loading...

Generating ACM certificates for a Vercel-managed domain.

wulfmann profile image Joseph Snell ・2 min read

When you use Vercel to manage your DNS records, they generate SSL certificates for you.

I want to manage my DNS with Vercel, but still need an ACM Certificate in my AWS account. I've done this before with Route 53, but with Vercel I kept seeing mysterious failures.

After trying Email Validation, I switched to DNS Validation. I still got errors, but this time I got more information:

The status of this certificate request is "Failed". One or more domain names have failed validation due to a Certificate Authority Authentication (CAA) error.

After googling around, I found this note:

One or more domain names have failed validation due to a Certification Authority Authentication (CAA) error, check your CAA DNS records..

After going back to my domain in the Vercel dashboard, I found this record:

CAA 0 issue "letsencrypt.org"

Since there is no CAA Record allowing amazon to issue certificates, the request fails.

AWS provides documentation on how to configure a CAA record to allow ACM to generate certs. We need to add an extra record in Vercel:

CAA 0 issue "amazon.com"

Request a new ACM cert and this time it succeeds!

Posted on by:

wulfmann profile

Joseph Snell

@wulfmann

Occasionally I have an average idea

Discussion

pic
Editor guide