Deployment & Infrastructure

AWS ACM Pending Certificates: Why Your SSL Certificate Won't Validate

Stuck with a pending AWS Certificate Manager certificate? Learn the most common causes and how to fix nameserver mismatches and DNSSEC conflicts that prevent certificate validation.

Sjors Verhoef · 6 min read

You've requested an SSL certificate through AWS Certificate Manager (ACM), added the validation CNAME records to your hosted zone, but the certificate status remains stuck on "Pending validation". Hours pass, nothing happens. Sound familiar?

After deploying dozens of sites to AWS, I've encountered this issue more times than I'd like to admit. Here's what's actually going wrong and how to fix it.

Understanding ACM Validation

When you request a certificate in ACM, AWS needs to verify you control the domain. They do this by asking you to add specific CNAME records to your DNS. ACM then queries these records to confirm they exist.

The process should be straightforward, but when certificates stay pending, it's almost always a DNS configuration issue.

Problem 1: Nameserver Mismatch

This is the most common culprit. Your Route 53 hosted zone has nameservers, but your registered domain is pointing somewhere else entirely.

What's Happening

When you create a Route 53 hosted zone, AWS assigns it four nameservers (something like ns-123.awsdns-45.com). However, your domain registration still points to the old nameservers from your previous DNS provider or registrar.

You add the ACM validation CNAME to Route 53, but ACM can't see it because the domain isn't actually using Route 53's nameservers yet. The records exist, they're just on a DNS server nobody is querying.

The Fix

Check your domain's actual nameservers and compare them to your hosted zone.

On macOS/Linux:

dig NS yourdomain.com +short

On Windows (PowerShell):

nslookup -type=NS yourdomain.com

This shows which nameservers the domain is actually using in production. Now compare these to your Route 53 hosted zone's nameservers (found in the Route 53 console under the hosted zone details).

If they don't match, you need to update your domain registration to use Route 53's nameservers. This is done through your domain registrar's control panel (GoDaddy, Namecheap, AWS Route 53 domain registration, etc.).

After updating nameservers, DNS propagation takes time. Check propagation status:

dig NS yourdomain.com @8.8.8.8
dig NS yourdomain.com @1.1.1.1

Query different DNS servers to see if the change has propagated globally. This can take anywhere from minutes to 48 hours, though it's usually quick.
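As an added example (not code from the original post), here is the nameserver comparison above as a small POSIX shell script. It normalises the NS set that dig returns and the set copied from the Route 53 console so that upper case and trailing dots do not produce false mismatches, and it reports exactly which names differ. It assumes dig is installed; the hosted zone's nameservers are passed in as a newline-separated argument, and the ns-*.awsdns-* names used for testing are placeholders.

```shell
# normalize_ns: read nameserver names on stdin, one per line, and print them
# lowercased, without trailing dots, sorted and de-duplicated, so that dig's
# "NS-123.AWSDNS-45.COM." compares equal to the console's "ns-123.awsdns-45.com".
normalize_ns() {
  tr 'A-Z' 'a-z' | sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' | sort -u
}

# ns_sets_match LIVE EXPECTED: both arguments are newline-separated lists.
# Exit status 0 when the two sets are identical after normalisation, 1 otherwise.
ns_sets_match() {
  [ "$(printf '%s\n' "$1" | normalize_ns)" = "$(printf '%s\n' "$2" | normalize_ns)" ]
}

# ns_diff LIVE EXPECTED: print names found in only one of the lists, prefixed
# with "<" (answered by live DNS only) or ">" (in the hosted zone only).
ns_diff() {
  live=$(printf '%s\n' "$1" | normalize_ns)
  expected=$(printf '%s\n' "$2" | normalize_ns)
  printf '%s\n' "$live" | while IFS= read -r n; do
    [ -n "$n" ] || continue
    printf '%s\n' "$expected" | grep -qxF "$n" || echo "< $n"
  done
  printf '%s\n' "$expected" | while IFS= read -r n; do
    [ -n "$n" ] || continue
    printf '%s\n' "$live" | grep -qxF "$n" || echo "> $n"
  done
}

# check_domain_ns DOMAIN EXPECTED [RESOLVER]: query the NS set a public
# resolver (default 8.8.8.8) sees for DOMAIN and compare it with the hosted
# zone's set. Exit status 1 on a mismatch so it can gate a deployment script.
check_domain_ns() {
  domain=$1; expected=$2; resolver=${3:-8.8.8.8}
  live=$(dig NS "$domain" "@$resolver" +short)
  if ns_sets_match "$live" "$expected"; then
    echo "OK: $domain is served by the hosted zone's nameservers"
  else
    echo "MISMATCH: $domain is not using the hosted zone's nameservers:"
    ns_diff "$live" "$expected"
    return 1
  fi
}
```

Run it against several resolvers (8.8.8.8, 1.1.1.1, your ISP's) to see propagation per resolver rather than a single answer.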

Problem 2: DNSSEC Conflicts

This one is sneaky and common when transferring domains from providers like TransIP, Gandi, or other registrars that enable DNSSEC by default.

What's Happening

DNSSEC adds cryptographic signatures to DNS records so resolvers can detect tampered answers. The chain of trust is anchored by a DS record that your registrar publishes in the parent zone (for example .com); it identifies the key that signs your zone. When you change nameservers but forget to remove or update the DNSSEC settings, that DS record still points at the old provider's key, which your new nameservers don't serve, so the signatures no longer validate.

Validating resolvers treat the zone as bogus and answer SERVFAIL instead of returning any records for your domain. From ACM's perspective, your validation CNAMEs simply don't exist.

The Fix

Check if DNSSEC is enabled on your domain:

On macOS/Linux:

dig DNSKEY yourdomain.com +short

On Windows (PowerShell):

Resolve-DnsName -Name yourdomain.com -Type DNSKEY

If you see DNSKEY records returned, DNSSEC is active. If the query fails with SERVFAIL instead of returning anything, that is itself the symptom of the broken chain described above.

You have two options:

  1. Disable DNSSEC at your domain registrar (simplest solution)
  2. Configure DNSSEC properly for Route 53 by adding DS records to your registrar

For most use cases, disabling DNSSEC is fine. Go to your domain registrar's control panel and turn off DNSSEC. After disabling, you may need to wait for DNS caches to clear (up to a few hours).

If you need DNSSEC enabled, you'll need to configure it properly with Route 53, which involves creating a KSK (Key Signing Key) and adding DS records to your registrar. AWS has documentation for this process.

Verifying the Fix

Once you've fixed the nameserver mismatch or DNSSEC issue, verify ACM can see your validation records:

On macOS/Linux:

dig _a1b2c3d4e5f6g7h8.yourdomain.com CNAME +short

On Windows (PowerShell):

nslookup -type=CNAME _a1b2c3d4e5f6g7h8.yourdomain.com

Replace _a1b2c3d4e5f6g7h8.yourdomain.com with the actual validation CNAME record ACM gave you.

If you get a response showing the CNAME target (something ending in .acm-validations.aws), the record is publicly visible and ACM should validate it within minutes.

If you get no answer, NXDOMAIN, or SERVFAIL (the DNSSEC case), the DNS issue isn't fully resolved yet.
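As a second added example (not code from the original post), a shell helper that classifies the full dig answer for the validation record, so the outcomes described in this section and in Problem 2 are told apart automatically: an answer pointing at .acm-validations.aws, NXDOMAIN (the record is not in the zone the world is actually querying), and SERVFAIL, which is what a validating resolver returns for a broken DNSSEC chain. The validation name and target in the sample are placeholders, not real ACM values, and the live check assumes dig is installed.

```shell
# Constructed sample of `dig CNAME <name>` output (without +short) for a
# healthy validation record; owner name and target are placeholders.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; ANSWER SECTION:
_a1b2c3d4e5f6g7h8.yourdomain.com. 300 IN CNAME _0123456789abcdef.acm-validations.aws.'

# dig_status: print the status word (NOERROR, NXDOMAIN, SERVFAIL, ...) found
# in the header line of full dig output read on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# classify_validation NAME: read full dig output for NAME on stdin and print
# OK, WRONG_TARGET, MISSING, SERVFAIL or UNKNOWN.
classify_validation() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | dig_status)
  target=$(printf '%s\n' "$out" |
    awk -v n="$1" 'tolower($1) == (tolower(n) ".") && $4 == "CNAME" { print $5 }')
  case "$status" in
    NOERROR)
      if [ -z "$target" ]; then echo MISSING
      elif printf '%s\n' "$target" | grep -q '\.acm-validations\.aws\.$'; then echo OK
      else echo WRONG_TARGET; fi ;;
    NXDOMAIN) echo MISSING ;;       # the zone being served lacks the record
    SERVFAIL) echo SERVFAIL ;;      # typical of a broken DNSSEC chain
    *) echo UNKNOWN ;;
  esac
}

# check_validation_record NAME [RESOLVER]: query a public resolver (default
# 8.8.8.8) and classify the answer. On SERVFAIL, re-query with +cd (checking
# disabled): if the record appears only then, the DNSSEC chain is the problem.
check_validation_record() {
  name=$1; resolver=${2:-8.8.8.8}
  result=$(dig CNAME "$name" "@$resolver" | classify_validation "$name")
  if [ "$result" = SERVFAIL ]; then
    cd_result=$(dig CNAME "$name" "@$resolver" +cd | classify_validation "$name")
    [ "$cd_result" = OK ] && result=DNSSEC_BROKEN
  fi
  echo "$result"
}

# Classify the constructed sample; prints OK.
printf '%s\n' "$SAMPLE_OK" | classify_validation _a1b2c3d4e5f6g7h8.yourdomain.com
```

A DNSSEC_BROKEN result means the record is correct in Route 53 and only the DS record at the registrar needs removing or updating.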

Other Common Issues

Wrong Hosted Zone

If you have multiple Route 53 hosted zones for the same domain (maybe from failed deployment attempts), you might be adding records to the wrong one. Delete duplicate hosted zones to avoid confusion.

Propagation Time

Sometimes you just need to wait. DNS changes take time to propagate globally. ACM may be querying a DNS server that hasn't updated yet. Give it 30 minutes to an hour after making changes.

Record Already Exists

If you've requested the certificate multiple times, you might have duplicate or conflicting validation records. Delete old validation CNAMEs and add only the current one.

Prevention Tips

To avoid these issues on future deployments:

  • Update nameservers first - Before requesting ACM certificates, ensure your domain is pointing to Route 53
  • Disable DNSSEC before transferring domains, then re-enable after DNS is stable
  • Use infrastructure-as-code - Tools like SST or Terraform handle ACM validation automatically
  • Check DNS before deploying - Verify nameservers match your hosted zone

When to Get Help

If you've checked nameservers, disabled DNSSEC, waited for propagation, and the certificate is still pending after 24 hours, you may have a more complex issue. Common scenarios include:

  • Corporate domains with external DNS management
  • Domains whose CAA records don't authorize Amazon's certificate authority
  • Email-based validation when DNS validation isn't working

These situations require deeper troubleshooting or professional assistance.

Conclusion

A pending ACM certificate is frustrating, but the solution is usually straightforward. Check your nameservers, disable DNSSEC if active, and verify the validation records are publicly visible. In most cases, that's all it takes.

DNS issues are the hidden complexity of modern web deployment. Understanding how nameservers and DNSSEC work saves hours of debugging and makes deployments smoother.

The next time you see that dreaded "Pending validation" status, you'll know exactly what to check.

Sjors Verhoef
Freelance Developer
