

# Troubleshoot certificate validation
<a name="certificate-validation"></a>

If the ACM certificate request status is **Pending validation**, the request is waiting for action from you. If you chose email validation when you made the request, you or an authorized representative must respond to the validation email messages. These messages were sent to the common email addresses for the requested domain. For more information, see [AWS Certificate Manager email validation](email-validation.md). If you chose DNS validation, you must add the CNAME record that ACM created for you to your DNS database. For more information, see [AWS Certificate Manager DNS validation](dns-validation.md).

**Important**  
You must validate that you own or control every domain name that you included in your certificate request. If you chose email validation, you will receive validation email messages for each domain. If you do not, then see [Not receiving validation email](troubleshooting-email-validation.md#troubleshooting-no-mail). If you chose DNS validation, you must create one CNAME record for each domain. 

**Note**  
Public ACM certificates can be installed on Amazon EC2 instances that are connected to a [Nitro Enclave](acm-services.md#acm-nitro-enclave). You can also [export a public certificate](export-public-certificate.md) to use on any Amazon EC2 instance. For information about setting up a standalone web server on an Amazon EC2 instance not connected to a Nitro Enclave, see [Tutorial: Install a LAMP web server on Amazon Linux 2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-lamp-amazon-linux-2.html) or [Tutorial: Install a LAMP web server with the Amazon Linux AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-LAMP.html).

We recommend that you use DNS validation rather than email validation.

Consult the following topics if you experience validation problems.

**Topics**
+ [Troubleshoot DNS validation problems](troubleshooting-DNS-validation.md)
+ [Troubleshoot email validation problems](troubleshooting-email-validation.md)
+ [Troubleshooting HTTP validation problems](troubleshooting-HTTP-validation.md)

# Troubleshoot DNS validation problems
<a name="troubleshooting-DNS-validation"></a>

Consult the following guidance if you are having trouble validating a certificate with DNS.

The first step in DNS troubleshooting is to check the current status of your domain with tools such as the following:
+ **dig** — [Linux](https://linux.die.net/man/1/dig), [Windows](https://help.dyn.com/how-to-use-binds-dig-tool/)
+ **nslookup** — [Linux](https://linux.die.net/man/1/nslookup), [Windows](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup)

**Topics**
+ [Underscores prohibited by DNS provider](#underscores-prohibited)
+ [Default trailing period added by DNS provider](#troubleshooting-trailing-period)
+ [DNS validation on GoDaddy fails](#troubleshooting-DNS-GoDaddy)
+ [ACM Console does not display "Create records in Route 53" button](#troubleshooting-route53-1)
+ [Route 53 validation fails on private (untrusted) domains](#troubleshooting-route53-2)
+ [Validation is successful but issuance or renewal fails](#troubleshooting-dns-pending-violation)
+ [Validation fails for DNS server on a VPN](#troubleshooting-vpn)

## Underscores prohibited by DNS provider
<a name="underscores-prohibited"></a>

If your DNS provider prohibits leading underscores in CNAME values, you can remove the underscore from the ACM-provided value and validate your domain without it. For example, the CNAME value `_x2.acm-validations.aws` can be changed to `x2.acm-validations.aws` for validation purposes. However, the CNAME name parameter must always begin with a leading underscore.

You can use either of the values on the right side of the table below to validate a domain.


|  Name  |  Type  |  Value  | 
| --- | --- | --- | 
|  `_<random value>.example.com.`  |  CNAME  |  `_<random value>.acm-validations.aws.`  | 
|  `_<random value>.example.com.`  |  CNAME  |  `<random value>.acm-validations.aws.`  | 

## Default trailing period added by DNS provider
<a name="troubleshooting-trailing-period"></a>

Some DNS providers add by default a trailing period to the CNAME value that you provide. As a result, adding the period yourself causes an error. For example, "`<random_value>.acm-validations.aws.`" is rejected while "`<random_value>.acm-validations.aws`" is accepted.

## DNS validation on GoDaddy fails
<a name="troubleshooting-DNS-GoDaddy"></a>

DNS validation for domains registered with GoDaddy and other registrars may fail unless you modify the CNAME values provided by ACM. Taking example.com as the domain name, the issued CNAME record has the following form:

```
NAME: _ho9hv39800vb3examplew3vnewoib3u.example.com. VALUE: _cjhwou20vhu2exampleuw20vuyb2ovb9.j9s73ucn9vy.acm-validations.aws.
```

You can create a CNAME record compatible with GoDaddy by truncating the apex domain (including the period) at the end of the NAME field, as follows:

```
NAME: _ho9hv39800vb3examplew3vnewoib3u VALUE: _cjhwou20vhu2exampleuw20vuyb2ovb9.j9s73ucn9vy.acm-validations.aws.
```
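The three provider quirks above (a dropped leading underscore in the VALUE, an optional trailing period, and GoDaddy's apex-relative NAME) can be checked mechanically against what `dig` or `nslookup` returns. The following is an added example, not AWS or ACM code; it uses the example record values shown above as constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AcmCname:
    """CNAME record as ACM issued it (NAME and VALUE, both with trailing period)."""
    name: str
    value: str

def normalize(label: str) -> str:
    """Lowercase and drop the trailing period, so "a.b." compares equal to "A.B"."""
    return label.strip().lower().rstrip(".")

def relative_name(record: AcmCname, apex: str) -> str:
    """NAME to enter at a provider (e.g. GoDaddy) that appends the apex domain itself."""
    name, suffix = normalize(record.name), "." + normalize(apex)
    if not name.endswith(suffix):
        raise ValueError(f"{record.name} is not under {apex}")
    return name[: -len(suffix)]

def accepted_values(record: AcmCname) -> frozenset[str]:
    """Both VALUE forms ACM accepts: with and without the leading underscore."""
    value = normalize(record.value)
    return frozenset({value, value[1:] if value.startswith("_") else value})

def check_answer(record: AcmCname, answer_name: str, answer_target: str) -> list[str]:
    """Compare a dig/nslookup CNAME answer with the ACM record; [] means it validates."""
    problems = []
    name = normalize(answer_name)
    if not name.startswith("_"):
        # The NAME must keep its underscore even where the VALUE may drop it.
        problems.append(f"NAME {answer_name!r} lost its leading underscore")
    elif name != normalize(record.name):
        problems.append(f"NAME {answer_name!r} does not match {record.name!r}")
    if normalize(answer_target) not in accepted_values(record):
        problems.append(f"VALUE {answer_target!r} does not match {record.value!r}")
    return problems

# Sample record using the example values shown on this page.
RECORD = AcmCname(
    name="_ho9hv39800vb3examplew3vnewoib3u.example.com.",
    value="_cjhwou20vhu2exampleuw20vuyb2ovb9.j9s73ucn9vy.acm-validations.aws.",
)

if __name__ == "__main__":
    print("GoDaddy NAME:", relative_name(RECORD, "example.com"))
    print(check_answer(RECORD, RECORD.name, RECORD.value))
    print(check_answer(RECORD, "ho9hv39800vb3examplew3vnewoib3u.example.com", RECORD.value))
```

Feed `check_answer` the owner name and target from `dig +noall +answer CNAME <name>`; an empty list means the published record satisfies the rules described in these sections.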

## ACM Console does not display "Create records in Route 53" button
<a name="troubleshooting-route53-1"></a>

If you select Amazon Route 53 as your DNS provider, AWS Certificate Manager can interact directly with it to validate your domain ownership. Under some circumstances, the console's **Create records in Route 53** button may not be available when you expect it. If this happens, check for the following possible causes.
+ You are not using Route 53 as your DNS provider.
+ You are logged into ACM and Route 53 through different accounts.
+ You lack IAM permissions to create records in a zone hosted by Route 53.
+ You or someone else has already validated the domain.
+ The domain is not publicly addressable.

## Route 53 validation fails on private (untrusted) domains
<a name="troubleshooting-route53-2"></a>

During DNS validation, ACM searches for a CNAME in a publicly hosted zone. When it doesn't find one, it times out after 72 hours with a status of **Validation timed out**. DNS validation cannot be used for private domains, including resources in an Amazon VPC [private hosted zone](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-private-hosted-zones), untrusted domains in your private PKI, and self-signed certificates.

AWS does provide support for publicly untrusted domains through the [AWS Private CA](https://aws.amazon.com/certificate-manager/private-certificate-authority/) service. 

## Validation is successful but issuance or renewal fails
<a name="troubleshooting-dns-pending-violation"></a>

If certificate issuance fails with "Pending validation" even though DNS is correct, check that issuance is not being blocked by a Certification Authority Authorization (CAA) record. For more information, see [(Optional) Configure a CAA record](setup.md#setup-caa).

## Validation fails for DNS server on a VPN
<a name="troubleshooting-vpn"></a>

If you locate a DNS server on a VPN and ACM fails to validate a certificate against it, check if the server is publicly accessible. Public certificate issuance using ACM DNS validation requires that the domain records be resolvable over the public internet.

# Troubleshoot email validation problems
<a name="troubleshooting-email-validation"></a>

Consult the following guidance if you are having trouble validating a certificate domain with email.

**Topics**
+ [Not receiving validation email](#troubleshooting-no-mail)
+ [Persistent initial timestamp for email validation](#initial-dates)
+ [I can't switch to DNS validation](#troubleshoot-switch-to-dns)

## Not receiving validation email
<a name="troubleshooting-no-mail"></a>

When you request a certificate from ACM and choose email validation, domain validation email is sent to the five common administrative addresses. For more information, see [AWS Certificate Manager email validation](email-validation.md). If you are experiencing problems receiving validation email, review the suggestions that follow.

**Where to look for email**  
ACM sends validation email messages to your requested domain name. You can also specify a superdomain as a validation domain if you wish to receive these emails at that domain instead. Any superdomain, up to the minimal website address, is valid and is used as the part of the email address that follows the @. For example, you can receive an email to admin@example.com if you specify example.com as the validation domain for subdomain.example.com. Review the list of email addresses that are displayed in the ACM console (or returned from the CLI or API) to determine where you should be looking for validation email. To see the list, click the icon next to the domain name in the box labeled **Validation not complete**.

**The email is marked as spam**  
Check your spam folder for the validation email.

**Gmail automatically sorts your email**  
If you are using Gmail, the validation email may have been automatically sorted into the **Updates** or **Promotions** tabs.

**Contact the Support Center**  
If, after reviewing the preceding guidance, you still don't receive the domain validation email, please visit the [Support Center](https://console.aws.amazon.com/support/home) and create a case. If you don't have a support agreement, post a message to the [ACM Discussion Forum](https://forums.aws.amazon.com/forum.jspa?forumID=206).

## Persistent initial timestamp for email validation
<a name="initial-dates"></a>

The timestamp of a certificate's first email-validation request persists through later requests for validation renewal. This is not evidence of an error in ACM operations.

## I can't switch to DNS validation
<a name="troubleshoot-switch-to-dns"></a>

After you create a certificate with email validation, you cannot switch to validating it with DNS. To use DNS validation, delete the certificate and then create a new one that uses DNS validation.

# Troubleshooting HTTP validation problems
<a name="troubleshooting-HTTP-validation"></a>

Consult the following guidance if you're having trouble validating a certificate with HTTP.

The first step in HTTP troubleshooting is to check the current status of your domain with tools such as the following:
+ **curl** — [Linux and Windows](https://curl.se/docs/manpage.html)
+ **wget** — [Linux and Windows](https://www.gnu.org/software/wget/manual/wget.html)

**Topics**
+ [Content mismatch between RedirectFrom and RedirectTo locations](#http-validation-content-mismatch)
+ [Incorrect CloudFront configuration](#http-validation-cloudfront-configuration)
+ [HTTP redirect issues](http-validation-redirect-issues.md)
+ [Validation timeout](http-validation-timeout.md)

## Content mismatch between RedirectFrom and RedirectTo locations
<a name="http-validation-content-mismatch"></a>

If the content at the `RedirectFrom` location doesn't match the content at the `RedirectTo` location, validation will fail. Ensure that the content is identical for each domain in the certificate.

## Incorrect CloudFront configuration
<a name="http-validation-cloudfront-configuration"></a>

Make sure your CloudFront distribution is correctly configured to serve the validation content. Check that the origin and behavior settings are correct and that the distribution is deployed.

# HTTP redirect issues
<a name="http-validation-redirect-issues"></a>

If you're using a redirect instead of serving the content directly, follow these steps to verify your configuration.

**To verify redirect configuration**

1. Copy the `RedirectFrom` URL and paste it into your browser's address bar.

1. In a new browser tab, paste the `RedirectTo` URL.

1. Compare the content at both URLs to ensure they match exactly.

1. Verify that the redirect returns a 302 status code.
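The browser steps above, and the content-mismatch check described earlier, can be run from a script so the 302, its `Location` header and the served content are compared exactly. This is an added example, not AWS code; the `fetch` parameter is an assumption added so the check can run against the constructed sample site below as well as against live URLs.

```python
import urllib.error
import urllib.request
from typing import Callable

Response = tuple[int, dict[str, str], bytes]  # (status, headers, body)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_no_follow(url: str) -> Response:
    """GET without following redirects; urllib reports the 302 as an HTTPError."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def check_redirect(redirect_from: str, redirect_to: str,
                   fetch: Callable[[str], Response] = fetch_no_follow) -> list[str]:
    """Run the page's redirect checks; an empty list means everything matched."""
    problems: list[str] = []
    status, headers, body = fetch(redirect_from)
    if status != 302:
        problems.append(f"RedirectFrom returned {status}, expected 302")
    # Header names are case-insensitive, so normalise before looking up Location.
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    if location and location != redirect_to:
        problems.append(f"Location is {location!r}, expected {redirect_to!r}")
    if location:
        _, _, body = fetch(location)  # the content a browser shows after the redirect
    status_to, _, body_to = fetch(redirect_to)
    if status_to != 200:
        problems.append(f"RedirectTo returned {status_to}, expected 200")
    if body != body_to:
        problems.append("content reached via RedirectFrom differs from RedirectTo")
    return problems

# Constructed stand-in for a site (sample data, not real hosts): /from redirects
# correctly, /bad serves a page directly instead of redirecting.
CONSTRUCTED_SITE: dict[str, Response] = {
    "https://www.example.com/from": (302, {"Location": "https://validation.example/to"}, b""),
    "https://www.example.com/bad": (200, {}, b"stale page"),
    "https://validation.example/to": (200, {}, b"acm-token"),
}

def constructed_fetch(url: str) -> Response:
    """Look up a URL in the constructed site; stands in for fetch_no_follow offline."""
    return CONSTRUCTED_SITE.get(url, (404, {}, b"not found"))
```

Against live URLs, call `check_redirect(redirect_from, redirect_to)` with the default fetcher; any string it returns names the step in the procedure above that failed.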

# Validation timeout
<a name="http-validation-timeout"></a>

HTTP validation may time out if the content isn't available within the expected time frame. To troubleshoot validation issues, follow these steps.

**To troubleshoot validation timeout**

1. Do one of the following to check which domains are pending validation:

   1. Open the ACM console and view the certificate details page. Look for domains marked as **Pending validation**.

   1. Call the `DescribeCertificate` API operation to view the validation status of each domain.

1. For each pending domain, verify that the validation content is accessible from the internet.