Reputation: 6080
Configured *.mydomain.com using AWS Certificate Manager and it is shown in Pending Validation for more than a day, even though the CNAME records were published to AWS Route53 under the domain name. Everything seems appropriate, but it's not clear why the domain is not getting validated.
Note: the domain was created using AWS Route53 as well.
dig mydomain.com
; <<>> DiG 9.10.6 <<>> mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com. IN A
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619360121 1800 900 604800 86400
;; Query time: 457 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 19:45:39 IST 2021
;; MSG SIZE rcvd: 112
dig mydomain.com ANY
; <<>> DiG 9.10.6 <<>> mydomain.com ANY
;; global options: +cmd
;; connection timed out; no servers could be reached
dig mydomain.com +trace
; <<>> DiG 9.10.6 <<>> mydomain.com +trace
;; global options: +cmd
. 359116 IN NS e.root-servers.net.
. 359116 IN NS k.root-servers.net.
. 359116 IN NS d.root-servers.net.
. 359116 IN NS f.root-servers.net.
. 359116 IN NS a.root-servers.net.
. 359116 IN NS g.root-servers.net.
. 359116 IN NS c.root-servers.net.
. 359116 IN NS b.root-servers.net.
. 359116 IN NS i.root-servers.net.
. 359116 IN NS h.root-servers.net.
. 359116 IN NS l.root-servers.net.
. 359116 IN NS m.root-servers.net.
. 359116 IN NS j.root-servers.net.
. 359116 IN RRSIG NS 8 0 518400 20210508050000 20210425040000 14631 . VRowJ98FAdfO9wGKjJRrm1llMgqsIy2i9NQ9teQyO4J71s5S2NdD/GG7 x4ssMnkmZ1BSVE8jWQjP2uPuzYxK++ILDLM5pjCdbpbcJlOQSqWgAF0a zCjHmGuh14r29m0C8jm+mqRZ83ioEtcYgzmiEMLzREx7OCYZM14XnP2o l5aSe1Cx495WGCGvy8E1ugUn5ZAUygdduDVGHBeNWApfAAKqmTttnO0m YBCzVTgvzPJecHcdiuTZrpDTtfzgCb9tMAd5+QUdfPMTsb4cKisAvd8a m7lGdrgV1dQiwzwL2urSJpToA3N2pVpuPuFtcpt5O8vvUjEcOihgOfaT VudmBg==
;; Received 1097 bytes from 192.168.1.1#53(192.168.1.1) in 96 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210508050000 20210425040000 14631 . e6RPEnTOftwvUJRAoWl+M9MUnuPcjH/CT22pTiVkKPiA4j5NBqMvL+G7 Q3TA04bXcvOruMRLCTSZ6wm9o0bdpJVT8JAK7pOHqZDlwbTAyL+BhWhK 76FHauQ0gQYbGwEKl6C/k4mA3TNE8bZZt1utYWoa62cCx/jn72nzxLG7 zAehrItZg3Jk9vX7Ds5W6vfLOkxmNjrVGyQBQVK8D5CQdicspu+z6gGR Rz3p8Kez5J4QYsmDwb1HyT5dxsvFH4G8I1ptMHt6c+UH84XbdAFWDVEa PpEPm5zbDz8hhDl34nmJAt7loGuJ5fWE4HDmFudXD3n2+8a/RosFyZvH M63uTQ==
;; Received 1170 bytes from 199.7.83.42#53(l.root-servers.net) in 43 ms
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619363571 1800 900 604800 86400
com. 900 IN RRSIG SOA 8 1 900 20210502151251 20210425140251 54714 com. nQPgPFyQO4PgrERge1QkjjplpXpAyPJdE8y5jV1VXXi41cZpQfkzcDTb 6xSsybGovaexSzfV8m9aEeL7baojsrYWqFVfocaL8pMe2Ezjp+OjaQiP fA93ZvnJ3kkjE+abtHhOThZneXYsxHLUgTC8JG11/H4I3w6D6Gj0pRd8 p6DHtUs9Fd4k+5xfpuiRFxxtQM8Q4TZvc/hjidFVtC3SwQ==
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210430042342 20210423031342 54714 com. poBoT+3Fv6vILgKS4kwHwRFFaBMpT1dqP0FhmDhYFMN8bE/F+fkBHHUQ zfGrx/FswlhMG+6tS6DXsB09X1P/CKlE4cvRvgkv5tM66HeQ7GtcvMLQ M7PpwtWv8jBZ2OPMxFrORXLFpYvFI7I9YGS36WL6JsKm7d54i/gdP5ny +EWX1oj4Nfrho4lOT6zQmCCYm9c4vM4T3O3OKKF0/Bcf9w==
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN NSEC3 1 1 0 - 1HCLGQG6AEFSU0MRECIMQGFMFS45LSML NS DS RRSIG
1HCL83RC3R55GBBV9M3IA223NK6FOIUG.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429042839 20210422031839 54714 com. thxq1AK7k2voLzaaz97SX2dnmDurTFjk6zIDgf6oGpKGvTVIQrPbm88y /vMnJQOjoUpoV3rTzCQoiYCJ+wN3xwOHyXkdpVr2CNS4xSPUzcfnKzmx cqeE/x/gIwy18VB4abQ0Rs7EQQZIakoWvVwK2m63yqZ2zc2uH+qDzxZQ ul5P7DqPzy1vrh2Als3RccLj+zAZQOt21jAhS1D4ARBXAw==
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN NSEC3 1 1 0 - 3RL2U7B4F3S5BAQOQ0GAV1UULJB098HP NS DS RRSIG
3RL2Q58205687C8I9KC9MV46DGHCNS45.com. 86400 IN RRSIG NSEC3 8 2 86400 20210429043013 20210422032013 54714 com. CY/QVw+zdsll1gAk8WWMPb1xTkz0iDehfJmoN7ZriaFuBpZetuInVEP7 qdCZodmE/9VUuHUyWD3/iBRDvMIIzF4bckpu6fWYI8caNMRucS6gMAkV C0Om54P/5gjJpxGAu6ilRjKrDunO4z9s7bfHdxmICmZLg89SER5Nw15m 1rVZG+BBrl6eBXJVLO/oMkPHwKjtJvgentLi7V0iCZAGYQ==
;; Received 1130 bytes from 192.42.93.30#53(g.gtld-servers.net) in 228 ms
dig mydomain.com NS
; <<>> DiG 9.10.6 <<>> mydomain.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34077
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com. IN NS
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619365916 1800 900 604800 86400
;; Query time: 423 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Apr 25 21:22:21 IST 2021
;; MSG SIZE rcvd: 112
dig @8.8.8.8 mydomain.com ns
; <<>> DiG 9.10.6 <<>> @8.8.8.8 mydomain.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60289
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;mydomain.com. IN NS
;; AUTHORITY SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1619370481 1800 900 604800 86400
;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Apr 25 22:38:22 IST 2021
;; MSG SIZE rcvd: 112
dig @ns-1563.awsdns-03.co.uk mydomain.com
; <<>> DiG 9.10.6 <<>> @ns-1563.awsdns-03.co.uk mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29591
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com. IN A
;; AUTHORITY SECTION:
mydomain.com. 900 IN SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 8 msec
;; SERVER: 205.251.198.27#53(205.251.198.27)
;; WHEN: Sun Apr 25 22:40:28 IST 2021
;; MSG SIZE rcvd: 123
dig @ns-547.awsdns-04.net mydomain.com
; <<>> DiG 9.10.6 <<>> @ns-547.awsdns-04.net mydomain.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5437
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mydomain.com. IN A
;; AUTHORITY SECTION:
mydomain.com. 900 IN SOA ns-1563.awsdns-03.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 46 msec
;; SERVER: 205.251.194.35#53(205.251.194.35)
;; WHEN: Sun Apr 25 22:42:22 IST 2021
;; MSG SIZE rcvd: 123
Upvotes: 3
Views: 3816
Reputation: 34416
When you register the new domain, Route 53 will automatically create a hosted zone with the correct NS records. You should be able to open the hosted zone in the console and see 4 NS records that point to AWS DNS servers. For example,
ns-1502.awsdns-59.org.
ns-1757.awsdns-27.co.uk.
ns-319.awsdns-39.com.
ns-621.awsdns-13.net.
You can try looking up your newly registered domain against the name servers using the dig command. For example:
$ dig @ns-1502.awsdns-59.org mydomain.com
...
;; ANSWER SECTION:
mydomain.com. 21599 IN NS ns-1502.awsdns-59.org.
mydomain.com. 21599 IN NS ns-1757.awsdns-27.co.uk.
mydomain.com. 21599 IN NS ns-319.awsdns-39.com.
mydomain.com. 21599 IN NS ns-621.awsdns-13.net.
This will confirm that AWS DNS is resolving your domain correctly. You can also check another non-AWS DNS server. For example, you can check against any public DNS server, such as Google's public DNS server at 8.8.8.8:
$ dig @8.8.8.8 mydomain.com ns
...
;; ANSWER SECTION:
mydomain.com. 21599 IN NS ns-1502.awsdns-59.org.
mydomain.com. 21599 IN NS ns-1757.awsdns-27.co.uk.
mydomain.com. 21599 IN NS ns-319.awsdns-39.com.
mydomain.com. 21599 IN NS ns-621.awsdns-13.net.
...
You should also see status: NOERROR in the output. If you instead see status: NXDOMAIN, it means that the domain really does not exist. In that case, you should review the AWS documentation on registering domain names, and in particular the troubleshooting docs. Make sure that you have clicked the confirmation link that was sent to your email when you registered the domain.
If your domain is registered correctly, you should be able to use DNS validation. Once you've requested the certificate with DNS validation and added the CNAME to the domain, you can check that it exists:
$ dig <your validation record>.mydomain.com
;; ANSWER SECTION:
<your validation record>.mydomain.com. 299 IN CNAME <some random value>.<some random value>.acm-validations.aws.
If you can resolve this using any public name server, then the validation record is set up correctly and you'll just have to wait. When it works, it's usually quite fast, but it can take up to 30 minutes.
With that said, I have occasionally seen the validation never complete, and the ACM certificate would remain in the pending state indefinitely. In that case, the only way to resolve it is to delete the certificate, request a new one, and try again. Note that if you do try again, the Route 53 validation CNAME record that they will ask you to create will always be the same.
Upvotes: 4
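A small triage script for the checks this answer walks through, as an added example that is not from the thread: it parses dig's text output and tells a missing delegation (NXDOMAIN from the parent, as in the question) apart from a missing or wrong ACM validation CNAME. The sample outputs below are constructed; in practice you would feed it the output of `dig @8.8.8.8 mydomain.com NS` and `dig @8.8.8.8 <your validation record>.mydomain.com`.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
# name, TTL, class IN, type, rdata (dig separates fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\w+)\s+(.+)$")

def parse_dig(text):
    """Return (status, answer_rrs) from dig text output; answer_rrs are (name, type, rdata)."""
    status, section, records = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; ->>HEADER<<-"):
            status = STATUS_RE.search(line).group(1)
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line
        elif line and not line.startswith(";") and section == ";; ANSWER SECTION:":
            m = RR_RE.match(line)
            if m:
                records.append((m.group(1), m.group(2), m.group(3)))
    return status, records

def diagnose(ns_dig_output, validation_dig_output):
    """Classify a stuck ACM validation from two dig runs against a public resolver:
    one for the zone's NS records, one for the ACM validation CNAME."""
    status, rrs = parse_dig(ns_dig_output)
    if status == "NXDOMAIN" or not any(t == "NS" for _, t, _ in rrs):
        return "delegation-missing"         # parent zone has no NS for the domain
    status, rrs = parse_dig(validation_dig_output)
    targets = [rd for _, t, rd in rrs if t == "CNAME"]
    if status != "NOERROR" or not targets:
        return "validation-record-missing"  # CNAME not published or not propagated
    if not targets[0].rstrip(".").endswith(".acm-validations.aws"):
        return "validation-record-wrong-target"
    return "ok-wait"                        # record is correct; ACM just needs time

# Constructed samples mirroring the dig output shapes in the thread (not real zones).
NXDOMAIN_PARENT = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; AUTHORITY SECTION:
com.\t900\tIN\tSOA\ta.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
"""
DELEGATED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; ANSWER SECTION:
mydomain.com.\t21599\tIN\tNS\tns-1502.awsdns-59.org.
mydomain.com.\t21599\tIN\tNS\tns-621.awsdns-13.net.
"""
VALIDATION_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; ANSWER SECTION:
_abc123.mydomain.com.\t299\tIN\tCNAME\t_def456.xyz.acm-validations.aws.
"""
```

Run `diagnose(DELEGATED, VALIDATION_OK)` to see the "ok-wait" case and `diagnose(NXDOMAIN_PARENT, VALIDATION_OK)` for the situation in the question.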