I requested an ACM certificate for my new domain last Monday. The console showed “PENDING_VALIDATION” status. I thought it would validate automatically. By Wednesday, still pending. By Friday, I needed that certificate for a CloudFront distribution launch, but it was still stuck in validation. It turned out the DNS CNAME wasn’t added to my Route 53 zone—a simple oversight with a big impact. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
You requested an AWS Certificate Manager certificate, but it remains stuck in PENDING_VALIDATION status for hours or days. The certificate isn’t available for use in CloudFront distributions, load balancers, or other AWS services. The validation process has stalled.
| Status | Meaning |
|---|---|
| PENDING_VALIDATION | Certificate requested but not yet validated; DNS/email records not added |
| ISSUED | Validation successful; certificate ready for use |
| FAILED | Validation failed; check email or DNS records |
| INACTIVE | Certificate requested more than 1 year ago and never validated |
Why Does This Happen?
- DNS CNAME record not added to Route 53 — For DNS validation (recommended method), ACM generates a CNAME record that must be added to your domain’s DNS. If you don’t add it, ACM can’t validate ownership.
- DNS propagation not complete — DNS changes take time to propagate globally. ACM usually validates within 5–30 minutes, but in some cases can take up to 48 hours, especially for external DNS providers.
- Route 53 “Add to Route 53” button not clicked — The ACM console shows an “Add to Route 53” button for hosted zones. This button is convenient—clicking it auto-adds the CNAME. If you miss it and try to add manually, mistakes creep in.
- CNAME added to wrong domain or hosted zone — You own `example.com` but the certificate is for `www.example.com` or a wildcard `*.example.com`. The CNAME must be added to the correct zone or subdomain.
- Email validation selected but email never checked — ACM sends validation emails to the domain’s administrative contacts (derived from WHOIS). If those emails go to spam or the mailbox doesn’t exist, validation fails.
- Certificate requested in wrong region — For CloudFront, ACM certificates MUST be in `us-east-1`, regardless of where your distribution is located. Other AWS services use regional certificates.
The Fix
Step 1: Check Certificate Status and Get Validation Records
```bash
# Describe the certificate and retrieve validation details
aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123def456 \
  --region us-east-1 \
  --query 'Certificate.[DomainName,Status,DomainValidationOptions]' \
  --output table
```

The `DomainValidationOptions` will show records that need to be added:

```json
{
  "DomainName": "example.com",
  "ValidationDomain": "example.com",
  "ResourceRecord": {
    "Name": "_abcd1234.example.com",
    "Type": "CNAME",
    "Value": "_efgh5678.acm-validations.aws."
  }
}
```
Step 2: Add the DNS CNAME to Route 53
If you have the hosted zone in Route 53, use the console’s “Add to Route 53” button, or add it via CLI:
```bash
# Get your hosted zone ID (list-hosted-zones-by-name returns "/hostedzone/Z...",
# so keep only the last path segment)
HOSTED_ZONE_ID=$(aws route53 list-hosted-zones-by-name --dns-name example.com \
  --query 'HostedZones[0].Id' --output text | awk -F'/' '{print $NF}')

# Create the CNAME record.
# CREATE fails with InvalidChangeBatch if the record already exists;
# use "Action": "UPSERT" instead if you need the command to be safely re-runnable.
aws route53 change-resource-record-sets \
  --hosted-zone-id "$HOSTED_ZONE_ID" \
  --change-batch '{
    "Changes": [
      {
        "Action": "CREATE",
        "ResourceRecordSet": {
          "Name": "_abcd1234.example.com",
          "Type": "CNAME",
          "TTL": 300,
          "ResourceRecords": [
            {"Value": "_efgh5678.acm-validations.aws"}
          ]
        }
      }
    ]
  }'
```
Step 3: Verify DNS Propagation
Check that the CNAME is resolvable globally:
```bash
# Verify the CNAME record exists
dig _abcd1234.example.com CNAME +short
# Should return something like:
# _efgh5678.acm-validations.aws.
```
Step 4: Wait for Validation
ACM polls DNS automatically. Validation typically completes within 5 minutes of the CNAME appearing. Check status:
```bash
# Poll for certificate status (validation complete = ISSUED)
watch -n 5 'aws acm describe-certificate \
  --certificate-arn arn:aws:acm:us-east-1:123456789012:certificate/abc123def456 \
  --region us-east-1 \
  --query "Certificate.Status" --output text'
```
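Steps 1 through 4 are easy to get wrong by hand when a certificate covers several names: the apex and its wildcard share one validation CNAME (so a naive loop submits it twice and the second CREATE fails), and a subdomain that lives in its own hosted zone needs its record in that zone, not the parent. The script below is an added example, not code from the original post or from AWS. It reads the JSON that `aws acm describe-certificate --output json` and `aws route53 list-hosted-zones --output json` produce, picks the most specific hosted zone for each domain, de-duplicates records, and writes one UPSERT change batch per zone for `aws route53 change-resource-record-sets`. It also checks `dig +short` output against the expected ACM target, normalising trailing dots. All certificate, hosted-zone and token values in it are constructed placeholders.

```python
"""Turn ACM DomainValidationOptions into Route 53 change batches (added example)."""
import json
import sys

# Constructed sample in the shape of `aws acm describe-certificate --output json`.
# Note that example.com and *.example.com share the same validation CNAME,
# and api.internal.example.com belongs to a separate hosted zone.
SAMPLE_CERT = {
    "Certificate": {
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "example.com",
             "ResourceRecord": {"Name": "_abcd1234.example.com.", "Type": "CNAME",
                                "Value": "_efgh5678.acm-validations.aws."}},
            {"DomainName": "*.example.com",
             "ResourceRecord": {"Name": "_abcd1234.example.com.", "Type": "CNAME",
                                "Value": "_efgh5678.acm-validations.aws."}},
            {"DomainName": "api.internal.example.com",
             "ResourceRecord": {"Name": "_ijkl9012.api.internal.example.com.", "Type": "CNAME",
                                "Value": "_mnop3456.acm-validations.aws."}},
        ],
    }
}

# Constructed sample in the shape of `aws route53 list-hosted-zones --output json`.
SAMPLE_ZONES = {
    "HostedZones": [
        {"Id": "/hostedzone/Z0000000000000EXAMPLE1", "Name": "example.com."},
        {"Id": "/hostedzone/Z0000000000000EXAMPLE2", "Name": "internal.example.com."},
        {"Id": "/hostedzone/Z0000000000000EXAMPLE3", "Name": "other.test."},
    ]
}


def fqdn(name):
    """Normalise a DNS name: lower-case, exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def pick_hosted_zone(domain, zones):
    """Return (zone_id, zone_name) of the longest zone suffix covering domain.

    The wildcard label is dropped first, so '*.example.com' lands in the
    'example.com.' zone. Returns None when no hosted zone covers the domain,
    which is the "CNAME added to the wrong zone" failure the post describes.
    """
    if domain.startswith("*."):
        domain = domain[2:]
    target = fqdn(domain)
    best = None
    for zone in zones["HostedZones"]:
        zname = fqdn(zone["Name"])
        if target == zname or target.endswith("." + zname):
            if best is None or len(zname) > len(best[1]):
                best = (zone["Id"].split("/")[-1], zname)
    return best


def build_change_batches(cert, zones, ttl=300):
    """Group validation CNAMEs by hosted zone, one UPSERT change batch per zone.

    UPSERT keeps re-runs idempotent; de-duplication avoids submitting the
    record that example.com and *.example.com share twice in one batch.
    Returns (batches keyed by zone id, list of domains with no hosted zone).
    """
    batches, seen, unresolved = {}, set(), []
    for opt in cert["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if rr is None:  # email-validated name: nothing to add to DNS
            continue
        zone = pick_hosted_zone(opt["DomainName"], zones)
        if zone is None:
            unresolved.append(opt["DomainName"])
            continue
        key = (zone[0], fqdn(rr["Name"]), rr["Type"])
        if key in seen:
            continue
        seen.add(key)
        batch = batches.setdefault(zone[0], {"Comment": "ACM DNS validation", "Changes": []})
        batch["Changes"].append({
            "Action": "UPSERT",
            "ResourceRecordSet": {"Name": fqdn(rr["Name"]), "Type": rr["Type"], "TTL": ttl,
                                  "ResourceRecords": [{"Value": fqdn(rr["Value"])}]},
        })
    return batches, unresolved


def records_match(dig_output, expected_value):
    """True when `dig <name> CNAME +short` returned the expected ACM target.

    Tools differ on trailing dots and case, so both sides are normalised;
    an empty answer means the record has not propagated yet.
    """
    answers = [fqdn(line) for line in dig_output.splitlines() if line.strip()]
    return fqdn(expected_value) in answers


if __name__ == "__main__":
    # Usage: python acm_dns_validation.py cert.json zones.json
    # (falls back to the constructed samples when run without arguments)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            cert = json.load(f)
        with open(sys.argv[2]) as f:
            zones = json.load(f)
    else:
        cert, zones = SAMPLE_CERT, SAMPLE_ZONES
    batches, unresolved = build_change_batches(cert, zones)
    for zone_id, batch in batches.items():
        path = f"change-{zone_id}.json"
        with open(path, "w") as f:
            json.dump(batch, f, indent=2)
        print(f"{path}: {len(batch['Changes'])} record(s) for hosted zone {zone_id}")
    for domain in unresolved:
        print(f"WARNING: no hosted zone covers {domain}; add its CNAME at the external DNS provider",
              file=sys.stderr)
```

Feed each generated file to `aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://change-<zone id>.json`, then confirm propagation with the `dig` command from Step 3 before expecting ACM to flip the status. Anything reported as unresolved has no Route 53 zone in the account and must be added wherever that name is actually hosted.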
Step 5: For CloudFront Certificates
Remember: CloudFront requires certificates in us-east-1. If you created your certificate in a different region, create a new one in us-east-1:
```bash
# Request certificate in us-east-1 for CloudFront
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names www.example.com \
  --validation-method DNS \
  --region us-east-1
```
Step 6: Email Validation (If Needed)
If you’re using email validation, check your mailbox (and spam folder) for emails from no-reply@validation.acm.aws. Click the approval link in the email.
Is This Safe?
Absolutely. Adding DNS CNAME records for certificate validation is a standard practice and is required for domain ownership verification. Leave the record in place after the certificate is issued: ACM reuses it to renew the certificate automatically, and deleting it puts the next renewal back into the same stuck state.
Key Takeaway
ACM certificate validation failures are almost always DNS-related. Ensure the CNAME record is added to Route 53 or your external DNS provider, verify propagation with dig, and remember that CloudFront certificates must be in us-east-1.
Have questions or ran into a different security issue? Connect with me on LinkedIn or X.