Tags: amazon-web-services, amazon-route53, aws-certificate-manager

ACM certificate pending validation


I purchased a domain through route53 yesterday and am now trying to set up an ACM TLS certificate - I am following this CDK tutorial https://github.com/aws-samples/aws-cdk-examples/tree/master/typescript/static-site. After I purchased the domain through route53 I verified it via my email address. In the route53 console, I can see that the domain is verified. In the ACM console, I have requested a new certificate, put in the fully qualified domain name, i.e. www.mynewdomain.com, selected "DNS validation" as the validation method, and then requested the certificate. This worked successfully, but the certificate in the ACM console then said "pending validation". To address this, I opened the new certificate in the ACM console and selected "create records in route 53". My understanding is that this CNAME creation would then automatically validate my new certificate. However, it has now been over 24 hours and my certificate is still "pending validation". Is there some other step I need to take?

I have created the hosted zone manually and am using this CDK code:

    // Imports and a wrapping stack class (name assumed) added so the snippet compiles on its own;
    // import paths assume aws-cdk-lib v2.
    import { Stack, StackProps, CfnOutput } from 'aws-cdk-lib';
    import * as route53 from 'aws-cdk-lib/aws-route53';
    import * as acm from 'aws-cdk-lib/aws-certificatemanager';
    import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
    import { Construct } from 'constructs';

    export class StaticSiteStack extends Stack {
      constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        const domainName = "mynewdomain.com";
        const siteSubDomain = "www";
        const siteDomain = siteSubDomain + '.' + domainName;
        // Reference the hosted zone that was created manually in the console
        const zone = route53.HostedZone.fromHostedZoneAttributes(
            this,
            "hosted zone id lookup",
            {
                hostedZoneId: "0198237490218374XXX", // ID from AWS console
                zoneName: "mynewdomain.com" // name from AWS console
            }
        );
        console.log(`route 53 hosted zone ${zone} : ${zone.zoneName} : ${zone.hostedZoneId} :  ${zone.hostedZoneArn}`);
        new CfnOutput(this, 'Site', {value: 'Created route 53 hosted zone https://' + siteDomain});

        // TLS certificate, validated by a CNAME that CDK writes into the hosted zone above
        const certificate = new acm.Certificate(this, 'SiteCertificate', {
            domainName: siteDomain,
            certificateName: `${domainName} TLS certificate`,
            validation: acm.CertificateValidation.fromDns(zone),
        });

        // CloudFront origin access identity
        const cloudfrontOAI = new cloudfront.OriginAccessIdentity(this, 'cloudfront-OAI', {
            comment: `OAI (origin access identity) for ${domainName}`
        });
      }
    }

I've also gone through these steps manually.


Solution

  • I found the answer to this in the related question "AWS Certificate Request Validation Timeout", in the answer by @Saurabh.

    I needed to update the name servers in my domain to be the same as those in my hosted zone. Once I made this change, I re-created the ACM certificate and it was approved in ~15 minutes.
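To illustrate why the name servers matter, here is an added example (not code from the question or the linked CDK sample): a toy model of the lookup ACM performs during DNS validation, which follows the domain's registered delegation rather than looking inside a particular hosted zone. All name servers, record names and targets are constructed sample data.

```typescript
// Added example (not from the question or the CDK sample): a toy model of the lookup
// ACM performs during DNS validation. It follows the registrar's delegation, so a CNAME
// written into a hosted zone the domain does not delegate to is never found.
// All name servers, record names and targets below are constructed sample data.
interface HostedZone {
  nameServers: string[];
  records: Map<string, string>; // fqdn -> CNAME target
}

// Normalise a DNS name for comparison: lower-case with a single trailing dot.
function normalizeName(name: string): string {
  return name.trim().toLowerCase().replace(/\.+$/, "") + ".";
}

// First check to run: do the domain's registered name servers equal the zone's NS set?
function delegationMatches(registrarNs: string[], zone: HostedZone): boolean {
  const want = new Set(zone.nameServers.map(normalizeName));
  const have = new Set(registrarNs.map(normalizeName));
  return have.size === want.size && Array.from(have).every((ns) => want.has(ns));
}

// Toy resolver: only zones served by the registrar's delegated name servers can answer.
function resolveValidationCname(
  registrarNs: string[], zones: HostedZone[], recordName: string,
): string | undefined {
  const delegated = new Set(registrarNs.map(normalizeName));
  for (const zone of zones) {
    if (!zone.nameServers.some((ns) => delegated.has(normalizeName(ns)))) continue;
    const target = zone.records.get(normalizeName(recordName));
    if (target !== undefined) return target;
  }
  return undefined; // no answer: ACM leaves the certificate "pending validation"
}

// Constructed scenario: the manually created zone holds the CNAME, but the registered
// domain still delegates to a different (stale) NS set.
const validationName = "_abc123.www.mynewdomain.com";
const validationTarget = "_def456.acm-validations.aws.";
const manualZone: HostedZone = {
  nameServers: ["ns-1.awsdns-00.org", "ns-2.awsdns-01.com"],
  records: new Map([[normalizeName(validationName), validationTarget]]),
};
const staleRegistrarNs = ["ns-9.awsdns-99.net", "ns-8.awsdns-98.co.uk"];

function diagnose(registrarNs: string[]): string {
  if (!delegationMatches(registrarNs, manualZone)) return "NS mismatch: update the domain's name servers";
  const answer = resolveValidationCname(registrarNs, [manualZone], validationName);
  return answer === validationTarget ? "validation CNAME resolvable" : "CNAME missing from delegated zone";
}
```

Against a real domain the same two checks are an NS query for the apex and a CNAME query for the validation record name shown in the ACM console.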