The Problem
You’ve requested a new SSL/TLS certificate via AWS Certificate Manager (ACM). You chose DNS validation because it’s usually faster than waiting for an admin email. However, hours pass and the status remains stubbornly stuck on Pending validation. Eventually, you see this error:
Validation timed out. The status of this certificate request is Pending validation.
ACM gives you a 72-hour window to get your DNS records right. If AWS can't find the specific CNAME record it’s looking for within that timeframe, the request fails. Most of the time, the fix is a simple adjustment to your DNS configuration.
Common Root Causes
- Ghost Records: You added the CNAME record to the wrong DNS provider. This often happens if your domain is registered at GoDaddy but your Name Servers (NS) point to Route 53.
- The Subdomain Trap: Many DNS providers automatically append your domain name. If you paste _x.example.com into the 'Host' field, it might resolve to _x.example.com.example.com, which ACM won't recognize.
- CAA Blockers: A Certificate Authority Authorization (CAA) record exists in your DNS but doesn't list Amazon as an authorized issuer.
- Cloudflare Proxying: The 'Orange Cloud' is active on the validation record, masking the CNAME target ACM needs to see.
Solution 1: The 'Two-Click' Fix for Route 53
If Route 53 manages your DNS, don't type anything manually. AWS can handle the plumbing for you. This is the most reliable method because it eliminates copy-paste errors.
- Navigate to the ACM Console and open your pending certificate.
- Find the Domains section and click Create records in Route 53.
- Confirm the hosted zone and hit Create records.
AWS will inject the _x.yourdomain.com CNAME into your zone immediately. Validation typically flips to 'Issued' within 5 to 15 minutes.
Solution 2: Handling External Providers (GoDaddy, Cloudflare, etc.)
When using an external DNS manager, you have to be precise. Most providers only want the subdomain part of the CNAME name.
- The "Host" Field: If ACM provides _a1b2c3d4.example.com, try entering only _a1b2c3d4 into your provider's 'Name' or 'Host' box.
- Cloudflare Settings: Ensure the record is set to DNS Only (Grey cloud). ACM validation will fail if Cloudflare tries to proxy the validation traffic.
- TTL: Set your TTL to 300 seconds (5 minutes) during setup. This ensures that if you make a mistake, you won't have to wait an hour for the cache to clear.
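As an added worked example (not code from the original article), the Python script below turns the output of aws acm describe-certificate into exactly what an external provider's form needs: the host-only name for providers that append the zone, the full FQDN for providers that don't, and the CNAME value. It also flags the doubled-suffix name that the subdomain trap produces and refuses a record that doesn't belong to the zone you are editing (the ghost-record case). The JSON is a constructed sample that follows the real API field names; the hash-like labels are made up.

```python
import json

# Constructed sample of `aws acm describe-certificate` output (not real ACM data).
# Field names follow the real API shape; the values are invented.
DESCRIBE_CERTIFICATE_JSON = """
{
  "Certificate": {
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {
        "DomainName": "example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ValidationMethod": "DNS",
        "ResourceRecord": {
          "Name": "_a1b2c3d4.example.com.",
          "Type": "CNAME",
          "Value": "_e5f6a7b8.acm-validations.aws."
        }
      },
      {
        "DomainName": "www.example.com",
        "ValidationStatus": "PENDING_VALIDATION",
        "ValidationMethod": "DNS",
        "ResourceRecord": {
          "Name": "_c9d0e1f2.www.example.com.",
          "Type": "CNAME",
          "Value": "_a3b4c5d6.acm-validations.aws."
        }
      }
    ]
  }
}
"""


def normalize(name):
    """Lower-case and drop the trailing dot so DNS names compare reliably."""
    return name.strip().lower().rstrip(".")


def host_field(record_name, zone):
    """What to type into a 'Host' box on a provider that appends the zone itself.

    _a1b2c3d4.example.com     in zone example.com -> _a1b2c3d4
    _c9d0e1f2.www.example.com in zone example.com -> _c9d0e1f2.www

    Raises if the record is not inside the zone: you are probably editing the
    wrong provider (the 'ghost record' problem).
    """
    record_name, zone = normalize(record_name), normalize(zone)
    if not record_name.endswith("." + zone):
        raise ValueError(
            f"{record_name} is not inside zone {zone}; check which provider is authoritative"
        )
    return record_name[: -len(zone) - 1]


def is_doubled(created_name, zone):
    """True when the provider appended the zone to an already-qualified name
    (the 'subdomain trap'), e.g. _a1b2c3d4.example.com.example.com."""
    created_name, zone = normalize(created_name), normalize(zone)
    return created_name.endswith("." + zone + "." + zone)


def validation_records(describe_json, zone):
    """Map each domain on the certificate to the record the DNS provider needs."""
    cert = json.loads(describe_json)["Certificate"]
    out = {}
    for dvo in cert["DomainValidationOptions"]:
        rr = dvo["ResourceRecord"]
        out[dvo["DomainName"]] = {
            "host": host_field(rr["Name"], zone),   # for providers that append the zone
            "fqdn": normalize(rr["Name"]),          # for providers that want the full name
            "type": rr["Type"],
            "value": rr["Value"],
        }
    return out


if __name__ == "__main__":
    for domain, rec in validation_records(DESCRIBE_CERTIFICATE_JSON, "example.com").items():
        print(f"{domain}: host={rec['host']}  type={rec['type']}  value={rec['value']}")
```

To use it against a real certificate, replace the sample JSON with the output of aws acm describe-certificate --certificate-arn <arn> and pass the zone you actually manage; if host_field raises, the zone you are editing is not the one ACM's record belongs to.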
Solution 3: Resolving CAA Record Conflicts
CAA records act like a security guard for your domain, telling the world which CAs are allowed to issue your certificates. If a CAA record exists but doesn't include Amazon, ACM cannot issue the cert. Check your records using the dig tool:
dig example.com CAA
If you see records for Let's Encrypt or DigiCert but none for Amazon, you must add one. Insert this record into your DNS zone:
example.com. IN CAA 0 issue "amazon.com"
Solution 4: Verify with 'dig' Before You Wait
Don't wait 72 hours to see if it worked. You can verify the record is live right now from your terminal. Replace the value below with the CNAME name ACM gave you:
dig CNAME _xxxxxxxxxxxx.yourdomain.com +short
If the command returns a value ending in .acm-validations.aws., you're golden. If it returns nothing, your DNS hasn't updated, or the record name is misspelled.
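An added Python example (not part of the original article) that checks the two things Solutions 3 and 4 ask you to read off dig output: whether a CAA record set lets Amazon issue, and whether a CNAME answer matches the value ACM handed you. The dig output is constructed, not captured from a real domain. The issuer set is the one the ACM documentation lists as authorizing ACM; the article uses amazon.com, the other three are the additional values AWS documents.

```python
# Values the ACM docs list as authorizing ACM in a CAA 'issue' record.
AMAZON_CAA_ISSUERS = {"amazon.com", "amazontrust.com", "awstrust.com", "amazonaws.com"}

# Constructed `dig example.com CAA` answer sections (not real output from any domain).
CAA_BEFORE = """\
;; ANSWER SECTION:
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issue "digicert.com"
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"
"""
# The same zone after adding the record from Solution 3.
CAA_AFTER = CAA_BEFORE + 'example.com.  3600  IN  CAA  0 issue "amazon.com"\n'


def normalize(name):
    """Lower-case and drop the trailing dot so DNS names compare reliably."""
    return name.strip().lower().rstrip(".")


def parse_caa(dig_output):
    """Parse dig's CAA answer lines into (flags, tag, value) tuples.

    Answer lines look like: name TTL IN CAA flags tag "value".
    Comment lines (;;) and blank lines are skipped.
    """
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[3] != "CAA":
            continue
        flags, tag = int(parts[4]), parts[5].lower()
        value = " ".join(parts[6:]).strip('"')
        records.append((flags, tag, value))
    return records


def amazon_authorized(caa_records):
    """Can ACM issue for this name?

    No CAA records at all: any CA may issue. An 'issue' set that names an Amazon CA:
    yes. An 'issue' set naming only other CAs (or the empty issuer ';'): no.
    Simplification: only the 'issue' tag is checked; a wildcard certificate would
    also have to consult 'issuewild'.
    """
    issue_values = [
        value.lower().split(";")[0].strip()   # drop CAA parameters after ';'
        for _flags, tag, value in caa_records
        if tag == "issue"
    ]
    if not issue_values:
        return True
    return any(v in AMAZON_CAA_ISSUERS for v in issue_values)


def cname_points_to_acm(short_output, expected_value):
    """Check the output of `dig CNAME <name> +short` against the value ACM gave you.

    Returns (ok, reason) so the reason can be shown to the operator.
    """
    answers = [normalize(a) for a in short_output.splitlines() if a.strip()]
    if not answers:
        return False, "no answer: record not published yet, or the name is misspelled"
    target = answers[0]
    if not target.endswith(".acm-validations.aws"):
        return False, f"{target} is not an ACM validation target; check the record value"
    if target != normalize(expected_value):
        return False, f"{target} does not match the value ACM expects"
    return True, "record is live and matches ACM"


if __name__ == "__main__":
    print("before CAA fix:", amazon_authorized(parse_caa(CAA_BEFORE)))
    print("after CAA fix: ", amazon_authorized(parse_caa(CAA_AFTER)))
    print(cname_points_to_acm("_e5f6a7b8.acm-validations.aws.\n", "_e5f6a7b8.acm-validations.aws."))
```

In practice you would pipe real dig output into these functions; the point of returning a reason from cname_points_to_acm is that "no answer" (propagation or a typo in the name) and "wrong target" (a typo in the value, or Cloudflare proxying) need different fixes.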
Verification
Once the records are live and the CAA records are clear, ACM will detect the change automatically. You don't need to refresh or resubmit the request. To check the status via the CLI, run:
aws acm describe-certificate --certificate-arn your_cert_arn --query 'Certificate.Status'
You are looking for a simple, one-word output:
"ISSUED"
Pro-Tip: Automate with Terraform
Manually clicking buttons in the console is prone to error. Use Infrastructure as Code to link ACM and Route 53. This Terraform snippet creates the cert, sets up the DNS record, and waits for validation to finish before marking the resource as complete.
resource "aws_acm_certificate" "cert" {
  domain_name       = "example.com"
  validation_method = "DNS"
}

# The public hosted zone that serves example.com. It must be the zone the
# domain's NS records actually point to, or the validation record is a ghost.
data "aws_route53_zone" "main" {
  name         = "example.com."
  private_zone = false
}

# One validation CNAME per domain on the certificate, copied straight from
# what ACM asks for, so there is nothing to mistype.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.cert.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  name            = each.value.name
  records         = [each.value.record]
  ttl             = 60
  type            = each.value.type
  zone_id         = data.aws_route53_zone.main.zone_id
}

# Blocks the apply until ACM reports the certificate as ISSUED; resources that
# need the certificate should depend on this, not on aws_acm_certificate.cert.
resource "aws_acm_certificate_validation" "cert" {
  certificate_arn         = aws_acm_certificate.cert.arn
  validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn]
}