Certificate with DNS Validation is stuck in Pending Validation
I have transferred my domain to Route53 and I want Amazon Certificate Manager to issue a certificate for this domain. I followed the steps in the console to issue the certificate, the "Create record in Route53" button does show up. I do press it. It says "Success". I do see the CNAME entry created in Route53. The certificate status says "Pending Validation", "Validation is not complete, further action is needed to validate and approve the certificate". It's been that way overnight, I've tried before and left it for a few days and it times out at 72 hours.

What do I need to do?

Chablis answered 24/6, 2019 at 10:6 Comment(3)
Baltazar: Have you verified that Route53 is the authority for your domain? Try nslookup -type=soa yourdomain.com; this should match the SOA record in your Route53 zone, same for -type=NS.
Chablis: For -type=NS I have an authoritative answer from ns3.afternic.com, which appears to be Amazon. For -type=soa I do not have an authoritative answer; it says "Authoritative answers can be found from:" and then blank. It does not appear to be the same as what's in the SOA and NS records in Route53.
Baltazar: It seems like the DNS zone is not set up properly then. You should log in to your DNS registrar, where you bought the domain, find the NS record setting and edit these values to be the 4 ns- records that Amazon provides by default when you create a hosted zone. This will leave the ownership of the domain with your registrar but give Route53 control of the DNS records.

A lot of times the reason for the "Pending Validation" issue is not clicking the Create record in Route 53 button on the validation page when creating the certificate.
It could be hidden on the Validation page; click the down-arrow next to your domain name.
See image below.

https://docs.aws.amazon.com/acm/latest/userguide/troubleshooting-DNS-validation.html#troubleshooting-route53-1

Prefix answered 24/5, 2021 at 7:18 Comment(0)

I ran

dig NS gaytodo.com +trace

in my terminal and it showed that my nameservers were still associated with my old provider.

I wasn't able to update them with my old provider as I had already transferred out the domain.

I already had new AWS name servers on my Route 53 hosted zone, but I needed to update them manually in Route 53.

I followed these steps to do that:

In the AWS Management Console, navigate to Route 53

Click on "Registered Domains" in the left navigation.

Click on the domain name you're having issues with.

Click on "actions" and then "edit name servers".

Replace the existing nameservers with the ones from Route 53 hosted zone (without the trailing dot).

Click on "Update".

Ventura answered 15/5 at 7:36 Comment(0)
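The delegation check suggested in the comments on the question (authoritative NS/SOA versus the Route 53 hosted zone) and the name-server fix in this answer, as an added shell example that is not code from any poster in this thread. It assumes dig (dnsutils/bind-utils) and a credentialed AWS CLI are installed; the hosted zone ID and the validation CNAME name in the usage comment are placeholders, to be replaced with the values the console shows for your zone and certificate. The list-comparison helpers are pure text processing, so they can be exercised without network access.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the two things that leave an ACM
# certificate stuck in "Pending Validation": the registrar still delegating to
# the wrong name servers, and the validation CNAME not being served by the
# Route 53 hosted zone. Assumes dig (dnsutils/bind-utils) and the AWS CLI.

# Normalise a whitespace-separated list of name-server hosts: lowercase, no
# trailing dot, one per line, sorted and de-duplicated. Pure text handling.
normalize_ns() {
    printf '%s\n' "$1" \
        | awk '{ for (i = 1; i <= NF; i++) print tolower($i) }' \
        | sed 's/\.$//' \
        | sort -u
}

# Prints "match" when both lists name the same servers; otherwise prints
# "mismatch" followed by every server that appears in only one of the lists.
delegation_matches() {
    a=$(normalize_ns "$1")
    b=$(normalize_ns "$2")
    if [ "$a" = "$b" ]; then
        echo match
    else
        echo mismatch
        printf '%s\n%s\n' "$a" "$b" | sort | uniq -u
    fi
}

# Name servers the parent (TLD) zone delegates to, i.e. what the registrar
# published. +trace walks down from the root, so cached answers are ignored.
# The trace prints both the TLD's delegation and the zone's own NS answer;
# both are collected and sort -u collapses them when they agree.
delegated_ns() {
    dig +trace +nodnssec NS "$1" \
        | awk -v name="$1." '$1 == name && $4 == "NS" { print $5 }' \
        | sort -u
}

# Name servers Route 53 assigned to the hosted zone (the ns-*.awsdns-* set).
hosted_zone_ns() {
    aws route53 get-hosted-zone --id "$1" \
        --query 'DelegationSet.NameServers' --output text
}

# Asks one of the hosted zone's own servers for the ACM validation CNAME.
# An empty answer means the record was never created in this zone.
validation_record() {
    dig +short CNAME "$1" @"$2"
}

# Usage: check_acm_dns example.com Z0123456789EXAMPLE _abc123.example.com
#   $1 domain, $2 hosted zone ID (placeholder), $3 CNAME name shown by ACM
check_acm_dns() {
    registrar_ns=$(delegated_ns "$1")
    route53_ns=$(hosted_zone_ns "$2")
    echo "registrar delegation vs hosted zone: $(delegation_matches "$registrar_ns" "$route53_ns")"
    first=$(normalize_ns "$route53_ns" | head -n 1)
    echo "validation CNAME at $first: $(validation_record "$3" "$first")"
}
```

A "mismatch" result is the situation in this answer: the registrar (the Registered Domains entry when the domain lives in Route 53) still points at the old provider, so the validation CNAME is never consulted even though it exists in the hosted zone. The console steps above have a CLI counterpart in aws route53domains update-domain-nameservers --domain-name <domain> --nameservers Name=<ns-1> Name=<ns-2> ..., using the four servers that hosted_zone_ns prints; the validation CNAME lookup then returns the acm-validations.aws target and the certificate leaves "Pending Validation" once ACM re-checks.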
