Pending Domain Validation (DV) SSL certificate validation in Adobe Experience Manager

If your Domain Validation (DV) SSL certificate is stuck in a Pending state despite successful ACME validation, restrictive Certification Authority Authorization (CAA) records might be the culprit. To fix this, check and update the CAA records, allow time for DNS propagation, and recreate or refresh the certificate request.

Description

Environment

Adobe Experience Manager as a Cloud Service (AEMaaCS) - Sites

Issue/Symptoms

  • DV SSL certificate request remains in Pending status after several hours despite successful ACME validation.
  • ACME CNAME record is correctly configured, but secondary validation fails due to restrictive CAA records on the parent domain.
  • Let’s Encrypt is not included in the existing CAA records, preventing certificate issuance.

Resolution

  1. Ensure the ACME challenge record (_acme-challenge.subdomain.parentdomain.com) is correctly configured and verified by running the following command:

    • dig _acme-challenge.subdomain.parentdomain.com +short
    • This command should return the CNAME record that Let’s Encrypt uses to validate domain ownership (for example, bcexxxxxxxxxxxxxxxxxxxxae7a7080b.cm-verify.adobe.com.).
  2. Investigate the parent domain’s DNS configuration for existing CAA records. Confirm whether Let’s Encrypt is authorized within these records.

  3. If Let’s Encrypt is not authorized, add a new CAA record permitting Let’s Encrypt: <parent-domain>. IN CAA 0 issue "letsencrypt.org".

    Alternatively, remove restrictive CAA records if they are unnecessary.

  4. After updating DNS settings, allow sufficient time for changes to propagate across global DNS servers (typically up to 72 hours).

  5. Perform one of the following actions in Cloud Manager:

    • Use an Edit and Save action on the existing certificate entry to trigger a backend refresh.
    • Delete and recreate the SSL request if necessary.
  6. Check Cloud Manager’s UI periodically for updates on certificate status once DNS propagation completes.

By following these steps, you should be able to resolve issues with pending DV SSL certificates and successfully validate them for use within Adobe Experience Manager as a Cloud Service.
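
The CAA check in steps 2 and 3, as an added example that is not part of the original article or Adobe's tooling: `relevant_caa` walks from the hostname up through the parent domain with `dig`, and `caa_allows` decides whether the first CAA record set found permits `letsencrypt.org`. The function names and sample records are constructed for illustration, and only non-wildcard names are covered.

```shell
# Added example, not Adobe's tooling. Non-wildcard names only (issuewild is ignored).

# Read `dig +short CAA` lines on stdin; succeed if CA domain $1 may issue.
# RFC 8659: no "issue" property at all means issuance is unrestricted.
caa_allows() {
  awk -v ca="$1" '
    tolower($2) == "issue" {
      seen = 1
      v = $0
      sub(/^[^"]*"/, "", v)   # strip flags, tag and opening quote
      sub(/".*$/, "", v)      # strip closing quote
      sub(/;.*$/, "", v)      # strip parameters, e.g. validationmethods=...
      gsub(/[ \t]/, "", v)
      if (tolower(v) == tolower(ca)) ok = 1
    }
    END { if (seen && !ok) exit 1 }'
}

# Climb from the hostname toward the root and print the first CAA RRset found,
# which is the one the CA evaluates (here: subdomain first, then parent domain).
relevant_caa() {
  name="${1%.}"
  while [ -n "$name" ]; do
    rrset=$(dig +short CAA "$name" | grep -E '^[0-9]+ [A-Za-z0-9]+ "' || true)
    if [ -n "$rrset" ]; then
      echo "CAA RRset found at $name" >&2
      printf '%s\n' "$rrset"
      return 0
    fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
}

# Constructed sample RRsets (not from a real zone): before and after step 3.
CAA_BEFORE='0 issue "ca.example.net"
0 iodef "mailto:security@parentdomain.com"'
CAA_AFTER="$CAA_BEFORE
0 issue \"letsencrypt.org\""

# Live check: sh caa_check.sh subdomain.parentdomain.com
if [ "$#" -ge 1 ]; then
  if relevant_caa "$1" | caa_allows letsencrypt.org; then
    echo "$1: CAA permits letsencrypt.org"
  else
    echo "$1: CAA blocks letsencrypt.org; add: 0 issue \"letsencrypt.org\""
  fi
fi
```

A failed DNS lookup produces no records with `+short` and would read as "no CAA records", so confirm an unexpected result with a plain `dig CAA <name>`.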
