# AWS Certificate Validation Failed

## Common Error Patterns

Certificate validation failures typically show:

```text
Certificate validation failed. The certificate is not validated.
```

```text
Domain validation status: PENDING_VALIDATION
```

```text
Failed to verify domain ownership
```

```text
CNAME record not found for _acme-challenge
```

## Root Causes and Solutions

### 1. Missing DNS Validation Records

CNAME records for validation not created.

Solution:

Get the validation records:

```bash
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.DomainValidationOptions'
```

Create the required CNAME records in your DNS provider:

```bash
# Example for Route 53
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --change-batch '{
    "Changes": [
      {
        "Action": "CREATE",
        "ResourceRecordSet": {
          "Name": "_a1b2c3d4e5f6.example.com.",
          "Type": "CNAME",
          "TTL": 300,
          "ResourceRecords": [
            {"Value": "_a1b2c3d4e5f6.acm-validations.aws."}
          ]
        }
      }
    ]
  }'
```

### 2. Incorrect DNS Record Values

Validation records have wrong values.

Solution:

Verify the exact values from ACM:

```bash
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.DomainValidationOptions[*].ResourceRecord'
```

Check DNS propagation:

```bash
# Linux/Mac
dig _a1b2c3d4e5f6.example.com CNAME

# Windows
nslookup -type=CNAME _a1b2c3d4e5f6.example.com

# Using AWS CLI
aws route53 test-dns-answer \
  --hosted-zone-id Z1234567890ABC \
  --record-name _a1b2c3d4e5f6.example.com. \
  --record-type CNAME
```
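Sections 1 and 2 above are usually done by hand-copying values out of `describe-certificate`, which is where typos, missing trailing dots and stale records come from. The following added example (not part of the original page or of any AWS tool) takes the `DomainValidationOptions` JSON as input, builds the exact `--change-batch` document, and then compares what DNS answers against what ACM expects, normalising case and trailing dots so a harmless difference is not reported as a mismatch. It also deduplicates by record name, since a wildcard and its base domain share one validation record and Route 53 rejects a batch that names the same record set twice. The sample validation options, tokens and hostnames are constructed; `dig_resolver` shells out to `dig`, the tool the page uses, and is only called from the `__main__` demo.

```python
"""Build the Route 53 change batch from ACM's validation options and verify
what DNS actually answers.  Added example; sample data below is constructed."""
import json
import subprocess
from typing import Callable, Dict, List, Optional

# Constructed sample in the shape of
#   aws acm describe-certificate --query 'Certificate.DomainValidationOptions'
# for a certificate covering example.com and *.example.com.  Tokens are placeholders.
SAMPLE_VALIDATION_OPTIONS = [
    {"DomainName": "example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_a1b2c3d4e5f6.example.com.", "Type": "CNAME",
                        "Value": "_f6e5d4c3b2a1.acm-validations.aws."}},
    # A wildcard and its base domain share one validation record, so the same
    # Name/Value pair appears twice in ACM's output.
    {"DomainName": "*.example.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_a1b2c3d4e5f6.example.com.", "Type": "CNAME",
                        "Value": "_f6e5d4c3b2a1.acm-validations.aws."}},
]


def canon(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased with a trailing dot."""
    return name.rstrip(".").lower() + "."


def expected_records(options: List[dict]) -> Dict[str, dict]:
    """Unique validation records keyed by canonical name.  Email-validated
    domains carry no ResourceRecord and are skipped."""
    records: Dict[str, dict] = {}
    for opt in options:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue
        key = canon(rr["Name"])
        value = canon(rr["Value"])
        if key in records and records[key]["Value"] != value:
            raise ValueError(f"ACM returned two different values for {key}")
        records[key] = {"Name": key, "Type": rr["Type"], "Value": value}
    return records


def build_change_batch(options: List[dict], ttl: int = 300, action: str = "CREATE") -> dict:
    """The --change-batch document for `aws route53 change-resource-record-sets`.
    Deduplicating first matters: Route 53 rejects a batch that names the same
    record set twice."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [
            {"Action": action,
             "ResourceRecordSet": {"Name": r["Name"], "Type": r["Type"], "TTL": ttl,
                                   "ResourceRecords": [{"Value": r["Value"]}]}}
            for r in expected_records(options).values()
        ],
    }


def check_records(options: List[dict],
                  resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Compare each expected CNAME with the answer `resolve(name)` gives.
    Per record name: 'ok', 'missing' (no answer), or 'wrong:<answer>'."""
    result: Dict[str, str] = {}
    for name, rec in expected_records(options).items():
        answer = resolve(name)
        if answer is None:
            result[name] = "missing"
        elif canon(answer) == rec["Value"]:
            result[name] = "ok"
        else:
            result[name] = f"wrong:{answer}"
    return result


def dig_resolver(name: str) -> Optional[str]:
    """Live lookup via `dig +short` (the tool the page uses); None if no answer."""
    out = subprocess.run(["dig", "+short", name, "CNAME"],
                         capture_output=True, text=True, check=False).stdout.strip()
    return out.splitlines()[0] if out else None


if __name__ == "__main__":
    print(json.dumps(build_change_batch(SAMPLE_VALIDATION_OPTIONS), indent=2))
    print(check_records(SAMPLE_VALIDATION_OPTIONS, dig_resolver))
```

Pipe the real `describe-certificate` output into `build_change_batch` and pass the result to `--change-batch file://...`; a `wrong:<answer>` entry from `check_records` is the section 2 case (record exists, value is not what ACM issued), while `missing` points at section 1 or at propagation delay.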

### 3. Using Wrong Validation Method

Mismatch between requested and configured validation.

Solution:

Check validation method:

```bash
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.ValidationMethod'
```

For DNS validation, ensure:

- CNAME records are created correctly
- Records point to the exact ACM validation endpoint

For email validation:

- Check the email inbox for the domain registrant
- Check the spam folder
- Resend the validation email if needed (`--validation-domain` takes the domain that receives the validation mail, not a mailbox address):

```bash
aws acm resend-validation-email \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --domain example.com \
  --validation-domain example.com
```

### 4. Wildcard Certificate Issues

Problems with wildcard domain validation.

Solution:

For wildcard certificates (*.example.com):

1. Both the wildcard and base domain need validation:
   - *.example.com
   - example.com
2. Each domain gets separate CNAME records:

```bash
# Get validation records for all domains
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.DomainValidationOptions[*]'
```

### 5. DNS Propagation Delay

Records created but not yet propagated.

Solution:

Wait for DNS propagation (typically 5-30 minutes). ACM checks periodically.

Force revalidation (ACM automatically retries):

```bash
# No direct retry command - ACM retries automatically
# Check status periodically
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --query 'Certificate.Status'
```
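Since there is no retry command, "check status periodically" in practice means a polling loop that knows when to stop: ACM moves the certificate to `ISSUED`, to a terminal failure (`FAILED`, `VALIDATION_TIMED_OUT`) where more waiting cannot help, or stays `PENDING_VALIDATION` long enough that your own deadline should fire. The added example below (not from the original page or from AWS) implements that loop with capped exponential backoff and reports which domains are still pending from the per-domain `ValidationStatus`. The `describe` callable is injected so the loop can be exercised offline with the constructed `SAMPLE_STATES`; `acm_describer` wires it to boto3 and assumes boto3 is installed and credentials are configured.

```python
"""Poll ACM until the certificate is ISSUED or has failed for good, backing
off between checks.  Added example; `describe` is injected so it runs offline."""
import time
from typing import Callable, Iterable, List, Tuple

# Statuses after which further polling is pointless: the request must be redone.
TERMINAL_FAILURES = ("FAILED", "VALIDATION_TIMED_OUT")


def pending_domains(cert: dict) -> List[str]:
    """Domains whose per-domain ValidationStatus is not yet SUCCESS."""
    return [o["DomainName"] for o in cert.get("DomainValidationOptions", [])
            if o.get("ValidationStatus") != "SUCCESS"]


def wait_for_issuance(describe: Callable[[], dict], timeout_s: float = 1800,
                      initial_delay_s: float = 15, max_delay_s: float = 120,
                      sleep=time.sleep, clock=time.monotonic) -> Tuple[str, List[str]]:
    """Return (final status, domains still pending).  Status is 'ISSUED',
    one of TERMINAL_FAILURES, or 'TIMEOUT' when our own deadline passes."""
    deadline = clock() + timeout_s
    delay = initial_delay_s
    while True:
        cert = describe()
        status = cert.get("Status", "UNKNOWN")
        if status == "ISSUED":
            return status, []
        if status in TERMINAL_FAILURES:
            return status, pending_domains(cert)
        if clock() >= deadline:
            return "TIMEOUT", pending_domains(cert)
        sleep(delay)
        delay = min(delay * 2, max_delay_s)   # exponential backoff, capped


def acm_describer(certificate_arn: str, region: str) -> Callable[[], dict]:
    """Real describe() backed by boto3 (assumed installed and credentialed)."""
    import boto3
    client = boto3.client("acm", region_name=region)
    return lambda: client.describe_certificate(CertificateArn=certificate_arn)["Certificate"]


def scripted(states: Iterable[dict]) -> Callable[[], dict]:
    """Constructed describe() that replays a list of responses, repeating the last one."""
    states = list(states)
    calls = {"n": 0}

    def describe() -> dict:
        cert = states[min(calls["n"], len(states) - 1)]
        calls["n"] += 1
        return cert
    return describe


# Constructed sequence: two PENDING polls, then ISSUED.
SAMPLE_STATES = [
    {"Status": "PENDING_VALIDATION",
     "DomainValidationOptions": [{"DomainName": "example.com",
                                  "ValidationStatus": "PENDING_VALIDATION"}]},
    {"Status": "PENDING_VALIDATION",
     "DomainValidationOptions": [{"DomainName": "example.com",
                                  "ValidationStatus": "PENDING_VALIDATION"}]},
    {"Status": "ISSUED",
     "DomainValidationOptions": [{"DomainName": "example.com",
                                  "ValidationStatus": "SUCCESS"}]},
]


if __name__ == "__main__":
    # Offline demo: no real sleeping, a fixed clock.
    print(wait_for_issuance(scripted(SAMPLE_STATES), sleep=lambda s: None, clock=lambda: 0.0))
```

For a real certificate replace the scripted describer with `acm_describer(arn, region)` and keep the default sleep and clock; a `TIMEOUT` with domains still pending is the cue to go back to sections 1 and 2 rather than to keep waiting.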

### 6. Certificate in Wrong Region

Certificate not in the same region as the service.

Solution:

For CloudFront, certificates must be in us-east-1:

```bash
# List certificates in us-east-1
aws acm list-certificates --region us-east-1

# Request new certificate in correct region
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-east-1
```

For ALB/App Runner, certificate must be in the same region as the service.

### 7. Multiple Hosted Zones

Multiple hosted zones for the same domain.

Solution:

Identify the correct hosted zone:

```bash
aws route53 list-hosted-zones-by-name \
  --dns-name example.com
```

Look for:

- The hosted zone with the domain name
- Whether it is a public or private hosted zone
- That the records are in the correct zone

### 8. CNAME Conflicts

Existing records conflict with validation CNAME.

Solution:

Check for existing records:

```bash
aws route53 list-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --start-record-name "_a1b2c3d4e5f6.example.com." \
  --start-record-type CNAME \
  --max-items 1
```

If conflict exists, delete the conflicting record:

```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --change-batch '{
    "Changes": [
      {
        "Action": "DELETE",
        "ResourceRecordSet": {
          "Name": "_a1b2c3d4e5f6.example.com.",
          "Type": "CNAME",
          "TTL": 300,
          "ResourceRecords": [{"Value": "old-value.example.com."}]
        }
      }
    ]
  }'
```
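The manual DELETE above has to match the stored record set exactly (name, type, TTL and values), which is why copying it by hand fails so often. The added example below (not part of the original page or of any AWS tool) takes the output of `list-resource-record-sets` and the `ResourceRecord` ACM expects, and produces the change list for one `change-resource-record-sets` call: nothing when the right CNAME is already there, otherwise a DELETE of whatever sits at that name, passed through verbatim so it matches, followed by the CREATE. Every record set at the name is removed because Route 53 will not place a CNAME beside any other record type. Sample zone contents and tokens are constructed.

```python
"""Reconcile the CNAME ACM expects with what the hosted zone already holds.
Added example; inputs follow the shape of `aws route53 list-resource-record-sets`
and `DomainValidationOptions[].ResourceRecord`.  Sample data is constructed."""
import json
from typing import List


def canon(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased with a trailing dot."""
    return name.rstrip(".").lower() + "."


def plan_changes(existing_rrsets: List[dict], expected: dict, ttl: int = 300) -> List[dict]:
    """Changes for --change-batch: [] when the right CNAME is already present,
    otherwise DELETE every record set at that name (passed through verbatim,
    because DELETE must match the stored set exactly) followed by the CREATE."""
    name, want = canon(expected["Name"]), canon(expected["Value"])
    changes: List[dict] = []
    for rrset in existing_rrsets:
        if canon(rrset["Name"]) != name:
            continue
        values = [canon(r["Value"]) for r in rrset.get("ResourceRecords", [])]
        if rrset["Type"] == "CNAME" and values == [want]:
            return []   # already correct; a CREATE now would fail with "already exists"
        changes.append({"Action": "DELETE", "ResourceRecordSet": rrset})
    changes.append({"Action": "CREATE",
                    "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                                          "ResourceRecords": [{"Value": want}]}})
    return changes


# Constructed: zone contents including a stale validation CNAME left over
# from an earlier certificate request.
SAMPLE_EXISTING = [
    {"Name": "example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "_a1b2c3d4e5f6.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "old-value.example.com."}]},
]
# Constructed: the ResourceRecord ACM reported for this domain.
EXPECTED = {"Name": "_a1b2c3d4e5f6.example.com.", "Type": "CNAME",
            "Value": "_f6e5d4c3b2a1.acm-validations.aws."}


if __name__ == "__main__":
    print(json.dumps({"Changes": plan_changes(SAMPLE_EXISTING, EXPECTED)}, indent=2))
```

Feed the printed document to `--change-batch file://changes.json`; because DELETE and CREATE sit in one batch, Route 53 applies them atomically and the name never goes unresolvable in between.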

## Certificate Lifecycle Management

### Request New Certificate

```bash
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --idempotency-token 1234 \
  --options CertificateTransparencyLoggingPreference=ENABLED
```

### Validate with Route 53 (Automated)

```bash
# Get certificate details
CERT_ARN=$(aws acm request-certificate \
  --domain-name example.com \
  --validation-method DNS \
  --query 'CertificateArn' \
  --output text)

# Wait for validation records
sleep 5

# Get validation CNAME
VALIDATION=$(aws acm describe-certificate \
  --certificate-arn "$CERT_ARN" \
  --query 'Certificate.DomainValidationOptions[0].ResourceRecord')

# Create Route 53 record (jq without -r keeps the values JSON-quoted,
# so the change batch stays valid JSON)
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --change-batch "{
    \"Changes\": [{
      \"Action\": \"CREATE\",
      \"ResourceRecordSet\": {
        \"Name\": $(echo "$VALIDATION" | jq '.Name'),
        \"Type\": $(echo "$VALIDATION" | jq '.Type'),
        \"TTL\": 300,
        \"ResourceRecords\": [{\"Value\": $(echo "$VALIDATION" | jq '.Value')}]
      }
    }]
  }"
```

### Delete Certificate

```bash
aws acm delete-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123
```

## Troubleshooting Commands

```bash
# List all certificates
aws acm list-certificates

# Check certificate status
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123

# Check DNS resolution
dig _validation.example.com CNAME +short

# View certificate details
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123 \
  --output json
```

## Common Status Values

| Status | Meaning | Action |
|---|---|---|
| PENDING_VALIDATION | Awaiting DNS/email validation | Add DNS records |
| ISSUED | Certificate is valid and usable | None needed |
| VALIDATION_TIMED_OUT | Validation expired | Request new certificate |
| FAILED | Validation failed | Check error, retry |
| INACTIVE | Certificate not in use | None needed |
| EXPIRED | Certificate expired | Renew certificate |

## Prevention Tips

1. Use DNS validation for automation
2. Set up certificate monitoring and alerts
3. Use CloudFormation/Terraform for certificate management
4. Enable certificate transparency logging
5. Plan for renewal before expiration