|---|---|
| example.com | _8046ecb910c52234234234234232ecae.example.com. | CNAME | _81b05686qweerttcxsaxasdadas5a566.tljzshvwok.acm-validations.aws. |
| *.example.com | _8046ecb910c52234234234234232ecae.example.com. | CNAME | _81b05686qweerttcxsaxasdadas5a566.tljzshvwok.acm-validations.aws. |

AWS has given me two records, for example.com and *.example.com, but both records are the same. So I added one CNAME record in the GoDaddy DNS entries. I waited for three days and my certificate was still in the pending state, and in the end it expired. I created a new one and I have been waiting for 24 hours and it is still in the pending state. I cannot use the email verification method as I am not the owner of this domain.

Super Kai - Kazuya Ito
Muhammad Hassan

6 Answers

17

An apparently common error is to paste the entire hostname into a box that does not expect an FQDN, thus creating a record that actually looks like this in DNS (though you may not observe it this way on the screen):

_8046ecb910c52234234234234232ecae.example.com.example.com

For the "hostname," just use _8046ecb910c52234234234234232ecae when creating the record.

After creating it, use dig or nslookup to verify that it resolves as expected.

Michael - sqlbot
  • I put `.` at the end after my server address. Does that make any difference? Or should I remove the server address? – Muhammad Hassan Nov 06 '18 at 11:16
  • The correct answer is highly dependent on the UI of the DNS host. Did you try querying your record with `dig`? Either you get the right result, get the wrong result, or get no result, and how to proceed depends on what you have now. Without knowing the actual domain you are using, it's difficult to troubleshoot. – Michael - sqlbot Nov 06 '18 at 11:26
  • Sorry for my ignorance. How to use `dig` for this purpose? – Muhammad Hassan Nov 06 '18 at 11:27
11

I had a similar issue with an AWS certificate in the 'Pending validation' state for quite some time. After a few tries I finally got it into the 'Success' state. It might vary by domain registrar; in my case it was NameCheap.

Refer to the screenshots from AWS ACM and NameCheap to follow the steps that got it working for me:

DNS record validation

zennni
5

I also had this issue and waited a day but still Pending Validation. I followed answers here but still got confused and Pending Validation so I decided to share the step by step of what worked for me in NameCheap.

In AWS:

  1. Export the DNS configuration file. It will have something like this.
    Domain Name,Record Name,Record Type,Record Value
    mysite.io,_beocc4be975f27599f5d77f87af84321.mysite.io.,CNAME,_6ae531c5dad6c5ceeefd65a73d532881.dumrqilasr.acm-validations.aws.

In NameCheap:

  1. Choose "Domain" tab > NameServers - Choose NameCheap Basic DNS
  2. Choose "Advanced DNS" tab > Host Records
  3. Under Type, choose "CNAME record"
  4. Under Host, use the value in "Record Name". Do not include the domain name.
    _beocc4be975f27599f5d77f87af84321.
  5. Under Value, use the value in "Record Value". Copy everything.
    _6ae531c5dad6c5ceeefd65a73d532881.dumrqilasr.acm-validations.aws.
  6. Under TTL, choose "Automatic"
  7. Save the settings by clicking the check icon right beside TTL.

In AWS:

  1. Refresh the AWS Certificate Manager after 2-5 minutes. It should only take a few minutes for Amazon status to change from Pending Validation to Issued.
Woppi
  • 1
    It _should_ only take a few minutes, but occasionally it can take as long as an hour or two. I just waited 70 minutes for my certificate to be approved. – JamesQMurphy Jul 31 '20 at 20:57
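
The Host/Value split from the NameCheap steps and the doubled-name mistake from the first answer, as an added example that is not part of any post above. The function names are hypothetical, the zone is passed explicitly, and the sample row is the one quoted in the answer; the live check needs `dig` and network access.

```shell
#!/bin/sh
# Added example (not from the posts above). Function names are hypothetical.

# Label for a registrar "Host" box: the FQDN with the zone and trailing dot
# removed. Fails if the name does not belong to the zone.
relative_host() (
    fqdn=${1%.}; zone=${2%.}
    case "$fqdn" in
        "$zone")   printf '@\n' ;;
        *".$zone") printf '%s\n' "${fqdn%".$zone"}" ;;
        *)         exit 1 ;;
    esac
)

# Split one data row of the ACM CSV export; prints "<host> <value>".
# The Domain Name column is ignored, so a wildcard row is handled the same way.
acm_host_and_value() (
    zone=$2
    printf '%s\n' "$1" | {
        IFS=, read -r _domain name rtype value
        [ "$rtype" = "CNAME" ] || exit 1
        host=$(relative_host "$name" "$zone") || exit 1
        printf '%s %s\n' "$host" "$value"
    }
)

# Live check (needs dig and network): ok, doubled (zone appended twice), or missing.
check_validation_record() (
    name=${1%.}; zone=${2%.}; want=$3
    if [ "$(dig +short CNAME "$name.")" = "$want" ]; then echo ok
    elif [ -n "$(dig +short CNAME "$name.$zone.")" ]; then echo doubled
    else echo missing
    fi
)

# Usage: sh check_acm.sh 'CSV row' zone
if [ "$#" -eq 2 ]; then
    fields=$(acm_host_and_value "$1" "$2") || { echo "not a CNAME row in $2" >&2; exit 2; }
    host=${fields% *}; want=${fields#* }
    echo "Host field: $host"
    echo "Record:     $(check_validation_record "$host.$2" "$2" "$want")"
fi
```

A result of `doubled` means the registrar appended the zone to a name that already contained it, so the Host field should hold only the printed label.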
4

I have the same pending-forever issue with the domain which I registered at Freenom because I forgot to set the name servers from AWS Route 53 to Freenom.

Name servers from AWS Route 53:


*(ns means name server)

Set the name servers above to Freenom:

Then, it was validated from pending. However, even if I set name servers to Freenom, it sometimes takes forever to be validated. In this case, I delete the request and make a new request a few hours later again, then, it is validated properly.

Optionally saying, we registered the domains at the domain providers like GoDaddy, Namecheap, Freenom and so on, then, we need to set the name servers from AWS Route 53 to GoDaddy, Namecheap, Freenom and so on. Finally, our domains will be validated from AWS Certificate Manager.

sideshowbarker
Super Kai - Kazuya Ito
2

I needed the same solution as @Kai - had to add the NS records to the primary domain. But my situation was a little bit different:

  • I'm using AWS Route53 for my domains
  • with the root domain (example.com.au) in a different AWS account
  • and a subdomain (subdomain.example.com.au) in the account where I'm creating the certificate
  • Because it's all within AWS I could just click the "create record in Route 53" button to get the verification record automatically added... but the certificate would not resolve
  • THE PROBLEM : the subdomain was not resolving through to the root domain
  • HOW I FOUND IT : dig +trace subdomain.example.com.au
    • that SHOULD return a string of responses from . then au. then com.au. then example.com.au. and finally subdomain.example.com.au.
    • it did not return the subdomain record, which was the clue that the link between the subdomain and the root domain was not correct.
  • adding the NS records from the subdomain as a CNAME record on the root domain (similar to Kai's answer) caused the validation to complete almost immediately.
andrew lorien
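
The `dig +trace` check from the answer above, turned into a script that reads the trace and reports whether the delegation chain reaches the subdomain. This is an added example, not part of the post; the function names are hypothetical and the embedded trace lines are constructed sample data using the answer's example names.

```shell
#!/bin/sh
# Added example (not from the post above). Function names are hypothetical.

# Print, in order of first appearance, every zone the trace shows NS records for.
delegated_zones() {
    awk '$1 !~ /^;/ && $3 == "IN" && $4 == "NS" {
        z = tolower($1)
        if (!(z in seen)) { seen[z] = 1; print z }
    }'
}

# Reads dig +trace output on stdin; succeeds only if it contains NS records
# owned by the given zone, i.e. the parent really delegates to it.
delegation_reaches() (
    zone=$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')
    delegated_zones | grep -qxF "$zone"
)

# Constructed sample traces: "ok" ends in a delegation for the subdomain,
# anything else ends with the parent's SOA (no delegation found).
sample_trace() {
    cat <<'EOF'
.                  518400 IN NS a.root-servers.net.
;; Received 239 bytes from 192.0.2.53#53(192.0.2.53) in 1 ms
au.                172800 IN NS a.au.
com.au.            900    IN NS a.au.
example.com.au.    3600   IN NS ns1.parent.invalid.
EOF
    if [ "$1" = ok ]; then
        echo "subdomain.example.com.au. 300 IN NS ns1.child.invalid."
    else
        echo "example.com.au. 900 IN SOA ns1.parent.invalid. admin.example.com.au. 1 7200 900 1209600 300"
    fi
}

# Usage: sh check_delegation.sh subdomain.example.com.au   (needs dig and network)
if [ "$#" -eq 1 ]; then
    if dig +trace NS "$1" | delegation_reaches "$1"; then
        echo "delegated: $1"
    else
        echo "no delegation for $1 in the trace; check the NS records in the parent zone"
    fi
fi
```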
0

That is my api gw with cloudflare! It works already.


Min_T
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/32449918) – Michael De Soto Aug 16 '22 at 20:23