Troubleshoot DNS validation problems - AWS Certificate Manager

Troubleshoot DNS validation problems

Consult the following guidance if you are having trouble validating a certificate with DNS.


The first step in DNS troubleshooting is to check the current status of your domain with tools such as the following:

Underscores prohibited by DNS provider

If your DNS provider prohibits leading underscores in CNAME values, you can remove the underscore from the ACM-provided value and validate your domain without it. For example, the CNAME value can be changed to for validation purposes. However, the CNAME name parameter must always begin with a leading underscore.

You can use either of the values on the right side of the table below to validate a domain.




_<random value>


_<random value>

_<random value>


<random value>

Default trailing period added by DNS provider

Some DNS providers add by default a trailing period to the CNAME value that you provide. As a result, adding the period yourself causes an error. For example, "<random_value>" is rejected while "<random_value>" is accepted.

DNS validation on GoDaddy fails

DNS validation for domains registered with Godaddy and other registries may fail unless you modify the CNAME values provided by ACM. Taking as the domain name, the issued CNAME record has the following form:


You can create a CNAME record compatible with GoDaddy by truncating the apex domain (including the period) at the end of the NAME field, as follows:

NAME: _ho9hv39800vb3examplew3vnewoib3u VALUE:

ACM Console does not display "Create record in Route 53" button

If you select Amazon Route 53 as your DNS provider, AWS Certificate Manager can interact directly with it to validate your domain ownership. Under some circumstances, the console's Create record in Route 53 button may not be available when you expect it. If this happens, check for the following possible causes.

  • On the Validation page, you did not click the down-arrow next to your domain name.

  • You are not using Route 53 as your DNS provider.

  • You are logged into ACM and Route 53 through different accounts.

  • You lack IAM permissions to create records in a zone hosted by Route 53.

  • You or someone else has already validated the domain.

  • The domain is not publicly addressable.

Route 53 validation fails on private (untrusted) domains

During DNS validation, ACM searches for a CNAME in a publicly hosted zone. When it doesn't find one, it times out after 72 hours with a status of Validation timed out. You cannot use it to host DNS records for private domains, including resources in an Amazon VPC private hosted zone, untrusted domains in your private PKI, and self-signed certificates.

AWS does provide support for publicly untrusted domains through the ACM Private CA service.

Validation fails for DNS server on a VPN

If you locate a DNS server on a VPN and ACM fails to validate a certificate against it, check if the server is publicly accessible. Public certificate issuance using ACM DNS validation requires that the domain records be resolvable over the public internet.