Menu
AWS Certificate Manager
User Guide (Version 1.0)

Troubleshooting

Consult the following information if you encounter problems using AWS Certificate Manager.

Not Receiving Validation Email

When you request a certificate from ACM, domain validation email is sent to three contact addresses specified in WHOIS and to five common administrative addresses. For more information, see Validate Domain Ownership. If you are experiencing problems receiving validation email, review the suggestions that follow.

Where to look for email

Validation email is sent to contact addresses listed in WHOIS and to common administrative addresses for the domain. Email is not sent to the AWS account owner unless the owner is also listed as a domain contact in WHOIS. Review the list of email addresses that are displayed in the ACM console (or returned from the CLI or API) to determine where you should be looking for validation email. To see the list, click the icon next to the domain name in the box labeled Validation not complete.

The email is marked as spam

Check your spam folder for the validation email.

GMail automatically sorts your email

If you are using GMail, the validation email may have been automatically sorted into the Updates or Promotions tabs.

The domain registrar does not display contact information or privacy protection is enabled

In some cases, the domain registrant, technical, and administrative contacts in WHOIS may not be publicly available, and AWS therefore cannot reach these contacts. At your discretion, you can choose to configure your registrar to list your email address in WHOIS, although not all registrars support this option. You may be required to make a change directly at your domain's registry. In other cases, the domain contact information may be using a privacy address, such as those provided through WhoisGuard or PrivacyGuard. For domains purchased from Amazon Route 53, privacy protection is enabled by default and your email address is mapped to a whoisprivacyservice.org or contact.gandi.net email address. Ensure that your registrant email address on file with your domain registrar is up to date so that the email sent to these obscured email addresses can be forwarded to an email address that you control.

If email contact information for your domain is not available through WHOIS, or if email sent to the contact information does not reach the domain owner or an authorized representative, we recommend that you configure your domain or subdomain to receive email sent to one or more of the common administrative addresses formed by prepending admin@, administrator@, hostmaster@, webmaster@, and postmaster@ to the requested domain name. For more information about configuring email for your domain, see the documentation for your email service provider and follow the instructions at Configure Email for Your Domain. If you are using Amazon WorkMail, see Working with Users in the Amazon WorkMail Administrator Guide.

After making available at least one of the eight email addresses to which AWS sends validation email and confirming that you can receive email for that address, you are ready to request a certificate through ACM. After you make a certificate request, ensure the intended email address appears in the list of email addresses in the AWS Management Console. While the certificate is in the Pending validation state, you can expand the list to view it by clicking the icon next to the domain name in the box labeled Validation not complete. You can also view the list in Step 3: Validate of the ACM Request a Certificate wizard. The listed email addresses are the ones to which email was sent.

Contact the Support Center

If, after reviewing the preceding guidance, you still don't receive domain validation email, please visit the AWS Support Center and create a case. If you don't have a support agreement, post a message to the ACM Support Forum.

Email Sent to Subdomain

If you request a certificate for a subdomain name such as sub.test.example.com, then ACM checks to see if there is an MX record for sub.test.example.com. If not, then the parent domain test.example.com is checked, and so on, up to the base domain example.com. If an MX record is found, the search stops and a validation email is sent to the common administration addresses for the subdomain. So if an MX record is found for test.example.com then an email is sent to admin@test.example.com, administrator@test.example.com, and the other administrative addresses specified in Validate Domain Ownership. If an MX record is not found in any of the subdomains, then no email is sent. To have the email instead sent directly to the apex domain, such as example.com, specify the ValidationDomain option in theRequestCertificate API or the request-certificate AWS CLI command. This functionality is not currently supported in the console.

Certificate Request Timed Out

Requests for ACM Certificates time out if they are not validated within 72 hours. To correct this condition, delete your request and choose Request a certificate to begin again. For more information about how to approve a certificate request, see Validate Domain Ownership.

Certificate Request Failed

A request for an ACM Certificate can fail. If that happens, the following explanations can help you understand why the request failed and suggest steps you can take to fix the problem.

No Available Contacts

ACM could not find an email address to use for validating one or more of the domain names in the certificate request. To correct this problem, you can do one of the following:

  • Ensure that you have a working email address that is registered in WHOIS and that the address is visible when performing a standard WHOIS lookup for the domain names in the certificate request. Typically, you do this through your domain registrar.

  • Ensure your domain is configured to receive email. Your domain's name server must have a mail exchanger record (MX record) so ACM's email servers know where to send the domain validation email.

Accomplishing one of the preceding tasks is enough to correct this problem; you don't need to do both. After you correct the problem, request a new certificate. You cannot resubmit a failed certificate request.

For more information about how to ensure that you receive domain validation emails from ACM, see Configure Email for Your Domain or Not Receiving Validation Email. If you follow these steps and continue to get the No Available Contacts message, then report this to AWS so that we can investigate it.

Domain Not Allowed

ACM does not allow certificate requests for one or more of the domain names in the certificate request. Typically, this is because one or more of the domain names in the certificate request was found in the Google Safe Browsing list of unsafe websites or the PhishTank list of valid phishes. To correct this problem, you can do the following:

After you correct the problem, request a new certificate. You cannot resubmit a failed certificate request.

Additional Verification Required

ACM requires additional information to process this certificate request. To provide this information, use the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the AWS Certificate Manager discussion forum.

Note

You cannot request a certificate for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com. This failure reason occurs when your certificate request includes these domain names.

Invalid Public Domain

One or more of the domain names in the certificate request is not valid. Typically, this is because a domain name in the request is not a valid top-level domain. Try to request a certificate again, correcting any spelling errors or typos that were in the failed request, and ensuring that all domain names in the request are for valid top-level domains. For example, you cannot request an ACM Certificate for example.invalidpublicdomain because "invalidpublicdomain" is not a valid top-level domain. If you continue to receive this failure reason, use the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the AWS Certificate Manager discussion forum.

Other

Typically, this failure occurs when there is a typographical error in one or more of the domain names in the certificate request. Try to request a certificate again, correcting any spelling errors or typos that were in the failed request. If you continue to receive this failure reason, use the Support Center to contact AWS Support. If you don't have a support plan, post a new thread in the AWS Certificate Manager discussion forum.

Validation Not Complete

If the ACM Certificate request status is Pending validation, the request is awaiting approval. To approve the request, the authorized representative must respond to the validation email sent to the registered WHOIS contact addresses and other common email addresses for the requested domain. For more information about how to approve a request, see Validate Domain Ownership.

Important

If your request includes more than one domain name in the certificate, then you must approve every domain name that you included. If you do not receive a validation email for each domain name included in the request, then see Not Receiving Validation Email.