Certificate in Pending state in AWS Certificate Manager

Asked 6/11, 2018 at 5:54 Answered 10/8, 2022 at 2:21

Solved amazon-web-services dns amazon-elastic-beanstalk cname aws-certificate-manager

Our project is deployed on Elastic Beanstalk and I want to run this on HTTPs. I created my certificate on AWS Certificate Manager and choose DNS verification option. I added provided data in my Godaddy DNS records. Below is my sample data

Domain Name | Record Name | Record Type | Record Value 

example.com | _8046ecb910c52234234234234232ecae.example.com. | CNAME | _81b05686qweerttcxsaxasdadas5a566.tljzshvwok.acm-validations.aws. 

*.example.com | _8046ecb910c52234234234234232ecae.example.com. | CNAME |  _81b05686qweerttcxsaxasdadas5a566.tljzshvwok.acm-validations.aws.

AWS has given my two records for example.com and *.example.com but both records are same. So I added one CNAME record in Godaddy DNS entries. I waited for three days and my certificate was still in pending state which in the end expired. I created a new one and I have been waiting for 24 hours and it is still in pending state. I cannot use Email verification method as I am not owner of this domain.

Microvolt answered 6/11, 2018 at 5:54 Comment(0)

An apparently common error is to paste the entire hostname into a box that does not expect an FQDN, thus creating a record that actually looks like this in DNS (though you may not observe it this way on the screen):

_8046ecb910c52234234234234232ecae.example.com.example.com

For the "hostname," just use _8046ecb910c52234234234234232ecae when creating the record.

After creating it, use dig or nslookup to verify that it resolves as expected.

Iridize answered 6/11, 2018 at 10:54 Comment(3)

I put . in the end after my server address. Does that make any difference.? Or I should remove server address? – Microvolt 6/11, 2018 at 11:16

The correct answer is highly dependent on the UI of the DNS host. Did you try querying your record with dig? Either you get the right result, get the wrong result, or get no result, and how to proceed depends on what you have now. Without knowing the actual domain you are using, it's difficult to troubleshoot. – Iridize 6/11, 2018 at 11:26

Sorry for my ignorance. How to use dig for this purpose? – Microvolt 6/11, 2018 at 11:27

I had similar issue with AWS certificate in 'Pending validation' state for quite some time. After few tries I finally got it to get in 'Success' state. It might vary by domain registrar , in my case it was NameCheap.

Refer the screenshots from AWS ACM and NameCheap to follow the step that got it working for me:

Rebutter answered 4/7, 2019 at 15:8 Comment(0)

I also had this issue and waited a day but still Pending Validation. I followed answers here but still got confused and Pending Validation so I decided to share the step by step of what worked for me in NameCheap.

In AWS:

Export the DNS configuration file. It will have something like this.

    Domain Name,Record Name,Record Type,Record Value
    mysite.io,_beocc4be975f27599f5d77f87af84321.mysite.io.,CNAME,_6ae531c5dad6c5ceeefd65a73d532881.dumrqilasr.acm-validations.aws.

In NameCheap:

Choose "Domain" tab > NameServers - Choose NameCheap Basic DNS
Choose "Advanced DNS" tab > Host Records
Under Type, choose "CNAME record"
Under Host, use the value in "Record Name". Do not include the domain name.

    _beocc4be975f27599f5d77f87af84321.

Under Value, use the value in "Record Value". Copy everything.

    _6ae531c5dad6c5ceeefd65a73d532881.dumrqilasr.acm-validations.aws.

Under TTL, choose "Automatic"
Save the settings by clicking the check icon right beside TTL.

In AWS:

Refresh the AWS Certificate Manager after 2-5 minutes. It should only take a few minutes for Amazon status to change from Pending Validation to Issued.

Mehetabel answered 15/8, 2019 at 1:59 Comment(2)

It should only take a few minutes, but occasionally it can take as long as an hour or two. I just waited 70 minutes for my certificate to be approved. – Lazy 31/7, 2020 at 20:57

In pt 5 above, do we need the last period '.' in CNAME Record name? Asking since all the members have mentioned the Record Name without the last period. So should it be '_beocc4be975f27599f5d77f87af84321.' OR '_beocc4be975f27599f5d77f87af84321' is the question – Giffy 25/4 at 22:22

I have the same pending-forever issue with the domain which I registered at Freenom because I forgot to set the name servers from AWS Route 53 to Freenom.

Name servers from AWS Route 53:

*(ns means name server)

Set the name servers above to Freenom:

Then, it was validated from pending. However, even if I set name servers to Freenom, it sometimes takes a forever time to be validated. In this case, I delete the request and make a new request a few hours later again, then, it is validated properly.

Optionally saying, we registered the domains at the domain providers like GoDaddy, Namecheap, Freenow and so on, then, we need to set the name servers from AWS Route 53 to GoDaddy, Namecheap, Freenow and so on. Finally, our domains will be validated from AWS Certificate Manager.

Washbasin answered 24/5, 2021 at 8:9 Comment(0)

I needed the same solution as @Kai - had to add the NS records to the primary domain. But my situation was a little bit different:

I'm using AWS Route53 for my domains
with the root domain (example.com.au) in a different AWS account
and a subdomain (subdomain.example.com.au) in the account where I'm creating the certificate
Because it's all within AWS I could just click the "create record in Route 53" button to get the verification record automatically added... but the certificate would not resolve
THE PROBLEM : the subdomain was not resolving through to the root domain
HOW I FOUND IT : dig +trace subdomain.example.com.au
- that SHOULD return a string of responses from . then au. then com.au. then example.com.au. and finally subdomain.example.com.au.
- it did not return the subdomain record, which was the clue that the link between the subdomain and the root domain was not correct.
adding the NS records from the subdomain as a CNAME record on the root domain (similar to Kai's answer) caused the validation to complete almost immediately.

Teratism answered 11/6, 2021 at 1:31 Comment(0)

That is my api gw with cloudflare! It works already.

Microscopic answered 10/8, 2022 at 2:21 Comment(1)

This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review – Signally 16/8, 2022 at 20:23

Recommended topics

Hot tags